Great Circle Associates Firewalls
(June 1997)

Subject: Re: Apparent ANSWER: Cisco PIX Version 4 udp problem
From: Eric Vyncke <evyncke @ cisco . com>
Date: Mon, 02 Jun 1997 18:28:02 +0000
To: "Randy.Witlicki."<randy . witlicki @ valley . net>, firewalls @ GreatCircle . COM

Hello Randy,

Your interpretation is probably correct... as the control
connection is to .22 and the incoming data UDP stream
comes from .254, the PIX obviously and securely denies the access.

I cannot imagine any secure way of handling it. 

BTW, even if I'm working in Cisco, I'm not THE PIX expert.

Best regards

Eric

At 15:19 1/06/97 -0400, Randy.Witlicki. wrote:
>
>  Don't you just love it when you answer your own post?
>  So there I am, out for my afternoon run. Are nice spring thoughts
>in my mind? No, it's full of packets and protocols and such.
>  A probable answer hits me, so I get back to the PIX and
>turn on verbose syslogging.
>  In my previous post I said:
>
>> ...<snip>... PIX firewall Version 4.0.4
>>  However, when I try the Streamworks or VDOLive web plug-ins,
>>I get the following at the PIX console (with no *established*
>>command in the configuration):
>>
>><162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1144
>>    and
>><162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1263
>
>  I try a site with VDO that I know is not very big.  It works.  I go
>back to my test case and it fails.  The PIX syslog output has:
>
><166> 304001 192.168.1.2 accessed URL 207.40.202.22:/nbrx.vdo HTTP/1.0
>   followed shortly by:
><162> 106006 deny inbound udp from 207.40.202.254 7001 to 192.168.1.2 1191
>
>  This is on http://intv.net
>% traceroute intv.net
>traceroute to intv.net (207.40.202.22), 30 hops max, 40 byte packets
>  ...<snip>...
>15  AccessUS-1.ChcgIL.savvis.com (206.114.200.250)
>16  vision.accessus.net (207.40.202.254)
>
>  So the URL was at .22 and the UDP stream came from .254 and it looks
>like the cisco PIX "enhanced multimedia Adaptive Security algorithm"
>(to use cisco's terminology) does not allow for this situation.
>
>  - Randy     randy . witlicki @ valley . net
>       Norwich, Vermont   USA
>
Eric Vyncke      Internet, security consultant
Cisco Systems Belgium SA/NV   /------------------------------------\
Phone:  +32-2-778.4677        | Networks bring                     |
Fax:    +32-2-778.4300        |           people                   |
E-mail: evyncke @ cisco . com |                 together...        |
Mobile: +32-75-312.458        \------------------------------------/
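The diagnosis above rests on correlating two PIX 4.x syslog messages: the 304001 "accessed URL" line that names the server the inside host talked to, and the 106006 "deny inbound udp" line that names the host the stream actually came from. The script below is an added example written for this archive page; it is not part of the thread and not Cisco's code. It runs that correlation over a constructed sample log modelled on the lines Randy quoted (the 207.40.202.22 / .254 pair), plus two invented entries (server 10.9.8.7 and an unrelated deny to 192.168.1.3) to show the other outcomes. The pairing rule, "the most recent URL access by that inside host is the control connection the UDP stream belongs to", is an assumption for illustration, not the PIX's own algorithm.

```python
import re

# Constructed sample of PIX 4.x syslog output, modelled on the two message
# types quoted in the thread (304001 URL access, 106006 inbound UDP deny).
# The 10.9.8.7 and 198.51.100.9 lines are invented to show the other cases.
SAMPLE_LOG = """\
<166> 304001 192.168.1.2 accessed URL 207.40.202.22:/nbrx.vdo HTTP/1.0
<162> 106006 deny inbound udp from 207.40.202.254 7001 to 192.168.1.2 1191
<166> 304001 192.168.1.2 accessed URL 10.9.8.7:/clip.vdo HTTP/1.0
<162> 106006 deny inbound udp from 10.9.8.7 7001 to 192.168.1.2 1205
<162> 106006 deny inbound udp from 198.51.100.9 53 to 192.168.1.3 1024
"""

# 304001: <inside host> accessed URL <server>[:port]/<path> ...
URL_RE = re.compile(r'\b304001 (\S+) accessed URL ([^\s:/]+)')
# 106006: deny inbound udp from <src> <sport> to <dst> <dport>
DENY_RE = re.compile(r'\b106006 deny inbound udp from (\S+) (\d+) to (\S+) (\d+)')


def correlate(log_text):
    """Pair each 106006 UDP deny with the server the inside host last fetched
    a URL from.  Assumption (illustrative, not the PIX algorithm): the most
    recent 304001 for that inside host is the control connection the denied
    stream belongs to.  Returns one dict per deny line."""
    last_server = {}   # inside host -> server of its most recent URL access
    findings = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if m:
            last_server[m.group(1)] = m.group(2)
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        server = last_server.get(dst)
        if server is None:
            verdict = "no-control-connection"   # nothing to correlate with
        elif server == src:
            verdict = "same-host"               # stream came from the URL server
        else:
            verdict = "third-party-source"      # the case described in the thread
        findings.append({
            "inside": dst, "server": server, "udp_src": src,
            "sport": int(sport), "dport": int(dport), "verdict": verdict,
        })
    return findings


def report(log_text):
    """One human-readable line per deny, for running at a console."""
    lines = []
    for f in correlate(log_text):
        lines.append("%s <- udp %s:%d (URL server %s): %s" % (
            f["inside"], f["udp_src"], f["sport"], f["server"], f["verdict"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a saved syslog file by reading the file into correlate(). A "third-party-source" verdict is exactly Randy's situation: the inside host fetched the URL from one address and the UDP stream arrived from another, so a filter that only opens return traffic for the peer of an existing connection has no conn entry to match it against. The verdict names the correlation result only; the PIX log lines do not record why a packet was denied, so "same-host" denies still need to be checked against the configuration (for example whether an established command is present).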

