
Does PIX alter TCP sequence numbers?


deeze6 (Technical User, US), Sep 5, 2002
Hello all,

I am trying to sniff a session between a server on an "inside" segment and a server on a "DMZ" segment. The server on the inside is being NAT translated to the same address on the DMZ like so:

static (inside,DMZ) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0

The problem I am having is comparing the sniffer capture on the inside server to the one on the DMZ server because I think the TCP sequence numbers are being altered. The TCP port numbers appear to be maintained.

Does the PIX alter the TCP sequence numbers? If so, does it do so in a predictable manner?

Also can someone point me to documentation on this behavior?

Thanks,
Deeze6
 
The PIX does in fact alter the sequence numbers. This is by design and the sequencing is totally random. It's actually the heart of the PIX security measures, and exists to primarily prevent TCP hijacking.

It can be disabled by adding the keyword "norandomseq" to the end of your NAT statement, but trust me... Unless you have another inline firewall that does the randomizing, you REALLY don't want to disable that :)
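The practical problem in the question, comparing an inside capture with a DMZ capture of the same connection when the firewall has rewritten the sequence numbers, is solvable without turning randomization off: the rewrite is a constant per-connection offset, so converting both captures to relative sequence numbers (offset from each direction's ISN) makes them line up, and the difference between the two captures' ISNs is the offset the firewall added. The script below is an added example, not code from the original thread or from Cisco. The packets are constructed in the script rather than read from a real capture, the offset value is made up, and the modelled rewrite (shift the translated inside host's sequence numbers outbound and the peer's ACK numbers inbound) is an assumption about the PIX behaviour used only to build the sample DMZ-side capture.

```python
"""Re-align two TCP captures that differ by a per-connection ISN offset."""

from collections import namedtuple

MOD = 1 << 32  # TCP sequence space wraps at 2**32

# One sniffed packet: addresses, ports, TCP flags, absolute seq/ack, payload length.
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack plen")

# Constructed inside-side capture (not a real trace): handshake plus one data
# segment each way between the translated inside host and a DMZ server.
INSIDE = [
    Pkt("10.1.1.1", 40000, "10.2.2.2", 80, "S",  1000,    0,   0),
    Pkt("10.2.2.2", 80, "10.1.1.1", 40000, "SA", 5000, 1001,   0),
    Pkt("10.1.1.1", 40000, "10.2.2.2", 80, "A",  1001, 5001,   0),
    Pkt("10.1.1.1", 40000, "10.2.2.2", 80, "PA", 1001, 5001, 100),
    Pkt("10.2.2.2", 80, "10.1.1.1", 40000, "PA", 5001, 1101, 300),
]

# Made-up offset, chosen so the arithmetic wraps past 2**32 and exercises MOD.
DELTA = 0xFFFFF000


def direction(p):
    """Unidirectional 4-tuple identifying which way a packet is travelling."""
    return (p.src, p.sport, p.dst, p.dport)


def apply_isn_shift(capture, protected, delta):
    """Assumed model of the firewall rewrite: add a constant to the protected
    host's sequence numbers on the way out and to the peer's ACK numbers on the
    way in, so the peer never sees the protected host's real ISN."""
    out = []
    for p in capture:
        if p.src == protected:
            p = p._replace(seq=(p.seq + delta) % MOD)
        elif p.dst == protected and "A" in p.flags:
            p = p._replace(ack=(p.ack + delta) % MOD)
        out.append(p)
    return out


# Constructed DMZ-side view of the same packets after the rewrite.
DMZ = apply_isn_shift(INSIDE, "10.1.1.1", DELTA)


def relative(capture):
    """Rewrite absolute seq/ack as offsets from each direction's ISN (what a
    sniffer calls relative sequence numbers). The ISN of a direction is the seq
    of the first packet seen in it, i.e. the SYN or the SYN/ACK. ACK numbers are
    taken relative to the opposite direction's ISN; a SYN without ACK gets None."""
    isn = {}
    out = []
    for p in capture:
        fwd = direction(p)
        rev = (p.dst, p.dport, p.src, p.sport)
        isn.setdefault(fwd, p.seq)
        rel_seq = (p.seq - isn[fwd]) % MOD
        rel_ack = None
        if "A" in p.flags and rev in isn:
            rel_ack = (p.ack - isn[rev]) % MOD
        out.append(p._replace(seq=rel_seq, ack=rel_ack))
    return out


def same_session(cap_a, cap_b):
    """True when both captures describe the same exchange once ISNs are removed."""
    return relative(cap_a) == relative(cap_b)


def isn_offsets(cap_a, cap_b):
    """Per-direction constant added to the sequence numbers between capture A
    and capture B. A direction whose delta is not the same on every packet is
    reported as None: the captures then are not of the same connection, or
    packets are missing from one of them."""
    offsets = {}
    for pa, pb in zip(cap_a, cap_b):
        if direction(pa) != direction(pb):
            raise ValueError("captures are not packet-for-packet aligned")
        d = direction(pa)
        delta = (pb.seq - pa.seq) % MOD
        if d not in offsets:
            offsets[d] = delta
        elif offsets[d] != delta:
            offsets[d] = None
    return offsets


if __name__ == "__main__":
    print("raw captures identical:", INSIDE == DMZ)
    print("same session after normalising:", same_session(INSIDE, DMZ))
    for d, off in isn_offsets(INSIDE, DMZ).items():
        print(d, "offset" , hex(off) if off is not None else "inconsistent")
```

With real traces, replace the two constructed lists with packets read from each capture (any pcap reader that exposes the 4-tuple, flags, seq, ack and payload length will do); the offset for the DMZ-to-inside direction should come out as 0 and the other as whatever the firewall picked for that connection. If the reported offset is not constant, the two files are not packet-for-packet views of the same connection and should be filtered to one connection first.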
 