Do you have knowledge about known PIX vulnerabilities and possible workarounds? Also, it would be nice to know if there are common configuration faults which may compromise security.
A protocol (UDP, TCP, or ICMP) failed to create a translation through the PIX Firewall. This message appears as a fix to caveat CSCdr0063 that requested that PIX Firewall not allow packets destined to network or broadcast addresses. PIX Firewall provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, PIX Firewall denies translations for a destined IP address identified as a network or broadcast address.
PIX Firewall utilizes the global IP and mask from configured static command statements to distinguish regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the PIX Firewall will not create an xlate for network or broadcast IP addresses with inbound packets. For example:
Global address 10.2.2.128 is treated as a network address and 10.2.2.255 as the broadcast address. Without an existing xlate, PIX Firewall denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this syslog message.
In case the suspected IP is really a host IP, a separate static command statement with a host mask needs to be configured in front of the subnet static (first-match rule for static command statements). The following static causes PIX Firewall to treat 10.2.2.128 as a host address:
The xlate may be created by traffic started by the inside host with the questioned IP address. PIX Firewall treats a network or broadcast IP address as a host IP address with an overlapping subnet static config; the network address translation for both statics needs to be the same.
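To make the first-match and network/broadcast logic from the answer above concrete, here is an added Python model (not Cisco's code, and not part of the original post). It assumes a simplified static table of (global IP, netmask) pairs in configuration order and reproduces the 10.2.2.128/255.255.255.128 case, with and without the host static placed in front of the subnet static.

```python
import ipaddress

# Hypothetical, simplified model of an ordered list of PIX "static"
# statements: each entry is (global_ip, netmask). Only the fields the
# answer's decision depends on are modelled; local addresses are omitted.


def find_static(statics, dst):
    """Return the first static whose global subnet contains dst (first-match rule)."""
    dst_ip = ipaddress.ip_address(dst)
    for global_ip, mask in statics:
        net = ipaddress.ip_network(f"{global_ip}/{mask}", strict=False)
        if dst_ip in net:
            return global_ip, mask
    return None


def inbound_xlate_decision(statics, dst):
    """Decide whether an inbound packet to dst gets an xlate.

    Returns (allowed, reason). A subnet static whose global IP is the
    subnet's network address makes its network and broadcast addresses
    untranslatable; a preceding host (/32) static overrides that.
    """
    match = find_static(statics, dst)
    if match is None:
        return False, "no-static"          # nothing to translate inbound
    global_ip, mask = match
    net = ipaddress.ip_network(f"{global_ip}/{mask}", strict=False)
    if net.prefixlen == 32:
        return True, "host-static"         # explicit host mask wins
    if ipaddress.ip_address(global_ip) != net.network_address:
        return True, "host"                # global IP is not a valid network address
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == net.network_address:
        return False, "network-address"    # denied, syslog message logged
    if dst_ip == net.broadcast_address:
        return False, "broadcast-address"  # denied, syslog message logged
    return True, "host"


# Constructed sample configurations mirroring the answer's example.
SUBNET_ONLY = [("10.2.2.128", "255.255.255.128")]
HOST_FIRST = [("10.2.2.128", "255.255.255.255")] + SUBNET_ONLY
HOST_LAST = SUBNET_ONLY + [("10.2.2.128", "255.255.255.255")]

if __name__ == "__main__":
    for dst in ("10.2.2.128", "10.2.2.130", "10.2.2.255", "10.2.3.1"):
        print(dst, inbound_xlate_decision(SUBNET_ONLY, dst), inbound_xlate_decision(HOST_FIRST, dst))
```

Note that with HOST_LAST the host static never matches 10.2.2.128 because the subnet static is hit first, which is the ordering mistake the answer warns about.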