Welcome To suyashjain.blogspot.com

For Latest and more contents visit http://www.i3w.in

Tuesday, April 17, 2007

%PIX-4-419001 -Exceed MSS Resolution

Message Type: %PIX-4-419001
Message Description: Exceed MSS Resolution
Device : PIX
Software Version: 7.x
Chassis: 5xx

Scenario:

Out side world is not able to access the web server in DMZ with ip
address 192.168.1.3.PIX syslog says that MSS exceeded, MSS 1380, data 1460 .

Diagnose:

Pix is dropping the packet due to default policy.


Resolution:


pixfirewall(config)#access-list http-list2 permit tcp any host 192.168.1.3
pixfirewall(config)#
pixfirewall#configure terminal
pixfirewall(config)#
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 interface outside


and Done.

Posted by at 1 comment:
Labels:

Linux Attack Protection

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)