Cisco PIX TCP Connection Prevention Help with the static command

Posted on 2006-05-09
Last Modified: 2013-11-16
Ok, I am trying to implement this on our firewalls. They are PIX 515E, software version 6.3.
Here is the link to the Cisco site...

It says to use the static command and set the emb_limit to 1.

This is from Cisco's site:

"For discarded TCP connections originating from lower security level interfaces to higher security level interfaces, TCP Intercept can be configured on STATIC commands by setting the emb_limit to 1. This results in the PIX proxying all connection attempts after the first connection. The PIX will create and send the TCP SYN,ACK from the destination to the original source. Since the original TCP SYN packet was spoofed, the source IP address will not be tracking the TCP connection and it will send a TCP RST to the PIX. The PIX will then close the connection originating from the TCP SYN packet with the incorrect checksum. TCP Intercept may impact firewall performance and should be tested before being enabled in a production environment."

When I enter the command I get:

  [no] static [(internal_if_name, external_if_name)]
         {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
         [<max_conns> [<emb_limit> [<norandomseq>]]]
 [no] static [(internal_if_name, external_if_name)] {tcp|udp}
         {<global_ip>|interface} <global_port>
         <local_ip> <local_port> [dns] [netmask <mask>]
         [<max_conns> [<emb_limit> [<norandomseq>]]]

invalid number of interfaces specified
invalid syntax

Please, someone give me the correct way to put this command in...

Thanks, experts, in advance...

Question by: vtobusman
    LVL 9

    Accepted Solution

    If you have an existing static command, you need to remove it first because the PIX won't allow you to overwrite it.

    static (inside,outside) netmask 0 0

    To change the embryonic connection limit from unlimited to 1 on the following static statement, the following
    commands need to be run on the PIX in configuration mode.

    no static (inside,outside) netmask 0 0
    static (inside,outside) netmask 0 1
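    Added example, not from the original answer or from Cisco's documentation: the same two commands written out in the full PIX 6.3 syntax shown in the usage text, with constructed documentation-range addresses (192.0.2.10 as the global/outside address, 10.0.0.10 as the inside host) standing in for the real ones, followed by the checks a practitioner would run afterwards. Lines beginning with "!" are annotations.

```cisco
! Constructed example: 192.0.2.10 = global (outside) address, 10.0.0.10 = inside host.
! Syntax from the PIX 6.3 usage text:
!   static (inside,outside) <global_ip> <local_ip> netmask <mask> [<max_conns> [<emb_limit>]]
!
! 1. Remove the existing translation; the PIX refuses to overwrite a static that already exists.
no static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0
!
! 2. Re-add it with max_conns 0 (unlimited) and emb_limit 1. With emb_limit 1 the PIX starts
!    proxying (TCP Intercept) inbound SYNs to this host once one embryonic connection exists.
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 1
!
! 3. Flush translations built under the old static so the new limits apply to new connections.
clear xlate
!
! 4. Verify: show static lists the max_conns/emb_limit values per entry; show conn lets you watch
!    half-open connections to 10.0.0.10 while testing, which is how you confirm the limit takes effect.
show static
show conn
!
! 5. Save once the performance impact has been tested, as Cisco's note above advises.
write memory
```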

    LVL 5

    Author Comment

    Thanks a bunch, I know it was something simple.
