Cisco PIX TCP Connection Prevention Help with the static command

OK, I am trying to implement this on our firewalls. They are PIX 515E,
software version 6.3.
 
Here is the link to the cisco site...
 http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.shtml

It says to use the static command and set the emb_limit to 1.

This is from Cisco's site:

" For discarded TCP connections originating from lower security level interfaces to higher security level interfaces, TCP Intercept can be configured on STATIC commands by setting the emb_limit to 1. This results in the PIX proxying all connection attempts after the first connection. The PIX will create and send the TCP SYN,ACK from the destination to the original source. Since the original TCP SYN packet was spoofed, the source IP address will not be tracking the TCP connection and it will send a TCP RST to the PIX. The PIX will then close the connection originating from the TCP SYN packet with the incorrect checksum. TCP Intercept may impact firewall performance and should be tested before being enabled in a production environment. "

When I enter the command I get:

  [no] static [(internal_if_name, external_if_name)]
         {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
         [<max_conns> [<emb_limit> [<norandomseq>]]]
 [no] static [(internal_if_name, external_if_name)] {tcp|udp}
         {<global_ip>|interface} <global_port>
         <local_ip> <local_port> [dns] [netmask <mask>]
         [<max_conns> [<emb_limit> [<norandomseq>]]]

invalid number of interfaces specified
  or
invalid syntax

Please, someone give me the correct way to enter this command.

Thanks in advance, experts.

vtobusman asked:

stressedout2004 commented:
If you have an existing static command, you need to remove it first, because the PIX won't allow you to overwrite it.

e.g.
static (inside,outside) 1.1.1.1 10.10.10.1 netmask 255.255.255.255 0 0

To change the embryonic connection limit of the following static statement from unlimited to 1, the following
commands need to be run on the PIX in configuration mode.

no static (inside,outside) 1.1.1.1 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 10.10.10.1 netmask 255.255.255.255 0 1
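The same remove-then-re-add step, scripted over a whole configuration. This is an added example, not code from the original thread or from Cisco: it parses PIX 6.3 "static" lines in the two forms shown in the CLI usage above (plain and tcp/udp port statics, with the optional dns, max_conns, emb_limit and norandomseq fields), and emits the "no static" / "static" pair with emb_limit set to 1, as the accepted answer does by hand. The sample configuration lines are constructed for the example, and a static that already has the requested emb_limit is left alone. The default of 0 for both max_conns and emb_limit means unlimited, which is why the answer's "0 0" static had to be replaced with "0 1".

```python
import re

# Constructed sample of "static" lines as they would appear in "show run"
# on a PIX 6.3; not taken from the thread.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.1 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 10.10.10.2 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 80 10.10.10.3 80 netmask 255.255.255.255 100 0 norandomseq
static (dmz,outside) 1.1.1.4 192.168.1.4 dns netmask 255.255.255.255 0 5
"""

# Matches both forms from the PIX usage text:
#   static (in,out) {global|interface} local [dns] netmask mask [max_conns [emb_limit [norandomseq]]]
#   static (in,out) {tcp|udp} {global|interface} gport local lport [dns] netmask mask [...]
# Everything between the interface pair and "netmask" is kept verbatim as "body".
STATIC_RE = re.compile(
    r"^static\s+\((?P<ifaces>[^)]+)\)\s+(?P<body>.*?)\s+netmask\s+(?P<mask>\S+)"
    r"(?:\s+(?P<max_conns>\d+)(?:\s+(?P<emb_limit>\d+)"
    r"(?:\s+(?P<norandomseq>norandomseq))?)?)?\s*$"
)


def rewrite_static(line, emb_limit=1):
    """Return the commands needed to give one static the requested emb_limit.

    None      -> the line is not a static command
    []        -> the static already has that emb_limit, nothing to do
    [no, new] -> "no static ..." (the PIX refuses to overwrite an existing
                 static) followed by the replacement static
    """
    line = line.strip()
    m = STATIC_RE.match(line)
    if not m:
        return None
    # Omitted emb_limit means 0, i.e. unlimited embryonic connections.
    current = int(m.group("emb_limit") or 0)
    if current == emb_limit:
        return []
    max_conns = m.group("max_conns") or "0"
    new = "static ({ifaces}) {body} netmask {mask} {max_conns} {emb}".format(
        ifaces=m.group("ifaces"),
        body=m.group("body"),
        mask=m.group("mask"),
        max_conns=max_conns,
        emb=emb_limit,
    )
    if m.group("norandomseq"):
        new += " norandomseq"
    return ["no " + line, new]


def tcp_intercept_commands(config_text, emb_limit=1):
    """Emit the full list of configuration-mode commands for every static."""
    cmds = []
    for raw in config_text.splitlines():
        result = rewrite_static(raw, emb_limit)
        if result:
            cmds.extend(result)
    return cmds


if __name__ == "__main__":
    # Paste the output into "configure terminal" on the PIX. Per Cisco's note,
    # TCP Intercept can cost firewall performance, so test before production.
    for cmd in tcp_intercept_commands(SAMPLE_CONFIG):
        print(cmd)
```

Because the "no static" line is built from the original line verbatim, it matches the running configuration exactly, which is what the PIX requires before the replacement static is accepted.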
vtobusman (author) commented:
Thanks a bunch, I know it was something simple.