PIX-Exceed MSS Resolution-优快云博客

本文介绍了解决PIX防火墙因MSS超出而丢弃数据包的问题。通过配置特定的ACL、Class Map、TCP Map及Policy Map，并应用Service Policy到外部接口，成功解决了外界无法访问DMZ区内的192.168.1.3 IP地址的Web服务器问题。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

Author Details : suyashjain Blog | suyashjain Links | India |

0 points, 4106 views Comments:

1 Comments User:

suyashjain

Message Type: %PIX-4-419001
Message Description: Exceed MSS Resolution
Device : PIX
Software Version: 7.x
Chassis: 5xx

Scenario: Out side world is not able to access the web server in DMZ with ip address 192.168.1.3.PIX syslog says that MSS exceeded, MSS 1380, data 1460 .

Diagnose: Pix is dropping the packet due to default policy.

Resolution:

pixfirewall(config)#access-list http-list2 permit tcp any host 192.168.1.3 pixfirewall(config)# pixfirewall#configure terminal pixfirewall(config)# pixfirewall(config)#class-map http-map1 pixfirewall(config-cmap)#match access-list http-list2 pixfirewall(config-cmap)#exit pixfirewall(config)#tcp-map mss-map pixfirewall(config-tcp-map)#exceed-mss allow pixfirewall(config-tcp-map)#exit pixfirewall(config)#policy-map http-map1 pixfirewall(config-pmap)#class http-map1 pixfirewall(config-pmap-c)#set connection advanced-options mss-map pixfirewall(config-pmap-c)#exit pixfirewall(config-pmap)#exit pixfirewall(config)#service-policy http-map1 interface outside