302014: Teardown TCP connection on pix 515
Guest
Posted: Wed Apr 19, 2006 6:31 pm    Post subject: 302014: Teardown TCP connection on pix 515

Hi everybody. Glad you read my post and thank you for the time you
spend here.
I'm using a PIX 515E with OS 6.3(4). I try to access a web server on
its DMZ from a PC on the secure LAN. Here are the IPs of these LANs:
secure: 192.168.7.x. The PIX has an IP of 192.168.7.252 on the LAN. The
PC has 192.168.7.12.
DMZ: 192.168.137.x. The PIX has an IP of 192.168.137.252. The web server
is 192.168.137.103. (By the way, the DMZ uses a VLAN, but I don't think
it causes my problem.)
unsecure: 192.168.47.x. The PIX has 192.168.47.252.

The unsecure zone is served by a router (IP 192.168.47.254 on the
unsecure zone, and u.v.w.x on the Internet). My ISP gave me the public
IP a.b.c.d, which is NATted into 192.168.47.103 by the router. The PIX
NATs it again into 192.168.137.103.
When I try to access the web server from outside of this LAN (using
another site), everything works fine.
However, when I try to access it from the secure zone of this LAN, the
PC can't access the server.

Here is what I collect from the logs when I try to access it from the
secure zone of the LAN:
106100: access-list inside_access_in permitted tcp
inside/192.168.7.12(2163) -> outside/a.b.c.d(81) hit-cnt 1 (first hit)
305011: Built dynamic TCP translation from inside:192.168.7.12/2163 to
outside:192.168.47.253/28962
302013: Built outbound TCP connection 271372 for outside:a.b.c.d/81
(a.b.c.d/81) to inside:192.168.7.12/2163 (192.168.47.253/28962)
302013: Built inbound TCP connection 271373 for outside:u.v.w.x/33462
(u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271373 for outside:u.v.w.x/33462 to
DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271374 for outside:u.v.w.x/33462
(u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271374 for outside:u.v.w.x/33462 to
DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271375 for outside:u.v.w.x/33462
(u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271375 for outside:u.v.w.x/33462 to
DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O

When I try to access the web server from outside of this LAN (using
another site), I collect:
106100: access-list outside_access_in permitted tcp
outside/193.251.10.191(11106) -> DMZ_WS/192.168.47.103(81) hit-cnt 1
(first hit)
302013: Built inbound TCP connection 271385 for
outside:193.251.10.191/11106 (193.251.10.191/11106) to
DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
106100: access-list outside_access_in permitted tcp
outside/193.251.10.191(11107) -> DMZ_WS/192.168.47.103(81) hit-cnt 1
(first hit)
302013: Built inbound TCP connection 271386 for
outside:193.251.10.191/11107 (193.251.10.191/11107) to
DMZ_WS:192.168.137.103/81 (192.168.47.103/81)

I think the "302014: Teardown TCP connection" is the problem, but I don't
know how to solve this issue... Thanks again.
NETADMIN
Posted: Wed Apr 19, 2006 8:13 pm    Post subject: Re: 302014: Teardown TCP connection on pix 515

By default this should not work, as the LAN interface has security 100 and the DMZ
can be any one between 01 and 99.
Firewall rules: security 100 can access anything less than 100.

Did you have any access-list stating that the PIX LAN interface can access the
DMZ with a specific IP?

If you can, post the config?


Regards..
CK-NET
Mark Williams
Posted: Thu Apr 20, 2006 2:49 am    Post subject: Re: 302014: Teardown TCP connection on pix 515

You cannot connect to the "outside" IP address of a host on your DMZ
from the inside, or secure, network. Doing so would cause the packet to
cross from the inside interface to the outside interface, then back
*into* the outside interface, then through the DMZ interface. Try
testing again by connecting to the real, or configured, IP of the server
on the DMZ.

A PIX will not allow a packet to cross two interfaces with the same
security level. Typically this means that a packet can't bounce through
the same interface. But, if you did an experiment on a PIX by setting
one interface at 100 and two interfaces at 50, no traffic could pass
between the two interfaces set at 50.

This is a common problem when you don't implement split-DNS at your
site. External connections work fine because hostnames resolve to the
external IP. Internal connections resolve to the external IP, and the
PIX won't allow that connection.
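The log pattern Mark describes (an inside host reaching the published address, the PIX seeing the traffic come back in on the outside interface, and the connection dying with zero bytes and a reset) can be pulled out of PIX syslog mechanically. The script below is an added example, not code from the thread or from Cisco; it parses 302013/302014 messages in the format shown in the post and flags the two signs of this hairpin. The sample lines are constructed from the post's excerpt with each message joined onto one line, and the sets of "published" (a.b.c.d) and "own edge" (u.v.w.x) addresses are assumptions taken from the poster's placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the syslog excerpt in the original post
# (placeholders a.b.c.d and u.v.w.x kept as the poster wrote them; one message per line).
SAMPLE_LOG = """\
302013: Built outbound TCP connection 271372 for outside:a.b.c.d/81 (a.b.c.d/81) to inside:192.168.7.12/2163 (192.168.47.253/28962)
302013: Built inbound TCP connection 271373 for outside:u.v.w.x/33462 (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271373 for outside:u.v.w.x/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271385 for outside:193.251.10.191/11106 (193.251.10.191/11106) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271385 for outside:193.251.10.191/11106 to DMZ_WS:192.168.137.103/81 duration 0:00:12 bytes 4831 TCP FINs
"""

# Endpoints are printed as "iface:real_addr/port (mapped_addr/port)".
BUILT_RE = re.compile(
    r"302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<a_if>[^:\s]+):(?P<a_addr>[^/\s]+)/(?P<a_port>\d+) \((?P<a_map>[^/\s]+)/\d+\) to "
    r"(?P<b_if>[^:\s]+):(?P<b_addr>[^/\s]+)/(?P<b_port>\d+) \((?P<b_map>[^/\s]+)/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for .+? duration "
    r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<nbytes>\d+)(?: (?P<reason>.*))?$"
)


@dataclass
class Endpoint:
    iface: str
    addr: str      # real (post-NAT on that interface) address
    port: int
    mapped: str    # address as seen on the other side of the PIX


@dataclass
class Conn:
    cid: int
    direction: str
    a: Endpoint    # first endpoint as printed (the outside-interface side in the post's excerpt)
    b: Endpoint
    duration: Optional[int] = None   # seconds, filled in from the 302014 message
    nbytes: Optional[int] = None
    reason: str = ""

    def on(self, iface: str) -> Optional[Endpoint]:
        """Endpoint that sits on the given interface, if any."""
        return next((ep for ep in (self.a, self.b) if ep.iface == iface), None)


def parse_log(text: str) -> Dict[int, Conn]:
    """Pair each 302013 'Built' message with its 302014 'Teardown' by connection id."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        line = line.strip()
        m = BUILT_RE.search(line)
        if m:
            cid = int(m.group("cid"))
            conns[cid] = Conn(
                cid, m.group("direction"),
                Endpoint(m.group("a_if"), m.group("a_addr"), int(m.group("a_port")), m.group("a_map")),
                Endpoint(m.group("b_if"), m.group("b_addr"), int(m.group("b_port")), m.group("b_map")),
            )
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m.group("cid")) in conns:
            c = conns[int(m.group("cid"))]
            c.duration = int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s"))
            c.nbytes = int(m.group("nbytes"))
            c.reason = m.group("reason") or ""
    return conns


def zero_byte_resets(conns: Dict[int, Conn]) -> List[int]:
    """Connections torn down immediately, with no payload, by a TCP reset."""
    return sorted(c.cid for c in conns.values()
                  if c.duration == 0 and c.nbytes == 0 and "Reset" in c.reason)


def hairpin_indicators(conns: Dict[int, Conn], published_addrs, own_edge_addrs,
                       outside_if: str = "outside") -> Dict[str, List[int]]:
    """Two signs that an inside host used a DMZ server's published (outside) address:
    an outbound connection whose outside endpoint is one of our own published addresses,
    and an inbound connection on the outside interface sourced from our own edge router."""
    inside_to_published, inbound_from_own_edge = [], []
    for c in conns.values():
        ep = c.on(outside_if)
        if ep is None:
            continue
        if c.direction == "outbound" and ep.addr in published_addrs:
            inside_to_published.append(c.cid)
        if c.direction == "inbound" and ep.addr in own_edge_addrs:
            inbound_from_own_edge.append(c.cid)
    return {"inside_to_published": sorted(inside_to_published),
            "inbound_from_own_edge": sorted(inbound_from_own_edge)}


def triage(text: str, published_addrs, own_edge_addrs) -> Dict[str, List[int]]:
    conns = parse_log(text)
    report = hairpin_indicators(conns, published_addrs, own_edge_addrs)
    report["zero_byte_resets"] = zero_byte_resets(conns)
    return report


if __name__ == "__main__":
    # Assumed values: the poster's published address a.b.c.d and router address u.v.w.x.
    print(triage(SAMPLE_LOG, {"a.b.c.d"}, {"u.v.w.x"}))
```

Run against the sample, the report names 271372 as an inside host talking to the published address, and 271373 as both the inbound hairpin arriving from the site's own router and the zero-byte reset; the genuine external connection 271385 is flagged by neither check. Pointing inside clients at the DMZ server's real address (split DNS, as Mark suggests) makes both indicators disappear, which is a cheap way to confirm the fix from the logs alone.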
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.