Solved

pix 515 and syn flag problems

Posted on 2004-04-11
3
1,507 Views
Last Modified: 2013-11-16
I have a pix 515 ( 6.3.3) in place and working well.  The outside interface is talking to a 2621 over a vlan...

isp ---------> 2621 outside int
                             |     < --- same vlan
                             |
                    pix outside int  -----> inside networks


I am changing routers and t1 providers... so I change all of my translates, accesslists, globals and routes to reflect the new public network.

the Pix and the new router can see each other AND anything that I put on the "public network VLAN"  but any traffic that the pix is supposed to pass to the inside network(s) come back with the error "inbound tcp connection denyed xxx.xxx.xxx.xxx/port to xxx.xxx.xxx.xxx/80 (or whatever port) SYN flag on interface outside" (in the syslog BTW)

after I change the acls and xlates i do a clear xlate, clear arp and dump the active connections...

I'm baffled and I am sure that it is something simple that I am missing


0
Comment
Question by:Nomad469
  • 2
3 Comments
 
LVL 4

Assisted Solution

by:hawgpig
hawgpig earned 500 total points
ID: 10803508
With out a config I can't tell...
Check your access-lists and make sure they are in the correct format.....
and make sure your statics are correct...
Access-lists should look like this
access-list permit tcp [source address] [external translated address on pix] eq port
statics should look like this
static (high security interface name, low security interface name) [low security IP ADDRESS] [high security IP ADDRESS] netmask 255.255.255.255
static (inside,outside) 67.56.45.34 192.168.10.1 netmask 255.255.255.255
Hope this helps...
basically the message you are getting.....is denying PER YOUR SECURITY SETTINGS....
Just double check the syntax on your config...
good Luck
0
 
LVL 4

Accepted Solution

by:
hawgpig earned 500 total points
ID: 10803558
I think this is the message you are getting...
This is off the cisco site...

Log Message %PIX-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags

Explanation   This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN,ACK.

The TCP_flags are as follows:

ACK—The acknowledgment number was received.


FIN—Data was sent.


PSH—The receiver passed data to the application.


RST—The connection was reset.


SYN-—Sequence numbers were synchronized to start a connection.


URG—The urgent pointer was declared valid.


Recommended Action   None required.

0
 
LVL 1

Author Comment

by:Nomad469
ID: 10821383
Ok... I feel rather lame on this one ... I hope that cisco isn't watching they'll want my cert back !!
It was connection based ... when I did the command set in word pad to do all of the changes at the same time ... I did a no on the outside acl without turning it back on ... oopps ! It was something simple... a silly little missing permission. D'oh.

Its working correctly now ... thanks for all your help!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to use a IP block on cisco 877 3 40
Cisco ASA 5505 ios upgrade 6 41
Shoretel QoS Configuration on Cisco Switches 9 40
traffic flow without STP 9 45
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now