Solved

Cisco PIX 515E SYN Timeout Errors

Posted on 2007-11-24
Last Modified: 2010-05-18
I'm trying to set up a Cisco 515e firewall. It's a basic install: all users will use the interface PAT to the internet, and there's one email server that will accept incoming SMTP for mail and HTTPS requests for webmail. I cannot get this to work and it's driving me crazy. I've included the config and the debug messages I'm constantly seeing.

: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname alpha
domain-name domainname.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.202.1.119 Einstein
access-list inside_access_in permit ip 10.202.1.0 255.255.255.0 any
access-list outside_access_in remark https://mail.domainname.net
access-list outside_access_in permit tcp any host x.x.166.43 eq https
access-list outside_access_in remark mail.domainname.net
access-list outside_access_in permit tcp any host x.x.166.43 eq smtp
pager lines 24
logging on
logging console informational
logging trap debugging
logging device-id ipaddress inside
logging host inside 10.202.1.80
mtu outside 1500
mtu inside 1500
ip address outside x.x.166.42 255.255.255.248
ip address inside 10.202.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.202.4.0 255.255.255.0 inside
pdm location 10.202.5.0 255.255.255.0 inside
pdm location 10.202.0.0 255.255.0.0 inside
pdm location Einstein 255.255.255.255 inside
pdm location 10.202.1.253 255.255.255.255 inside
pdm location 10.202.1.80 255.255.255.255 inside
pdm location x.x.166.41 255.255.255.255 outside
pdm location 10.202.11.0 255.255.255.0 inside
pdm location 10.202.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.202.0.0 255.255.0.0 0 0
static (inside,outside) x.x.166.43 Einstein netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 x.x.166.41 1
route inside 10.202.4.0 255.255.255.0 10.202.1.254 1
route inside 10.202.5.0 255.255.255.0 10.202.1.254 1
route inside 10.202.10.0 255.255.255.0 10.202.1.254 1
route inside 10.202.11.0 255.255.255.0 10.202.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.202.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:b42f7f6a2981022646ff68bb885c2dba
: end


302013: Built inbound TCP connection 505 for outside:98.192.73.70/1363 (98.192.73.70/1363) to inside:10.202.1.119/443 (x.x.166.43/443)
302014: Teardown TCP connection 494 for outside:70.222.236.6/1591 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 495 for outside:70.222.236.6/1592 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.11.40 from 10.202.1.50
302014: Teardown TCP connection 496 for outside:70.222.236.6/1593 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 497 for outside:98.192.73.70/1348 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.5.20 from 10.202.1.50
302013: Built inbound TCP connection 506 for outside:74.166.2.39/50307 (74.166.2.39/50307) to inside:10.202.1.119/443 (x.x.166.43/443)
302014: Teardown TCP connection 498 for outside:74.166.2.39/50306 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 507 for outside:98.192.73.70/1365 (98.192.73.70/1365) to inside:10.202.1.119/443 (x.x.166.43/443)
110001: No route to 10.202.5.20 from 10.202.1.50
302014: Teardown TCP connection 499 for outside:98.192.73.70/1351 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 508 for outside:58.9.4.46/21651 (58.9.4.46/21651) to inside:10.202.1.119/25 (x.x.166.43/25)

I'm at a loss; my Cisco experience is limited, but I've set them up before. Please help me.
Question by:mbulls
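The log excerpt above already contains the diagnosis if it is read systematically: every 302014 teardown for the webmail host carries "bytes 0 SYN Timeout", which means the PIX built the connection and forwarded the client's SYN but never saw a SYN/ACK come back through it before the embryonic timer expired, while the 110001 messages show the PIX failing route lookups for internal destinations. The script below is an added example (it is not from the thread and not a Cisco tool) that runs that triage over PIX 6.3 syslog: it parses 302013, 302014 and 110001 messages, aggregates them per real destination IP and port, and flags services where every torn-down inbound connection is a zero-byte SYN timeout. The sample log is the poster's console output re-joined, with the masked public address x.x.166.43 replaced by the documentation address 203.0.113.43 (an assumption; the real address is not on the page).

```python
"""Triage PIX 6.3 connection syslog (302013 / 302014 / 110001) for inbound
connections that never complete the TCP handshake."""
import re
from collections import defaultdict

# Message layouts as they appear on the PIX console in the thread above
# (the %PIX-n- severity prefix a syslog server would add is tolerated
# because the patterns are searched, not anchored at the start).
BUILT_RE = re.compile(
    r"302013: Built inbound TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
NO_ROUTE_RE = re.compile(r"110001: No route to (?P<dst>[\d.]+) from (?P<src>[\d.]+)")


def triage(lines, threshold=0.8):
    """Aggregate connection events per (real destination IP, port).

    A 302014 with 'bytes 0' and reason 'SYN Timeout' means the firewall
    forwarded the client's SYN but never saw the SYN/ACK come back through
    it before the embryonic-connection timer expired. When (nearly) every
    torn-down inbound connection to a service ends that way, suspect the
    path rather than the application: the server is down or filtering, or
    its replies never make it back out through the firewall (wrong default
    gateway on the server, or a broken default route on the PIX).
    """
    built = defaultdict(int)        # SYNs the PIX accepted and translated
    syn_timeout = defaultdict(int)  # zero-byte SYN Timeout teardowns
    other_teardown = defaultdict(int)
    no_route = defaultdict(int)     # (src, dst) -> count of 110001

    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[(m["dst"], int(m["dport"]))] += 1
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            key = (m["dst"], int(m["dport"]))
            if m["reason"] == "SYN Timeout" and m["bytes"] == "0":
                syn_timeout[key] += 1
            else:
                other_teardown[key] += 1
            continue
        m = NO_ROUTE_RE.search(line)
        if m:
            no_route[(m["src"], m["dst"])] += 1

    services = {}
    for key in set(built) | set(syn_timeout) | set(other_teardown):
        torn = syn_timeout[key] + other_teardown[key]
        ratio = syn_timeout[key] / torn if torn else 0.0
        services[key] = {
            "built": built[key],
            "syn_timeout": syn_timeout[key],
            "other_teardown": other_teardown[key],
            "syn_timeout_ratio": ratio,
        }
    flagged = sorted(k for k, s in services.items()
                     if s["syn_timeout"] and s["syn_timeout_ratio"] >= threshold)
    return {"services": services, "flagged": flagged, "no_route": dict(no_route)}


# Constructed sample: the console output from the question, re-joined, with
# the masked public address x.x.166.43 replaced by 203.0.113.43 (assumed).
SAMPLE_LOG = """\
302013: Built inbound TCP connection 505 for outside:98.192.73.70/1363 (98.192.73.70/1363) to inside:10.202.1.119/443 (203.0.113.43/443)
302014: Teardown TCP connection 494 for outside:70.222.236.6/1591 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 495 for outside:70.222.236.6/1592 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.11.40 from 10.202.1.50
302014: Teardown TCP connection 496 for outside:70.222.236.6/1593 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 497 for outside:98.192.73.70/1348 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.5.20 from 10.202.1.50
302013: Built inbound TCP connection 506 for outside:74.166.2.39/50307 (74.166.2.39/50307) to inside:10.202.1.119/443 (203.0.113.43/443)
302014: Teardown TCP connection 498 for outside:74.166.2.39/50306 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 507 for outside:98.192.73.70/1365 (98.192.73.70/1365) to inside:10.202.1.119/443 (203.0.113.43/443)
110001: No route to 10.202.5.20 from 10.202.1.50
302014: Teardown TCP connection 499 for outside:98.192.73.70/1351 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 508 for outside:58.9.4.46/21651 (58.9.4.46/21651) to inside:10.202.1.119/25 (203.0.113.43/25)
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for key in report["flagged"]:
        s = report["services"][key]
        total = s["syn_timeout"] + s["other_teardown"]
        print(f"{key[0]}:{key[1]} -> {s['syn_timeout']}/{total} teardowns are "
              f"zero-byte SYN timeouts; check the return path, not the daemon")
    for (src, dst), n in report["no_route"].items():
        print(f"110001 x{n}: PIX has no usable route to {dst} (from {src})")
```

On the sample, 10.202.1.119:443 is flagged with 6 of 6 teardowns as SYN timeouts, and 10.202.1.119:25 is not flagged because none of its connections have been torn down yet in the excerpt. The next checks a practitioner would make are the server's default gateway (it must be the PIX inside address) and the PIX route table (`show route`), which is where this thread's fault turned out to be.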
3 Comments
 

Expert Comment

by:Alan Huseyin Kayahan
ID: 20343621
Please try the following
   nat (inside) 1 10.202.1.119 255.255.255.255
cl xl (will drop connections shortly)
   Make sure 10.202.1.119 has 10.202.1.1 as gateway.



Author Comment

by:mbulls
ID: 20349621
route inside 0.0.0.0 0.0.0.0 x.x.166.41 1

This was the problem.  Should have been outside instead of in.

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 20349655
Ah :) correct
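The fault the author found is a class of mistake that is easy to catch mechanically: the default route named the inside interface but pointed at the ISP gateway, which lives on the outside subnet, so the PIX could never reach the next hop and every packet matching that route (including the return half of the inbound HTTPS and SMTP connections it had already built, and all outbound PAT traffic) went nowhere. The linter below is an added example, not from the thread and not a Cisco tool: it reads a PIX 6.3 config, records each interface's subnet from its `ip address` line, and reports every `route` whose gateway is not on the subnet of the interface the route names, telling you which interface actually holds it. The sample config is the relevant excerpt of the posted one with the masked public block x.x.166.40/29 replaced by the documentation prefix 203.0.113.40/29 (an assumption; the real addresses are not on the page).

```python
"""Check that every static route on a PIX 6.3 names the interface whose
subnet actually contains the next-hop address."""
import ipaddress
import re

IP_ADDRESS_RE = re.compile(r"^ip address (?P<if>\S+) (?P<ip>[\d.]+) (?P<mask>[\d.]+)")
ROUTE_RE = re.compile(
    r"^route (?P<if>\S+) (?P<net>[\d.]+) (?P<mask>[\d.]+) (?P<gw>[\d.]+)(?: (?P<metric>\d+))?"
)


def lint_routes(config_text):
    """Return one finding per route whose gateway is not on the subnet of
    the interface named in the route.

    The PIX forwards traffic matching a route out of the named interface
    and must resolve the gateway there, so a gateway that sits on another
    interface's subnet is unreachable and the route blackholes whatever
    it matches. For a default route that is everything not covered by a
    more specific route, including replies to inbound connections.
    """
    ifaces = {}   # interface name -> IPv4Network of its connected subnet
    routes = []   # (original line, regex match)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IP_ADDRESS_RE.match(line)
        if m:
            ifaces[m["if"]] = ipaddress.ip_interface(f"{m['ip']}/{m['mask']}").network
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((line, m))

    findings = []
    for line, m in routes:
        gw = ipaddress.ip_address(m["gw"])
        net = ifaces.get(m["if"])
        if net is None:
            findings.append({"line": line, "interface": m["if"], "gateway": str(gw),
                             "on_interface": None,
                             "problem": f"interface {m['if']} has no ip address line"})
            continue
        if gw in net:
            continue  # gateway is directly reachable on the named interface
        owner = next((name for name, n in ifaces.items() if gw in n), None)
        if owner:
            detail = f"it is on {owner} ({ifaces[owner]}), so the route should name {owner}"
        else:
            detail = "it is on no configured interface"
        findings.append({
            "line": line,
            "interface": m["if"],
            "gateway": str(gw),
            "on_interface": owner,
            "problem": f"gateway {gw} is not on {m['if']} ({net}); {detail}",
        })
    return findings


# Constructed excerpt of the posted config with the masked public block
# x.x.166.40/29 replaced by 203.0.113.40/29 (assumed, not the real block).
BROKEN_CONFIG = """\
ip address outside 203.0.113.42 255.255.255.248
ip address inside 10.202.1.1 255.255.255.0
route inside 0.0.0.0 0.0.0.0 203.0.113.41 1
route inside 10.202.4.0 255.255.255.0 10.202.1.254 1
route inside 10.202.5.0 255.255.255.0 10.202.1.254 1
"""

# The fix the author arrived at: the default route names the outside interface.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "route inside 0.0.0.0 0.0.0.0", "route outside 0.0.0.0 0.0.0.0"
)

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        findings = lint_routes(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['line']}\n    {f['problem']}")
```

Run as-is it reports exactly one finding for the "before" config (the default route, with the advice to name `outside`) and none for the "after" config; the routes to 10.202.4.0/24 and 10.202.5.0/24 via 10.202.1.254 pass because that gateway is on the inside subnet. The check only validates reachability of the next hop; it does not know whether 10.202.1.254 really is a router, so it complements rather than replaces `show route` and a ping of each gateway from the PIX.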
