Solved

Cisco PIX 515E SYN Timeout Errors

Posted on 2007-11-24
6,029 Views
Last Modified: 2010-05-18
I'm trying to set up a Cisco 515e firewall. It's a basic install: all users will use the interface PAT to the internet, and there's one email server that will accept incoming SMTP for mail and HTTPS requests for webmail. I cannot get this to work and it's driving me crazy. I've included the config and the debug messages I'm constantly seeing.

: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname alpha
domain-name domainname.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.202.1.119 Einstein
access-list inside_access_in permit ip 10.202.1.0 255.255.255.0 any
access-list outside_access_in remark https://mail.domainname.net
access-list outside_access_in permit tcp any host x.x.166.43 eq https
access-list outside_access_in remark mail.domainname.net
access-list outside_access_in permit tcp any host x.x.166.43 eq smtp
pager lines 24
logging on
logging console informational
logging trap debugging
logging device-id ipaddress inside
logging host inside 10.202.1.80
mtu outside 1500
mtu inside 1500
ip address outside x.x.166.42 255.255.255.248
ip address inside 10.202.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.202.4.0 255.255.255.0 inside
pdm location 10.202.5.0 255.255.255.0 inside
pdm location 10.202.0.0 255.255.0.0 inside
pdm location Einstein 255.255.255.255 inside
pdm location 10.202.1.253 255.255.255.255 inside
pdm location 10.202.1.80 255.255.255.255 inside
pdm location x.x.166.41 255.255.255.255 outside
pdm location 10.202.11.0 255.255.255.0 inside
pdm location 10.202.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.202.0.0 255.255.0.0 0 0
static (inside,outside) x.x.166.43 Einstein netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 x.x.166.41 1
route inside 10.202.4.0 255.255.255.0 10.202.1.254 1
route inside 10.202.5.0 255.255.255.0 10.202.1.254 1
route inside 10.202.10.0 255.255.255.0 10.202.1.254 1
route inside 10.202.11.0 255.255.255.0 10.202.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.202.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:b42f7f6a2981022646ff68bb885c2dba
: end


302013: Built inbound TCP connection 505 for outside:98.192.73.70/1363 (98.192.73.70/1363) to inside:10.202.1.119/443 (x.x.166.43/443)
302014: Teardown TCP connection 494 for outside:70.222.236.6/1591 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 495 for outside:70.222.236.6/1592 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.11.40 from 10.202.1.50
302014: Teardown TCP connection 496 for outside:70.222.236.6/1593 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 497 for outside:98.192.73.70/1348 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.5.20 from 10.202.1.50
302013: Built inbound TCP connection 506 for outside:74.166.2.39/50307 (74.166.2.39/50307) to inside:10.202.1.119/443 (x.x.166.43/443)
302014: Teardown TCP connection 498 for outside:74.166.2.39/50306 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 507 for outside:98.192.73.70/1365 (98.192.73.70/1365) to inside:10.202.1.119/443 (x.x.166.43/443)
110001: No route to 10.202.5.20 from 10.202.1.50
302014: Teardown TCP connection 499 for outside:98.192.73.70/1351 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 508 for outside:58.9.4.46/21651 (58.9.4.46/21651) to inside:10.202.1.119/25 (x.x.166.43/25)

I'm at a loss; my Cisco experience is limited, but I've set them up before. Please help me.
Question by:mbulls
Expert Comment

by:Alan Huseyin Kayahan
ID: 20343621
Please try the following:
   nat (inside) 1 10.202.1.119 255.255.255.255
   cl xl (will drop connections shortly)
   Make sure 10.202.1.119 has 10.202.1.1 as gateway.


Author Comment

by:mbulls
ID: 20349621
route inside 0.0.0.0 0.0.0.0 x.x.166.41 1

This was the problem.  Should have been outside instead of in.
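A way to automate the two checks this thread turns on, as an added example that is not part of the original post and not a Cisco tool: the first function parses the `ip address` and `route` lines of a PIX 6.3 config and flags any static route whose next hop does not sit on the subnet of the interface named in the route (which is exactly what `route inside 0.0.0.0 0.0.0.0 x.x.166.41 1` does here, because x.x.166.41 belongs to the outside /29, not to 10.202.1.0/24); the second tallies `302014` teardowns that ended in a zero-byte SYN Timeout, grouped by the inside host and port that never completed the handshake. The config excerpt and syslog lines are constructed to mirror the ones in the question, with RFC 5737 documentation addresses standing in for the masked and public IPs.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt modelled on the PIX 6.3 config in the question.
# 203.0.113.x stands in for the masked x.x.166.x outside addresses.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.42 255.255.255.248
ip address inside 10.202.1.1 255.255.255.0
route inside 0.0.0.0 0.0.0.0 203.0.113.41 1
route inside 10.202.4.0 255.255.255.0 10.202.1.254 1
route inside 10.202.5.0 255.255.255.0 10.202.1.254 1
"""

# Constructed syslog lines in the 302013/302014/110001 format shown above;
# the remote addresses are documentation-range placeholders.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 505 for outside:198.51.100.7/1363 (198.51.100.7/1363) to inside:10.202.1.119/443 (203.0.113.43/443)
302014: Teardown TCP connection 494 for outside:198.51.100.9/1591 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 495 for outside:198.51.100.9/1592 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.11.40 from 10.202.1.50
302014: Teardown TCP connection 496 for outside:198.51.100.7/1348 to inside:10.202.1.119/25 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 497 for outside:198.51.100.7/1350 to inside:10.202.1.119/443 duration 0:00:12 bytes 5120 TCP FINs
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def interface_networks(config):
    """Map each interface name to the IPv4 network its 'ip address' line puts it on."""
    nets = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            ifname, addr, mask = m.groups()
            nets[ifname] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return nets


def check_routes(config):
    """Return (route_line, reason) for every static route whose next hop is not
    directly reachable on the interface the route names."""
    nets = interface_networks(config)
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, _dest, _mask, gw = m.group(1, 2, 3, 4)
        gw_ip = ipaddress.IPv4Address(gw)
        if ifname not in nets:
            findings.append((line, f"unknown interface {ifname}"))
            continue
        if gw_ip not in nets[ifname]:
            # Name the interface that actually owns the next hop, if any.
            owner = next((n for n, net in nets.items() if gw_ip in net), None)
            reason = f"next hop {gw} is not on {ifname} ({nets[ifname]})"
            if owner:
                reason += f"; it lies on {owner}"
            findings.append((line, reason))
    return findings


TEARDOWN_RE = re.compile(
    r"^302014: Teardown TCP connection \d+ for (\w+):(\S+)/(\d+) to (\w+):(\S+)/(\d+) "
    r"duration (\S+) bytes (\d+) (.+)$"
)


def syn_timeouts(log):
    """Count teardowns that ended as a zero-byte SYN Timeout, keyed by the
    inside interface, host and port that never answered the handshake."""
    counts = Counter()
    for line in log.splitlines():
        m = TEARDOWN_RE.match(line.strip())
        if not m:
            continue
        _sif, _src, _sport, dst_if, dst, dport, _dur, nbytes, reason = m.groups()
        if reason == "SYN Timeout" and int(nbytes) == 0:
            counts[f"{dst_if}:{dst}/{dport}"] += 1
    return counts


if __name__ == "__main__":
    for line, reason in check_routes(SAMPLE_CONFIG):
        print(f"route problem: {line!r}: {reason}")
    for key, n in syn_timeouts(SAMPLE_LOG).most_common():
        print(f"{n} zero-byte SYN timeouts toward {key}")
```

Read together, the two results point the same way: a `302013 Built` followed by a zero-byte `SYN Timeout` teardown means the firewall accepted and translated the SYN through the static and the outside ACL, but never saw the server's SYN-ACK come back, so the fault is on the return path (the firewall's own routing or the server's gateway) rather than in the access list, and the route check names the offending line.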

Accepted Solution

by: Alan Huseyin Kayahan (earned 500 total points)
ID: 20349655
Ah :) correct