mbulls

asked on

Cisco PIX 515E SYN Timeout Errors

I'm trying to set up a Cisco 515e firewall. It's a basic install: all users will use the interface PAT to the internet, and there's one email server that will accept incoming SMTP for mail and HTTPS requests for webmail. I cannot get this to work and it's driving me crazy. I've included the config and the debug messages I'm constantly seeing.

: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname alpha
domain-name domainname.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.202.1.119 Einstein
access-list inside_access_in permit ip 10.202.1.0 255.255.255.0 any
access-list outside_access_in remark https://mail.domainname.net
access-list outside_access_in permit tcp any host x.x.166.43 eq https
access-list outside_access_in remark mail.domainname.net
access-list outside_access_in permit tcp any host x.x.166.43 eq smtp
pager lines 24
logging on
logging console informational
logging trap debugging
logging device-id ipaddress inside
logging host inside 10.202.1.80
mtu outside 1500
mtu inside 1500
ip address outside x.x.166.42 255.255.255.248
ip address inside 10.202.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.202.4.0 255.255.255.0 inside
pdm location 10.202.5.0 255.255.255.0 inside
pdm location 10.202.0.0 255.255.0.0 inside
pdm location Einstein 255.255.255.255 inside
pdm location 10.202.1.253 255.255.255.255 inside
pdm location 10.202.1.80 255.255.255.255 inside
pdm location x.x.166.41 255.255.255.255 outside
pdm location 10.202.11.0 255.255.255.0 inside
pdm location 10.202.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.202.0.0 255.255.0.0 0 0
static (inside,outside) x.x.166.43 Einstein netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 x.x.166.41 1
route inside 10.202.4.0 255.255.255.0 10.202.1.254 1
route inside 10.202.5.0 255.255.255.0 10.202.1.254 1
route inside 10.202.10.0 255.255.255.0 10.202.1.254 1
route inside 10.202.11.0 255.255.255.0 10.202.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.202.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:b42f7f6a2981022646ff68bb885c2dba
: end


302013: Built inbound TCP connection 505 for outside:98.192.73.70/1363 (98.192.73.70/1363) to inside:10.202.1.119/443 (x.x.166.43/443)
302014: Teardown TCP connection 494 for outside:70.222.236.6/1591 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 495 for outside:70.222.236.6/1592 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.11.40 from 10.202.1.50
302014: Teardown TCP connection 496 for outside:70.222.236.6/1593 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 497 for outside:98.192.73.70/1348 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
110001: No route to 10.202.5.20 from 10.202.1.50
302013: Built inbound TCP connection 506 for outside:74.166.2.39/50307 (74.166.2.39/50307) to inside:10.202.1.119/443 (x.x.166.43/443)
302014: Teardown TCP connection 498 for outside:74.166.2.39/50306 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 507 for outside:98.192.73.70/1365 (98.192.73.70/1365) to inside:10.202.1.119/443 (x.x.166.43/443)
110001: No route to 10.202.5.20 from 10.202.1.50
302014: Teardown TCP connection 499 for outside:98.192.73.70/1351 to inside:10.202.1.119/443 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 508 for outside:58.9.4.46/21651 (58.9.4.46/21651) to inside:10.202.1.119/25 (x.x.166.43/25)

I'm at a loss; my Cisco experience is limited, but I've set them up before. Please help me.
Alan Huseyin Kayahan

Please try the following:
   nat (inside) 1 10.202.1.119 255.255.255.255
   cl xl (will drop connections shortly)
   Make sure 10.202.1.119 has 10.202.1.1 as gateway.


mbulls

ASKER

route inside 0.0.0.0 0.0.0.0 x.x.166.41 1

This was the problem.  Should have been outside instead of in.
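As an added check that is not part of the question or of any answer on this page, a small Python linter for the mistake fixed here: it parses the ip address and route lines of a PIX 6.x config and flags any static route whose next hop does not sit on the subnet of the interface the route names (the posted default route pointed the outside gateway at the inside interface). The sample config is constructed from the question, with the masked x.x.166.x outside addresses replaced by placeholders from the 203.0.113.0/24 documentation range so they parse.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the posted config, with the
# x.x.166.x outside addresses replaced by 203.0.113.x placeholders.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.42 255.255.255.248
ip address inside 10.202.1.1 255.255.255.0
route inside 0.0.0.0 0.0.0.0 203.0.113.41 1
route inside 10.202.4.0 255.255.255.0 10.202.1.254 1
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(config):
    """Map interface name -> ip_interface (address plus mask) from 'ip address' lines."""
    ifaces = {}
    for line in config.splitlines():
        m = IP_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def check_routes(config):
    """Return (route_line, problem) pairs for static routes whose next hop
    is not on the subnet of the interface named in the route."""
    ifaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        iface, _net, _mask, gw = m.groups()[:4]
        gw_addr = ipaddress.ip_address(gw)
        if iface not in ifaces:
            findings.append((line, f"unknown interface {iface}"))
            continue
        if gw_addr not in ifaces[iface].network:
            # Name the interface whose subnet actually contains the next hop.
            owner = [n for n, i in ifaces.items() if gw_addr in i.network]
            hint = f"; next hop is on {owner[0]}" if owner else ""
            findings.append((line, f"next hop {gw} not on {iface} subnet{hint}"))
    return findings


if __name__ == "__main__":
    for route, problem in check_routes(SAMPLE_CONFIG):
        print(f"{route}\n    -> {problem}")
```

Run against the sample, only the default route is reported, and the hint names outside as the interface the gateway really belongs to.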
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan