asked on
SYN on interface outside
Hi,
I have a number of static IP addresses from my provider. I am using static nat for a number of internal hosts and trying to add another static nat but with another static ip.
I have added the static ip to nat to an internal ip as per usual and allowed the access list from a particular host to the address. But i am receiving an error in my logs and the user can't connect:
Inbound TCP connection denied from 91.123.*.*/43669 to MY PUBLIC IP flags syn on interface outside
Details from my config:
global (outside) 2 MY PUBLIC IP
nat (inside) 2 10.0.26.5 255.255.255.255
access-list outside_access_in extended permit tcp host 91.123.*.* host 10.0.26.5
Anyone see anything wrong at all?
I have a number of static IP addresses from my provider. I am using static nat for a number of internal hosts and trying to add another static nat but with another static ip.
I have added the static ip to nat to an internal ip as per usual and allowed the access list from a particular host to the address. But i am receiving an error in my logs and the user can't connect:
Inbound TCP connection denied from 91.123.*.*/43669 to MY PUBLIC IP flags syn on interface outside
Details from my config:
global (outside) 2 MY PUBLIC IP
nat (inside) 2 10.0.26.5 255.255.255.255
access-list outside_access_in extended permit tcp host 91.123.*.* host 10.0.26.5
Anyone see anything wrong at all?
CiscoHardware Firewalls
Last Comment
Voltz-dk
What you have made is not a static NAT, but a dynamic one. You need do something like:
static (inside,outside)
static (inside,outside)
Oh, and another thing. You need to specify the public IP in your access-list.
ASKER
This is an example of my configuation. Some of my other Nats are working ok, for example for SMTP and FTP.
The one I am having issues with is VNC.
access-list outside_access_in extended permit tcp host PUBLIC IP interface outside eq 5900
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5900 10.0.26.17 5900 netmask 255.255.255.255
It looks like the connection is being allowed, it's not denied on the logs anyway. After about a minute it times out though and in the logs:
Built Inbound TCP connection for Public IP
Then I get Teardown TCP conneciton with a SYN timeout.
Any ideas at all????
The one I am having issues with is VNC.
access-list outside_access_in extended permit tcp host PUBLIC IP interface outside eq 5900
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5900 10.0.26.17 5900 netmask 255.255.255.255
It looks like the connection is being allowed, it's not denied on the logs anyway. After about a minute it times out though and in the logs:
Built Inbound TCP connection for Public IP
Then I get Teardown TCP conneciton with a SYN timeout.
Any ideas at all????
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Just an update, i have resolved this issue partially by changing outside email address, i dont get the error denying access in anymore.
However external seems to connect but then timesout.
From the logs:
Built TCP connection for host ...
then
Syn timeout, and it times out on the external parties side also.