Deny TCP (no connection) from 1.2.3.4/80 to 5.6.7.8/36214 flags ACK

yanks2112

Hi All

I am getting the above message on my PIX 515 7.04 logs after I try to access a particular web site. When I try to access the page it "loops".

I am NATing and using the outside interface as my public IP. If I do not use NAT (or one-to-one NAT) using an available public IP, I can view the website through my PIX.

My question is: can I make exceptions for this traffic based on the IPs of the web site I am trying to access (there are three of them)? I have tried adding them to my outbound and inbound access-lists but that hasn't worked. Hopefully this makes sense to somebody! Thanks
 
The problem is exactly what is being said in the error: "no connection".

For some reason the connection to the web server was closed. You could do a capture to try to determine what is happening in the flow:

access-list cap_acl permit tcp host sss.sss.sss.sss host ddd.ddd.ddd.ddd
access-list cap_acl permit tcp host ddd.ddd.ddd.ddd host sss.sss.sss.sss

cap cap_traff access-list cap_acl in interface inside

sss.sss.sss.sss is source IP of your client
ddd.ddd.ddd.ddd is destination



Try the traffic. After a good failure do a "sh cap cap_traff" and post the results. When done do a no cap cap_traff.


Hard to tell exactly what is going on here. Is the referenced IP in the no connection found error the same IP you are accessing to get to the website? Can you give us the website?

 
Hi NetworkGhost,

Thanks for the reply. The website is:
Below is the output. I changed my internal IP to 1.2.3.4; the destination IPs are the same.

102 packets captured
1: 20:55:30.318602 1.2.3.4.3390 > 216.37.74.93.80: S 2166126802:21661268
02(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 20:55:30.382930 216.37.74.93.80 > 1.2.3.4.3390: S 688668123:688668123
(0) ack 2166126803 win 16560 <mss 1380,nop,nop,sackOK>
3: 20:55:30.383357 1.2.3.4.3390 > 216.37.74.93.80: . ack 688668124 win 6
5535
4: 20:55:30.383753 1.2.3.4.3390 > 216.37.74.93.80: P 2166126803:21661275
44(741) ack 688668124 win 65535
5: 20:55:30.469534 216.37.74.93.80 > 1.2.3.4.3390: . 688668124:688669504
(1380) ack 2166127544 win 15819
6: 20:55:30.469595 216.37.74.93.80 > 1.2.3.4.3390: P 688669504:688670557
(1053) ack 2166127544 win 15819
7: 20:55:30.470221 1.2.3.4.3390 > 216.37.74.93.80: . ack 688670557 win 6
5535
8: 20:55:30.488957 1.2.3.4.3344 > 216.37.74.69.80: P 2209091965:22090925
24(559) ack 2658692315 win 64551
9: 20:55:30.491948 1.2.3.4.3390 > 216.37.74.93.80: P 2166127544:21661281
10(566) ack 688670557 win 65535
10: 20:55:30.492238 1.2.3.4.3340 > 216.37.74.69.80: P 2984166008:29841665
27(519) ack 2338697184 win 65535
11: 20:55:30.492589 1.2.3.4.3341 > 216.37.74.94.80: . 2659503097:26595044
77(1380) ack 270077444 win 65535
12: 20:55:30.492879 1.2.3.4.3341 > 216.37.74.94.80: P 2659504477:26595047
54(277) ack 270077444 win 65535
13: 20:55:30.495259 1.2.3.4.3392 > 216.37.74.94.80: S 2337048926:23370489
26(0) win 65535 <mss 1460,nop,nop,sackOK>
14: 20:55:30.571427 216.37.74.69.80 > 1.2.3.4.3344: . 2658692315:26586936
95(1380) ack 2209092524 win 16560
15: 20:55:30.571534 216.37.74.69.80 > 1.2.3.4.3344: P 2658693695:26586947
53(1058) ack 2209092524 win 16560
16: 20:55:30.572098 1.2.3.4.3344 > 216.37.74.69.80: . ack 2658694753 win
65535
17: 20:55:30.572190 1.2.3.4.3344 > 216.37.74.69.80: R 2209092524:22090925
24(0) ack 2658694753 win 0
18: 20:55:30.572693 216.37.74.94.80 > 1.2.3.4.3392: S 2470069131:24700691
31(0) ack 2337048927 win 16560 <mss 1380,nop,nop,sackOK>
19: 20:55:30.573014 1.2.3.4.3393 > 216.37.74.69.80: S 1244787999:12447879
99(0) win 65535 <mss 1460,nop,nop,sackOK>
20: 20:55:30.573838 1.2.3.4.3392 > 216.37.74.94.80: . ack 2470069132 win
65535
21: 20:55:30.573914 216.37.74.94.80 > 1.2.3.4.3341: . ack 2659504754 win
16560
22: 20:55:30.573990 1.2.3.4.3392 > 216.37.74.94.80: . 2337048927:23370503
07(1380) ack 2470069132 win 65535
23: 20:55:30.574112 1.2.3.4.3392 > 216.37.74.94.80: P 2337050307:23370505
91(284) ack 2470069132 win 65535
24: 20:55:30.586837 216.37.74.94.80 > 1.2.3.4.3341: . 270077444:270078824
(1380) ack 2659504754 win 16560
25: 20:55:30.586914 216.37.74.94.80 > 1.2.3.4.3341: P 270078824:270079739
(915) ack 2659504754 win 16560
26: 20:55:30.587402 1.2.3.4.3341 > 216.37.74.94.80: . ack 270079739 win 6
5535
27: 20:55:30.623258 216.37.74.69.80 > 1.2.3.4.3340: P 2338697184:23386978
18(634) ack 2984166527 win 16041
28: 20:55:30.640164 216.37.74.69.80 > 1.2.3.4.3393: S 3011661119:30116611
19(0) ack 1244788000 win 16560 <mss 1380,nop,nop,sackOK>
29: 20:55:30.640668 1.2.3.4.3393 > 216.37.74.69.80: . ack 3011661120 win
65535
30: 20:55:30.640836 1.2.3.4.3393 > 216.37.74.69.80: P 1244788000:12447885
42(542) ack 3011661120 win 65535
31: 20:55:30.649075 216.37.74.94.80 > 1.2.3.4.3392: . ack 2337050591 win
16560
32: 20:55:30.656505 216.37.74.93.80 > 1.2.3.4.3390: P 688670557:688671156
(599) ack 2166128110 win 15253
33: 20:55:30.663845 216.37.74.94.80 > 1.2.3.4.3392: . 2470069132:24700705
12(1380) ack 2337050591 win 16560
34: 20:55:30.664607 216.37.74.94.80 > 1.2.3.4.3392: . 2470070512:24700718
92(1380) ack 2337050591 win 16560
35: 20:55:30.666011 1.2.3.4.3392 > 216.37.74.94.80: . ack 2470071892 win
65535
36: 20:55:30.666057 1.2.3.4.3392 > 216.37.74.94.80: R 2337050591:23370505
91(0) ack 2470071892 win 0
37: 20:55:30.703210 1.2.3.4.3390 > 216.37.74.93.80: . ack 688671156 win 6
4936
38: 20:55:30.703332 1.2.3.4.3340 > 216.37.74.69.80: . ack 2338697818 win
64901
39: 20:55:30.711999 216.37.74.69.80 > 1.2.3.4.3393: P 3011661120:30116614
70(350) ack 1244788542 win 16018
40: 20:55:30.729393 1.2.3.4.3390 > 216.37.74.93.80: P 2166128110:21661287
60(650) ack 688671156 win 64936
41: 20:55:30.802616 216.37.74.93.80 > 1.2.3.4.3390: P 688671156:688671718
(562) ack 2166128760 win 16560
42: 20:55:30.803776 1.2.3.4.3390 > 216.37.74.93.80: P 2166128760:21661295
01(741) ack 688671718 win 64374
43: 20:55:30.883499 216.37.74.93.80 > 1.2.3.4.3390: . 688671718:688673098
(1380) ack 2166129501 win 15819
44: 20:55:30.883575 216.37.74.93.80 > 1.2.3.4.3390: P 688673098:688674151
(1053) ack 2166129501 win 15819
45: 20:55:30.884063 1.2.3.4.3390 > 216.37.74.93.80: . ack 688674151 win 6
5535
46: 20:55:30.903456 1.2.3.4.3340 > 216.37.74.69.80: P 2984166527:29841670
46(519) ack 2338697818 win 64901
47: 20:55:30.903822 1.2.3.4.3390 > 216.37.74.93.80: P 2166129501:21661300
67(566) ack 688674151 win 65535
48: 20:55:30.904158 1.2.3.4.3341 > 216.37.74.94.80: . 2659504754:26595061
34(1380) ack 270079739 win 65535
49: 20:55:30.904265 1.2.3.4.3341 > 216.37.74.94.80: P 2659506134:26595064
11(277) ack 270079739 win 65535
50: 20:55:30.904982 1.2.3.4.3393 > 216.37.74.69.80: . ack 3011661470 win
65185
51: 20:55:30.906203 1.2.3.4.3394 > 216.37.74.94.80: S 2112803886:21128038
86(0) win 65535 <mss 1460,nop,nop,sackOK>
52: 20:55:30.978144 216.37.74.94.80 > 1.2.3.4.3341: . ack 2659504754 win
16560 <nop,nop,sack sack 1 {3120743013:3120743290} >
53: 20:55:30.979090 216.37.74.94.80 > 1.2.3.4.3394: S 2920609944:29206099
44(0) ack 2112803887 win 16560 <mss 1380,nop,nop,sackOK>
54: 20:55:30.979151 216.37.74.94.80 > 1.2.3.4.3341: . ack 2659506411 win
16560
55: 20:55:30.979227 1.2.3.4.3394 > 216.37.74.94.80: . ack 2920609945 win
65535
56: 20:55:30.979533 1.2.3.4.3394 > 216.37.74.94.80: . 2112803887:21128052
67(1380) ack 2920609945 win 65535
57: 20:55:30.979853 1.2.3.4.3394 > 216.37.74.94.80: P 2112805267:21128055
51(284) ack 2920609945 win 65535
58: 20:55:30.993448 216.37.74.94.80 > 1.2.3.4.3341: . 270079739:270081119
(1380) ack 2659506411 win 16560
59: 20:55:30.993509 216.37.74.94.80 > 1.2.3.4.3341: P 270081119:270082034
(915) ack 2659506411 win 16560
60: 20:55:30.993814 1.2.3.4.3341 > 216.37.74.94.80: . ack 270082034 win 6
5535
61: 20:55:31.054379 216.37.74.94.80 > 1.2.3.4.3394: . ack 2112805551 win
16560
62: 20:55:31.062206 216.37.74.93.80 > 1.2.3.4.3390: P 688674151:688674750
(599) ack 2166130067 win 15253
63: 20:55:31.065517 216.37.74.69.80 > 1.2.3.4.3340: P 2338697818:23386984
52(634) ack 2984167046 win 15522
64: 20:55:31.071529 216.37.74.94.80 > 1.2.3.4.3394: . 2920609945:29206113
25(1380) ack 2112805551 win 16560
65: 20:55:31.071636 216.37.74.94.80 > 1.2.3.4.3394: . 2920611325:29206127
05(1380) ack 2112805551 win 16560
66: 20:55:31.072261 1.2.3.4.3394 > 216.37.74.94.80: . ack 2920612705 win
65535
67: 20:55:31.073574 1.2.3.4.3394 > 216.37.74.94.80: R 2112805551:21128055
51(0) ack 2920612705 win 0
68: 20:55:31.079784 1.2.3.4.3390 > 216.37.74.93.80: P 2166130067:21661307
17(650) ack 688674750 win 64936
69: 20:55:31.152976 216.37.74.93.80 > 1.2.3.4.3390: P 688674750:688675312
(562) ack 2166130717 win 16560
70: 20:55:31.154365 1.2.3.4.3390 > 216.37.74.93.80: P 2166130717:21661314
58(741) ack 688675312 win 64374
71: 20:55:31.233035 1.2.3.4.3340 > 216.37.74.69.80: . ack 2338698452 win
64267
72: 20:55:31.233142 216.37.74.93.80 > 1.2.3.4.3390: . 688675312:688676692
(1380) ack 2166131458 win 15819
73: 20:55:31.233233 216.37.74.93.80 > 1.2.3.4.3390: P 688676692:688677745
(1053) ack 2166131458 win 15819
74: 20:55:31.233783 1.2.3.4.3390 > 216.37.74.93.80: . ack 688677745 win 6
5535
75: 20:55:31.253160 1.2.3.4.3390 > 216.37.74.93.80: P 2166131458:21661320
24(566) ack 688677745 win 65535
76: 20:55:31.253542 1.2.3.4.3393 > 216.37.74.69.80: P 1244788542:12447890
61(519) ack 3011661470 win 65185
77: 20:55:31.254030 1.2.3.4.3341 > 216.37.74.94.80: . 2659506411:26595077
91(1380) ack 270082034 win 65535
78: 20:55:31.254305 1.2.3.4.3341 > 216.37.74.94.80: P 2659507791:26595080
68(277) ack 270082034 win 65535
79: 20:55:31.255357 1.2.3.4.3395 > 216.37.74.94.80: S 832352356:832352356
(0) win 65535 <mss 1460,nop,nop,sackOK>
80: 20:55:31.327085 216.37.74.94.80 > 1.2.3.4.3395: S 4225005783:42250057
83(0) ack 832352357 win 16560 <mss 1380,nop,nop,sackOK>
81: 20:55:31.327268 1.2.3.4.3395 > 216.37.74.94.80: . ack 4225005784 win
65535
82: 20:55:31.327558 1.2.3.4.3395 > 216.37.74.94.80: . 832352357:832353737
(1380) ack 4225005784 win 65535
83: 20:55:31.327848 1.2.3.4.3395 > 216.37.74.94.80: P 832353737:832354021
(284) ack 4225005784 win 65535
84: 20:55:31.327970 216.37.74.94.80 > 1.2.3.4.3341: . ack 2659506411 win
16560 <nop,nop,sack sack 1 {3120744670:3120744947} >
85: 20:55:31.328916 216.37.74.94.80 > 1.2.3.4.3341: . ack 2659508068 win
16560
86: 20:55:31.341870 216.37.74.94.80 > 1.2.3.4.3341: . 270082034:270083414
(1380) ack 2659508068 win 16560
87: 20:55:31.341947 216.37.74.94.80 > 1.2.3.4.3341: P 270083414:270084329
(915) ack 2659508068 win 16560
88: 20:55:31.342862 1.2.3.4.3341 > 216.37.74.94.80: . ack 270084329 win 6
5535
89: 20:55:31.390055 216.37.74.93.80 > 1.2.3.4.3390: P 688677745:688678344
(599) ack 2166132024 win 15253
90: 20:55:31.402033 216.37.74.94.80 > 1.2.3.4.3395: . ack 832354021 win 1
6560
91: 20:55:31.408197 216.37.74.69.80 > 1.2.3.4.3393: P 3011661470:30116621
04(634) ack 1244789061 win 15499
92: 20:55:31.417916 216.37.74.94.80 > 1.2.3.4.3395: . 4225005784:42250071
64(1380) ack 832354021 win 16560
93: 20:55:31.418038 216.37.74.94.80 > 1.2.3.4.3395: . 4225007164:42250085
44(1380) ack 832354021 win 16560
94: 20:55:31.418450 1.2.3.4.3395 > 216.37.74.94.80: . ack 4225008544 win
65535
95: 20:55:31.420296 1.2.3.4.3395 > 216.37.74.94.80: R 832354021:832354021
(0) ack 4225008544 win 0
96: 20:55:31.428627 1.2.3.4.3390 > 216.37.74.93.80: P 2166132024:21661326
74(650) ack 688678344 win 64936
97: 20:55:31.501469 216.37.74.93.80 > 1.2.3.4.3390: P 688678344:688678906
(562) ack 2166132674 win 16560
98: 20:55:31.502720 1.2.3.4.3390 > 216.37.74.93.80: P 2166132674:21661334
15(741) ack 688678906 win 64374
99: 20:55:31.561158 1.2.3.4.3393 > 216.37.74.69.80: . ack 3011662104 win
64551
100: 20:55:31.582245 216.37.74.93.80 > 1.2.3.4.3390: . 688678906:688680286
(1380) ack 2166133415 win 15819
101: 20:55:31.582336 216.37.74.93.80 > 1.2.3.4.3390: P 688680286:688681339
(1053) ack 2166133415 win 15819
102: 20:55:31.582947 1.2.3.4.3390 > 216.37.74.93.80: . ack 688681339 win 6
5535
102 packets shown
 
From your internal host I see 3 reset packets being sent. This could be for several reasons. Did you get the no conn error for this flow?

Please post it if you did.

 
Here's the output from the syslog from that flow. Thanks again for your help.

<166>Feb 25 2008 20:55:30: %PIX-6-302013: Built outbound TCP connection 17980100 for outside:216.37.74.94/80 (216.37.74.94/80) to inside:1.2.3.4/3394 (5.6.7.8/16489)
<165>Feb 25 2008 20:55:30: %PIX-5-304001: 1.2.3.4Accessed URL 216.37.74.94:/ping/global_ping.aspx?u=20342&first=1&g=1227F325AEBF43ED9F201D414F32F7E7&RememberMe=
<166>Feb 25 2008 20:55:31: %PIX-6-302014: Teardown TCP connection 17980100 for outside:216.37.74.94/80 to inside:1.2.3.4/3394 duration 0:00:00 bytes 4424 TCP Reset-I
<165>Feb 25 2008 20:55:31: %PIX-5-304001: 10.76.252.22 Accessed URL 216.37.74.93:/newcme/launcher.asp?test=751
<166>Feb 25 2008 20:55:31: %PIX-6-106015: Deny TCP (no connection) from 216.37.74.94/80 to 5.6.7.8/16489 flags RST on interface outside
 
What are you accessing when the failure occurs? We obviously see that the connection is getting reset by your host. There may be more to this.

66: 20:55:31.072261 1.2.3.4.3394 > 216.37.74.94.80: . ack 2920612705 win
65535
67: 20:55:31.073574 1.2.3.4.3394 > 216.37.74.94.80: R 2112805551:21128055
51(0) ack 2920612705 win 0

Do the capture again to include all of the webservers, but this time let's do ip instead of tcp in the capture. Just modify the ACL. Have to get both ways for each server.

Is this the URL you are trying when it fails?

%PIX-5-304001: 1.2.3.4Accessed URL 216.37.74.94:/ping/global_ping.aspx?u=20342&first=1&g=1227F325AEBF43ED9F201D414F32F7E7&RememberMe=
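
Added example (not part of the original posts): a small Python correlator that pairs each 106015 "Deny TCP (no connection)" with an earlier 302013/302014 build and teardown for the same outside peer and translated address, so a deny can be read as a late packet for a connection the firewall already closed. The function name `explain_denies` is hypothetical, the regexes only cover the message layouts quoted in this thread, and the last sample line is constructed.

```python
import re

# First three lines: syslog entries quoted in the thread (priority prefix
# dropped). Last line: constructed, a deny with no earlier connection.
SAMPLE_LOG = """\
Feb 25 2008 20:55:30: %PIX-6-302013: Built outbound TCP connection 17980100 for outside:216.37.74.94/80 (216.37.74.94/80) to inside:1.2.3.4/3394 (5.6.7.8/16489)
Feb 25 2008 20:55:31: %PIX-6-302014: Teardown TCP connection 17980100 for outside:216.37.74.94/80 to inside:1.2.3.4/3394 duration 0:00:00 bytes 4424 TCP Reset-I
Feb 25 2008 20:55:31: %PIX-6-106015: Deny TCP (no connection) from 216.37.74.94/80 to 5.6.7.8/16489 flags RST on interface outside
Feb 25 2008 20:55:32: %PIX-6-106015: Deny TCP (no connection) from 216.37.74.69/80 to 5.6.7.8/40000 flags ACK on interface outside
"""

# Built: the addresses in parentheses are the translated ones, which is what
# a later deny on the outside interface will show.
BUILT = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"\w+:\S+ \((?P<peer>[\d.]+/\d+)\) to \w+:\S+ \((?P<mapped>[\d.]+/\d+)\)")
# Teardown: the trailing text is the reason (Reset-I = reset came from the
# inside host, Reset-O = reset came from the outside).
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for .* bytes \d+ "
    r"(?P<reason>.+)$")
DENY = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+/\d+) "
    r"to (?P<dst>[\d.]+/\d+) flags (?P<flags>.+?)(?: on interface (?P<ifc>\S+))?$")


def explain_denies(log_text):
    """Return one finding per 106015 line, linked to a prior teardown if any."""
    open_conns = {}  # connection id -> (peer, mapped) as seen on the outside
    closed = {}      # (peer, mapped) -> (connection id, teardown reason)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := BUILT.search(line):
            open_conns[m["id"]] = (m["peer"], m["mapped"])
        elif m := TEARDOWN.search(line):
            flow = open_conns.pop(m["id"], None)
            if flow:
                closed[flow] = (m["id"], m["reason"])
        elif m := DENY.search(line):
            conn = closed.get((m["src"], m["dst"]))
            findings.append({
                "src": m["src"],
                "dst": m["dst"],
                "flags": m["flags"],
                "conn_id": conn[0] if conn else None,
                "teardown_reason": conn[1] if conn else None,
                "verdict": ("late packet for a connection already torn down"
                            if conn else "no earlier connection in this log"),
            })
    return findings


if __name__ == "__main__":
    for f in explain_denies(SAMPLE_LOG):
        print(f)
```
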






 
I'm not sure what I am accessing when it fails because the page just "loops" for lack of a better term. I'm not sure about when it fails exactly, the browser does not give me any indication of failed access (i.e., error on page or page cannot be displayed messages). Here is the output from the capture using tcp in the cap acl instead of tcp. Again, thanks very much for your help.
84 packets captured
1: 16:14:36.626417 1.2.3.4.3629 > 216.37.74.93.80: S 3337009385:33370093
85(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 16:14:36.700723 216.37.74.93.80 > 1.2.3.4.3629: S 1252406005:12524060
05(0) ack 3337009386 win 16560 <mss 1380,nop,nop,sackOK>
3: 16:14:36.700967 1.2.3.4.3629 > 216.37.74.93.80: . ack 1252406006 win
65535
4: 16:14:36.701242 1.2.3.4.3629 > 216.37.74.93.80: P 3337009386:33370099
66(580) ack 1252406006 win 65535
5: 16:14:36.916014 216.37.74.93.80 > 1.2.3.4.3629: . ack 3337009966 win
15980
6: 16:14:36.988047 216.37.74.93.80 > 1.2.3.4.3629: . 1252406006:12524073
86(1380) ack 3337009966 win 15980
7: 16:14:36.988367 216.37.74.93.80 > 1.2.3.4.3629: P 1252407386:12524086
57(1271) ack 3337009966 win 15980
8: 16:14:36.989359 1.2.3.4.3629 > 216.37.74.93.80: . ack 1252408657 win
65535
9: 16:14:37.015929 1.2.3.4.3629 > 216.37.74.93.80: P 3337009966:33370104
85(519) ack 1252408657 win 65535
10: 16:14:37.100748 1.2.3.4.3631 > 216.37.74.69.80: S 1980184086:19801840
86(0) win 65535 <mss 1460,nop,nop,sackOK>
11: 16:14:37.101770 1.2.3.4.3632 > 216.37.74.69.80: S 3277009897:32770098
97(0) win 65535 <mss 1460,nop,nop,sackOK>
12: 16:14:37.154441 216.37.74.93.80 > 1.2.3.4.3629: P 1252408657:12524093
23(666) ack 3337010485 win 15461
13: 16:14:37.168249 216.37.74.69.80 > 1.2.3.4.3631: S 3536108130:35361081
30(0) ack 1980184087 win 16560 <mss 1380,nop,nop,sackOK>
14: 16:14:37.168341 216.37.74.69.80 > 1.2.3.4.3632: S 2037960227:20379602
27(0) ack 3277009898 win 16560 <mss 1380,nop,nop,sackOK>
15: 16:14:37.168631 1.2.3.4.3631 > 216.37.74.69.80: . ack 3536108131 win
65535
16: 16:14:37.168677 1.2.3.4.3632 > 216.37.74.69.80: . ack 2037960228 win
65535
17: 16:14:37.291107 1.2.3.4.3629 > 216.37.74.93.80: . ack 1252409323 win
64869
18: 16:14:37.732872 1.2.3.4.3633 > 216.37.74.94.80: S 3758566286:37585662
86(0) win 65535 <mss 1460,nop,nop,sackOK>
19: 16:14:37.733421 1.2.3.4.3634 > 216.37.74.94.80: S 3400477239:34004772
39(0) win 65535 <mss 1460,nop,nop,sackOK>
20: 16:14:37.734382 1.2.3.4.3631 > 216.37.74.69.80: P 1980184087:19801845
91(504) ack 3536108131 win 65535
21: 16:14:37.734504 1.2.3.4.3632 > 216.37.74.69.80: P 3277009898:32770103
62(464) ack 2037960228 win 65535
22: 16:14:37.843004 216.37.74.94.80 > 1.2.3.4.3633: S 2961289090:29612890
90(0) ack 3758566287 win 16560 <mss 1380,nop,nop,sackOK>
23: 16:14:37.843050 216.37.74.94.80 > 1.2.3.4.3634: S 2221842358:22218423
58(0) ack 3400477240 win 16560 <mss 1380,nop,nop,sackOK>
24: 16:14:37.843401 1.2.3.4.3633 > 216.37.74.94.80: . ack 2961289091 win
65535
25: 16:14:37.843462 1.2.3.4.3634 > 216.37.74.94.80: . ack 2221842359 win
65535
26: 16:14:37.843706 1.2.3.4.3634 > 216.37.74.94.80: P 3400477240:34004777
01(461) ack 2221842359 win 65535
27: 16:14:37.844026 1.2.3.4.3633 > 216.37.74.94.80: P 3758566287:37585667
41(454) ack 2961289091 win 65535
28: 16:14:37.850526 216.37.74.69.80 > 1.2.3.4.3631: . 3536108131:35361095
11(1380) ack 1980184591 win 16056
29: 16:14:37.850801 216.37.74.69.80 > 1.2.3.4.3631: P 3536109511:35361105
69(1058) ack 1980184591 win 16056
30: 16:14:37.851091 1.2.3.4.3631 > 216.37.74.69.80: R 1980184591:19801845
91(0) ack 3536109511 win 0
31: 16:14:37.851182 1.2.3.4.3631 > 216.37.74.69.80: R 1980184591:19801845
91(0) win 0
32: 16:14:37.851671 1.2.3.4.3635 > 216.37.74.69.80: S 3292761743:32927617
43(0) win 65535 <mss 1460,nop,nop,sackOK>
33: 16:14:37.934064 216.37.74.94.80 > 1.2.3.4.3633: . 2961289091:29612904
71(1380) ack 3758566741 win 16106
34: 16:14:37.934140 216.37.74.94.80 > 1.2.3.4.3633: P 2961290471:29612914
50(979) ack 3758566741 win 16106
35: 16:14:37.934201 216.37.74.69.80 > 1.2.3.4.3635: S 2791169392:27911693
92(0) ack 3292761744 win 16560 <mss 1380,nop,nop,sackOK>
36: 16:14:37.934628 1.2.3.4.3635 > 216.37.74.69.80: . ack 2791169393 win
65535
37: 16:14:37.934674 1.2.3.4.3633 > 216.37.74.94.80: . ack 2961291450 win
65535
38: 16:14:37.934933 1.2.3.4.3635 > 216.37.74.69.80: P 3292761744:32927622
31(487) ack 2791169393 win 65535
39: 16:14:37.940899 216.37.74.94.80 > 1.2.3.4.3634: . 2221842359:22218437
39(1380) ack 3400477701 win 16099
40: 16:14:37.943692 216.37.74.94.80 > 1.2.3.4.3634: . 2221843739:22218451
19(1380) ack 3400477701 win 16099
41: 16:14:37.943768 216.37.74.69.80 > 1.2.3.4.3632: P 2037960228:20379609
29(701) ack 3277010362 win 16096
42: 16:14:37.944088 1.2.3.4.3634 > 216.37.74.94.80: . ack 2221845119 win
65535
43: 16:14:37.947796 1.2.3.4.3634 > 216.37.74.94.80: R 3400477701:34004777
01(0) ack 2221845119 win 0
44: 16:14:38.008254 216.37.74.69.80 > 1.2.3.4.3635: P 2791169393:27911697
43(350) ack 3292762231 win 16073
45: 16:14:38.017531 1.2.3.4.3629 > 216.37.74.93.80: P 3337010485:33370111
35(650) ack 1252409323 win 64869
46: 16:14:38.056820 1.2.3.4.3632 > 216.37.74.69.80: . ack 2037960929 win
64834
47: 16:14:38.093424 216.37.74.93.80 > 1.2.3.4.3629: P 1252409323:12524098
85(562) ack 3337011135 win 16560
48: 16:14:38.094431 1.2.3.4.3629 > 216.37.74.93.80: P 3337011135:33370118
76(741) ack 1252409885 win 64307
49: 16:14:38.166052 1.2.3.4.3635 > 216.37.74.69.80: . ack 2791169743 win
65185
50: 16:14:38.174948 216.37.74.93.80 > 1.2.3.4.3629: . 1252409885:12524112
65(1380) ack 3337011876 win 15819
51: 16:14:38.175039 216.37.74.93.80 > 1.2.3.4.3629: P 1252411265:12524123
18(1053) ack 3337011876 win 15819
52: 16:14:38.175375 1.2.3.4.3629 > 216.37.74.93.80: . ack 1252412318 win
65535
53: 16:14:38.195165 1.2.3.4.3632 > 216.37.74.69.80: P 3277010362:32770108
81(519) ack 2037960929 win 64834
54: 16:14:38.196217 1.2.3.4.3629 > 216.37.74.93.80: P 3337011876:33370124
42(566) ack 1252412318 win 65535
55: 16:14:38.196599 1.2.3.4.3633 > 216.37.74.94.80: . 3758566741:37585681
21(1380) ack 2961291450 win 65535
56: 16:14:38.196873 1.2.3.4.3633 > 216.37.74.94.80: P 3758568121:37585683
98(277) ack 2961291450 win 65535
57: 16:14:38.198384 1.2.3.4.3637 > 216.37.74.94.80: S 3235055512:32350555
12(0) win 65535 <mss 1460,nop,nop,sackOK>
58: 16:14:38.272126 216.37.74.94.80 > 1.2.3.4.3637: S 3769322156:37693221
56(0) ack 3235055513 win 16560 <mss 1380,nop,nop,sackOK>
59: 16:14:38.272202 216.37.74.94.80 > 1.2.3.4.3633: . ack 3758568398 win
16560
60: 16:14:38.272401 1.2.3.4.3637 > 216.37.74.94.80: . ack 3769322157 win
65535
61: 16:14:38.272721 1.2.3.4.3637 > 216.37.74.94.80: . 3235055513:32350568
93(1380) ack 3769322157 win 65535
62: 16:14:38.273011 1.2.3.4.3637 > 216.37.74.94.80: P 3235056893:32350571
77(284) ack 3769322157 win 65535
63: 16:14:38.285812 216.37.74.94.80 > 1.2.3.4.3633: . 2961291450:29612928
30(1380) ack 3758568398 win 16560
64: 16:14:38.285889 216.37.74.94.80 > 1.2.3.4.3633: P 2961292830:29612937
45(915) ack 3758568398 win 16560
65: 16:14:38.286270 1.2.3.4.3633 > 216.37.74.94.80: . ack 2961293745 win
65535
66: 16:14:38.344830 216.37.74.69.80 > 1.2.3.4.3632: P 2037960929:20379615
63(634) ack 3277010881 win 15577
67: 16:14:38.347058 216.37.74.94.80 > 1.2.3.4.3637: . ack 3235055513 win
16560 <nop,nop,sack sack 1 {4132979428:4132979712} >
68: 16:14:38.347119 216.37.74.94.80 > 1.2.3.4.3637: . ack 3235057177 win
16560
69: 16:14:38.358074 216.37.74.93.80 > 1.2.3.4.3629: P 1252412318:12524129
17(599) ack 3337012442 win 15253
70: 16:14:38.365657 216.37.74.94.80 > 1.2.3.4.3637: . 3769322157:37693235
37(1380) ack 3235057177 win 16560
71: 16:14:38.365749 216.37.74.94.80 > 1.2.3.4.3637: . 3769323537:37693249
17(1380) ack 3235057177 win 16560
72: 16:14:38.367244 1.2.3.4.3637 > 216.37.74.94.80: . ack 3769324917 win
65535
73: 16:14:38.368373 1.2.3.4.3637 > 216.37.74.94.80: R 3235057177:32350571
77(0) ack 3769324917 win 0
74: 16:14:38.374980 1.2.3.4.3629 > 216.37.74.93.80: P 3337012442:33370130
92(650) ack 1252412917 win 64936
75: 16:14:38.453208 216.37.74.93.80 > 1.2.3.4.3629: P 1252412917:12524134
79(562) ack 3337013092 win 16560
76: 16:14:38.454612 1.2.3.4.3629 > 216.37.74.93.80: P 3337013092:33370138
33(741) ack 1252413479 win 64374
77: 16:14:38.494130 1.2.3.4.3632 > 216.37.74.69.80: . ack 2037961563 win
64200
78: 16:14:38.596343 216.37.74.93.80 > 1.2.3.4.3629: . 1252413479:12524148
59(1380) ack 3337013833 win 15819
79: 16:14:38.596419 216.37.74.93.80 > 1.2.3.4.3629: P 1252414859:12524159
12(1053) ack 3337013833 win 15819
80: 16:14:38.596801 1.2.3.4.3629 > 216.37.74.93.80: . ack 1252415912 win
65535
81: 16:14:38.949535 1.2.3.4.3629 > 216.37.74.93.80: R 3337013833:33370138
33(0) ack 1252415912 win 0
82: 16:14:38.949841 1.2.3.4.3635 > 216.37.74.69.80: R 3292762231:32927622
31(0) ack 2791169743 win 0
83: 16:14:38.949917 1.2.3.4.3632 > 216.37.74.69.80: R 3277010881:32770108
81(0) ack 2037961563 win 0
84: 16:14:38.950451 1.2.3.4.3633 > 216.37.74.94.80: R 3758568398:37585683
98(0) ack 2961293745 win 0
84 packets shown
 
Hi Network Ghost,

Sorry about the delay, I had other network issues to take care of but I'm back to this one. To answer your first questions: Yes, that is correct. Static translation works whereas NAT fails. I also have DNS records for both. I haven’t tried policy NAT yet, I hope to over the weekend.

One thing I did notice is that my workstation that is NATed sends out two SYN packets consecutively. The first one that is sent goes through the three-way handshake, then does a GET for an HTTP page (with no reply yet).
Then the second conversation finishes its three-way handshake and does a GET.
The first connection's GET request is then responded to, and it gets dropped. The second connection stays open and is not dropped.
The machine that is static does not display this behavior.
 