Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Deny tcp (no connection) ???? or less connection
- Thread starter 151569
- Start date
NetworkGhost
IS-IT--Management
Means Basically the TCP packet was sent with something other than the syn flag sent. Therefore the PIX would check its connection table, no previous connection existed and the packet gets denied.
- Thread starter
- #4
Thank for respond me Network Ghost, in my case the client request my server http through my Pix, server Http respond for client, again client send information for server Http in time show this message log
Dec 10 13:23:31 192.168.0.243 %PIX-6-106015: Deny TCP (no connection) from IP_client/80 to IP_PIX/57226 flags FIN PSH ACK on interface outside
This link have some problem, however solution not work. I try decrease value timeout of half-closed for 0:05:00 ... and nothing !!!
Obs
Two ip are valid.
Tnanks.
Dec 10 13:23:31 192.168.0.243 %PIX-6-106015: Deny TCP (no connection) from IP_client/80 to IP_PIX/57226 flags FIN PSH ACK on interface outside
This link have some problem, however solution not work. I try decrease value timeout of half-closed for 0:05:00 ... and nothing !!!
Obs
Two ip are valid.
Tnanks.
NetworkGhost
IS-IT--Management
Are you experiencing any problems? TCP Connections usually dont timeout unless they remain half open or just plain never get a fin packet. So the issue here could be a few things.
ddd.ddd.ddd.ddd == Destination
sss.sss.sss.sss == Source
This is what I suggest
Start a capture on the traffic in question. We want to do this from the source facing interface first:
access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
capture cap_acl_http access-list cap_http interface inside buffer 8000
Attempt the traffic that is failing. After that is complete perform a "sh cap cap_acl_http" on the PIX. Copy and save the results.
Do the same on the outside interface. This time the source IP will be the nat'd IP on the outside interface
no cap cap_acl_http
no access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
no access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
capture cap_acl_http access-list cap_http interface Outside buffer 8000
Scrube the IPs in both captures and post the results.
ddd.ddd.ddd.ddd == Destination
sss.sss.sss.sss == Source
This is what I suggest
Start a capture on the traffic in question. We want to do this from the source facing interface first:
access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
capture cap_acl_http access-list cap_http interface inside buffer 8000
Attempt the traffic that is failing. After that is complete perform a "sh cap cap_acl_http" on the PIX. Copy and save the results.
Do the same on the outside interface. This time the source IP will be the nat'd IP on the outside interface
no cap cap_acl_http
no access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
no access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
capture cap_acl_http access-list cap_http interface Outside buffer 8000
Scrube the IPs in both captures and post the results.
- Thread starter
- #6
Hello
I make capture of trafic and client and my server
this is result of
In interface dmz
Dec 12 18:00:07 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1384819 for outside:IP_client/26
21 (IP_client/2621) to dmz:IP_serv_http/80 (201.34.206.66/80)
Dec 12 18:00:40 192.168.0.243 %PIX-6-302014: Teardown TCP connection 1384819 for outside:IP_client/2621 to
dmz:IP_serv_http/80 duration 0:00:32 bytes 1133 TCP Reset-O
Dec 12 18:00:40 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1385023 for outside:IP_client/26
40 (IP_client/2640) to dmz:IP_serv_http/80 (201.34.206.66/80)
Dec 12 18:01:11 192.168.0.243 %PIX-6-302014: Teardown TCP connection 1385023 for outside:IP_client/2640 to
dmz:IP_serv_http/80 duration 0:00:30 bytes 567 TCP Reset-O
In interface outside.
Dec 12 19:19:02 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429700 for outside:ip_client/3130 (ip_client/3130) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
Dec 12 19:19:02 192.168.0.243 %PIX-5-304001: ip_client Accessed URL ip_serv_http:/web/clientes.consulta.php?aco=cgc&cod=89706560815
Dec 12 19:19:10 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429721 for outside:ip_client/3133 (ip_client/3133) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
Dec 12 19:19:10 192.168.0.243 %PIX-5-304001: ip_client Accessed URL ip_serv_http:/web/clientes.atualiza.php?cod=IJSVMP
Dec 12 19:19:20 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429742 for outside:ip_client/3137 (ip_client/3137) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
192.168.4.3 --> this my server real serv http inside dmz
ip_VALID_serv_http make nat for IP_serv_http(dmz)
|-> 200.xxx.xxx |-> 192.168.4.3
Ok , Do you understand ?
Thanks
I make capture of trafic and client and my server
this is result of
In interface dmz
Dec 12 18:00:07 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1384819 for outside:IP_client/26
21 (IP_client/2621) to dmz:IP_serv_http/80 (201.34.206.66/80)
Dec 12 18:00:40 192.168.0.243 %PIX-6-302014: Teardown TCP connection 1384819 for outside:IP_client/2621 to
dmz:IP_serv_http/80 duration 0:00:32 bytes 1133 TCP Reset-O
Dec 12 18:00:40 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1385023 for outside:IP_client/26
40 (IP_client/2640) to dmz:IP_serv_http/80 (201.34.206.66/80)
Dec 12 18:01:11 192.168.0.243 %PIX-6-302014: Teardown TCP connection 1385023 for outside:IP_client/2640 to
dmz:IP_serv_http/80 duration 0:00:30 bytes 567 TCP Reset-O
In interface outside.
Dec 12 19:19:02 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429700 for outside:ip_client/3130 (ip_client/3130) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
Dec 12 19:19:02 192.168.0.243 %PIX-5-304001: ip_client Accessed URL ip_serv_http:/web/clientes.consulta.php?aco=cgc&cod=89706560815
Dec 12 19:19:10 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429721 for outside:ip_client/3133 (ip_client/3133) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
Dec 12 19:19:10 192.168.0.243 %PIX-5-304001: ip_client Accessed URL ip_serv_http:/web/clientes.atualiza.php?cod=IJSVMP
Dec 12 19:19:20 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429742 for outside:ip_client/3137 (ip_client/3137) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
192.168.4.3 --> this my server real serv http inside dmz
ip_VALID_serv_http make nat for IP_serv_http(dmz)
|-> 200.xxx.xxx |-> 192.168.4.3
Ok , Do you understand ?
Thanks
NetworkGhost
IS-IT--Management
- Status
Similar threads
- Locked
- Question
- Locked
- Question