
Inbound TCP connection denied, flags SYN on interface inside

Status
Not open for further replies.

djcronos

IS-IT--Management
Jul 31, 2006
7
US
I have two internal networks - 10.30.1.0/24 and 10.30.2.0/24. Both networks are able to access the internet just fine, however I am unable to talk between networks. I get the following error when trying to access the web servers on each network:

Code:
Oct 08 2008 10:49:57: %PIX-2-106001: Inbound TCP connection denied from 10.30.1.10/4529 to 10.30.2.11/80 flags SYN  on interface inside

Here is my config:

Code:
: Saved
:
PIX Version 7.0(8)
!
hostname puppypix
domain-name nodomain.com
enable password  *** encrypted
passwd *** encrypted
names
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.192
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.30.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif intf2
 security-level 4
 no ip address
!
interface Ethernet3
 shutdown
 nameif intf3
 security-level 6
 no ip address
!
interface Ethernet4
 shutdown
 nameif intf4
 security-level 8
 no ip address
!
interface Ethernet5
 shutdown
 nameif intf5
 security-level 10
 no ip address
!
boot system flash:/image.bin
ftp mode passive
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp any any eq 3389
access-list outbound extended permit tcp any any
access-list outbound extended permit icmp any any
access-list outbound extended permit udp any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap warnings
logging facility 23
logging queue 16
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no failover
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.30.1.0 255.255.255.0
nat (inside) 1 10.30.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 10.30.1.10 3389 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.30.1.4 netmask 255.255.255.255
access-group inbound in interface outside
access-group outbound in interface inside
access-group outbound out interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 10.30.2.0 255.255.255.0 10.30.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username *** password *** encrypted privilege 15
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.30.1.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.30.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 1
console timeout 0
dhcpd address 10.30.1.20-10.30.1.50 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:10ea459b23e3a8e6d7093d49a5c48808
: end

After reading a bunch of posts both on here and found on google, it sounds like I have something wrong with my access lists, but I'm not sure what. Any help is appreciated.

Thanks in advance.
 
The pix isn't a router and thus can't route traffic between the networks.
 
What type of device is routing for the .2 network? Have you tried the following command:
Code:
pix(config)# same-security-traffic permit intra-interface
Two other things:
- remove your ACLs on the inside interface. You don't need them
- your inbound ACL should be more specific for the destination addresses as it is applied to your outside interface. Any-any inbound ACEs are definitely not best practice.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
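One way to triage %PIX-2-106001 messages like the one in the original post, as an added example that is not code from the thread: parse the syslog line, look up which interface the PIX would use to reach the destination (from the `route` statements in the posted config), and flag flows whose egress interface equals the ingress interface. That is exactly the hairpin case a PIX 7.x drops unless `same-security-traffic permit intra-interface` is configured. The log lines, `ROUTES` table and function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample syslog lines in the format the original post shows (not the poster's own logs).
SAMPLE_LOGS = [
    "Oct 08 2008 10:49:57: %PIX-2-106001: Inbound TCP connection denied from 10.30.1.10/4529 "
    "to 10.30.2.11/80 flags SYN  on interface inside",
    "Oct 08 2008 10:50:03: %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/51000 "
    "to 10.30.1.4/22 flags SYN  on interface outside",
]

# Interface reachability derived from the posted config: the connected 10.30.1.0/24 and the
# static "route inside 10.30.2.0 255.255.255.0 10.30.1.3" both sit behind the inside interface.
ROUTES = {
    "inside": [ipaddress.ip_network("10.30.1.0/24"), ipaddress.ip_network("10.30.2.0/24")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],  # default route
}

LOG_RE = re.compile(
    r"%PIX-2-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[\w\s]+?)\s+on interface (?P<iface>\w+)"
)


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match over the route table, as the PIX would do for the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, nets in routes.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
    return best[0] if best else None


def classify_deny(line, routes=ROUTES):
    """Return the parsed flow plus whether it is a same-interface (hairpin) deny, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ingress = m["iface"]
    egress = egress_interface(m["dst"], routes)
    return {
        "proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
        "ingress": ingress, "egress": egress,
        # True means the packet entered and would leave on the same interface.
        "hairpin": egress is not None and ingress == egress,
    }
```

A hairpin result on the inside interface points at the same-security-traffic setting rather than at the ACLs, which is the distinction the replies above draw; a non-hairpin deny on outside is the ordinary ACL case.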
 
It won't route between networks that are not directly attached. You can put interface 1 in one network and interface 2 in the other and assign them the same security level. Then just add
same-security-traffic permit intra-interface
as unclerico says.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 