PIX denying TCP connections

Status
Not open for further replies.

jduran

IS-IT--Management
Jan 30, 2003
7
ES
Hi forum,

I have a problem with a PIX 525. It is configured with an interface acting as a DMZ (called dmz_wan) where all traffic is permitted and no translation between this interface and the inside interface.

There is an application server in inside (192.168.0.16) listening at port 211/tcp.

The problem is that sometimes the client side, located on the DMZ interface (192.168.2.126), drops the connection without a logical reason for that (no rules involved directly).

I've installed a syslog and the message that appears related to that is the following:

<166>:Mar 16 12:54:34 CEST: %PIX-6-106015: Deny TCP (no connection) from 192.168.2.126/1447 to 192.168.0.16/211 flags PSH ACK on interface dmz_wan

This application is crucial. Is there a way to bypass this drop action or does anybody know if I need to reconfigure something (fixup, timeouts, tcp options or something like that)?

Bear in mind that this DMZ is a trusted zone, so if I have to lower the level of security, that is not a problem for now.

Thanks in advance, guys
 
You need a static translation:

static (inside, dmz_wan) 192.168.0.16 192.168.0.16 netmask 255.255.255.255

 
Sorry, I forgot to say that there is a nat 0 access-list between the two interfaces, so traffic is allowed without translation, i.e. routing.

To be clear, ALL IP is allowed between both interfaces and a NAT 0 ACCESS-LIST is used between them.

There are a lot of other connections in between, but ONLY those explained before are dropped sometimes.

Any help? Need to clarify something else?

Thanks
 
Is there any kind of keep-alive packets between the client and the server? If there isn't, then you should make it do that; most client/server applications support this.
The PIX will close the session after the configured conn timeout xx:xx:xx if there is no traffic.
If it does it while traffic is running, you should probably upgrade the PIX or do some network sniffing to see what the real problem is.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
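As an added example (not code from the thread or from Cisco), here is a small Python script that parses %PIX-6-106015 lines like the one posted above and counts, per flow, packets denied mid-stream (PSH or FIN without SYN). Repeated hits on one flow are the pattern Jan describes: an established session whose connection entry the PIX has already aged out. The sample syslog lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the %PIX-6-106015 message in the thread.
SAMPLE_LOGS = """\
<166>:Mar 16 12:54:34 CEST: %PIX-6-106015: Deny TCP (no connection) from 192.168.2.126/1447 to 192.168.0.16/211 flags PSH ACK on interface dmz_wan
<166>:Mar 16 12:54:36 CEST: %PIX-6-106015: Deny TCP (no connection) from 192.168.2.126/1447 to 192.168.0.16/211 flags PSH ACK on interface dmz_wan
<166>:Mar 16 12:55:02 CEST: %PIX-6-106015: Deny TCP (no connection) from 192.168.2.126/1447 to 192.168.0.16/211 flags FIN ACK on interface dmz_wan
<166>:Mar 16 13:01:10 CEST: %PIX-6-106015: Deny TCP (no connection) from 10.9.9.9/40000 to 192.168.0.16/211 flags RST on interface dmz_wan
<166>:Mar 16 13:02:00 CEST: %PIX-6-302001: Built inbound TCP connection 1234 for dmz_wan:192.168.2.126/1448 (192.168.2.126/1448) to inside:192.168.0.16/211 (192.168.0.16/211)
"""

# Field layout of the 106015 message body: src/port, dst/port, TCP flags, ingress interface.
PATTERN = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(text):
    """Yield one dict per 106015 line; any other message ID is ignored."""
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            entry = m.groupdict()
            entry["flags"] = entry["flags"].split()
            yield entry


def stale_flow_summary(text, min_hits=2):
    """Count denied packets per flow that carry data or teardown flags (PSH/FIN)
    but no SYN. Such packets belong to a session the endpoints still consider
    open, so a flow hit several times points at the firewall's conn timeout
    having expired the state entry rather than at an access rule."""
    counts = Counter()
    for e in parse_106015(text):
        flags = set(e["flags"])
        mid_stream = "SYN" not in flags and bool({"PSH", "FIN"} & flags)
        if mid_stream:
            key = (e["src"], e["sport"], e["dst"], e["dport"], e["iface"])
            counts[key] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    for flow, hits in stale_flow_summary(SAMPLE_LOGS).items():
        print(f"{hits} mid-stream denies for {flow}")
```

Running it on the sample prints one flow (192.168.2.126/1447 to 192.168.0.16/211 on dmz_wan) with three hits; the lone RST from another host is not counted.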
 
Finally, the problem was with the default values of the timeout parameter, which I needed to change in order for it to work correctly. Solved. Thanks to all for your answers.
 