
TCP Reset solution?


aghi (ISP, BR), Mar 3, 2004
Hi,

I'm a newbie dealing with PIX. I've just configured basic access-lists to let the outside interface access inside networks. The problem is, my connections are being reset after a short time, and the PIX shows me messages like:

TCP Reset-O
TCP Reset-I
(no connection) RST ACK


Looks like the TCP handshake is scrambled minutes after the connection is established. How do you solve this? I saw lots of posts with similar problems but no solution.

PIX: 515E v6.3

My config:

PIX Version 6.3(3)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100basetx
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 TELEMAR security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ****pix
domain-name ****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 stacao
name 200.241.127.82 aghi
name 200.165.254.229 aghihome
name 192.168.1.3 ADU-EBT
name 192.168.2.2 ADU-TEL
object-group service FTPS-PROVIDER tcp
description FTPS do aghi
port-object range 1024 65535
port-object eq ftp
port-object eq ftp-data
object-group service EMAIL-PROVIDER tcp
description Pacote e-mail provider
port-object eq pop3
port-object eq 10000
port-object eq https
port-object eq www
port-object eq smtp
access-list outside_access_in remark ICMP para o mundo
access-list outside_access_in permit icmp any host ADU-EBT
access-list outside_access_in remark ICMP para o mundo
access-list outside_access_in permit icmp any host ADU-TEL
access-list outside_access_in remark SSH MANUTENCAO PROVIER
access-list outside_access_in permit tcp host aghi host ADU-EBT eq ssh log 3 interval 5
access-list outside_access_in remark SSH MANUTENCAO PROVIDER - telemar
access-list outside_access_in permit tcp host aghi host ADU-TEL eq ssh
access-list outside_access_in remark
access-list outside_access_in permit tcp host aghi host ADU-EBT object-group FTPS-PROVIDER
access-list outside_access_in remark INET SMTP
access-list outside_access_in permit tcp host aghi host ADU-TEL object-group FTPS-PROVIDER
access-list outside_access_in remark
access-list outside_access_in remark
access-list outside_access_in remark INET SMTP
access-list outside_access_in permit tcp any host ADU-EBT object-group EMAIL-PROVIDER
access-list outside_access_in remark FTP PROVIDER - telemar
access-list outside_access_in permit tcp any host ADU-TEL object-group EMAIL-PROVIDER
access-list outside_access_in remark
access-list outside_access_in remark FTP PROVIDER - telemar
access-list outside_access_in remark
access-list outside_access_in remark FTP SMTP - telemar
access-list outside_access_in remark INET EMAIL
access-list outside_access_in remark INET EMAIL
access-list outside_access_in remark INET EMAIL
access-list outside_access_in remark INET SMTP - telemar
access-list outside_access_in remark INET EMAIL - telemar
access-list outside_access_in remark INET SMTP - telemar
access-list inside_access_in remark INSIDE OUT PERMITA TUDO
access-list inside_access_in permit ip host ADU-EBT any
access-list TELEMAR_access_in remark TELEMAR PERMITA TUDO
access-list TELEMAR_access_in permit ip any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1460
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu TELEMAR 1500
ip address outside 200.241.127.79 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
ip address TELEMAR 192.168.2.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address TELEMAR
pdm location stacao 255.255.255.255 inside
pdm location aghi 255.255.255.255 outside
pdm location ADU-EBT 255.255.255.255 inside
pdm location aghihome 255.255.255.255 outside
pdm location ADU-TEL 255.255.255.255 TELEMAR
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
static (inside,outside) ADU-EBT ADU-EBT netmask 255.255.255.255 0 0
static (TELEMAR,outside) ADU-TEL ADU-TEL netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group TELEMAR_access_in in interface TELEMAR
route outside 0.0.0.0 0.0.0.0 200.241.127.94 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 1:00:00 udp 0:30:00 rpc 0:00:00 h225 0:00:00
timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:30:00 absolute uauth 0:20:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection tcpmss 0
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address stacao-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:801f276d2974e9beb4612d61de9bceea
: end
[OK]
 
Well, basically any NATing and firewall device has a translation timeout if no traffic is seen after a defined time period; these commands control that:

timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 1:00:00 udp 0:30:00 rpc 0:00:00 h225 0:00:00
timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:30:00 absolute uauth 0:20:00 inactivity

You could mess with those or just make the application you are having problems with send some type of keep-alive packets; most applications have this option buried somewhere in their settings.

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the Danish Cisco CSA Forum here:
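The reply above blames the translation and connection timeouts; the OP's own messages ("TCP Reset-O", "TCP Reset-I", "(no connection) RST ACK") are the way to check that, because the PIX teardown reason records who ended the flow. The following is an added example, not code from the thread or from Cisco: it parses %PIX-6-302014 teardown and %PIX-6-106015 "no connection" syslog lines, maps each teardown reason to its cause, and pairs every late "no connection" RST with the earlier teardown of the same flow, so you can see whether the firewall (Conn-timeout) or a host (Reset-O / Reset-I) dropped the connection first. The sample log lines are constructed in those message formats using the thread's addresses; the CAUSE table is this example's own mapping of PIX 6.3 reason strings.

```python
import re
from collections import Counter

# Constructed sample lines in %PIX-6-302014 / %PIX-6-106015 format (not real logs).
SAMPLE_LOG = """\
Mar 03 2004 10:12:01 pix %PIX-6-302014: Teardown TCP connection 4121 for outside:200.241.127.82/3345 to inside:192.168.1.3/22 duration 0:03:12 bytes 18234 TCP Reset-O
Mar 03 2004 11:40:55 pix %PIX-6-302014: Teardown TCP connection 4290 for outside:200.165.254.229/1180 to inside:192.168.1.3/25 duration 1:00:02 bytes 902 Conn-timeout
Mar 03 2004 11:41:00 pix %PIX-6-106015: Deny TCP (no connection) from 200.165.254.229/1180 to 192.168.1.3/25 flags RST ACK on interface outside
Mar 03 2004 11:45:10 pix %PIX-6-302014: Teardown TCP connection 4301 for inside:192.168.1.3/1025 to outside:200.241.127.82/21 duration 0:00:40 bytes 300 TCP Reset-I
Mar 03 2004 11:50:00 pix %PIX-6-302014: Teardown TCP connection 4310 for outside:200.165.254.229/1190 to inside:192.168.1.3/110 duration 0:00:05 bytes 1200 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"%PIX-\d-302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
NOCONN_RE = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)$"
)

# Who ended the flow, keyed by the PIX 6.3 teardown reason string (example's own mapping).
CAUSE = {
    "TCP Reset-O": "reset sent by the outside (lower-security) host",
    "TCP Reset-I": "reset sent by the inside (higher-security) host",
    "TCP FINs": "normal close by both sides",
    "Conn-timeout": "firewall idle timeout (timeout conn)",
    "SYN Timeout": "firewall timeout, handshake never completed",
    "FIN Timeout": "firewall timeout on a half-closed flow (timeout half-closed)",
}


def parse_line(line):
    """Return a dict for a teardown or no-connection line, or None for anything else."""
    m = TEARDOWN_RE.search(line)
    if m:
        d = m.groupdict()
        d["event"] = "teardown"
        d["cause"] = CAUSE.get(d["reason"], "other: " + d["reason"])
        return d
    m = NOCONN_RE.search(line)
    if m:
        d = m.groupdict()
        d["event"] = "no_connection"
        d["cause"] = "packet for a flow the PIX no longer tracks"
        return d
    return None


def classify(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(text):
    """Count events per (event, cause); a high Conn-timeout share points at the timeouts."""
    counts = Counter()
    for e in classify(text):
        counts[(e["event"], e["cause"])] += 1
    return counts


def late_resets(text):
    """Pair each 'no connection' RST with the earlier teardown of the same flow.

    The key ignores direction, so a RST from either end matches. The teardown
    reason it pairs with says who dropped the flow first: Conn-timeout means the
    PIX expired the state and the host only noticed later; Reset-O/Reset-I means
    the host itself ended it and the stray RST is just a retransmission.
    """
    torn, out = {}, []
    for e in classify(text):
        key = frozenset({(e["src"], e["sport"]), (e["dst"], e["dport"])})
        if e["event"] == "teardown":
            torn[key] = e["reason"]
        elif e["event"] == "no_connection" and key in torn:
            out.append((sorted(key), torn[key], e["flags"].strip()))
    return out


if __name__ == "__main__":
    for (event, cause), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {event:14s} {cause}")
    for endpoints, reason, flags in late_resets(SAMPLE_LOG):
        print(f"late {flags} on {endpoints}: flow had already been torn down ({reason})")
```

On a real box, feed it the output of `show logging` (with `logging buffered 6` or a syslog host receiving level 6); if the teardowns are mostly Reset-O/Reset-I with short durations, the timeouts are not the cause and the reset is coming from one of the hosts or something in the path.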
 
It's not the problem. I already tried to remove timeouts before and it's not the cause of my problem.
Any other hint?
 
You can't remove timeouts on the PIX; it will just revert to the default settings. Try upgrading to 6.3(4) or the recently released 6.3(5).

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the Danish Cisco CSA Forum here:
 
Again,

I decided to use NAT and followed Cisco's Document ID 4804 for "Firewall with Mail Server", and the freezing continues...
I really think it's not a problem with my configuration and my PIX has some kind of gremlin inside it.
Any thoughts?

My new conf:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 telemar security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 200.zz.zz.zz aghi
access-list smtp permit tcp any host 192.168.2.1 eq smtp
access-list smtp permit tcp host aghi host 192.168.2.1 eq ssh
access-list smtp permit icmp any host 192.168.2.1
access-list smtp permit icmp any host 192.168.1.1
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu telemar 1500
ip address outside 200.xx.xx.xx 255.255.255.224
ip address inside 10.0.0.1 255.255.255.252
no ip address intf2
no ip address intf3
no ip address intf4
ip address telemar 11.0.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address telemar
pdm location 11.0.0.2 255.255.255.255 telemar
pdm location 10.0.0.2 255.255.255.255 inside
pdm location aghi 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
static (telemar,outside) 192.168.1.1 11.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.2.1 10.0.0.2 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 200.yy.yy.yy 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 12:10:00 udp 12:02:00 rpc 12:10:00 h225 6:00:00
timeout h323 1:05:00 mgcp 1:05:00 sip 1:30:00 sip_media 1:02:00
timeout uauth 1:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 120
Cryptochecksum:75b016baf171915d9864b746512e3912
 
Hmm, your config is definitely wrong now. Are you just testing those servers internally? They are NATed to private addresses now, not routable Internet addresses.

static (telemar,outside) 192.168.1.1 11.0.0.2
static (inside,outside) 192.168.2.1 10.0.0.2

Software you can get from the place that you got the PIX from.

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the Danish Cisco CSA Forum here:
 