302014: Teardown TCP connection on pix 515

Discussion in 'Cisco' started by slhuillier.om, Apr 19, 2006.

  1. Hi everybody. Glad you read my post and thank you for the time you
    spend here.
    I'm using a PIX 515E with OS 6.3(4). I try to access a web server on
    its DMZ from a PC on the secure LAN. Here are the IPs of these LANs:
    secure: 192.168.7.x. The PIX has an IP of 192.168.7.252 on the LAN. The
    PC has 192.168.7.12.
    DMZ: 192.168.137.x. The PIX has an IP of 192.168.137.252. The web server
    is 192.168.137.103. (By the way, the DMZ uses a VLAN, but I don't think
    it causes my problem.)
    unsecure: 192.168.47.x. The PIX has 192.168.47.252.

    The unsecure zone is served by a router (IP 192.168.47.254 on the
    unsecure zone, and u.v.w.x on the internet). My ISP gave me the public
    IP a.b.c.d, which is NATted into 192.168.47.103 by the router. The PIX
    NATs it again into 192.168.137.103.
    When I try to access the web server from outside of this LAN (using
    another site), everything works fine.
    However, when I try to access it from the secure zone of this LAN, the
    PC can't access the server.

    Here is what I collect from the logs when I try to access it from the
    secure zone of the LAN:
    106100: access-list inside_access_in permitted tcp
    inside/192.168.7.12(2163) -> outside/a.b.c.d(81) hit-cnt 1 (first hit)
    305011: Built dynamic TCP translation from inside:192.168.7.12/2163 to
    outside:192.168.47.253/28962
    302013: Built outbound TCP connection 271372 for outside:a.b.c.d/81
    (a.b.c.d/81) to inside:192.168.7.12/2163 (192.168.47.253/28962)
    302013: Built inbound TCP connection 271373 for outside:u.v.w.x/33462
    (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
    302014: Teardown TCP connection 271373 for outside:u.v.w.x/33462 to
    DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
    302013: Built inbound TCP connection 271374 for outside:u.v.w.x/33462
    (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
    302014: Teardown TCP connection 271374 for outside:u.v.w.x/33462 to
    DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
    302013: Built inbound TCP connection 271375 for outside:u.v.w.x/33462
    (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
    302014: Teardown TCP connection 271375 for outside:u.v.w.x/33462 to
    DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O

    When I try to access the web server from outside of this LAN (using
    another site), I collect:
    106100: access-list outside_access_in permitted tcp
    outside/193.251.10.191(11106) -> DMZ_WS/192.168.47.103(81) hit-cnt 1
    (first hit)
    302013: Built inbound TCP connection 271385 for
    outside:193.251.10.191/11106 (193.251.10.191/11106) to
    DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
    106100: access-list outside_access_in permitted tcp
    outside/193.251.10.191(11107) -> DMZ_WS/192.168.47.103(81) hit-cnt 1
    (first hit)
    302013: Built inbound TCP connection 271386 for
    outside:193.251.10.191/11107 (193.251.10.191/11107) to
    DMZ_WS:192.168.137.103/81 (192.168.47.103/81)

    I think the 302014: Teardown TCP connection is the problem, but I don't
    know how to solve this issue... Thanks again.
     
    slhuillier.om, Apr 19, 2006
    #1

  2. NETADMIN (Guest)

    By default this should not work, as the LAN interface has security 100 and the DMZ
    can be anywhere between 1 and 99.
    Firewall rule: security 100 can access anything less than 100.

    Did you have any access-list stating that the PIX LAN interface can access the
    DMZ with a specific IP?

    Could you post the config?


    Regards..
    CK-NET
     
    NETADMIN, Apr 19, 2006
    #2

  3. You cannot connect to the "outside" ip address of a host on your dmz
    from the inside, or secure network. Doing so would cause the packet to
    cross from the inside interface to the outside interface, then back
    *into* the outside interface, then through the DMZ interface. Try
    testing again by connecting to the real, or configured IP of the server
    on the DMZ.

    A PIX will not allow a packet to cross two interfaces with the same
    security level. Typically this means that a packet can't bounce through
    the same interface. But, if you did an experiment on a PIX by setting
    one interface at 100 and two interfaces at 50, no traffic could pass
    between the two interfaces set at 50.

    This is a common problem when you don't implement split-DNS at your
    site. External connections work fine because hostnames resolve to the
    external IP. Internal connections resolve to the external IP, and the
    PIX won't allow that connection.
     
    Mark Williams, Apr 19, 2006
    #3
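As an added diagnostic (not posted in the thread), this Python script correlates the 302013 Built and 302014 Teardown records quoted above by connection ID and flags the signature Mark describes: an inbound connection on the outside interface whose source is the site's own edge router, torn down with zero bytes and a reset. The sample log and the addresses in it are constructed (TEST-NET ranges standing in for a.b.c.d and u.v.w.x).

```python
import re

# PIX 6.x syslog formats for message IDs 302013 (Built) and 302014 (Teardown),
# as quoted in the thread. A "%PIX-6-" prefix, if present, is ignored by search().
BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<a_if>[^:\s]+):(?P<a_ip>\S+)/(?P<a_port>\d+) \((?P<a_xip>\S+)/(?P<a_xport>\d+)\) to "
    r"(?P<b_if>[^:\s]+):(?P<b_ip>\S+)/(?P<b_port>\d+) \((?P<b_xip>\S+)/(?P<b_xport>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for .*? duration "
    r"(?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# Constructed sample: 203.0.113.10 stands in for a.b.c.d (public IP of the web
# server), 203.0.113.20 for u.v.w.x (internet side of the edge router),
# 198.51.100.5 for a genuine external client.
SAMPLE_LOG = [
    "302013: Built outbound TCP connection 271372 for outside:203.0.113.10/81 (203.0.113.10/81) to inside:192.168.7.12/2163 (192.168.47.253/28962)",
    "302013: Built inbound TCP connection 271373 for outside:203.0.113.20/33462 (203.0.113.20/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)",
    "302014: Teardown TCP connection 271373 for outside:203.0.113.20/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O",
    "302013: Built inbound TCP connection 271385 for outside:198.51.100.5/11106 (198.51.100.5/11106) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)",
    "302014: Teardown TCP connection 271385 for outside:198.51.100.5/11106 to DMZ_WS:192.168.137.103/81 duration 0:01:12 bytes 5340 TCP FINs",
]
OWN_EDGE = {"203.0.113.20"}  # constructed: addresses the site's own router uses towards the internet

def correlate(lines):
    """Join each Built record with its Teardown (if seen) by connection ID."""
    conns = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {**m.groupdict(), "dur": None, "bytes": None, "reason": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conns[m["id"]].update(dur=m["dur"], bytes=int(m["bytes"]), reason=m["reason"])
    return conns

def find_failed_hairpins(lines, own_addresses):
    """Inbound connections arriving on 'outside' from one of our own edge
    addresses that died with zero bytes and a TCP reset: the traffic left
    through the outside interface and tried to come straight back in."""
    hits = []
    for cid, c in correlate(lines).items():
        if (c["dir"] == "inbound" and c["a_if"] == "outside" and c["a_ip"] in own_addresses
                and c["bytes"] == 0 and (c["reason"] or "").startswith("TCP Reset")):
            hits.append({"id": cid, "server": c["b_ip"], "via": c["b_xip"], "reason": c["reason"]})
    return hits

if __name__ == "__main__":
    for h in find_failed_hairpins(SAMPLE_LOG, OWN_EDGE):
        print(f"conn {h['id']}: hairpin to {h['server']} via {h['via']} failed ({h['reason']})")
```

Healthy external sessions (non-zero bytes, "TCP FINs") are left alone, so the report only lists the inside-to-public-IP attempts that the PIX refuses to bounce back through the outside interface.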