02-26-2007 06:52 PM - edited 03-11-2019 02:38 AM
My public IP address changed for my Road Runner connection, so I adjusted my access-list and static NAT statements to reflect the change so users could connect to an FTP server on the inside of my network. After making the changes I'm now getting a log message I've never seen, and I was curious if anyone had.
106001: Inbound TCP connection denied from 60.223.142.199/40169 to 23.209.122.20/19999 flags SYN on interface outside
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
My config:
PIX Version 6.3(5)
object-group service FTP_Port tcp
port-object eq 19999
access-list outside permit tcp any host 23.209.122.20 object-group FTP_Port
ip address outside dhcp setroute (My IP is 23.209.122.20)
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
static (inside,outside) tcp 23.209.122.20 19999 10.10.10.150 ftp netmask 255.255.255.255 0 0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is what I get from Cisco.
Error Message %PIX-2-106001: Inbound TCP connection denied from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name
Explanation: This is a connection-related message. This message occurs when an attempt to connect
to an inside address is denied by your security policy. Possible tcp_flags values correspond to the
flags in the TCP header that were present when the connection was denied. For example, a TCP
packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The
tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
- ACK: The acknowledgment number was received.
- FIN: Data was sent.
- PSH: The receiver passed data to the application.
- RST: The connection was reset.
- SYN: Sequence numbers were synchronized.
- URG: The urgent pointer was declared.
Recommended Action: None required.
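The Cisco text above gives the shape of message 106001 and what the flag values mean, but does not say how to tell a genuine policy gap (a fresh SYN to a port you believe is published, which is what the post shows) from the stateless FIN/ACK or RST leftovers Cisco uses as its example, or from ordinary scan noise. The following is an added example, not code from the original post or from Cisco: a small Python parser for 106001 lines plus a classifier that checks each denial against the static translations you expect to be reachable. The PUBLISHED table is built from the single static statement in the config above; the sample log lines other than the poster's own are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Message 106001 in the shape quoted from the Cisco documentation above.
# The "%PIX-2-" / "%ASA-2-" syslog prefix is optional because the poster's
# log excerpt shows the message without it.
RE_106001 = re.compile(
    r"(?:%(?:PIX|ASA)-\d-)?106001: Inbound TCP connection denied from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)


@dataclass(frozen=True)
class Denied:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]
    ifc: str


def parse_106001(line: str) -> Optional[Denied]:
    """Return the fields of a 106001 message, or None for any other line."""
    m = RE_106001.search(line)
    if not m:
        return None
    return Denied(
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=frozenset(m["flags"].split()),
        ifc=m["ifc"],
    )


# Services the firewall is supposed to publish:
# (outside address, outside port) -> (inside host, inside port).
# Taken from the static statement in the config above (ftp = 21);
# any further entries would be assumptions.
PUBLISHED: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("23.209.122.20", 19999): ("10.10.10.150", 21),
}


def classify(d: Denied) -> str:
    """Sort a denial into what it most likely means for the policy.

    - "policy-mismatch": a fresh SYN to a service we believe is published was
      refused, so the static/ACL pair is not actually matching that traffic
      (the situation in the thread).
    - "stale-state": a non-SYN segment (e.g. FIN ACK, RST) for a published
      service arrived with no matching connection; typical after a connection
      timed out or its xlate was cleared, and Cisco's own example above.
    - "expected-deny": traffic to a port that was never published; scan noise.
    """
    if d.ifc != "outside":
        return "other-interface"
    if (d.dst, d.dport) in PUBLISHED:
        if "SYN" in d.flags and "ACK" not in d.flags:
            return "policy-mismatch"
        return "stale-state"
    return "expected-deny"


def summarize(lines) -> Dict[str, int]:
    """Count classifications over a log; lines that are not 106001 are ignored."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_106001(line)
        if d is not None:
            counts[classify(d)] += 1
    return dict(counts)


# Constructed sample log. The first line is the one from the original post;
# the remaining lines are made up for illustration (their addresses, ports
# and flags do not come from the thread).
SAMPLE_LOGS = [
    "106001: Inbound TCP connection denied from 60.223.142.199/40169 "
    "to 23.209.122.20/19999 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 60.223.142.199/40169 "
    "to 23.209.122.20/19999 flags FIN ACK on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/51022 "
    "to 23.209.122.20/3389 flags SYN on interface outside",
    "%PIX-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/51022",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        d = parse_106001(line)
        if d is not None:
            print(f"{d.src}:{d.sport} -> {d.dst}:{d.dport} "
                  f"{' '.join(sorted(d.flags))}: {classify(d)}")
    print(summarize(SAMPLE_LOGS))
```

Feed it the output of `show logging` (or a syslog file) and look at the "policy-mismatch" bucket: any entry there is a SYN that the outside ACL and static should have accepted but did not, which is exactly the condition to chase before worrying about the FIN/ACK and RST noise.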
02-26-2007 07:06 PM
try...
static (inside,outside) tcp interface 19999 10.10.10.150 ftp netmask 255.255.255.255
and
access-list outside permit tcp any interface outside object-group FTP_Port
02-26-2007 07:12 PM
I replaced my line with the one you gave but got the same result. Any other ideas?
Thanks in advance!
02-26-2007 11:58 PM
Hi
When you changed the translation, did you clear the xlate entry for it?
Jon
02-27-2007 03:53 AM
Yes, I did but had the same error.
06-12-2007 04:02 AM
Hi,
I have the same error with my PIX running version 7.2.2. Did you solve the problem, or have you any suggestions for me?
02-27-2007 04:20 AM
Hi
Sorry for the basic stuff, but how many lines are there in your access-list that is applied to the outside interface?
Jon