Help with: Deny TCP (no connection)

Answered Question
May 10th, 2010

We are going to be renumbering our network and due to how it was set up previously we are dropping in an additional PIX to run side-by-side the existing one while we prep the new configuration. We’ll migrate/change the IPs on the outside for various web apps bit by bit and when we are finished we plan to shut off the original PIX. I’m running into a problem because the PIX#1 is denying outbound access (response to an HTTP request for example) when the original request came through PIX#2.

The complication comes in because we plan to renumber the inside network (undesirable config we’d like to change) as well as the outside (due to ISP change). For each host we are renumbering, we are binding a new IP to the same nic as the old IP. The nic – at this point – still has its gateway specified as the old pix.

So essentially the request is coming through PIX#2 to the new IP bound to the web host and it’s trying to leave PIX#1 to return to the requesting host PC outside the network.

It makes sense that it’s blocking the connection but is there any way we can allow such connections to take place? The idea would be to slowly migrate to using the new PIX for 100% of the traffic but until then both would be used and they both have internal interfaces tapping into the same physical switch with different subnets.

Here is the Syslog entry we are seeing:
2010-05-10 12:26:30    Local4.Info    10.0.0.1    May 10 2010 12:26:57: %PIX-6-106015: Deny TCP (no connection) from 10.100.1.18/80 to 71.99.118.112/50526 flags SYN ACK  on interface

Any ideas?

-H
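The %PIX-6-106015 line above is the classic symptom of asymmetric routing: a SYN ACK leaving through a firewall that never saw the SYN. As an added example (not part of the original thread), here is a small parser that picks out those "no connection" events and counts the inside servers whose replies are taking the wrong path; the inside address range, the interface name on the sample lines and the log lines other than the one quoted in the question are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Parser for the %PIX-6-106015 "Deny TCP (no connection)" message (assumed field layout,
# written here for illustration; it is not a Cisco-supplied parser).
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface(?:\s+(?P<iface>\S+))?"
)

INSIDE_NETS = [ip_network("10.0.0.0/8")]  # assumed inside address space for this site

# Constructed sample log: line 1 is the message from the question, the rest are made up.
SAMPLE_LOG = [
    "May 10 2010 12:26:57: %PIX-6-106015: Deny TCP (no connection) from 10.100.1.18/80 to 71.99.118.112/50526 flags SYN ACK  on interface",
    "May 10 2010 12:27:03: %PIX-6-106015: Deny TCP (no connection) from 10.100.1.18/80 to 71.99.118.112/50530 flags SYN ACK  on interface inside",
    "May 10 2010 12:27:10: %PIX-6-106015: Deny TCP (no connection) from 10.100.1.18/80 to 71.99.118.112/50526 flags RST ACK  on interface inside",
    "May 10 2010 12:27:15: %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 10.100.1.20/51000 flags SYN ACK  on interface outside",
]

def parse_106015(line):
    """Return the fields of a 106015 message as a dict, or None for any other line."""
    m = PIX_106015.search(line)
    if not m:
        return None
    evt = m.groupdict()
    evt["src_port"] = int(evt["src_port"])
    evt["dst_port"] = int(evt["dst_port"])
    evt["flags"] = evt["flags"].split()
    return evt

def is_stray_reply(evt):
    """A SYN ACK from an inside host's listening port with no matching connection means
    this firewall never saw the request: the request came in through another path."""
    src_inside = any(ip_address(evt["src_ip"]) in net for net in INSIDE_NETS)
    server_port = evt["src_port"] < 1024  # heuristic: reply comes from a well-known service port
    return src_inside and server_port and {"SYN", "ACK"} <= set(evt["flags"])

def stray_reply_counts(lines):
    """Count stray SYN ACKs per inside (server, port) so the mis-routed hosts stand out."""
    counts = Counter()
    for line in lines:
        evt = parse_106015(line)
        if evt and is_stray_reply(evt):
            counts[(evt["src_ip"], evt["src_port"])] += 1
    return counts

if __name__ == "__main__":
    for (host, port), n in stray_reply_counts(SAMPLE_LOG).most_common():
        print(f"{host}:{port} sent {n} SYN ACK(s) through a firewall that never saw the SYN")
```

Hosts that show up in this count still have their default gateway pointing at the old PIX while their new address is reached through the new one, which is exactly the state described in the question.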

Correct Answer by Jon Marshall about 6 years 8 months ago

H

Easiest solution would be to simply PAT all source addresses coming in from the outside on pix2 to the inside interface address of pix2; then the return traffic will be automatically sent back to pix2. Something like:

nat (outside) 1 0.0.0.0 0.0.0.0 outside

global (inside) 1 interface

Jon


mhcraig Mon, 05/10/2010 - 11:55

You are right. That works well. I'm going to dig and see if it has any side-effects in our setup, but this should be a great solution even if it's used in the interim.

Thanks for the help!

-H
