PIX denying inbound http connection

dextertorres
Level 1

Hi guys, trying to figure this out but it seems that I'm hitting a wall.

Inbound TCP connection denied from 72.246.30.97/80 to 192.168.2.1/4659 flags SYN ACK on interface Inside

Two internal networks: 192.168.1.0 and 192.168.2.1

The 192.168.1. network works fine and is able to connect to the internet with no issue. I have a NAT entry of NAT (inside) 1 0.0.0.0 0.0.0.0 that's translated to the outside interface.

I also have a static route to our Cisco Catalyst 4000 switch with Layer 3 routing. Routing works inside the network.

I also tested this config in our ASA 5505 appliance and it works with no problem. So basically any request from the 2 network is being dropped by the firewall.

Not sure if I'm missing something; it's a very simple config and shouldn't have a problem. Any input is highly appreciated.

Thanks,

Dexter

12 Replies

Could you post the topology?

I think that this issue is due to a problem with the 3 way handshake. But I need to understand a little better the current topology.

It's very basic actually.

Router----PIX----ROUTER/Switch----internal network

I have a DMZ on the firewall for the VPN concentrator.

You said 2 internal networks?

192.168.1.0 and 192.168.2.1

Is one on your inside and the other one behind the router/switch?

The issue is not very clear. What is not working?

rahmant
Level 1

Maybe anti-spoofing?  If the firewall is directly connected to the 192.168.1.0/24 subnet, do you have a route pointing the 192.168.2.0/24 network to the internal router via the inside interface?

Tariq

The problem is that the 192.168.2.0 network is not able to connect to the internet.

I do have the static route on the inside interface pointing to the internal router for routing. No anti-spoofing, just the firewall. I do have an anti-spyware box in between but all it does is pass traffic.

Can you sanitize and then post the config?  IMHO, it still looks like something is bouncing the response packet going back to the 2.1 address via the firewall from the internal network.  Can you run a capture as well and then post the *.pcap?

Tariq

Here's the ingress file. The egress file is empty.

Will work on the config.

Here's the config.

I know you've said that routing is functioning on the internal network, but I still think there's something that's pushing traffic destined for the 2.x network to the firewall.

You said that you have some kind of anti-spyware device sitting between the firewall and the internal network - is that an L2 or L3 device?  If L3, does it have routes to the 2.x network pointing in the right direction?

From my (admittedly limited) analysis of the capture, the conversations are running something like this:

1) The client initiates an outbound tcp/80 request through the firewall to the web server (SYN)

2) The server responds and sends back a SYN/ACK to the client, which the firewall is passing on to the internal network

3) The firewall then receives that same SYN/ACK response packet against its internal interface.

I'm thinking that something along the return path does not have a route to the 2.x network and is possibly following your site's default route to the firewall.  So when the firewall hands the packet to the internal network destined for the 2.x based client, something in the path is bouncing it right back to the firewall.

I could be wrong, but could you check the routes on all the devices along the path?


Tariq
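The three-step diagnosis above can be checked against the PIX's own deny log rather than only the capture: a SYN/ACK from an outside web server that the PIX rejects on its inside interface is exactly the "bounced reply" pattern described. This is an added example, not code from the thread or from Cisco; it assumes the inside networks are 192.168.1.0/24 and 192.168.2.0/24 and that the log lines look like the one Dexter quoted (PIX syslog message 106001, with or without its syslog prefix).

```python
import re
import ipaddress
from collections import Counter

# PIX 106001 "connection denied" line as quoted in the thread; syslog prefix optional.
DENY_RE = re.compile(
    r"(?:%PIX-\d-106001:\s*)?Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)")

INSIDE_NETS = [ipaddress.ip_network("192.168.1.0/24"),   # networks from the
               ipaddress.ip_network("192.168.2.0/24")]   # thread; /24 assumed

def parse_deny(line):
    """Fields of a 106001 line as a dict, or None if the line is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"], rec["iface"] = set(rec["flags"].split()), rec["iface"].lower()
    return rec

def is_inside(ip):
    return any(ipaddress.ip_address(ip) in net for net in INSIDE_NETS)

def classify(rec):
    """'bounced-reply': a server's SYN/ACK to an inside host came back in on the
    inside interface (wrong return route); 'unexpected-syn': anti-spoofing case."""
    if rec is None:
        return "unparsed"
    if rec["iface"] != "inside" or is_inside(rec["src"]):
        return "other"
    if {"SYN", "ACK"} <= rec["flags"] and is_inside(rec["dst"]):
        return "bounced-reply"
    return "unexpected-syn" if rec["flags"] == {"SYN"} else "other"

def summarize(lines):
    """Verdict count per inside host; 'bounced-reply' pile-ups need route checks."""
    counts = Counter()
    for rec in map(parse_deny, lines):
        counts[(rec["dst"] if rec else "-", classify(rec))] += 1
    return counts

SAMPLE_LOG = [  # constructed: the line from the post plus a made-up retry
    "Inbound TCP connection denied from 72.246.30.97/80 to 192.168.2.1/4659 "
    "flags SYN ACK on interface Inside",
    "%PIX-3-106001: Inbound TCP connection denied from 72.246.30.97/80 "
    "to 192.168.2.1/4660 flags SYN ACK on interface inside",
]
```

Hosts that keep showing up as `bounced-reply` are the ones to trace hop by hop along the return path, since a denied SYN/ACK on the inside interface means the firewall never saw a matching state entry for that direction.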

That's what I thought too. Although I have a small network with the same setup and it seems to work using the static route on the inside interface. I will do more testing.

The anti-spyware is basically a PC with two NICs to pass traffic. It shouldn't be filtering any IP but I will double check it just to make sure.

I tested my VPN from the outside to test the static route to the 192.168.2.0 network and it's working fine. I can ping servers in both networks. I'm still puzzled as to why it doesn't work, as the nat (inside) 1 0.0.0.0 0.0.0.0 should take care of everything. Still doing research.
