Connections through firewall getting dropped - help

Unanswered Question
Sep 29th, 2006

An SSH connection between a NAT'ed client on the DMZ interface and a server on the outside interface gets reset after a few seconds. An SSH connection between a client on the DMZ interface and a server on the inside interface works perfectly. The client is NAT'ed by a guest appliance connected to the DMZ interface. The DMZ interface uses identity NAT (nat zero). All other services between client and the outside interface work perfectly.


A packet capture at the DMZ interface shows that after a Selective ACK is sent from server to client, the NAT gateway sends a RESET which kills the connection. A capture at the SSH client shows that it is not sending the RESET.


Even though NAT zero is in use on the firewall the TCP sequence numbers are still being randomized. Could this be the cause of the problem? Any help greatly appreciated.

Piaras

mmorris11 Fri, 09/29/2006 - 07:03

Is it possible that the "nat gateway" is also randomizing the sequence #s for the same connection?

plwalsh Wed, 10/04/2006 - 02:37

Update:

The problem was only observed with the PuTTY SSH client. The SSH.com client worked perfectly. Even though I was using NAT 0 on the DMZ interface for traffic originating from the NAT gateway, the PIX still randomises TCP sequence numbers.

Using NAT 0 plus norandomseq has resulted in fewer TCP RESETs being issued by the NAT gateway when clients are using PuTTY SSH.
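To make the sequence-number theory in this thread concrete, here is a small model, written for this page and not taken from the thread or from Cisco, of what a second stateful device behind a sequence-randomizing firewall sees when the SACK option is and is not rewritten. Everything in it is an assumption: the names (`StatefulGateway`, `derandomize_inbound`, `simulate`), the offset value, and the premise that the firewall adds a per-connection offset to the client's SEQ outbound and must subtract it from the server's ACK and SACK edges inbound. It does not claim to reproduce the PIX implementation; it shows why a capture that compares the SACK edges on the outside and DMZ interfaces against the client's own sequence space is the check worth doing.

```python
"""Model of TCP initial-sequence-number (ISN) randomization on a firewall and its
effect on the SACK option as seen by a second stateful device (the guest NAT
gateway in the thread) sitting between the firewall and the client.

Constructed illustration; not PIX code. Assumed textbook behaviour: the firewall
adds a per-connection offset to the client's SEQ in the client->server direction
and subtracts it from the ACK and SACK edges in the server->client direction.
A stateful gateway that only knows the client's original sequence space rejects
SACK edges that were not rewritten.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit


@dataclass
class Segment:
    seq: int
    ack: int
    payload_len: int = 0
    # (left, right) SACK edges, expressed in the peer's sequence space
    sack: List[Tuple[int, int]] = field(default_factory=list)


def randomize_outbound(seg: Segment, offset: int) -> Segment:
    """Client->server: the firewall shifts the client's SEQ by the per-connection offset."""
    return Segment((seg.seq + offset) % MOD, seg.ack, seg.payload_len, list(seg.sack))


def derandomize_inbound(seg: Segment, offset: int, fix_sack: bool = True) -> Segment:
    """Server->client: ACK and SACK edges refer to the client's randomized space, so
    the firewall must subtract the offset from both. fix_sack=False models a device
    that rewrites ACK but leaves the SACK option untouched (assumed failure mode)."""
    ack = (seg.ack - offset) % MOD
    if fix_sack:
        sack = [((left - offset) % MOD, (right - offset) % MOD) for left, right in seg.sack]
    else:
        sack = list(seg.sack)
    return Segment(seg.seq, ack, seg.payload_len, sack)


class StatefulGateway:
    """Minimal client->server stream tracker standing in for the guest NAT gateway.
    It tracks the oldest unacknowledged byte (snd_una) and the next byte to send
    (snd_nxt) in the client's ORIGINAL sequence space and resets the connection when
    a server segment (selectively) acknowledges bytes outside that range.
    Sequence wraparound is ignored for readability."""

    def __init__(self, client_isn: int) -> None:
        self.snd_una = client_isn
        self.snd_nxt = client_isn

    def observe_client(self, seg: Segment) -> None:
        self.snd_nxt = max(self.snd_nxt, seg.seq + seg.payload_len)

    def check_server(self, seg: Segment) -> str:
        """Return 'ACCEPT' or 'RST' for a server->client segment."""
        if not (self.snd_una <= seg.ack <= self.snd_nxt):
            return "RST"
        for left, right in seg.sack:
            if not (self.snd_una <= left < right <= self.snd_nxt):
                return "RST"
        self.snd_una = max(self.snd_una, seg.ack)
        return "ACCEPT"


def simulate(fix_sack: bool, offset: int = 0x1234_5678) -> str:
    """Client sends three 100-byte segments; the middle one is lost, so the server
    ACKs the first and SACKs the third. Returns the gateway's verdict on that ACK."""
    client_isn = 1000
    gw = StatefulGateway(client_isn)
    for seq in (1000, 1100, 1200):
        seg = Segment(seq=seq, ack=5000, payload_len=100)
        gw.observe_client(seg)               # inner gateway sees the original SEQ
        _ = randomize_outbound(seg, offset)  # firewall forwards the shifted SEQ
    # The server speaks the randomized space: ACK=1100+offset, SACK=[1200+offset, 1300+offset)
    from_server = Segment(
        seq=5000,
        ack=(1100 + offset) % MOD,
        sack=[((1200 + offset) % MOD, (1300 + offset) % MOD)],
    )
    back_to_client = derandomize_inbound(from_server, offset, fix_sack)
    return gw.check_server(back_to_client)


if __name__ == "__main__":
    print("randomized, SACK rewritten :", simulate(fix_sack=True))            # ACCEPT
    print("randomized, SACK untouched :", simulate(fix_sack=False))           # RST
    print("norandomseq (offset 0)     :", simulate(fix_sack=False, offset=0))  # ACCEPT
```

In this model the RST only appears when both conditions from the thread hold: an offset is in place and the SACK option is not translated; with `norandomseq` the offset is zero, so there is nothing left to rewrite and the gateway accepts the segment, which matches the outcome plwalsh reported. The caveat is that ISN randomization exists to make off-path sequence guessing harder, so disabling it for a NAT 0 path trades that protection for compatibility with the inner gateway; the capture comparison above tells you whether that trade is actually needed.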

