Cisco Support Community

New Member

Help with: Deny TCP (no connection)

We are going to be renumbering our network and due to how it was set up previously we are dropping in an additional PIX to run side-by-side the existing one while we prep the new configuration. We’ll migrate/change the IPs on the outside for various web apps bit by bit and when we are finished we plan to shut off the original PIX. I’m running into a problem because the PIX#1 is denying outbound access (response to an HTTP request for example) when the original request came through PIX#2.

The complication comes in because we plan to renumber the inside network (an undesirable config we’d like to change) as well as the outside (due to an ISP change). For each host we are renumbering, we are binding a new IP to the same NIC as the old IP. The NIC, at this point, still has its gateway specified as the old PIX.

So essentially the request is coming through PIX#2 to the new IP bound to the web host and it’s trying to leave PIX#1 to return to the requesting host PC outside the network.

It makes sense that it’s blocking the connection but is there any way we can allow such connections to take place? The idea would be to slowly migrate to using the new PIX for 100% of the traffic but until then both would be used and they both have internal interfaces tapping into the same physical switch with different subnets.

Here is the Syslog entry we are seeing:
2010-05-10 12:26:30    Local4.Info    10.0.0.1    May 10 2010 12:26:57: %PIX-6-106015: Deny TCP (no connection) from 10.100.1.18/80 to 71.99.118.112/50526 flags SYN ACK  on interface

Any ideas?

-H

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Help with: Deny TCP (no connection)

H

Easiest solution would be to simply PAT all source addresses coming in from the outside on pix2 to the inside interface address of pix2 then the return  traffic will be automatically sent back to pix2. Something like

nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface

Jon
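The following simulation is an added illustration and is not code from the thread or from Cisco. It models why the SYN/ACK in the syslog line is dropped and why Jon's outside PAT makes the problem disappear: two minimal stateful firewalls, a web server with an old and a new address on one NIC, and a default gateway that still points at PIX#1. The client address 71.99.118.112/50526, the server's new address 10.100.1.18/80, and PIX#1's inside address 10.0.0.1 (the syslog reporter) come from the post; PIX#2's inside address 10.100.1.1, the server's old address 10.0.0.18, and the public address 203.0.113.80 mapped to the server by a static on PIX#2 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


class Pix:
    """Minimal model of a PIX 6.x stateful firewall.

    An outside->inside SYN that matches a static creates a connection entry
    keyed on the 4-tuple the inside host will see.  An inside->outside packet
    with no matching entry is dropped and logged like %PIX-6-106015.
    """

    def __init__(self, name, inside_ip, inside_net, statics, outside_pat=False):
        self.name = name
        self.inside_ip = inside_ip                     # address of the inside interface
        self.inside_net = ipaddress.ip_network(inside_net)
        self.statics = statics                         # public IP -> inside IP (static (inside,outside) ...)
        self.outside_pat = outside_pat                 # nat (outside) 1 0.0.0.0 0.0.0.0 outside
                                                       # global (inside) 1 interface
        self.conns = {}                                # (in_ip, in_port, peer_ip, peer_port) -> (real_peer_ip, real_peer_port)
        self.log = []
        self.next_pat_port = 1024

    def from_outside(self, pkt):
        """Outside->inside. Returns the packet as the inside host sees it, or None."""
        if pkt.flags != "SYN" or pkt.dst not in self.statics:
            return None
        inside_dst = self.statics[pkt.dst]
        if self.outside_pat:
            # Outside PAT: the inside host sees the firewall's own inside address as the client.
            peer_ip, peer_port = self.inside_ip, self.next_pat_port
            self.next_pat_port += 1
        else:
            peer_ip, peer_port = pkt.src, pkt.sport
        self.conns[(inside_dst, pkt.dport, peer_ip, peer_port)] = (pkt.src, pkt.sport)
        return Packet(peer_ip, inside_dst, peer_port, pkt.dport, pkt.flags)

    def from_inside(self, pkt):
        """Inside->outside. Forwarded (and un-NATed) only if a connection exists."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conns:
            self.log.append(
                f"%PIX-6-106015: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
                f"to {pkt.dst}/{pkt.dport} flags {pkt.flags} on interface inside"
            )
            return None
        real_dst, real_dport = self.conns[key]
        public_src = next(pub for pub, inside in self.statics.items() if inside == pkt.src)
        return Packet(public_src, real_dst, pkt.sport, real_dport, pkt.flags)


class Host:
    """Web server with two addresses on one NIC and a single default gateway."""

    def __init__(self, addrs, gateway):
        self.addrs = [ipaddress.ip_interface(a) for a in addrs]
        self.gateway = gateway

    def next_hop(self, dst, pixes):
        """A directly connected subnet is used as-is; anything else goes to the default gateway."""
        for a in self.addrs:
            if ipaddress.ip_address(dst) in a.network:
                return next(p for p in pixes if p.inside_net == a.network)
        return self.gateway

    @staticmethod
    def syn_ack(syn):
        return Packet(syn.dst, syn.src, syn.dport, syn.sport, "SYN ACK")


def simulate(outside_pat):
    """Run one inbound HTTP handshake and report which PIX saw the SYN/ACK and what it did."""
    pix1 = Pix("pix1", "10.0.0.1", "10.0.0.0/24", statics={})
    pix2 = Pix("pix2", "10.100.1.1", "10.100.1.0/24",
               statics={"203.0.113.80": "10.100.1.18"}, outside_pat=outside_pat)
    # Old IP plus new IP on the same NIC; the default gateway still points at pix1 (assumed addresses).
    server = Host(["10.0.0.18/24", "10.100.1.18/24"], gateway=pix1)

    # Constructed request: client -> server's public address, arriving through pix2.
    syn = Packet("71.99.118.112", "203.0.113.80", 50526, 80, "SYN")
    inside_syn = pix2.from_outside(syn)
    reply = Host.syn_ack(inside_syn)
    hop = server.next_hop(reply.dst, [pix1, pix2])
    return {"via": hop.name, "forwarded": hop.from_inside(reply), "denied": pix1.log + pix2.log}


if __name__ == "__main__":
    for pat in (False, True):
        r = simulate(pat)
        print(f"outside PAT {'on ' if pat else 'off'}: reply routed via {r['via']}, "
              f"forwarded={r['forwarded'] is not None}, denied={r['denied']}")
```

Without outside PAT the server's reply is addressed to the real client, that address is on neither connected subnet, so the packet goes to the default gateway, PIX#1, which has no connection for it and logs exactly the 106015 line from the post. With `nat (outside) ... outside` plus `global (inside) 1 interface`, the server sees the client as PIX#2's inside interface address, which is directly connected, so the default gateway is never consulted and the reply reaches the PIX that holds the connection; `show xlate` and `show conn` on PIX#2 will show the translation and the connection. The side-effect to weigh before leaving this in place longer than the migration is that every external client now appears to the web servers as PIX#2's inside address, so web-server logs, application rate limiting and any incident investigation lose the real source IP unless the PIX syslog (which still records the outside address) is kept alongside them.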

2 REPLIES

New Member

Re: Help with: Deny TCP (no connection)

You are right, that works well. I'm going to dig and see if it has any side-effects in our setup, but this should be a great solution even if it's used in the interim.

Thanks for the help!

-H
