Cisco Support Community

New Member

PIX denying inbound http connection

Hi guys, trying to figure this out but it seems that I'm hitting a wall.

Inbound TCP connection denied from 72.246.30.97/80 to 192.168.2.1/4659 flags SYN ACK on interface Inside

Two internal networks: 192.168.1.0 and 192.168.2.1

The 192.168.1 network works fine and is able to connect to the internet with no issue. I have a NAT entry of NAT (inside) 1 0.0.0.0 0.0.0.0 that's translated to the outside interface.

I also have a static route to our Cisco Catalyst 4000 switch with layer 3 routing. Routing works inside the network.

I also tested this config in our ASA 5505 appliance and it works with no problem. So basically any request from the .2 network is being dropped by the firewall.

Not sure if I'm missing something; it's a very simple config and shouldn't have a problem. Any input is highly appreciated.

Thanks,

Dexter


12 REPLIES

Re: PIX denying inbound http connection

Could you post the topology?

I think that this issue is due to a problem with the 3-way handshake. But I need to understand the current topology a little better.

New Member

Re: PIX denying inbound http connection

It's very basic actually.

Router----PIX----ROUTER/Switch----internal network

I have a dmz on the firewall for vpn concentrator.

Re: PIX denying inbound http connection

You said 2 internal networks?

192.168.1.0 and 192.168.2.1

Is one on your inside and the other one behind the router/switch?

Re: PIX denying inbound http connection

The issue is not very clear. What is not working?

New Member

Re: PIX denying inbound http connection

Maybe anti-spoofing?  If the firewall is directly connected to the 192.168.1.0/24 subnet, do you have a route pointing the 192.168.2.0/24 network to the internal router via the inside interface?

Tariq

New Member

Re: PIX denying inbound http connection

The problem is that the 192.168.2.0 network is not able to connect to the internet.

I do have the static route on the inside interface pointing to the internal router for routing. No anti-spoofing, just the firewall. I do have an anti-spyware box in between, but all it does is pass traffic.

New Member

Re: PIX denying inbound http connection

Can you sanitize and then post the config?  IMHO, it still looks like something is bouncing the response packet going back to the 2.1 address via the firewall from the internal network.  Can you run a capture as well and then post the *.pcap?

Tariq

New Member

Re: PIX denying inbound http connection

Here's the ingress file. The egress file is empty.

Will work on the config.

New Member

Re: PIX denying inbound http connection

Here's the config.

New Member

Re: PIX denying inbound http connection

I know you've said that routing is functioning on the internal network, but I still think there's something that's pushing traffic destined for the 2.x network to the firewall.

You said that you have some kind of anti-spyware device sitting between the firewall and the internal network - is that an L2 or L3 device?  If L3, does it have routes to the 2.x network pointing in the right direction?

From my (admittedly limited) analysis of the capture, the conversations are running something like this:

1) The client initiates an outbound tcp/80 request through the firewall to the web server (SYN)

2) The server responds and sends back a SYN/ACK to the client, which the firewall is passing on to the internal network

3) The firewall then receives that same SYN/ACK response packet against its internal interface.

I'm thinking that something along the return path does not have a route to the 2.x network and is possibly following your site's default route to the firewall.  So when the firewall hands the packet to the internal network destined for the 2.x based client, something in the path is bouncing it right back to the firewall.

I could be wrong, but could you check the routes on all the devices along the path?


Tariq
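To make the pattern Tariq describes easy to spot in bulk, here is an added example (not code from the thread or from Cisco) that parses PIX "Inbound TCP connection denied" messages and separates SYN/ACK replies arriving on the inside interface, the signature of a bounced return path, from ordinary unsolicited SYNs on the outside. The second and third log lines are constructed for the example; only the first is from the original post.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the message from the thread, lines 2 and 3
# are made up here to show the contrast with a genuine inbound SYN.
SAMPLE_LOG = """\
Inbound TCP connection denied from 72.246.30.97/80 to 192.168.2.1/4659 flags SYN ACK on interface Inside
Inbound TCP connection denied from 72.246.30.97/443 to 192.168.2.15/51002 flags SYN ACK on interface Inside
Inbound TCP connection denied from 203.0.113.7/40012 to 192.168.1.20/22 flags SYN on interface outside
"""

LINE_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)

def parse_line(line):
    """Return a dict for one PIX denied-connection message, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = set(rec["flags"].split())
    rec["iface"] = rec["iface"].lower()  # PIX logs "Inside"/"inside" inconsistently
    return rec

def classify(rec, inside_ifaces=("inside",)):
    """A SYN/ACK from a service port hitting the inside interface is a reply to a
    session the firewall already passed inward, i.e. the return packet was routed
    back at the firewall instead of reaching the client (asymmetric routing)."""
    if rec["iface"] in inside_ifaces and {"SYN", "ACK"} <= rec["flags"] and rec["sport"] < 1024:
        return "asymmetric-return-path"
    if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return "unsolicited-inbound-syn"
    return "other"

def summarize(log_text):
    """Count each class and the internal /24s whose replies are being bounced,
    which points at the subnet missing a route on the inside path."""
    labels, subnets = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        labels[label] += 1
        if label == "asymmetric-return-path":
            subnets[".".join(rec["dst"].split(".")[:3]) + ".0/24"] += 1
    return labels, subnets
```

Feed it the syslog export; a subnet count that rises only for 192.168.2.0/24 while 192.168.1.0/24 stays at zero matches the symptom in this thread.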

New Member

Re: PIX denying inbound http connection

That's what I thought too. Although I have a small network with the same setup and it seems to work using the static route on the inside interface. I will do more testing.

The anti-spyware is basically a PC with two NICs to pass traffic. It shouldn't be filtering any IP, but I would double check it just to make sure.

New Member

Re: PIX denying inbound http connection

I tested my VPN from the outside to test the static route to the 192.168.2.0 network and it's working fine. I can ping servers in both networks. I'm still puzzled as to why it doesn't work, as the nat (inside) 1 0.0.0.0 0.0.0.0 should take care of everything. Still doing research.
