106001: Inbound TCP connection denied from 220.127.116.11/45593 to 18.104.22.168/80 flags SYN on interface outside
This PIX has no other statics. Another PIX I take care of has many statics - I have compared everything I can think of to compare between the two, but so far I can't find what I'm doing wrong.
One more piece of info: response to "sh xlate state static" varies. Sometimes the response includes 22.214.171.124, sometimes not. Attempts to ping and http produce the results above regardless of whether or not the address appears in the xlate table.
"System Messages" doc for v6.3 says "This message occurs when an attempt to connect to an inside address is denied by your security policy." But I don't see anything in the box's config that qualifies...
Problem solved - acl on the outside interface was incomplete, and acl on dmz1 interface was backwards. (Turned out the additional params for permit icmp weren't needed, it was just a matter of including the necessary ACEs for outside, and correcting mistakes for the dmz.)
I still have a question, though.
There's a traffic flow concept that I understood as "Traffic flows from higher security interfaces to lower security interfaces." I thought that meant you didn't need ACEs to allow traffic from higher security interfaces to lower. Yet to get this to work, I had to have
"permit proto any"
in an ACL applied to the DMZ interface.
My interfaces are thus:
nameif ethernet0 ... security0
nameif ethernet1 ... security100
nameif ethernet2 ... security10
The DMZ interface is ethernet2.
The outside interface is ethernet0.
If "traffic flows higher to lower", why do I need an ACL to get a server in the DMZ to converse with the outside world?
You wouldn't...until you wanted to ping the server since icmp does not apply to what you have described above. So as soon as you created an acl into the dmz interface for icmp ping replies, you must then allow all other traffic because of the implicit deny ip any any at the end of the acl.
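The behaviour the reply describes, modelled as an added example (this is not configuration or code from the thread, and the addresses, interface names beyond the three security levels quoted above, and ACL contents are constructed): a first-match evaluator that applies the two rules a PIX uses for traffic arriving on an interface. With no access-group on the interface, the security-level ordering alone decides (higher to lower is permitted). Once any ACL is bound to the interface, only the ACEs decide, and anything that matches no ACE hits the implicit `deny ip any any`. The evaluator is run against an ICMP-only DMZ ACL (the state that broke the server's outbound traffic), the `permit ip any any` fix the reply suggests, and a tighter least-privilege variant.

```python
"""Toy model of PIX interface-ACL evaluation: first match wins, then implicit deny.

Constructed example, not from the forum thread. The security levels come from the
thread's nameif lines; the DMZ server address, peer addresses and ACL contents are
invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# security levels as given in the thread: outside 0, inside 100, dmz 10
SECURITY_LEVELS = {"outside": 0, "dmz1": 10, "inside": 100}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # destination port for tcp/udp
    icmp_type: Optional[str] = None # e.g. "echo-reply" for icmp


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr_match(rule_addr: str, pkt_addr: str) -> bool:
    return rule_addr == "any" or rule_addr == pkt_addr


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True if every field the ACE constrains agrees with the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate_acl(acl: List[ACE], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE decides; no match means the implicit deny at the end."""
    for idx, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace.action, f"matched ACE {idx}: {ace.action} {ace.proto}"
    return "deny", "implicit deny ip any any at end of ACL"


def firewall_decision(ingress_if: str, egress_if: str,
                      acl: Optional[List[ACE]], pkt: Packet) -> Tuple[str, str]:
    """acl=None models an interface with no access-group applied."""
    if acl is None:
        if SECURITY_LEVELS[ingress_if] > SECURITY_LEVELS[egress_if]:
            return "permit", "no ACL on interface; higher to lower security level"
        return "deny", "no ACL on interface; lower to higher security level"
    return evaluate_acl(acl, pkt)


# constructed sample traffic originating from a DMZ server (RFC 5737 test addresses)
DMZ_SERVER = "192.0.2.10"
DNS_QUERY = Packet("udp", DMZ_SERVER, "203.0.113.53", dport=53)
ECHO_REPLY = Packet("icmp", DMZ_SERVER, "203.0.113.9", icmp_type="echo-reply")

# the ACL that broke the server: only the ping replies are permitted
DMZ_ACL_ICMP_ONLY = [ACE("permit", "icmp", icmp_type="echo-reply")]

# the reply's fix: permit everything else too
DMZ_ACL_PERMIT_ALL = DMZ_ACL_ICMP_ONLY + [ACE("permit", "ip")]

# least-privilege alternative: only what this server actually needs outbound
DMZ_ACL_TIGHT = DMZ_ACL_ICMP_ONLY + [
    ACE("permit", "udp", src=DMZ_SERVER, dport=53),
    ACE("permit", "tcp", src=DMZ_SERVER, dport=80),
]


def demo() -> List[Tuple[str, str, str]]:
    """Return (scenario, action, reason) for each ACL against the DNS query."""
    scenarios = [("no ACL", None), ("icmp only", DMZ_ACL_ICMP_ONLY),
                 ("permit ip any any", DMZ_ACL_PERMIT_ALL), ("tight", DMZ_ACL_TIGHT)]
    return [(name, *firewall_decision("dmz1", "outside", acl, DNS_QUERY))
            for name, acl in scenarios]


if __name__ == "__main__":
    for name, action, reason in demo():
        print(f"{name:18s} -> {action:6s} ({reason})")
```

The "no ACL" case shows why the higher-to-lower rule seemed to make ACEs unnecessary; the "icmp only" case shows the implicit deny taking over as soon as one ACE exists on the interface. Between the last two, the tighter ACL restores the server's outbound traffic without the blanket `permit ip any any`, which is what a reviewer would usually ask for on a DMZ interface.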
We have configured the outside and inside Interface with official ipv6 addresses, set a default route on outside Interface to our router, we also have defined a rule, which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...