I have a connection from my LAN to two remote offices, in Dallas and Texas. I have two routers, one for each office, connected with T1 lines. I installed one PIX515e between my LAN and Dallas and Texas, before both routers. So I have 3 Ethernet interfaces: one connected to the LAN switch, the 2nd to the Dallas router's Ethernet and the 3rd to the Texas router's Ethernet.
All client computers on my network are now able to connect to both the Dallas and Texas office computers. Only one application server is not getting a connection to the remote Dallas office application server. However, if I connect the same server directly to the router it gets a connection. So I have pasted the log of my PIX515e. Please see this and tell me what I should do to make a connection between both servers via the PIX.
The LAN application server IP is 172.26.22.100 and the Dallas office server IP is 188.8.131.52.
Log of the PIX515E:
302013: Built outbound TCP connection 323 for outside:184.108.40.206/7661 (220.127.116.11/7661) to inside:172.26.22.102/1320 (172.26.29.26/1320)
106015: Deny TCP (no connection) from 172.26.29.26/1320 to 18.104.22.168/7661 flags RST on interface inside
302013: Built outbound TCP connection 361 for outside:22.214.171.124/7661 (126.96.36.199/7661) to inside:172.26.22.102/1372 (172.26.29.26/1372)
106015: Deny TCP (no connection) from 172.26.29.26/1372 to 188.8.131.52/7661 flags RST on interface inside
Following is the output of the show run command:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security40
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit ip any any
access-list lant permit ip any any
pager lines 24
logging console debugging
logging trap errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz2 1500
ip address outside 172.26.29.2 255.255.255.0
ip address inside 172.26.22.10 255.255.255.0
ip address dmz2 10.46.46.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 172.26.29.30-172.26.29.100 netmask 255.255.255.0
global (dmz2) 1 10.46.46.30-10.46.46.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.26.29.26 172.26.22.102 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group lant in interface inside
access-group acl_out in interface dmz2
route dmz2 10.2.1.0 255.255.255.0 10.46.46.1 1
route outside 10.10.10.0 255.255.255.0 172.26.29.1 1
route dmz2 10.255.255.0 255.255.255.0 10.46.46.1 1
route outside 184.108.40.206 255.255.0.0 172.26.29.1 1
route outside 192.168.30.0 255.255.255.0 172.26.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 172.26.22.112
snmp-server location Office
snmp-server contact imran
snmp-server community xxxxxxx
no snmp-server enable traps
telnet 172.26.22.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Your NAT appears to be working OK, but for some reason the server (172.26.22.102) appears to be rejecting the connection by sending a RST packet. Is there an issue with this application working through NAT?
Thanks for replying, dear. But this application is working in another company with NAT perfectly. I think it shouldn't be a NAT issue. Please help?
I would agree with Grant, your log shows that the PIX has seen a RST (reset) on the inside interface! Check your internal server to verify that there are no anomalies with it. The PIX is NAT'ing correctly.
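To make the point of the two replies above concrete, here is an added example (not from anyone in this thread) that parses the 302013 and 106015 syslog lines quoted in the question, pairs each "Deny TCP (no connection)" with the connection the PIX had built, and reports which real inside host sent the RST after the static xlate; the sample input is constructed from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample input: the four PIX 6.3 syslog lines quoted in the question.
SAMPLE_LOG = """\
302013: Built outbound TCP connection 323 for outside:184.108.40.206/7661 (220.127.116.11/7661) to inside:172.26.22.102/1320 (172.26.29.26/1320)
106015: Deny TCP (no connection) from 172.26.29.26/1320 to 18.104.22.168/7661 flags RST on interface inside
302013: Built outbound TCP connection 361 for outside:22.214.171.124/7661 (126.96.36.199/7661) to inside:172.26.22.102/1372 (172.26.29.26/1372)
106015: Deny TCP (no connection) from 172.26.29.26/1372 to 188.8.131.52/7661 flags RST on interface inside
"""

# 302013 logs each endpoint as iface:real_ip/port (mapped_ip/port); keep the
# remote mapped port and the inside host's real and translated address/port.
BUILT = re.compile(
    r"^302013: Built \w+ TCP connection (?P<cid>\d+) for "
    r"\w+:[\d.]+/\d+ \([\d.]+/(?P<rport>\d+)\) to "
    r"\w+:(?P<ireal>[\d.]+)/\d+ \((?P<imap>[\d.]+)/(?P<import_>\d+)\)$")
# 106015 is a TCP segment dropped because no connection entry matched it.
DENY = re.compile(
    r"^106015: Deny TCP \(no connection\) from (?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to [\d.]+/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<iface>\w+)$")


def correlate(log_text):
    """Pair each 106015 deny with its 302013 connection.

    The deny's source is matched against the inside host's *translated*
    address/port (the static xlate), so the pairing survives NAT rewriting.
    Returns (matched, unmatched); matched rows are
    (conn_id, inside_real_ip, deny_iface, flags), unmatched are raw lines.
    """
    conns, matched, unmatched = {}, [], []
    for line in log_text.splitlines():
        if b := BUILT.match(line):
            conns[(b["imap"], b["import_"], b["rport"])] = (b["cid"], b["ireal"])
        elif d := DENY.match(line):
            conn = conns.get((d["sip"], d["sport"], d["dport"]))
            if conn:
                matched.append((*conn, d["iface"], d["flags"]))
            else:
                unmatched.append(line)
    return matched, unmatched


def rst_senders(log_text):
    """Count RST denies seen on the inside interface per real inside host."""
    matched, _ = correlate(log_text)
    return Counter(host for _, host, iface, flags in matched
                   if flags == "RST" and iface == "inside")
```

Running `rst_senders(SAMPLE_LOG)` on the quoted lines attributes both resets to 172.26.22.102, which is the same conclusion the replies draw from reading the log by hand; any deny that cannot be paired with a built connection is returned separately so it is not silently dropped.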
Run a sniffer (e.g. Ethereal) on the connection from 150.100.0.x?
Config does look OK - the most obvious places to look are NAT, ACL and routing, and they're all OK.
Everything looks fine, I would suggest upgrading to 6.3(5) just to make sure you are not running into any bugs.
Please issue the debug packet command on the PIX. The reason why I suggest this command is so we can see the sequence of flags before the RST is seen.
The command to use is as follows:
debug packet inside src
Repeat the command and capture the output for the inside first. Then stop the debug and re-issue the same command, but this time on the outside interface.
The debug is quite specific so there is not much risk in losing your connection to the FW.
bye for now,
Just something else for you to think about.
Before the PIX was installed you had connectivity, right? So you must make sure that the routing between all the sites is consistent and follows the same routing path. This is particularly important since, as you know, the PIX is holding the session state information and is handling the TCP handshake process.
Look at the routing on each and every device which makes up the hops from source to destination. There is a possibility of asymmetric routing occurring or out-of-sequence packets arriving at the FW. The debugs I gave in my previous post will help us to drill further down to the root cause of this problem.