01-03-2002 02:40 AM - edited 03-08-2019 09:29 PM
Hi!
I have configured an L2TP/IPsec VPN on a PIX 515; on the other side is a WinXP native client.
I can ping from the client to the inside hosts, and UDP services are working (DNS resolving), but TCP connections are denied. Here is the output from the PIX log:
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
So TCP packets from the client to the inside host are allowed, but no xlate is created and the SYN ACK or RST ACK packets are denied (my explanation).
Can anybody help?
Thanks for your time.
robert
01-04-2002 02:48 AM
I'll answer myself - don't use
sysopt ipsec pl-compatible
with
sysopt connection permit-ipsec
sysopt connection permit-l2tp
:-(
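A small triage script for the two points in this thread, added here as an example and not part of the original post: it reads PIX syslog lines like the ones above, keeps the 106015 denies that are server-to-client replies (SYN ACK or RST ACK) toward a VPN client whose original SYN never produced a built TCP connection, summarizes them per client, and separately flags the sysopt combination the self-answer identifies. The VPN address pool (10.82.100.0/24), the 302001 "Built ... TCP connection" line and its faddr/gaddr/laddr layout are assumptions; the 106015 and 302005/302006 lines are copied from the post.

```python
import ipaddress
import re
from collections import defaultdict

# The 106015 and 302005/302006 lines are taken from the post above; the single
# 302001 line is constructed (its faddr/gaddr/laddr layout is assumed to mirror the
# post's UDP lines) so that one normally built TCP flow is present for contrast.
SAMPLE_LOG = """\
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
302001: Built inbound TCP connection 7 for faddr 10.82.100.1/1500 gaddr 10.82.99.5/22 laddr 10.82.99.5/22
"""

# Assumed address pool handed to the L2TP/IPsec clients (the poster's client got 10.82.100.1).
VPN_POOL = ipaddress.ip_network("10.82.100.0/24")

DENY_RE = re.compile(
    r"^106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)$"
)
BUILT_TCP_RE = re.compile(
    r"^302001: Built (?:inbound|outbound) TCP connection \d+ for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr [\d.]+/\d+ laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)$"
)


def unbuilt_return_traffic(log_text, pool=VPN_POOL):
    """Return the 106015 denies that are server->client replies (SYN ACK / RST ACK)
    to a VPN client whose original SYN never produced a built TCP connection.

    Each finding is (client_ip, client_port, server_ip, server_port, flags)."""
    built = set()
    findings = []
    for line in log_text.splitlines():
        m = BUILT_TCP_RE.match(line)
        if m:
            # Record the tracked flow as client->server; faddr is the far (client) side.
            built.add((m["faddr"], int(m["fport"]), m["laddr"], int(m["lport"])))
            continue
        m = DENY_RE.match(line)
        if not m or m["iface"] != "inside":
            continue
        flag_set = set(m["flags"].split())
        if "ACK" not in flag_set or not ({"SYN", "RST"} & flag_set):
            continue  # only the reply half of a handshake or refusal is the symptom
        client, server = m["dst"], m["src"]
        if ipaddress.ip_address(client) not in pool:
            continue
        flow = (client, int(m["dport"]), server, int(m["sport"]))
        if flow in built:
            continue  # the PIX did track this flow, so the deny has another cause
        findings.append((client, int(m["dport"]), server, int(m["sport"]), m["flags"]))
    return findings


def summarize(findings):
    """Per client: handshakes never completed (SYN ACK), refusals (RST ACK) and the
    server ports involved. Retransmitted duplicates are counted once."""
    summary = defaultdict(lambda: {"syn_ack": 0, "rst_ack": 0, "server_ports": set()})
    for client, cport, server, sport, flags in set(findings):
        entry = summary[client]
        entry["syn_ack" if "SYN" in flags else "rst_ack"] += 1
        entry["server_ports"].add(sport)
    return {c: {**v, "server_ports": sorted(v["server_ports"])} for c, v in summary.items()}


def sysopt_conflict(config_text):
    """Flag the combination the self-answer warns about: 'sysopt ipsec pl-compatible'
    configured alongside 'sysopt connection permit-ipsec' or 'permit-l2tp'."""
    present = {line.strip() for line in config_text.splitlines()}
    if "sysopt ipsec pl-compatible" not in present:
        return []
    return sorted(present & {"sysopt connection permit-ipsec", "sysopt connection permit-l2tp"})


if __name__ == "__main__":
    for client, data in summarize(unbuilt_return_traffic(SAMPLE_LOG)).items():
        print(client, data)
    print(sysopt_conflict("sysopt ipsec pl-compatible\nsysopt connection permit-ipsec\n"))
```

Run against the post's lines, the summary shows one client with three SYN ACK replies dropped (ports 80 and 139) and one RST ACK dropped (port 445), while the constructed 302001 flow produces no finding. A deny on a flow that was built is deliberately skipped, since that would point at something other than the missing-connection symptom in this thread.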