Cisco Support Community

New Member

Deny TCP (no connection)

Hi!

I have configured L2TP IPSec VPN on PIX 515; on the other side is a WinXP native client.

I can ping from the client to the inside hosts, and UDP services are working (DNS resolving), but TCP connections are denied. Here is the output from the PIX log:

302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside

So TCP packets from client to inside host are allowed, but no xlate is created and SYN ACK or RST ACK packets are denied (my explanation).

Can anybody help?

Thanks for your time.

robert
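As an added illustration (not part of robert's post, and not a Cisco tool), here is a small Python parser for the two PIX syslog message formats shown in the log above. It counts UDP connections built per remote client and groups the 106015 denies whose flags are SYN ACK or RST ACK, i.e. the reply half of a TCP handshake arriving on the inside interface with no connection entry to match it, which is the pattern the log shows. The sample lines are the ones from the post plus one constructed ACK-only deny to exercise the other branch; the function and field names are my own.

```python
import re
from collections import Counter, defaultdict

# PIX 6.x style syslog lines, as they appear in the thread above (without the
# %PIX-n- prefix). The regexes cover only the two formats the post shows.
RE_DENY_TCP = re.compile(
    r"^(?P<msgid>106015): Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)$"
)
RE_UDP_CONN = re.compile(
    r"^(?P<msgid>30200[56]): (?P<action>Built|Teardown) UDP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)$"
)

# Flag combinations that only occur in the reply half of a TCP handshake:
# SYN ACK answers a SYN, RST ACK refuses one. A firewall with no connection
# entry for the original SYN logs these as "no connection" denies.
REPLY_FLAGS = {frozenset(["SYN", "ACK"]), frozenset(["RST", "ACK"])}

# Constructed sample: the lines from the post, plus one ACK-only deny on the
# outside interface (constructed) so the non-reply branch is exercised.
SAMPLE_LOG = """\
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.100.1/1600 to 10.82.99.5/80 flags ACK on interface outside
"""


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = RE_DENY_TCP.match(line)
    if m:
        rec = m.groupdict()
        rec["flags"] = frozenset(rec["flags"].split())
        rec["kind"] = "deny_tcp"
        return rec
    m = RE_UDP_CONN.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "udp_conn"
        return rec
    return None


def analyze(log_text):
    """Group reply-direction TCP denies per client and compare with UDP state."""
    udp_built = Counter()                   # remote client -> UDP conns built
    reply_denies = defaultdict(Counter)     # client -> Counter[(server, port)]
    other_denies = []                       # 106015 lines that are not replies
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        if rec["kind"] == "udp_conn":
            if rec["action"] == "Built":
                udp_built[rec["faddr"]] += 1
        elif rec["flags"] in REPLY_FLAGS and rec["iface"] == "inside":
            reply_denies[rec["dst"]][(rec["src"], int(rec["sport"]))] += 1
        else:
            other_denies.append(rec)
    # A client for which UDP state is built but whose TCP replies are denied
    # matches the symptom in the thread: the forward SYN passed the firewall
    # without a connection entry being created.
    suspects = sorted(c for c in reply_denies if udp_built.get(c, 0) > 0)
    return {
        "udp_built": dict(udp_built),
        "reply_denies": {c: dict(v) for c, v in reply_denies.items()},
        "other_denies": other_denies,
        "suspect_clients": suspects,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client in result["suspect_clients"]:
        print(f"{client}: {result['udp_built'][client]} UDP conns built, "
              f"TCP replies denied from {result['reply_denies'][client]}")
```

Run against the post's own lines, it reports one client (10.82.100.1) with three UDP connections built and SYN ACK/RST ACK replies denied from 10.82.99.5 ports 139, 445 and 80; the same grouping applied to a larger log separates this symmetric "every TCP reply is dropped" pattern from an isolated out-of-state packet.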

1 REPLY
New Member

Re: Deny TCP (no connection)

I'll answer myself - don't use

sysopt ipsec pl-compatible

with

sysopt connection permit-ipsec

sysopt connection permit-l2tp

:-(
