302014: Teardown TCP connection on pix 515

Hi everybody. Glad you read my post and thank you for the time you spend here. I'm using a PIX 515E with OS 6.3(4). I try to access a web server on its DMZ from a PC on the secure LAN. Here are the IPs of these LANs:

secure: 192.168.7.x. The PIX has an IP of 192.168.7.252 on the LAN. The PC has 192.168.7.12.
DMZ: 192.168.137.x. The PIX has an IP of 192.168.137.252. The web server is 192.168.137.103. (By the way, the DMZ uses a VLAN, but I don't think it causes my problem.)
unsecure: 192.168.47.x. The PIX has 192.168.47.252.

The unsecure zone is served by a router (IP 192.168.47.254 on the unsecure zone, and u.v.w.x on the internet). My ISP gave me the public IP a.b.c.d, which is NATted into 192.168.47.103 by the router. The PIX NATs it again into 192.168.137.103. When I try to access the web server from outside of this LAN (using another site), everything works fine. However, when I try to access it from the secure zone of this LAN, the PC can't access the server.

Here is what I collect from the logs when I try to access it from the secure zone of the LAN:

106100: access-list inside_access_in permitted tcp inside/192.168.7.12(2163) -> outside/a.b.c.d(81) hit-cnt 1 (first hit)
305011: Built dynamic TCP translation from inside:192.168.7.12/2163 to outside:192.168.47.253/28962
302013: Built outbound TCP connection 271372 for outside:a.b.c.d/81 (a.b.c.d/81) to inside:192.168.7.12/2163 (192.168.47.253/28962)
302013: Built inbound TCP connection 271373 for outside:u.v.w.x/33462 (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271373 for outside:u.v.w.x/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271374 for outside:u.v.w.x/33462 (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271374 for outside:u.v.w.x/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271375 for outside:u.v.w.x/33462 (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271375 for outside:u.v.w.x/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O

When I try to access the web server from outside of this LAN (using another site), I collect:

106100: access-list outside_access_in permitted tcp outside/193.251.10.191(11106) -> DMZ_WS/192.168.47.103(81) hit-cnt 1 (first hit)
302013: Built inbound TCP connection 271385 for outside:193.251.10.191/11106 (193.251.10.191/11106) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
106100: access-list outside_access_in permitted tcp outside/193.251.10.191(11107) -> DMZ_WS/192.168.47.103(81) hit-cnt 1 (first hit)
302013: Built inbound TCP connection 271386 for outside:193.251.10.191/11107 (193.251.10.191/11107) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)

I think the "302014: Teardown TCP connection" is the problem, but I don't know how to solve this issue... Thanks again.

Reply to
slhuillier.om

By default this should not work, as the LAN interface has security 100 and the DMZ can be anywhere between 01 and 99. Firewall rules: security 100 can access anything less than 100.

Did you have any access-list stating that the PIX LAN interface can access the DMZ with a specific IP?

Can you post the config?

Regards.. CK-NET

Reply to
NETADMIN

You cannot connect to the "outside" IP address of a host on your DMZ from the inside, or secure network. Doing so would cause the packet to cross from the inside interface to the outside interface, then back *into* the outside interface, then through the DMZ interface. Try testing again by connecting to the real, or configured, IP of the server on the DMZ.

A PIX will not allow a packet to cross two interfaces with the same security level. Typically this means that a packet can't bounce through the same interface. But, if you did an experiment on a PIX by setting one interface at 100 and two interfaces at 50, no traffic could pass between the two interfaces set at 50.

This is a common problem when you don't implement split-DNS at your site. External connections work fine because hostnames resolve to the external IP. Internal connections resolve to the external IP, and the PIX won't allow that connection.

Reply to
Mark Williams
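The symptom Mark describes (the inside client opens a session towards the "outside" address, and the PIX then sees fresh inbound sessions from the outside interface to the DMZ server that die instantly with zero bytes and a reset) is visible in the 302013/302014 messages the original poster pasted. The following script is an added example, not code from the thread or from Cisco: it parses those PIX 6.x connection messages, counts per server endpoint the sessions torn down by a reset before any data moved, and flags an outbound session whose destination port matches a cluster of such resets on a third interface as a possible hairpin. The sample log is the poster's own lines (a.b.c.d and u.v.w.x are their placeholders for public addresses), the interface name "outside" is taken from those lines, and the pairing rule is a heuristic chosen for this example.

```python
"""Parse PIX 6.x syslog connection messages and flag sessions that the firewall
tore down immediately with zero bytes, as in the hairpin case from the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the connection messages quoted in the question,
# one message per line, with the poster's own placeholders for public IPs.
SAMPLE_LOG = """\
106100: access-list inside_access_in permitted tcp inside/192.168.7.12(2163) -> outside/a.b.c.d(81) hit-cnt 1 (first hit)
305011: Built dynamic TCP translation from inside:192.168.7.12/2163 to outside:192.168.47.253/28962
302013: Built outbound TCP connection 271372 for outside:a.b.c.d/81 (a.b.c.d/81) to inside:192.168.7.12/2163 (192.168.47.253/28962)
302013: Built inbound TCP connection 271373 for outside:u.v.w.x/33462 (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271373 for outside:u.v.w.x/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271374 for outside:u.v.w.x/33462 (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271374 for outside:u.v.w.x/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271375 for outside:u.v.w.x/33462 (u.v.w.x/33462) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
302014: Teardown TCP connection 271375 for outside:u.v.w.x/33462 to DMZ_WS:192.168.137.103/81 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built inbound TCP connection 271385 for outside:193.251.10.191/11106 (193.251.10.191/11106) to DMZ_WS:192.168.137.103/81 (192.168.47.103/81)
"""

# 302013: Built {inbound|outbound} TCP connection ID for IF:ip/port (mapped) to IF:ip/port (mapped)
BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<for_if>[^:\s]+):(?P<for_ip>\S+)/(?P<for_port>\d+) \(\S+/\d+\) to "
    r"(?P<to_if>[^:\s]+):(?P<to_ip>\S+)/(?P<to_port>\d+) \(\S+/\d+\)"
)
# 302014: Teardown TCP connection ID for IF:ip/port to IF:ip/port duration H:MM:SS bytes N [reason]
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for \S+ to \S+ "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


@dataclass
class Conn:
    conn_id: int
    direction: str              # "inbound" or "outbound", as the PIX logged it
    client: tuple               # (interface, ip, port) that opened the session
    server: tuple               # (interface, ip, port) the session was opened to
    duration: Optional[str] = None
    nbytes: Optional[int] = None
    reason: Optional[str] = None


def parse_log(text):
    """Return {conn_id: Conn} built from 302013 lines and completed by 302014 lines."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            for_side = (m["for_if"], m["for_ip"], int(m["for_port"]))
            to_side = (m["to_if"], m["to_ip"], int(m["to_port"]))
            # The PIX names the lower-security side first: for an outbound
            # session that is the server, for an inbound one it is the client.
            if m["dir"] == "outbound":
                client, server = to_side, for_side
            else:
                client, server = for_side, to_side
            cid = int(m["id"])
            conns[cid] = Conn(cid, m["dir"], client, server)
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m["id"]) in conns:
            c = conns[int(m["id"])]
            c.duration, c.nbytes, c.reason = m["duration"], int(m["bytes"]), m["reason"]
    return conns


def immediate_resets(conns):
    """Count, per server endpoint, sessions closed by a reset before any data moved."""
    return Counter(c.server for c in conns.values()
                   if c.nbytes == 0 and c.reason and c.reason.startswith("TCP Reset"))


def hairpin_suspects(conns, untrusted_if="outside"):
    """Heuristic (this example's own): an outbound session from a higher-security
    interface towards `untrusted_if`, while sessions arriving *from* `untrusted_if`
    to the same port on a third interface are reset instantly, looks like a client
    using the public address of a server that sits behind another interface.
    Returns [(outbound conn_id, client ip, reset server endpoint, reset count)]."""
    reset_targets = Counter(
        c.server for c in conns.values()
        if c.nbytes == 0 and c.reason and c.reason.startswith("TCP Reset")
        and c.client[0] == untrusted_if and c.server[0] != untrusted_if)
    out = []
    for c in conns.values():
        if c.direction != "outbound" or c.server[0] != untrusted_if:
            continue
        for srv, n in reset_targets.items():
            if srv[0] != c.client[0] and srv[2] == c.server[2]:
                out.append((c.conn_id, c.client[1], srv, n))
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for cid, client_ip, srv, n in hairpin_suspects(parsed):
        print(f"conn {cid}: {client_ip} reached the untrusted side on port {srv[2]}; "
              f"{n} sessions to {srv[0]}:{srv[1]}/{srv[2]} were reset with 0 bytes")
```

The script only confirms the symptom; the working session 271385 from a real external client is parsed too and is not flagged, because it was never torn down with a reset. The fix is the one given in the answer: have inside clients resolve the server's DMZ address (split DNS) rather than its public one.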
