Re: PIX Port Forwarding Problem
- From: "Cisco Newbie" <noemail@xxxxxxxxxxxxxxx>
- Date: Sat, 31 Dec 2005 20:07:23 GMT
Do you know how to stop the PIX thinking the request is trying to access the
internal HTTP service?
"Walter Roberson" <roberson@xxxxxxxxxxxxxxxxxx> wrote in message
news:dp6li1$j31$1@xxxxxxxxxxxxxxxxxxxxxxxxxx
> In article <nRttf.70520$vl2.27121@xxxxxxxxxxxxxxxxxxxxxxxxx>,
> Cisco Newbie <noemail@xxxxxxxxxxxxxxx> wrote:
>>The log I get when trying to access my web site is as follows:
>
>>3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from
>>192.168.1.50/2988 to inside:xx.xx.xx.xx/80
>
> The PIX thinks that you are attempting to access the http service
> of the PIX itself, rather than passing along the request to
> the inside machine.
>
>>4|Dec 31 2005 10:55:32|106023: Deny tcp src outside:64.152.4.80/80 dst
>>inside:xx.xx.xx.xx/5985 by access-group "outside_access_in"
>
> As I recall you are running PIX 7; I don't know much about PIX 7.
> In PIX 6.3, messages such as those are artifacts: the PIX thinks the
> connection has been torn down but then it sees the final packet or two
> from the remote host clearing down the connection, and it logs them
> as if the remote host is trying to create a new connection. This
> situation was handled better in earlier PIX versions and I had hoped
> it would be returned to something more sensible in PIX 7.
>
>>6|Dec 31 2005 10:55:29|609002: Teardown local-host outside:64.233.183.99
>>duration 0:00:00
>
> Hmmm, that's odd. In PIX 6, you can only get local-hosts associated
> with inner interfaces, unless you happen to exchange interface names
> (which the PIX warns about.) Looking at the PIX 7.0 documentation,
> I see that local-host has an expanded role, but I'm having a
> bit of difficulty in working from the examples back to what the
> new local-host conception is.
>
>
>>5|Dec 31 2005 10:55:29|304001: 192.168.1.52 Accessed URL 64.233.183.99:/
>>6|Dec 31 2005 10:55:29|302013: Built outbound TCP connection 5264 for
>>outside:64.233.183.99/80 (64.233.183.99/80) to inside:192.168.1.52/1423
>>(xx.xx.xx.xx/6001)
>>6|Dec 31 2005 10:55:29|305011: Built dynamic TCP translation from
>>inside:192.168.1.52/1423 to outside:xx.xx.xx.xx/6001
>
> I would have expected those last two to be reversed, the TCP translation
> built before the outbound TCP connection. Perhaps the processing order
> has changed in 7.0.
>
>>6|Dec 31 2005 10:55:29|609001: Built local-host outside:64.233.183.99
> --
> If you lie to the compiler, it will get its revenge. -- Henry Spencer
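
An added example, not part of the thread: a Python triage pass over records in the layout quoted above, applying the reading given in the reply (710003 is traffic addressed to the firewall itself; a 106023 deny that matches a flow torn down moments earlier is a trailing packet). The 302014 teardown record, the sample addresses and the 30-second window are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# severity|timestamp|message-id: text  (layout of the log lines quoted in the thread)
LINE = re.compile(r"^(\d)\|(\w{3} \d{1,2} \d{4} [\d:]{8})\|(\d{6}): (.*)$")
BUILT = re.compile(r"Built (?:in|out)bound TCP connection (\d+) for "
                   r"outside:([\d.]+)/(\d+) \(\S+\) to inside:\S+ \(([\d.]+)/(\d+)\)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) ")
DENY = re.compile(r"Deny tcp src outside:([\d.]+)/(\d+) dst inside:([\d.]+)/(\d+)")

SAMPLE = [  # constructed records; addresses are documentation ranges
    "6|Dec 31 2005 10:55:29|302013: Built outbound TCP connection 5264 for "
    "outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.52/1423 (203.0.113.10/6001)",
    "6|Dec 31 2005 10:55:30|302014: Teardown TCP connection 5264 for "
    "outside:198.51.100.7/80 to inside:192.168.1.52/1423 duration 0:00:01 bytes 512 TCP FINs",
    "4|Dec 31 2005 10:55:32|106023: Deny tcp src outside:198.51.100.7/80 dst "
    "inside:203.0.113.10/6001 by access-group \"outside_access_in\"",
    "4|Dec 31 2005 10:55:33|106023: Deny tcp src outside:198.51.100.99/4444 dst "
    "inside:203.0.113.10/80 by access-group \"outside_access_in\"",
    "3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from "
    "192.168.1.50/2988 to inside:203.0.113.10/80",
]

def classify(lines, window=timedelta(seconds=30)):
    """Return (message-id, verdict) for each 710003 / 106023 record."""
    flows, closed, out = {}, {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        when = datetime.strptime(m.group(2), "%b %d %Y %H:%M:%S")
        msgid, text = m.group(3), m.group(4)
        if msgid == "302013" and (b := BUILT.search(text)):
            # conn id -> (peer ip, peer port, mapped ip, mapped port)
            flows[b.group(1)] = b.groups()[1:]
        elif msgid == "302014" and (t := TEARDOWN.search(text)):
            if t.group(1) in flows:
                closed[flows.pop(t.group(1))] = when
        elif msgid == "710003":
            out.append((msgid, "to-the-box: destination treated as the firewall itself"))
        elif msgid == "106023" and (d := DENY.search(text)):
            torn = closed.get(d.groups())  # same 4-tuple as a closed flow?
            late = torn is not None and timedelta(0) <= when - torn <= window
            out.append((msgid, "late packet of a closed flow" if late else "unsolicited attempt"))
    return out

if __name__ == "__main__":
    for msgid, verdict in classify(SAMPLE):
        print(msgid, verdict)
```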