https://community.cisco.com/t5/network-security/weird-pix-problem-accessing-a-specific-website/m-p/147176#M604806 <HTML><HEAD></HEAD><BODY><P>Thanks, but it doesn't really explain why it works fine from every other network, including networks behind PIX's. Why would it be answering from the wrong IP to only one site?</P></BODY></HTML> Wed, 11 Jun 2003 10:15:12 GMT fpineau 2003-06-11T10:15:12Z https://community.cisco.com/t5/network-security/weird-pix-problem-accessing-a-specific-website/m-p/147174#M604804 <P>I have a weird problem trying to access a specific website. No client</P><P>inside the PIX can hit it (although they can all ping it). Clients</P><P>outside the firewall (on different networks) are fine. I get the</P><P>following messages on the firewall:</P><P></P><P>302001: Built outbound TCP connection 49750 for faddr &lt;TARGET</P><P>SUBNET&gt;.179/80 gaddr &lt;SRC SUBNET&gt;.174/3128 laddr 192.168.1.251/3128</P><P>106015: Deny TCP (no connection) from &lt;TARGET SUBNET&gt;.178/80 to &lt;SRC</P><P>SUBNET&gt;.174/3128 flags SYN ACK on interface outside</P><P>106015: Deny TCP (no connection) from &lt;TARGET SUBNET&gt;.178/80 to &lt;SRC</P><P>SUBNET&gt;.174/3128 flags SYN ACK on interface outside</P><P>106015: Deny TCP (no connection) from &lt;TARGET SUBNET&gt;.178/80 to &lt;SRC</P><P>SUBNET&gt;.174/3128 flags ACK on interface outside</P><P></P><P>("&lt;TARGET SUBNET&gt;" and "&lt;SRC SUBNET&gt;" are my edits)</P><P></P><P>&lt;SRC SUBNET&gt;.174 is a static map to 192.168.1.251</P><P></P><P>The errors seem to indicate that the syn ack is coming back from the</P><P>wrong IP address (.178), so the PIX disallows it as it is expecting it</P><P>from .179</P><P></P><P>I've tried this behind several other PIX's on different networks and</P><P>had no trouble.</P><P></P><P>Assuming for the moment that the TARGET site made no changes, is there</P><P>anything on the SRC PIX that could account for this? A bug in the FW</P><P>software, for example?</P><P></P><P>I suspect the target site made some sort of change (they said they</P><P>didn't, but they always say that, don't they?) but I need to be able</P><P>to rule out everything on this end first.</P> Fri, 21 Feb 2020 06:47:40 GMT https://community.cisco.com/t5/network-security/weird-pix-problem-accessing-a-specific-website/m-p/147174#M604804 fpineau 2020-02-21T06:47:40Z https://community.cisco.com/t5/network-security/weird-pix-problem-accessing-a-specific-website/m-p/147175#M604805 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You are to the point accurate with your analysis on the log. It appears that the web server is sending a response back using a different ip which is .178 instead of .179. So, pix is simply dropping the packets as there is no xlate/conn object . I am confident that the problem is not with the PIX, and if really want to prove it, you proabably can put a sniffer on the outside of the pix to verify if pix is logging it right. Based on the pix log, the problem is definitely with the webserver. </P><P></P><P>Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Wed, 11 Jun 2003 04:17:19 GMT https://community.cisco.com/t5/network-security/weird-pix-problem-accessing-a-specific-website/m-p/147175#M604805 mhoda 2003-06-11T04:17:19Z https://community.cisco.com/t5/network-security/weird-pix-problem-accessing-a-specific-website/m-p/147176#M604806 <HTML><HEAD></HEAD><BODY><P>Thanks, but it doesn't really explain why it works fine from every other network, including networks behind PIX's. Why would it be answering from the wrong IP to only one site?</P></BODY></HTML> Wed, 11 Jun 2003 10:15:12 GMT https://community.cisco.com/t5/network-security/weird-pix-problem-accessing-a-specific-website/m-p/147176#M604806 fpineau 2003-06-11T10:15:12Z