PIX Denies Established TCP connection

kevin_noll — Fri, 21 Feb 2020 06:43:26 GMT

I have a PIX 515e with 6 interfaces (5 in use) - inside, outside, dmz, dmz2 and vpn.

I am unable to telnet (or anything else) from dmz2 to dmz or dmz to vpn (possibly other combinations), but I am able to get from inside to anywhere or outside to anywhere, dmz to outside or inside, vpn to inside, etc. (of course, all

these are restricted based on access-lists).

When I attempt to make a connection from dmz2 to dmz, I get the following log messages:

302013: Built inbound TCP connection 375382 for dmz2:10.64.16.25/1168 (10.64.16.

25/1168) to dmz:10.216.120.69/23 (10.216.120.69/23)

106015: Deny TCP (no connection) from 10.216.120.69/23 to 10.64.16.25/1168 flag

s SYN ACK on interface dmz

Here is my PIX configuration:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

nameif ethernet3 vpn security60

nameif ethernet4 dmz2 security40

names

name 10.216.120.22 dcvpn02-public

name 10.216.120.19 dcnet02r-fa0-0

name 10.216.120.21 dcvpn01-public

name 10.216.120.18 dcnet01r-fa0-0

name 10.216.120.17 dcnet0Xr-hsrp

name 10.216.120.69 dcvpn01-private

name 10.216.120.70 dcvpn02-private

name 10.216.120.4 dcnet0X-intrcnct

name 10.216.120.2 dcnet02r-lo0

name 10.216.120.1 dcnet01r-lo0

name 10.216.120.0 dcnet0X-lo0

name 10.216.120.20 dcvpn-pub-lbvip

name 10.216.120.6 dcnet02r-fa0-1

name 10.216.120.5 dcnet01r-fa0-1

name 192.168.239.3 dc6509a-16

name 192.168.239.2 dc6509a-15

name 10.36.172.0 ISP-IP-Addrs

name 10.216.120.16 Outside_Network

name 10.216.120.64 DMZ_Network

name 10.216.120.71 dcdmz01s

name 10.216.120.72 dcdmz02s

name 10.216.120.73 sid

name 10.216.120.74 zurg

name 10.64.32.0 VPN_Clients_32

name 10.64.33.0 VPN_Clients_33

name 172.20.53.204 host1

name 10.3.185.20 host2

object-group network DCNET0X_INTERFACES

description All interfaces on the Internet routers

network-object dcnet01r-lo0 255.255.255.255

network-object dcnet02r-lo0 255.255.255.255

network-object dcnet01r-fa0-1 255.255.255.255

network-object dcnet02r-fa0-1 255.255.255.255

network-object dcnet01r-fa0-0 255.255.255.255

network-object dcnet02r-fa0-0 255.255.255.255

object-group network VPN_CLIENTS

description All VPN Clients

network-object VPN_Clients_32 255.255.255.0

network-object VPN_Clients_33 255.255.255.0

object-group network INSIDE_NETWORKS

description All Inside Networks

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

network-object 10.0.0.0 255.0.0.0

object-group network VPNC_PRIVATE_INT

description Private Interfaces of VPN Concentrators

network-object dcvpn01-private 255.255.255.255

network-object dcvpn02-private 255.255.255.255

network-object 10.64.24.11 255.255.255.255

network-object 10.64.24.12 255.255.255.255

object-group network MGMT_STATIONS

description Network Management Workstations

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

object-group network DMZ_SWITCHES

description Management Interfaces of the DMZ switches

network-object dcdmz01s 255.255.255.255

network-object dcdmz02s 255.255.255.255

network-object 10.64.16.11 255.255.255.255

network-object 10.64.16.12 255.255.255.255

object-group network DNS_SERVERS

description External/Public DNS Servers

network-object sid 255.255.255.255

network-object zurg 255.255.255.255

object-group network DMZ_HOSTS

description These are hosts that are on the DMZ

network-object DMZ_Network 255.255.255.224

object-group network INSIDE_DENIED_INTERNET

description These are inside hosts that are denied Internet access

network-object 10.32.96.0 255.255.252.0

network-object 10.32.24.0 255.255.252.0

object-group network INSIDE_DENIED_DMZ

description These hosts are denied access to the DMZ

network-object 10.32.96.0 255.255.252.0

network-object 10.32.24.0 255.255.252.0

object-group service VPNC_INTERNAL_SERVICES tcp-udp

description TCP and UDP Ports that the VPN Concentrators need to use

port-object eq domain

port-object eq tacacs

port-object eq 69

port-object eq 161

port-object eq 162

port-object eq 514

port-object eq 1645

port-object eq 1646

port-object eq 123

object-group network DO_VPN_CLIENTS

description Clients on remote VPN segments

network-object 10.68.0.0 255.255.0.0

access-list dont_nat permit ip object-group DCNET0X_INTERFACES object-group MGMT_STATIONS

access-list dont_nat permit ip object-group VPNC_PRIVATE_INT object-group INSIDE_NETWORKS

access-list dont_nat permit ip object-group DMZ_SWITCHES object-group MGMT_STATIONS

access-list dont_nat permit ip object-group DNS_SERVERS any

access-list outside_inbound permit udp object-group DCNET0X_INTERFACES any eq tftp

access-list outside_inbound permit udp object-group DCNET0X_INTERFACES any eq ntp

access-list outside_inbound permit udp any object-group DNS_SERVERS eq domain

access-list outside_inbound permit tcp host host2 host 10.216.120.26 eq 8080

access-list outside_inbound permit tcp host 10.216.120.35 any eq www

access-list outside_inbound permit tcp host 10.216.120.35 any eq https

access-list dmz_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq tftp

access-list dmz_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq ntp

access-list dmz_inbound permit tcp object-group DNS_SERVERS object-group INSIDE_NETWORKS eq smtp

access-list dmz_inbound permit udp object-group DNS_SERVERS object-group INSIDE_NETWORKS eq ntp

access-list dmz_inbound deny udp object-group DNS_SERVERS object-group INSIDE_NETWORKS eq domain

access-list dmz_inbound permit udp object-group DNS_SERVERS any eq domain

access-list dmz_inbound permit udp object-group VPNC_PRIVATE_INT object-group INSIDE_NETWORKS object-group VPNC_INTERNAL_SERVICES

access-list dmz_inbound permit ip object-group VPN_CLIENTS any

access-list dmz_inbound permit ip object-group DO_VPN_CLIENTS any

access-list inside_inbound deny ip object-group INSIDE_DENIED_DMZ object-group DMZ_HOSTS

access-list inside_inbound deny ip object-group INSIDE_DENIED_INTERNET any

access-list inside_inbound permit ip object-group INSIDE_NETWORKS any

access-list vpn_inbound permit udp object-group VPNC_PRIVATE_INT object-group INSIDE_NETWORKS object-group VPNC_INTERNAL_SERVICES

access-list vpn_inbound permit ip object-group VPN_CLIENTS any

access-list vpn_inbound permit ip object-group DO_VPN_CLIENTS any

access-list vpn_inbound permit ip object-group VPNC_PRIVATE_INT VPN_Clients_32 255.255.255.0

access-list dmz2_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq tftp

access-list dmz2_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq ntp

access-list dmz2_inbound permit ip host 10.64.17.35 object-group INSIDE_NETWORKS

access-list dmz2_inbound permit ip 10.64.16.0 255.255.255.0 10.64.24.0 255.255.255.0

access-list dmz2_inbound permit ip 10.64.16.0 255.255.255.0 10.32.0.0 255.255.0.0

access-list dmz2_inbound permit ip host 10.64.16.25 host dcvpn01-private

access-list dont_nat_vpn permit ip 10.64.24.0 255.255.255.0 VPN_Clients_32 255.255.255.0

access-list dont_nat_vpn permit ip VPN_Clients_32 255.255.255.0 10.64.24.0 255.255.255.0

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 100full

interface ethernet4 100full

ip address outside 10.216.120.23 255.255.255.240

ip address inside 192.168.225.15 255.255.255.0

ip address dmz 10.216.120.66 255.255.255.224

ip address vpn 10.64.24.1 255.255.252.0

ip address dmz2 10.64.16.1 255.255.252.0

ip address intf5 127.0.0.1 255.255.255.255

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

ip verify reverse-path interface vpn

ip verify reverse-path interface dmz2

global (outside) 100 10.216.120.25

global (outside) 160 10.216.120.26

nat (inside) 0 access-list dont_nat

nat (inside) 100 0.0.0.0 0.0.0.0 0 0

nat (dmz) 100 VPN_Clients_32 255.255.255.0 0 0

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.240.0.0 0 0

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (dmz,outside) sid sid netmask 255.255.255.255 0 0

static (dmz,outside) zurg zurg netmask 255.255.255.255 0 0

static (inside,outside) 10.216.120.26 host1 netmask 255.255.255.255 0 0

static (inside,dmz) 10.32.0.0 10.32.0.0 netmask 255.255.0.0 0 0

static (inside,vpn) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

static (inside,vpn) 172.16.0.0 172.16.0.0 netmask 255.240.0.0 0 0

static (inside,vpn) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (dmz2,outside) 10.216.120.35 10.64.17.35 netmask 255.255.255.255 0 0

static (inside,dmz2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0 0 0

static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (vpn,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (vpn,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (dmz,dmz2) DMZ_Network DMZ_Network netmask 255.255.255.224 0 0

access-group outside_inbound in interface outside

access-group inside_inbound in interface inside

access-group dmz_inbound in interface dmz

access-group dmz2_inbound in interface dmz2

rip dmz passive version 2

rip vpn passive version 2

route outside 0.0.0.0 0.0.0.0 dcnet0Xr-hsrp 1

route dmz 10.1.1.0 255.255.255.0 dcvpn01-private 1

route dmz 10.1.2.0 255.255.255.0 dcvpn02-private 1

route inside 10.32.0.0 255.255.0.0 192.168.225.1 1

route inside 10.33.0.0 255.255.0.0 192.168.225.1 1

route dmz VPN_Clients_32 255.255.255.0 dcvpn01-private 1

route vpn VPN_Clients_33 255.255.255.0 10.64.24.12 1

route outside ISP-IP-Addrs 255.255.255.0 dcnet0Xr-hsrp 1

route inside 172.16.0.0 255.240.0.0 192.168.225.1 1

route inside 192.168.0.0 255.255.0.0 192.168.225.1 1

Re: PIX Denies Established TCP connection

yizhar — Tue, 06 May 2003 19:11:03 GMT

HI.

I would try the following:

> ip verify reverse-path interface dmz

Try without the above line - just for the test.

> static (dmz,dmz2) DMZ_Network DMZ_Network netmask 255.255.255.224

Try to remove that line and add:

access-list nonatdmz permit ip 10.216.120.64 255.255.255.224 10.64.16.0 255.255.252.0

nat (dmz) 0 access-list nonatdmz

Does it change anything?

Re: PIX Denies Established TCP connection

kevin_noll — Wed, 07 May 2003 01:42:23 GMT

I noticed in my original post that I forgot to actually say what I wanted to do. I think you figured it out, though. I need to be able to get traffic from dmz or dmz2 to vpn and vice versa.

I've tried what you suggested already, but I did it again.

I'm a bit frustrated, the various configurations I've tried have either gotten me

"305005: No translation group found for tcp src dmz:10.64.32.1/1336 dst vpn:10.64.24.12/23" (this is what I got with your suggestions)

or I get the "deny TCP" that I posted in the original.

Turning off reverse-path didn't change anything.

--kan--

Re: PIX Denies Established TCP connection

gfullage — Wed, 07 May 2003 04:34:00 GMT

You need to fix up these, they'll definately be causing strange things:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (inside,vpn) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (vpn,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (vpn,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

In one command you're telling the PIX the whole 10.0.0.0 subnet sits on the inside interface, then you're telling it it sits on the vpn interface (yes, these override the static routes when the PIX receives packets on interfaces). Make all your statics reference the specific subnets only that are on each interface (there doen't seem to be too many going by your static routes), and see how you go.

Try plugging your config into the Output Interpretor (https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl) and it'll tell you a wealth of information.

Re: PIX Denies Established TCP connection

kevin_noll — Thu, 08 May 2003 00:22:06 GMT

I was suspecting that these overlaps may be problems, but nothing that I could find indicated it was for sure. They are. I put the more specific statics in the config and it fired right up.

Thanks for the help.

topic Re: PIX Denies Established TCP connection in Network Security

PIX Denies Established TCP connection

Re: PIX Denies Established TCP connection

Re: PIX Denies Established TCP connection

Re: PIX Denies Established TCP connection

Re: PIX Denies Established TCP connection