https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718817#M970778 <P>I may be missing something obvious, but would appreciate some help.</P><P></P><P>I'm attempting to establish new connectivity to an inside server from an outside vendor. The traffic is being denied with no connection as soon as the conversation is initiated. I can see the entry in the conn table while the connection is being refused. Messages in log:</P><P></P><P></P><P></P><P>302013: Built inbound TCP connection 479966211 for dmz_vendor:a.b.c.d/52249 (a.b.c.d/52249) to inside:1.2.3.4/80 </P><P></P><P>106015: Deny TCP (no connection) from 1.2.3.4/80 to a.b.c.d/52249 flags SYN ACK on interface inside</P><P></P><P>The deny is the very next message in the log, so there is no delay. At the same time, I was showing the conn table (repeatedly) and saw:</P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1808 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:03 Bytes 0 flags SaAB</P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1820 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:06 Bytes 0 flags SaAB</P><P></P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1794 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:13 Bytes 0 flags SaAB</P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1788 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:14 Bytes 0 flags SaAB</P><P></P><P>So I don't understand why the outgoing packet is being denied for no connection, when the entry is in the conn table. Any ideas? </P> Mon, 11 Mar 2019 11:01:14 GMT msanford3755 2019-03-11T11:01:14Z https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718817#M970778 <P>I may be missing something obvious, but would appreciate some help.</P><P></P><P>I'm attempting to establish new connectivity to an inside server from an outside vendor. The traffic is being denied with no connection as soon as the conversation is initiated. I can see the entry in the conn table while the connection is being refused. Messages in log:</P><P></P><P></P><P></P><P>302013: Built inbound TCP connection 479966211 for dmz_vendor:a.b.c.d/52249 (a.b.c.d/52249) to inside:1.2.3.4/80 </P><P></P><P>106015: Deny TCP (no connection) from 1.2.3.4/80 to a.b.c.d/52249 flags SYN ACK on interface inside</P><P></P><P>The deny is the very next message in the log, so there is no delay. At the same time, I was showing the conn table (repeatedly) and saw:</P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1808 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:03 Bytes 0 flags SaAB</P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1820 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:06 Bytes 0 flags SaAB</P><P></P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1794 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:13 Bytes 0 flags SaAB</P><P></P><P>ibk-pix-firewall# sh conn local 1.2.3.4</P><P>1788 in use, 5550 most used</P><P>TCP out a.b.c.d:52249 in 1.2.3.4:80 idle 0:00:14 Bytes 0 flags SaAB</P><P></P><P>So I don't understand why the outgoing packet is being denied for no connection, when the entry is in the conn table. Any ideas? </P> Mon, 11 Mar 2019 11:01:14 GMT https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718817#M970778 msanford3755 2019-03-11T11:01:14Z https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718818#M970779 <HTML><HEAD></HEAD><BODY><P>Mike, could you post the access list for others to see, strip out public ip info, are you natting from the dmz to the inside if so is the vendor connecting to the nat address instead of your local host IP? </P><P></P><P></P></BODY></HTML> Wed, 22 Aug 2007 15:05:17 GMT https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718818#M970779 JORGE RODRIGUEZ 2007-08-22T15:05:17Z https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718819#M970780 <HTML><HEAD></HEAD><BODY><P>Do you have ACL's restricting traffic inbound at the inside interface?</P></BODY></HTML> Wed, 22 Aug 2007 15:43:46 GMT https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718819#M970780 rigoberto.cintron 2007-08-22T15:43:46Z https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718820#M970781 <HTML><HEAD></HEAD><BODY><P>hi ensure that the following are present.</P><P></P><P>1. static NAT for the private IP to a public IP</P><P></P><P>2. access list on the outside allowing http access to the Public IP of the server ( as above )</P><P></P><P>3. Access group has been applied on the outside interface : )</P><P></P><P>4 route available to the inside &amp; outside interfaces.</P></BODY></HTML> Thu, 23 Aug 2007 12:25:42 GMT https://community.cisco.com/t5/network-security/pix-connection-problem/m-p/718820#M970781 anandramapathy 2007-08-23T12:25:42Z