10-06-2005 12:49 AM - edited 02-21-2020 12:26 AM
Hi, that's the problem:
When I try to connect MSN it's not possible.
I saw that on the firewall:
---
305011: Built dynamic TCP translation from inside:inside-ip/1166 to outside:outside-ip/55586
302013: Built outbound TCP connection 75493 for outside:65.54.239.20/1863 (65.54.239.20/1863) to inside:inside-ip/1166 (outside-ip/55586)
305011: Built dynamic TCP translation from inside:inside-ip/1167 to outside:outside-ip/55587
302013: Built outbound TCP connection 75494 for outside:207.46.0.22/1863 (207.46.0.22/1863) to inside:inside-ip/1167 (outside-ip/55587)
302014: Teardown TCP connection 75493 for outside:65.54.239.20/1863 to inside:inside-ip/1166 duration 0:00:01 bytes 302 TCP FINs
305011: Built dynamic TCP translation from inside:inside-ip/1169 to outside:outside-ip/55588
302013: Built outbound TCP connection 75495 for outside:65.54.183.198/443 (65.54.183.198/443) to inside:inside-ip/1169 (outside-ip/55588)
302014: Teardown TCP connection 75495 for outside:65.54.183.198/443 to inside:inside-ip/1169 duration 0:00:01 bytes 2445 TCP FINs
106023: Deny tcp src outside:65.54.183.198/443 dst inside:outside-ip/55588 by access-group "incoming"
305011: Built dynamic TCP translation from inside:inside-ip/1171 to outside:outside-ip/55589
302013: Built outbound TCP connection 75497 for outside:65.54.131.249/443 (65.54.131.249/443) to inside:inside-ip/1171 (outside-ip/55589)
302014: Teardown TCP connection 75497 for outside:65.54.131.249/443 to inside:inside-ip/1171 duration 0:00:01 bytes 3110 TCP FINs
106023: Deny tcp src outside:65.54.131.249/443 dst inside:outside-ip/55589 by access-group "incoming"
---
1) I can see dynamic TCP translation
2) outbound connection is built
3) --> teardown TCP connection (TCP FINs)
4) the internet-server tries to connect to the closed TCP-connection --> blocked by incoming ACL
It looks like the TCP-session is closed too early...
Does anyone have an idea?
Regards
Dieter
10-06-2005 02:53 AM
Dieter,
From the log you've posted it looks like your ACL (named "incoming") is blocking port 443 (SSL), which MSN uses to authenticate. Can you post your PIX configuration please (take out any sensitive info)?
Thanks -
Jay
10-06-2005 04:09 AM
Jay,
In the log you can see that the 443-session has been closed one line before,
and then the Internet server tries to connect to the closed 443-session. --> denied by ACL incoming
No access to the config at the moment...
ACL incoming just allows SMTP.
No outgoing ACL configured.
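
The correlation discussed in this thread (a 106023 deny that follows the 302014 teardown of the same connection), as an added example that is not part of any post: it separates denies whose source and translated destination match an already torn-down connection from denies that match no known connection. The function name and verdict labels are hypothetical, the patterns assume the three message formats exactly as quoted in the first post, and the last sample line is constructed.

```python
import re

# Patterns follow the three PIX message formats quoted in the first post.
BUILT = re.compile(r"302013: Built outbound TCP connection (\d+) for "
                   r"outside:(\S+) \(\S+\) to inside:\S+ \((\S+)\)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) ")
DENY = re.compile(r"106023: Deny tcp src outside:(\S+) dst inside:(\S+) by")


def classify_denies(lines):
    """Return (src, dst, verdict) for every 106023 deny in `lines`."""
    open_conns = {}  # connection id -> (remote ip/port, translated ip/port)
    closed = set()   # (remote, translated) pairs that were already torn down
    results = []
    for line in lines:
        if m := BUILT.search(line):
            open_conns[m.group(1)] = (m.group(2), m.group(3))
        elif m := TEARDOWN.search(line):
            pair = open_conns.pop(m.group(1), None)
            if pair:
                closed.add(pair)
        elif m := DENY.search(line):
            pair = (m.group(1), m.group(2))
            verdict = "late-after-teardown" if pair in closed else "unsolicited"
            results.append((pair[0], pair[1], verdict))
    return results


# First three lines are copied from the first post; the fourth is constructed
# (documentation address 203.0.113.9) to show a deny with no prior connection.
SAMPLE = [
    '302013: Built outbound TCP connection 75495 for outside:65.54.183.198/443 '
    '(65.54.183.198/443) to inside:inside-ip/1169 (outside-ip/55588)',
    '302014: Teardown TCP connection 75495 for outside:65.54.183.198/443 to '
    'inside:inside-ip/1169 duration 0:00:01 bytes 2445 TCP FINs',
    '106023: Deny tcp src outside:65.54.183.198/443 dst inside:outside-ip/55588 '
    'by access-group "incoming"',
    '106023: Deny tcp src outside:203.0.113.9/40000 dst inside:outside-ip/23 '
    'by access-group "incoming"',
]

if __name__ == "__main__":
    for src, dst, verdict in classify_denies(SAMPLE):
        print(f"{src} -> {dst}: {verdict}")
```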