PIX Syslog Question

davemit
Level 1

I just set up a syslog server for my PIX and am trying to figure out why I am getting so many messages. I am getting tons of these:

PIX-2-106001: Inbound TCP connection denied from [internet web server]:80 [PIX Outside Global Interface]:[Random PAT port] TCP_flags

Hopefully that syntax made sense.

Basically the PIX is denying traffic from internet servers on port 80 with the destination to the global interface. The destination port is always different, usually incrementing on the higher numbers.

As best as I can tell an inside host is hitting an external web page, going through PAT on the firewall, and the firewall is denying the return traffic. The weird thing is that my users are not complaining of problems with the internet. So why am I getting tons of these severity 2 syslog messages?

I hope I explained that properly. Thanks for the help.

2 Replies

thisisshanky
Level 11

It depends on the destination web-server. If the service hosted by the webserver is trying to open a port inbound to your host PCs, that will get denied and logged by the PIX.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

It's weird though, because this is happening all the time to all sorts of web servers on the internet. The traffic looks like what you would expect when a web server is responding to an HTML request. It is sending packets back from port 80 to the firewall's global IP, on one of the high, presumably PAT translated ports. You would think this would be normal. But for some reason my syslogs are filled with dropped packets... yet no complaints from the users.
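Before guessing at a cause, it helps to sort the denials the way a firewall does: a denied packet that carries SYN is a refused connection attempt, while one carrying only ACK, FIN or RST is a packet for which the PIX holds no matching connection entry (for example a late segment arriving after the translation was torn down). The script below is an added example, not code from either poster. It parses %PIX-2-106001 lines in their documented layout ("Inbound TCP connection denied from SRC/PORT to DST/PORT flags FLAGS on interface NAME"), ignores other message IDs, and tallies the denials by source server, by TCP flag set, and by whether SYN is present. The log lines, addresses and ports embedded in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the documented %PIX-2-106001 format.
# Addresses (RFC 5737 ranges), ports and flags are made up for this example;
# the 302013 line is included to show that unrelated messages are skipped.
SAMPLE_LOG = """\
Jan 10 09:15:01 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/80 to 198.51.100.1/50321 flags FIN ACK on interface outside
Jan 10 09:15:01 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/80 to 198.51.100.1/50322 flags ACK on interface outside
Jan 10 09:15:02 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.55/80 to 198.51.100.1/50400 flags RST on interface outside
Jan 10 09:15:03 pix %PIX-2-106001: Inbound TCP connection denied from 192.0.2.7/443 to 198.51.100.1/50510 flags SYN on interface outside
Jan 10 09:15:04 pix %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.0.0.5/50323 (198.51.100.1/50323)
Jan 10 09:15:05 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/80 to 198.51.100.1/50321 flags FIN ACK on interface outside
"""

# Matches only message ID 106001 and captures the 5-tuple-ish fields.
DENY_RE = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_denials(text):
    """Yield one dict per 106001 line in the text; other message IDs are ignored."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            event = m.groupdict()
            event["sport"] = int(event["sport"])
            event["dport"] = int(event["dport"])
            yield event


def summarize(text):
    """Tally denials by source server, by flag set, and by SYN presence.

    Returns a dict with:
      total        - number of 106001 lines seen
      by_source    - Counter keyed by (src_ip, src_port)
      by_flags     - Counter keyed by the literal flag string, e.g. "FIN ACK"
      without_syn  - denials whose flags lack SYN (not new connection attempts,
                     so the PIX had no connection entry to match them to)
      to_high_port - denials whose destination port is >= 1024, i.e. landing
                     in the range PAT translations are drawn from
    """
    events = list(parse_denials(text))
    by_source = Counter((e["src"], e["sport"]) for e in events)
    by_flags = Counter(e["flags"] for e in events)
    without_syn = sum(1 for e in events if "SYN" not in e["flags"].split())
    to_high_port = sum(1 for e in events if e["dport"] >= 1024)
    return {
        "total": len(events),
        "by_source": by_source,
        "by_flags": by_flags,
        "without_syn": without_syn,
        "to_high_port": to_high_port,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['total']} denials, {result['without_syn']} without SYN")
    for (src, sport), n in result["by_source"].most_common():
        print(f"  {src}:{sport}  {n}")
    for flags, n in result["by_flags"].most_common():
        print(f"  flags [{flags}]  {n}")
```

Feed it a real syslog file in place of SAMPLE_LOG and look at the two tallies together: if nearly every denial is to a high destination port and lacks SYN, the packets are not refused inbound connections but late or duplicate segments for flows the PIX is no longer tracking, which is consistent with users seeing no breakage. A large share of SYN denials from port 80, by contrast, would mean servers really are trying to open connections back in and deserves a closer look at those sources.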
