Sign in with
Sign up | Sign in
Your question

pix 515E cannot access www or telnet

Last response: in Networking
Share
April 16, 2004 3:18:31 PM

Archived from groups: comp.security.firewalls (More info?)

Hi,

I've been battling along last 2 days with my config and the end result is I
can only ping / tracert to machines on the internet.
All hosts on the network run on public ip addresses therefore no natting.

I allow telnet but cannot telnet - or it seems somewhere data is getting
lost and telnet session never establishes. This is what log shows:

Built outbound TCP connection 17 for faddr 196.4.16.227/23 gaddr
66.8.177.x/3901 laddr 66.8.177.x/3901

After a while it shows:
Teardown TCP connection 17 faddr 196.4.16.227/23 gaddr 66.8.177.x/3901
laddr 66.8.177.x/3901duration 02:11 bytes 0 (SYN Timeout)

I have tried adding a route statement on router for 66.8.177.x to the
internal interface of the pix and no difference. I do know the access list
is working because when I remove telnet access for the host 66.8.177.x then
the log shows dropped connection due to access list.

Where can I start looking to debug this, any ideas / recommendations?
Anonymous
April 16, 2004 3:18:32 PM

Archived from groups: comp.security.firewalls (More info?)

jonathan wrote:
> Hi,
>
> I've been battling along last 2 days with my config and the end result is I
> can only ping / tracert to machines on the internet.
> All hosts on the network run on public ip addresses therefore no natting.
>
> I allow telnet but cannot telnet - or it seems somewhere data is getting
> lost and telnet session never establishes. This is what log shows:
>
> Built outbound TCP connection 17 for faddr 196.4.16.227/23 gaddr
> 66.8.177.x/3901 laddr 66.8.177.x/3901
>
> After a while it shows:
> Teardown TCP connection 17 faddr 196.4.16.227/23 gaddr 66.8.177.x/3901
> laddr 66.8.177.x/3901duration 02:11 bytes 0 (SYN Timeout)
>
> I have tried adding a route statement on router for 66.8.177.x to the
> internal interface of the pix and no difference. I do know the access list
> is working because when I remove telnet access for the host 66.8.177.x then
> the log shows dropped connection due to access list.
>
> Where can I start looking to debug this, any ideas / recommendations?
>
>
So if all machines run public IP's how do you have the interfaces
configured? What is you trusted interface (inside network) and what is
your untrusted interface(outside network)? You could post relevant
portions of your config munging ip's and passwords.


Chad
April 16, 2004 7:22:25 PM

Archived from groups: comp.security.firewalls (More info?)

I was a dummy. On the router I had a route statement sending traffic to the
"internal" if instead of the outside interface of the pix. I changed the
route statement around and it worked.
!