Sign in with
Sign up | Sign in
Your question

pix 6.1 upgrade to pix 6.3(3) - access lists dont work any..

Last response: in Networking
Share
May 26, 2004 7:35:53 PM

Archived from groups: comp.security.firewalls (More info?)

Hello

I had a working config on my pix 515E, but upgraded to 6.3(3). Servers are
on public IP's and therefore no natting is involved.
The error I get is :
Local4.Critical 66.5.61.2 May 26 2004 15:47:00: %PIX-2-106001: Inbound TCP
connection denied from 196.15.130.4/8826 to 216.136.76.11/80 flags PSH ACK
on interface outside

any idea how to solve this ?
The access lists look like :
access-list inside_access_in permit tcp host 216.136.76.11 eq www any
access-list outside_access_in permit tcp any host 216.136.76.11 eq www
May 26, 2004 7:47:24 PM

Archived from groups: comp.security.firewalls (More info?)

error is actually :
Local4.Critical 66.5.61.2 May 26 2004 15:47:00: %PIX-2-106001: Inbound TCP
connection denied from 196.15.130.4/8826 to 216.136.76.11/80 flags SYN on
interface outside
May 27, 2004 5:13:13 AM

Archived from groups: comp.security.firewalls (More info?)

Simple question, but are the access lists still showing as applied to
the interfaces. You shouldn't need the first access list you have listed
as the traffic matching it should be a response to a legitimate http
request and the firewall will allow it out based on the translation
built during the inbound syn packet.

There are only three things needed to allow traffic. Routes,
translations and permissions. Verify these three and you should be good.

Mark

jonathan wrote:
> error is actually :
> Local4.Critical 66.5.61.2 May 26 2004 15:47:00: %PIX-2-106001: Inbound TCP
> connection denied from 196.15.130.4/8826 to 216.136.76.11/80 flags SYN on
> interface outside
>
>
!