Firewall Wizards mailing list archives

pix configuration / errors question


From: Tomasz Ramsza <tomasz.ramsza () cc com pl>
Date: Mon, 10 Nov 2003 14:56:08 +0100

Hello all,

We have a very simple configuration. No NAT is used. In the internal LAN there are about 100 users accessing WWW proxy server at 192.168.1.10:80. It is the only allowed traffic. Everything is working fine (users are not complaining), but in the logs there are some errors. For example:

Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.138/3865 by access-group "acl_out"

Just as if PIX was "forgetting" about the outgoing TCP connections too fast?

I have set logging to debug level and checked that connections to proxy server are finished by: FINs (ok), Reset-I or Reset-O. I know what it means on TCP level but I don't know if this is normal when IE is talking to proxy.

The questions are:

- is it a normal behaviour?
- if not, what can be changed?


We have the following PIX 515 configuration:
=================================================
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol http 80
names
access-list acl_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq www
access-list acl_in deny ip any any
access-list acl_out deny ip any any
pager lines 24
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
arp timeout 14400
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
=================================================


Thanks in advance,

Tomek

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
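A defender looking at those deny lines would want to separate the two cases the post mixes together: reply packets from the permitted proxy flow that PIX dropped after it had already torn the connection down, and genuinely unsolicited inbound traffic that acl_out is meant to stop. The following Python, added here and not part of the original post, parses PIX 6.x access-group deny lines and classifies them against the posted acl_in rule; the sample log lines, the classify/summarize names and the 1024 ephemeral-port cutoff are assumptions.

```python
import ipaddress
import re
from collections import Counter

# PIX 6.x access-group deny line, in the format quoted in the post above.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Taken from the posted configuration: the only permitted flow is
# inside 10.10.10.0/24 -> proxy 192.168.1.10 port 80; acl_out denies everything.
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")
PROXY_IP = ipaddress.ip_address("192.168.1.10")
PROXY_PORT = 80
EPHEMERAL_MIN = 1024  # assumed lower bound for client source ports

def classify(line):
    """Return (category, fields) for an ACL deny line, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    sip, dip = ipaddress.ip_address(f["sip"]), ipaddress.ip_address(f["dip"])
    sport, dport = int(f["sport"]), int(f["dport"])
    # Reply packets of the permitted client->proxy flow arriving after the
    # connection entry is gone look exactly like this: proxy:80 -> client:ephemeral.
    if (f["proto"] == "tcp" and f["sif"] == "outside" and sip == PROXY_IP
            and sport == PROXY_PORT and dip in INSIDE_NET and dport >= EPHEMERAL_MIN):
        return "stale-reply", f
    return "unsolicited", f

def summarize(lines):
    """Count deny lines per category so the noise and the real hits can be reviewed apart."""
    counts = Counter()
    for line in lines:
        r = classify(line)
        if r:
            counts[r[0]] += 1
    return counts

# Constructed sample lines in the post's log format (not real log data).
SAMPLE = [
    'Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.138/3865 by access-group "acl_out"',
    'Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.22/4011 by access-group "acl_out"',
    'Deny tcp src outside:192.168.1.77/4444 dst inside:10.10.10.50/25 by access-group "acl_out"',
    'Deny udp src outside:192.168.1.10/53 dst inside:10.10.10.5/1025 by access-group "acl_out"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        cat, f = classify(line)
        print(f"{cat:11} {f['sip']}/{f['sport']} -> {f['dip']}/{f['dport']}")
    print(dict(summarize(SAMPLE)))
```

Run it over the buffered PIX log; a large "stale-reply" count against a small "unsolicited" one supports the post's reading that these denies are late packets of permitted connections rather than inbound attempts.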