Firewall Wizards mailing list archives
pix configuration / errors question
From: Tomasz Ramsza <tomasz.ramsza () cc com pl>
Date: Mon, 10 Nov 2003 14:56:08 +0100
Hello all,

We have a very simple configuration. No NAT is used. In the internal LAN there are about 100 users accessing a WWW proxy server at 192.168.1.10:80. It is the only allowed traffic. Everything is working fine (users are not complaining), but in the logs there are some errors. For example:
Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.138/3865 by access-group "acl_out"
Just as if the PIX was "forgetting" about the outgoing TCP connections too fast?

I have set logging to debug level and checked that connections to the proxy server are finished by: FINs (ok), Reset-I or Reset-O. I know what it means on the TCP level but I don't know if this is normal when IE is talking to a proxy.
The questions are:
- is it a normal behaviour?
- if not, what can be changed?

We have the following PIX 515 configuration:
=================================================
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol http 80
names
access-list acl_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq www
access-list acl_in deny ip any any
access-list acl_out deny ip any any
pager lines 24
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
arp timeout 14400
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
=================================================

Thanks in advance,
Tomek

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
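One way to triage the kind of deny messages shown in the post, as an added example that is not part of the original message or of any PIX tooling: a small Python script that parses the PIX "Deny ... by access-group" syslog text and separates packets that are just the reverse direction of the one permitted flow (proxy 192.168.1.10:80 answering an inside client, i.e. what is left after the PIX has already torn the connection down on a FIN or RST) from denies that do not match any allowed flow at all. The allowed-flow table mirrors the posted acl_in; the log lines other than the one quoted in the post are constructed for the example, and the `%PIX-4-106023:` prefix is the standard syslog ID for this message.

```python
import ipaddress
import re
from collections import Counter

# PIX message 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Mirror of the posted acl_in: inside clients in 10.10.10.0/24 may reach the proxy on tcp/80.
ALLOWED_OUTBOUND = [
    ("tcp", ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_address("192.168.1.10"), 80),
]


def parse_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None if the line is something else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def classify(entry):
    """Label one denied packet.

    'stray_return' : from an allowed server/port on the outside back to an inside client,
                     the signature of a late segment arriving after the PIX has already
                     removed the connection (FIN or RST seen) - usually harmless noise.
    'unexpected'   : anything else hitting the deny rule, which deserves a closer look.
    """
    if entry["src_if"] != "outside":
        return "unexpected"
    src = ipaddress.ip_address(entry["src_ip"])
    dst = ipaddress.ip_address(entry["dst_ip"])
    for proto, clients, server, port in ALLOWED_OUTBOUND:
        if (entry["proto"] == proto and src == server
                and entry["src_port"] == port and dst in clients):
            return "stray_return"
    return "unexpected"


def summarize(lines):
    """Count the classes across a log excerpt; non-deny lines are counted as 'unparsed'."""
    counts = Counter()
    for line in lines:
        entry = parse_deny(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts[classify(entry)] += 1
    return counts


# Constructed sample log: the first line is the one quoted in the post, the rest are made up.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.138/3865 by access-group "acl_out"',
    '%PIX-4-106023: Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.77/4021 by access-group "acl_out"',
    '%PIX-4-106023: Deny tcp src outside:192.168.1.55/445 dst inside:10.10.10.138/1025 by access-group "acl_out"',
    '%PIX-4-106023: Deny udp src outside:192.168.1.10/53 dst inside:10.10.10.5/1100 by access-group "acl_out"',
    '%PIX-6-302013: Built outbound TCP connection 4711 for outside:192.168.1.10/80 to inside:10.10.10.138/3866',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_deny(line)
        print(classify(entry) if entry else "unparsed", "|", line)
    print(dict(summarize(SAMPLE_LOG)))
```

If nearly every deny comes out as `stray_return`, the log noise is the expected result of the PIX dropping a connection as soon as it sees the RST (or after the half-closed timer for a FIN), and the remaining `unexpected` lines are the ones worth investigating.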