[fw-wiz] pix configuration / errors question

From: Tomasz Ramsza (tomasz.ramsza_at_cc.com.pl)
Date: 11/10/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 10 Nov 2003 14:56:08 +0100

    Hello all,

    We have a very simple configuration. No NAT is used. In the internal LAN
    there are about 100 users accessing WWW proxy server at
    It is the only allowed traffic. Everything is working fine (users are
    not complaining), but in the logs there are some errors. For example:

    Deny tcp src outside: dst inside: by
    access-group "acl_out"

    Just as if the PIX was "forgetting" about the outgoing TCP connections too fast?

    I have set logging to debug level and checked that connections to proxy
    server are finished by: FINs (ok), Reset-I or Reset-O. I know what it
    means on TCP level but I don't know if this is normal when IE is talking
    to proxy.

    The questions are:

    - is it a normal behaviour?
    - if not, what can be changed?

    We have the following PIX 515 configuration:
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol http 80
    access-list acl_in permit tcp host
    eq www
    access-list acl_in deny ip any any
    access-list acl_out deny ip any any
    pager lines 24
    logging on
    logging buffered warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    arp timeout 14400
    static (inside,outside) netmask 0 0
    access-group acl_out in interface outside
    access-group acl_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute

    Thanks in advance,


    firewall-wizards mailing list
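A triage helper for the symptom described in the post, added here as an example and not part of the original thread: it pairs each ACL deny with a preceding connection teardown for the same 4-tuple, so denies that are just late packets from the proxy after the PIX has dropped the connection can be separated from denies with no matching connection that deserve a closer look. It assumes PIX 6.3 syslog formats for the teardown (302014) and ACL deny (106023) messages and uses constructed log lines with placeholder addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). The message
# formats follow PIX 6.3 syslog conventions; addresses are documentation
# and private ranges chosen for this example.
SAMPLE_LOG = """\
Nov 10 14:50:01 pix %PIX-6-302014: Teardown TCP connection 4711 for outside:192.0.2.80/8080 to inside:10.1.1.23/3301 duration 0:00:12 bytes 5120 TCP Reset-O
Nov 10 14:50:02 pix %PIX-4-106023: Deny tcp src outside:192.0.2.80/8080 dst inside:10.1.1.23/3301 by access-group "acl_out"
Nov 10 14:50:05 pix %PIX-6-302014: Teardown TCP connection 4712 for outside:192.0.2.80/8080 to inside:10.1.1.24/3302 duration 0:00:30 bytes 9000 TCP FINs
Nov 10 14:50:30 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/3389 dst inside:10.1.1.5/3389 by access-group "acl_out"
"""

TEARDOWN = re.compile(r"(\w{3} \d+ [\d:]+) .*Teardown TCP connection \d+ for "
                      r"outside:([\d.]+)/(\d+) to inside:([\d.]+)/(\d+) .* TCP (.*)$")
DENY = re.compile(r'(\w{3} \d+ [\d:]+) .*Deny tcp src outside:([\d.]+)/(\d+) '
                  r'dst inside:([\d.]+)/(\d+) by access-group "(\w+)"')


def classify_denies(log_text, window_seconds=60):
    """Return [(4-tuple, verdict)] for every ACL deny in log_text.

    A deny whose (outside ip, port, inside ip, port) matches a teardown seen
    within window_seconds before it is labelled a late packet; anything else
    has no known connection behind it and is flagged for investigation.
    """
    torn_down = {}  # 4-tuple -> (teardown time, teardown reason)
    results = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            torn_down[m.group(2, 3, 4, 5)] = (ts, m.group(6).strip())
            continue
        m = DENY.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            key = m.group(2, 3, 4, 5)
            prev = torn_down.get(key)
            if prev and timedelta(0) <= ts - prev[0] <= timedelta(seconds=window_seconds):
                verdict = f"late packet after teardown ({prev[1]})"
            else:
                verdict = "no matching connection: investigate"
            results.append((key, verdict))
    return results


if __name__ == "__main__":
    for key, verdict in classify_denies(SAMPLE_LOG):
        print(key, "->", verdict)
```

Raising logging to level 6 (informational) is needed for the teardown messages to appear alongside the warnings the post's `logging buffered warnings` setting already captures.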
