No traffic going out from internal network to outside from FWSM

habeebuddin786
Level 1

Hello folks,

I am new to FWSM and looking for some help to fix the outbound connection from one server in VLAN 20 (10.120.20.90) to outside.

Following are the ACLs found in the FWSM and the connection status when I telnet from the box (10.120.20.90) to outside IP 99.87.209.150 on port 25.

Please help me to fix this.

config of FWSM

object-group service i316-services
 service-object icmp echo
 service-object tcp eq smtp
 service-object udp eq domain
 service-object tcp eq domain
 service-object udp eq snmp
 service-object tcp eq 1248
 service-object tcp eq 3389
 service-object tcp eq 9997
 service-object tcp eq 8089
 service-object tcp eq 2547
 service-object tcp eq 12547
!
object-group network i316-ext-hosts
 network-object host 205.141.238.233
 network-object host 205.141.238.171
 network-object host 207.239.83.246
 network-object host 65.46.63.114
 network-object host 216.183.80.178
 network-object host 99.87.217.32
 network-object host 92.41.19.54
 network-object host 99.87.209.50
 network-object host 99.87.209.27
 network-object host 99.87.209.28
 network-object host 99.87.209.29
 network-object host 99.87.209.30
 network-object host 99.87.209.31
 network-object host 99.87.209.150
!
object-group network i316-int-mgmt-w2k
 network-object host 10.120.20.88
 network-object host 10.120.20.90
 network-object host 10.120.20.92
!
object-group service i316-backup-server-ports
 service-object tcp eq 8086
 service-object tcp eq 8087
 service-object tcp eq 2546
access-list i316-in extended permit ip any any
access-list i316-in extended permit ip host 10.120.20.89 10.120.146.0 255.255.255.0
access-list i316-in extended permit tcp host 10.120.20.89 any eq domain
access-list i316-in extended permit udp host 10.120.20.89 any eq domain
access-list i316-in extended permit udp host 10.120.20.89 any eq ntp
access-list i316-in extended permit tcp host 10.120.20.89 any eq smtp
access-list i316-in extended permit tcp host 10.120.20.90 any eq www
access-list i316-in extended permit tcp host 10.120.20.90 any eq https
access-list i316-in extended permit tcp host 10.120.20.90 any eq 9997
access-list i316-in extended permit object-group i316-services object-group i316-int-mgmt-w2k any
access-list i316-in extended permit object-group i316-services object-group i316-int-mgmt-w2k object-group i316-ext-hosts log
!
global (outside) 1 interface
nat (i316) 1 10.120.20.0 255.255.255.0
access-group i316-in in interface i316
!
interface Vlan20
 nameif i316
 security-level 100
 ip address 10.120.20.2 255.255.255.0 standby 10.120.20.8
!

Default gateway of FWSM is outside IP 203.140.205.1

FWSM# sh conn | inc 99.87
TCP outside 99.87.209.150:25 i316 10.120.20.90:3109 idle 0:00:09 Bytes 132 FLAGS - S
TCP outside 99.87.209.30:9997 i316 10.120.20.90:3108 idle 0:00:14 Bytes 132 FLAGS -

FWSM# sh conn | inc 99.87
TCP outside 99.87.209.150:25 i316 10.120.20.90:3109 idle 0:00:15 Bytes 132 FLAGS - S
TCP outside 99.87.209.27:9997 i316 10.120.20.90:3114 idle 0:00:01 Bytes 132 FLAGS -

ROUTE STATUS OF THE WINDOWS BOX (10.120.20.90)

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.120.20.2    10.120.20.90     10
      10.120.20.0    255.255.255.0    10.120.20.90    10.120.20.90     10
     10.120.20.90  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255    10.120.20.90    10.120.20.90     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        224.0.0.0        240.0.0.0    10.120.20.90    10.120.20.90     10
  255.255.255.255  255.255.255.255    10.120.20.90            10004      1
  255.255.255.255  255.255.255.255    10.120.20.90            10005      1
  255.255.255.255  255.255.255.255    10.120.20.90    10.120.20.90      1
Default Gateway:      10.120.20.2
===========================================================================
Persistent Routes:
  None

4 Replies

habeebuddin786
Level 1

I cleared the xlate and was able to connect.

Could anybody tell me what could be the issue? Did anybody experience this kind of issue earlier?

Thanks,

Ahmed

Hello Habee,

Does not make sense unless you are getting out of ports in order to perform the PAT translation to the outside interface.

Can you do a show xlate next time you have the issue or do a debug nat 2 to see if there is a problem with a port-map translation failure.

An example of an error would be:

nat: ERROR - existing mapped binding for Inside:x.x.x.x/xxx

nat: ERROR - alloc portmap xlate 6 Inside:xxx/xx-> Outside

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
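One way to triage the `show conn` output quoted in the question against the PAT-port-exhaustion hypothesis raised above, as an added Python example that is not part of this thread. The sample lines are constructed in the format the post shows; the reading of the flag field (U = established, per the ASA/FWSM conn legend) and the 1024-65535 interface-PAT pool size are assumptions, not facts from the thread.

```python
import re
from collections import Counter

# Constructed sample in the FWSM "show conn" format quoted in the thread.
# Lines 1-2 reuse the post's hosts/ports; lines 3-4 are made up for contrast.
SAMPLE_SHOW_CONN = """\
TCP outside 99.87.209.150:25 i316 10.120.20.90:3109 idle 0:00:15 Bytes 132 FLAGS - S
TCP outside 99.87.209.27:9997 i316 10.120.20.90:3114 idle 0:00:01 Bytes 132 FLAGS -
TCP outside 99.87.209.30:9997 i316 10.120.20.90:3108 idle 0:01:14 Bytes 4096 FLAGS - UIO
UDP outside 99.87.209.50:53 i316 10.120.20.88:51002 idle 0:00:02 Bytes 80 FLAGS -
"""

CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+"
    r"idle\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\s+Bytes\s+(?P<bytes>\d+)\s+"
    r"FLAGS\s+-\s*(?P<flags>\S*)\s*$"
)

def parse_show_conn(text):
    """One dict per connection line; the idle timer is converted to seconds."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # prompts, headers and blank lines are skipped
        d = m.groupdict()
        d["idle"] = int(d.pop("h")) * 3600 + int(d.pop("m")) * 60 + int(d.pop("s"))
        d["bytes"] = int(d["bytes"])
        conns.append(d)
    return conns

def stuck_embryonic(conns, min_idle=10):
    """TCP sessions that never reached the established state (no 'U' flag)
    and have idled at least min_idle seconds: the symptom seen in the post."""
    return [c for c in conns
            if c["proto"] == "TCP" and "U" not in c["flags"] and c["idle"] >= min_idle]

def pat_pressure(conns, pat_ports=65535 - 1024 + 1):
    """Sessions per protocol sharing the one interface-PAT address (global
    (outside) 1 interface), as a count and a fraction of an assumed 1024-65535 pool."""
    per_proto = Counter(c["proto"] for c in conns)
    return {p: (n, round(n / pat_ports, 4)) for p, n in per_proto.items()}

def sessions_per_host(conns):
    """Inside hosts ranked by session count; a runaway host eating PAT ports
    would stand out at the top of this list."""
    return Counter(c["in_ip"] for c in conns).most_common()
```

Feed it the raw `show conn` capture from the next occurrence; the stuck-session list tells you which xlate to look at, and the per-host and per-protocol counts show whether the single outside address is anywhere near running out of ports.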

Sure, will post next time if the issue persists.

Thank you for your response.

Regards,

-Ahmed

Hello,

It is a pleasure to help,

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC