01-16-2004 06:24 AM - edited 02-20-2020 11:12 PM
Hi All,
I have an interesting problem that I can not figure out. I have a Pix 520 running 6.2.2 and I have a DMZ zone. In this zone I have a Web Server. People can get to the web server pages fine. I can not do a nslookup, a windows update or an anti virus download. This used to work before and now it doesn't. At first I thought it was an OS problem, but I upgraded the server and it still does not work. I changed the network cable and port. There is nothing showing up in my logs indicating that this server is not allowed out (no deny statements). Anyone have an idea of where else I can look? I probably did something in the firewall config to tighten down the security, but I guess I made it too tight. ;-)
Thanks in advance.
Mitch
01-16-2004 06:32 AM
Hi Mitch,
Can you post the config - having removed public IP addresses of course?
01-16-2004 07:47 AM
The sanitized version. Thanks!
PIX Version 6.2(2)
nameif ethernet0 Internet security50
nameif ethernet1 inside security100
nameif ethernet2 DMZ security75
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol ils 389
names
pager lines 24
logging on
logging buffered alerts
logging trap notifications
logging host inside w.x.y.z
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
icmp deny any Internet
icmp deny host 10.0.0.0 inside
icmp permit w.x.y.z 255.255.255.0 inside
icmp deny any DMZ
mtu Internet 1500
mtu inside 1500
mtu DMZ 1500
ip address Internet w.x.y.z 255.255.255.252
ip address inside w.x.y.z 255.255.255.240
ip address DMZ w.x.y.z 255.255.255.0
ip verify reverse-path interface Internet
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name internet-ids info action alarm
ip audit name dmz-ids info action alarm
ip audit name dmz-ids2 attack action alarm drop reset
ip audit name inside-ids info action alarm
ip audit name inside-ids2 attack action alarm drop reset
ip audit name internet-ids2 attack action alarm drop reset
ip audit interface Internet internet-ids
ip audit interface inside inside-ids
ip audit interface inside inside-ids2
ip audit interface DMZ dmz-ids
ip audit interface DMZ dmz-ids2
ip audit info action alarm
ip audit attack action alarm drop reset
pdm logging critical 100
pdm history enable
arp timeout 14400
global (Internet) 1 w.x.y.z
nat (inside) 1 a.b.c.d 255.255.0.0 0 0
static (DMZ,Internet) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0
conduit permit icmp any any echo-reply
conduit permit tcp host a.b.c.d eq www any
conduit deny icmp host a.b.c.d any
outbound 1 deny 0.0.0.0 0.0.0.0 194 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 udp
outbound 1 deny 0.0.0.0 0.0.0.0 137 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 49 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 161 udp
outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 445 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 4444 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 69 udp
outbound 1 deny 0.0.0.0 0.0.0.0 6060-6080 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 707 tcp
apply (inside) 1 outgoing_src
route Internet 0.0.0.0 0.0.0.0 1.2.3.4 1
route DMZ 1.2.3.4 255.255.255.0 1.2.1.1 1
route inside a.b.c.d 255.255.0.0 a.b.c.d 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host ssss vbnm timeout 2
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
http server enable
no snmp-server location
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]
01-16-2004 04:07 PM
hi,
you probably messed it up here
"outbound 1 deny 0.0.0.0 0.0.0.0 194 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 udp
outbound 1 deny 0.0.0.0 0.0.0.0 137 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 49 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 161 udp
outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 445 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 4444 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 69 udp
outbound 1 deny 0.0.0.0 0.0.0.0 6060-6080 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 707 tcp
apply (inside) 1 outgoing_src "
The correct way of doing this is
You first need to issue a deny all, then "except" the allowed ports/protocols back in
outbound 101 deny 0 0 0
outbound 101 except 0 0 23 tcp
outbound 101 except 0 0 80 tcp
[etc]
apply (inside) 101 outgoing_src
OR
outbound 101 deny 0 0 0
outbound 101 permit 0 0 23 tcp
outbound 101 permit 0 0 80 tcp
[etc]
apply (inside) 101 outgoing_src
Hope this solves your problem.
thanks,
ramesh
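The two list styles above (deny-only, and deny-all-then-except) behave very differently, and an outbound list only affects the interface it is applied to. The following is an added example for this thread, not Cisco code and not part of either post: a small Python model of PIX 6.x `outbound` / `apply` statements that parses a list and reports whether a given flow leaving a given interface is denied. Its semantics are assumptions to check against the PIX documentation for your release: best-match evaluation (most specific mask, then protocol, then narrowest port range, ties going to deny), `except` addresses naming the opposite end of the flow from the apply mode, and an interface with no list applied permitting all outbound traffic. The sample addresses are constructed from RFC 5737 ranges; the `apply` line for list 101 carries a list id, which the posted snippet omits.

```python
"""Model PIX 6.x 'outbound' / 'apply' lists and ask which flows they deny.

Added example for this thread, not Cisco code. Assumptions made here:
  * syntax:  outbound <id> permit|deny|except <ip> <mask> [port[-port]] [proto]
             apply (<if_name>) <id> outgoing_src|outgoing_dest
  * a list is evaluated best-match (most specific mask, then protocol, then
    narrowest port range); an exact tie goes to deny
  * 'except' addresses refer to the opposite end of the flow from the apply mode
  * an interface with no list applied permits all outbound traffic
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

OUTBOUND_RE = re.compile(
    r"outbound\s+(\d+)\s+(permit|deny|except)\s+(\S+)\s+(\S+)"
    r"(?:\s+(\d+)(?:-(\d+))?)?(?:\s+(tcp|udp|icmp|ip))?\s*$")
APPLY_RE = re.compile(r"apply\s+\((\S+)\)\s+(\d+)\s+(outgoing_src|outgoing_dest)\s*$")


@dataclass(frozen=True)
class Rule:
    action: str                      # permit | deny | except
    network: ipaddress.IPv4Network
    port_lo: int                     # 0 means any port
    port_hi: int
    protocol: str                    # tcp | udp | icmp | ip (ip = not given)


def parse_outbound(config: str) -> Tuple[Dict[int, List[Rule]], Dict[str, Tuple[int, str]]]:
    """Return ({list_id: [Rule, ...]}, {interface: (list_id, mode)})."""
    rules: Dict[int, List[Rule]] = {}
    applies: Dict[str, Tuple[int, str]] = {}
    for line in config.splitlines():
        line = line.strip()
        m = OUTBOUND_RE.match(line)
        if m:
            list_id, action, ip, mask, lo, hi, proto = m.groups()
            # PIX accepts the shorthand "0" for 0.0.0.0
            ip = "0.0.0.0" if ip == "0" else ip
            mask = "0.0.0.0" if mask == "0" else mask
            net = ipaddress.IPv4Network((ip, mask), strict=False)
            lo_port = int(lo or 0)
            rules.setdefault(int(list_id), []).append(
                Rule(action, net, lo_port, int(hi) if hi else lo_port, proto or "ip"))
            continue
        m = APPLY_RE.match(line)
        if m:
            iface, list_id, mode = m.groups()
            applies[iface] = (int(list_id), mode)
    return rules, applies


def _matches(rule: Rule, mode: str, src: str, dst: str, port: int, proto: str) -> bool:
    # outgoing_src lists name the source, outgoing_dest lists name the destination;
    # an 'except' rule names the other end of the flow
    addr = src if mode == "outgoing_src" else dst
    if rule.action == "except":
        addr = dst if mode == "outgoing_src" else src
    if rule.protocol != "ip" and rule.protocol != proto:
        return False
    if ipaddress.IPv4Address(addr) not in rule.network:
        return False
    return rule.port_lo == 0 or rule.port_lo <= port <= rule.port_hi


def _specificity(rule: Rule) -> Tuple[int, int, int, int]:
    # higher tuple = more specific; deny wins an exact tie
    narrow = 0 if rule.port_lo == 0 else 65536 - (rule.port_hi - rule.port_lo)
    return (rule.network.prefixlen, int(rule.protocol != "ip"), narrow, int(rule.action == "deny"))


def evaluate(rules: List[Rule], mode: str, src: str, dst: str, port: int, proto: str) -> str:
    """'deny' or 'permit' for one flow under a single outbound list."""
    hits = [r for r in rules if _matches(r, mode, src, dst, port, proto)]
    if not hits:
        return "permit"          # the list says nothing about this flow
    best = max(hits, key=_specificity)
    return "deny" if best.action == "deny" else "permit"


def audit_flow(config: str, interface: str, src: str, dst: str, port: int, proto: str) -> Tuple[str, str]:
    """Verdict and reason for traffic leaving `interface` toward a lower-security one."""
    rules, applies = parse_outbound(config)
    if interface not in applies:
        return "permit", f"no outbound list is applied to {interface}"
    list_id, mode = applies[interface]
    verdict = evaluate(rules.get(list_id, []), mode, src, dst, port, proto)
    return verdict, f"list {list_id} ({mode}) on {interface}"


# Four of the deny-only lines posted in the thread, with the apply line as posted
POSTED = """
outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 161 udp
apply (inside) 1 outgoing_src
"""

# The deny-all-then-except form from the reply; list id added to the apply line
DENY_THEN_EXCEPT = """
outbound 101 deny 0 0 0
outbound 101 except 0 0 23 tcp
outbound 101 except 0 0 80 tcp
apply (inside) 101 outgoing_src
"""

if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 ranges), not from the thread
    for cfg, iface, port, proto in [(POSTED, "DMZ", 53, "udp"), (POSTED, "inside", 53, "udp"),
                                    (POSTED, "inside", 138, "udp"),
                                    (DENY_THEN_EXCEPT, "inside", 53, "udp"),
                                    (DENY_THEN_EXCEPT, "inside", 80, "tcp")]:
        print(iface, proto, port, audit_flow(cfg, iface, "192.0.2.10", "198.51.100.53", port, proto))
```

Run as-is it reports that the posted list never touches the DMZ interface (nothing is applied there) and that UDP/53 from inside is not covered by any deny, while the deny-all-then-except list blocks UDP/53 and carves out only TCP/23 and TCP/80. Change the embedded strings to your own `show outbound` / `show apply` output to check a real list the same way.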
01-20-2004 06:47 AM
I have to keep those denies in, because we allow anything to go out. I added in those denies to keep any of those types (ports) of information from going back out. I have not changed over to ACLs yet. Any other suggestions?
Thanks,
Mitch
01-20-2004 08:58 PM
I think you implemented all these security settings in one go. Just loosen all these outbound security settings, then put them back one by one and see...
ramesh
01-21-2004 06:22 AM
BTW, everything is now working.... I guess, by telling the machine I was going to TAC, it got scared. All I did (I swear) was a sh traffic, connection, interface, xlate and a few clear xlate, and by magic it started working again. I went and immediately closed the TAC case.
Thanks for all of your suggestions.
Cheers,
Mitch