
Pix DMZ and IIS

mitchell_kohn
Level 1

Hi All,

I have an interesting problem that I cannot figure out. I have a Pix 520 running 6.2.2 and I have a DMZ zone. In this zone I have a Web Server. People can get to the web server pages fine. I cannot do an nslookup, a windows update or an anti virus download. This used to work before and now it doesn't. At first I thought it was an OS problem, but I upgraded the server and it still does not work. I changed the network cable and port. There is nothing showing up in my logs indicating that this server is not allowed out (no deny statements). Anyone have an idea of where else I can look? I probably did something in the firewall config to tighten down the security, but I guess I made it too tight. ;-)

Thanks in advance.

Mitch

6 Replies

ali-franks
Level 1

Hi Mitch,

Can you post the config - having removed public IP addresses of course?

The sanitized version: Thanks!

PIX Version 6.2(2)
nameif ethernet0 Internet security50
nameif ethernet1 inside security100
nameif ethernet2 DMZ security75
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol ils 389
names
pager lines 24
logging on
logging buffered alerts
logging trap notifications
logging host inside w.x.y.z
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
icmp deny any Internet
icmp deny host 10.0.0.0 inside
icmp permit w.x.y.z 255.255.255.0 inside
icmp deny any DMZ
mtu Internet 1500
mtu inside 1500
mtu DMZ 1500
ip address Internet w.x.y.z 255.255.255.252
ip address inside w.x.y.z 255.255.255.240
ip address DMZ w.x.y.z 255.255.255.0
ip verify reverse-path interface Internet
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name internet-ids info action alarm
ip audit name dmz-ids info action alarm
ip audit name dmz-ids2 attack action alarm drop reset
ip audit name inside-ids info action alarm
ip audit name inside-ids2 attack action alarm drop reset
ip audit name internet-ids2 attack action alarm drop reset
ip audit interface Internet internet-ids
ip audit interface inside inside-ids
ip audit interface inside inside-ids2
ip audit interface DMZ dmz-ids
ip audit interface DMZ dmz-ids2
ip audit info action alarm
ip audit attack action alarm drop reset
pdm logging critical 100
pdm history enable
arp timeout 14400
global (Internet) 1 w.x.y.z
nat (inside) 1 a.b.c.d 255.255.0.0 0 0
static (DMZ,Internet) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0
conduit permit icmp any any echo-reply
conduit permit tcp host a.b.c.d eq www any
conduit deny icmp host a.b.c.d any
outbound 1 deny 0.0.0.0 0.0.0.0 194 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 udp
outbound 1 deny 0.0.0.0 0.0.0.0 137 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 49 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 161 udp
outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 445 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 4444 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 69 udp
outbound 1 deny 0.0.0.0 0.0.0.0 6060-6080 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 707 tcp
apply (inside) 1 outgoing_src
route Internet 0.0.0.0 0.0.0.0 1.2.3.4 1
route DMZ 1.2.3.4 255.255.255.0 1.2.1.1 1
route inside a.b.c.d 255.255.0.0 a.b.c.d 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host ssss vbnm timeout 2
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
http server enable
no snmp-server location
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]

hi,

you probably messed it up here

"outbound 1 deny 0.0.0.0 0.0.0.0 194 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 750 udp
outbound 1 deny 0.0.0.0 0.0.0.0 137 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 49 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 161 udp
outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 445 udp
outbound 1 deny 0.0.0.0 0.0.0.0 389 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 4444 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 69 udp
outbound 1 deny 0.0.0.0 0.0.0.0 6060-6080 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 707 tcp
apply (inside) 1 outgoing_src "

The correct way of doing this is

You first need to issue a deny all, then "except" the allowed ports/protocols back in

outbound 101 deny 0 0 0
outbound 101 except 0 0 23 tcp
outbound 101 except 0 0 80 tcp
[etc]
apply (inside) 101 outgoing_src

OR

outbound 101 deny 0 0 0
outbound 101 permit 0 0 23 tcp
outbound 101 permit 0 0 80 tcp
[etc]
apply (inside) 101 outgoing_src

Hope this solves your problem.

thanks,

ramesh
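To make the two styles of outbound list in this thread concrete, here is a small Python evaluator for PIX `outbound`/`apply` statements. It is an added example written for this page, not code from the thread or from Cisco. It assumes PIX's best-match rule selection, approximated here as longest netmask, then narrowest port range, then a named protocol; it treats `except` under `outgoing_src` as an exception keyed on the destination address (with `outgoing_dest` the roles swap); it carries only a handful of Mitch's `outbound 1` lines and ramesh's list 101 with the list ID added to the `apply`; and the host addresses are constructed RFC 5737 values standing in for the sanitized ones. It shows that list 1 is applied to `inside` only, so it never touches a DMZ host, and that a deny-all/except list blocks DNS until 53/udp is excepted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy fragments (added example, not the thread's full config).
# THREAD_LIST: a few of the "outbound 1 deny" lines Mitch posted, applied to
# inside exactly as in his config. RAMESH_LIST: the deny-all/except list
# ramesh suggested, with the list ID supplied in the apply statement.
THREAD_LIST = """
outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp
apply (inside) 1 outgoing_src
"""
RAMESH_LIST = """
outbound 101 deny 0 0 0
outbound 101 except 0 0 23 tcp
outbound 101 except 0 0 80 tcp
apply (inside) 101 outgoing_src
"""

@dataclass
class Rule:
    action: str                  # "permit", "deny" or "except"
    net: ipaddress.IPv4Network   # address/netmask; 0.0.0.0/0 means any
    ports: tuple                 # (low, high) destination service port range
    proto: str                   # "tcp", "udp", "icmp" or "any"

    def specificity(self):
        # Best-match approximation (assumption): longer mask, narrower port
        # range and a named protocol beat broader rules, whatever their order.
        return (self.net.prefixlen, -(self.ports[1] - self.ports[0]), self.proto != "any")

    def matches(self, ip, port, proto):
        return (ipaddress.ip_address(ip) in self.net
                and self.ports[0] <= port <= self.ports[1]
                and self.proto in ("any", proto))

def parse_rule(action, tokens):
    """tokens = [ip, mask, port, proto]; PIX lets '0' stand for 0.0.0.0 or 'any'."""
    addr = lambda t: "0.0.0.0" if t == "0" else t
    ip = addr(tokens[0])
    mask = addr(tokens[1]) if len(tokens) > 1 else "0.0.0.0"
    port = tokens[2] if len(tokens) > 2 else "0"
    proto = tokens[3] if len(tokens) > 3 and tokens[3] != "0" else "any"
    lo, _, hi = port.partition("-")
    ports = (0, 65535) if lo == "0" else (int(lo), int(hi or lo))
    return Rule(action, ipaddress.IPv4Network((ip, mask), strict=False), ports, proto)

def parse_policy(text):
    """Return ({list_id: [Rule]}, {iface: [(list_id, mode)]})."""
    lists, applies = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "outbound":
            lists.setdefault(tok[1], []).append(parse_rule(tok[2], tok[3:]))
        elif tok and tok[0] == "apply":
            applies.setdefault(tok[1].strip("()"), []).append((tok[2], tok[3]))
    return lists, applies

def outbound_allowed(policy, iface, src_ip, dst_ip, dst_port, proto):
    """Decide a flow leaving `iface`. With outgoing_src, permit/deny rules match
    the source address and 'except' matches the destination; with outgoing_dest
    the roles swap. Port and protocol always describe the destination service.
    No applied list, or no matching rule, means the PIX lets the flow out."""
    lists, applies = policy
    for list_id, mode in applies.get(iface, []):
        rule_ip, exc_ip = (src_ip, dst_ip) if mode == "outgoing_src" else (dst_ip, src_ip)
        rules = lists.get(list_id, [])
        hits = [r for r in rules if r.action != "except" and r.matches(rule_ip, dst_port, proto)]
        if not hits:
            continue
        best = max(hits, key=Rule.specificity)
        if best.action == "permit":
            return True, f"list {list_id}: permit"
        if any(r.action == "except" and r.matches(exc_ip, dst_port, proto) for r in rules):
            return True, f"list {list_id}: deny overridden by except"
        return False, f"list {list_id}: deny port {best.ports} {best.proto}"
    return True, "no applied outbound list matches (default permit)"

def demo():
    # Constructed addresses (RFC 5737 ranges) standing in for the sanitized ones.
    inside_host, dmz_web, external = "192.0.2.10", "198.51.100.5", "203.0.113.53"
    thread, ramesh = parse_policy(THREAD_LIST), parse_policy(RAMESH_LIST)
    return {
        "inside->139/tcp, list 1": outbound_allowed(thread, "inside", inside_host, external, 139, "tcp")[0],
        "inside->53/udp, list 1": outbound_allowed(thread, "inside", inside_host, external, 53, "udp")[0],
        # list 1 is applied to inside only, so it cannot be what stops the DMZ server
        "DMZ->53/udp, list 1": outbound_allowed(thread, "DMZ", dmz_web, external, 53, "udp")[0],
        "inside->80/tcp, list 101": outbound_allowed(ramesh, "inside", inside_host, external, 80, "tcp")[0],
        # deny-all/except blocks everything not excepted, DNS included
        "inside->53/udp, list 101": outbound_allowed(ramesh, "inside", inside_host, external, 53, "udp")[0],
    }

if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:28} {'permit' if ok else 'DENY'}")
```

Running it prints a permit/DENY verdict per flow. The two results worth noticing are the DMZ row, which is permitted because no list is applied to that interface, and the 53/udp row under list 101, which is denied because nothing excepts it; a deny-all/except list therefore needs DNS (and any other service the DMZ hosts depend on) excepted explicitly, or the very nslookup symptom in the original question would appear by design.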

I have to keep those denies in, because we allow anything to go out. I added in those denies to keep any of those types (ports) of information from going back out. I have not changed over to ACLs yet. Any other suggestions?

Thanks,

Mitch

I think you implemented all these security settings in one go. But just loosen all these outbound security settings, and then put them in one by one and see...

ramesh

BTW, everything is now working.... I guess, by telling the machine I was going to TAC, it got scared. All I did (I swear) was a sh traffic, connection, interface, xlate and a few clear xlate, and by magic, it started working again. I went and immediately closed the TAC case.

Thanks for all of your suggestions.

Cheers,

Mitch
