11-16-2003 01:36 PM - edited 03-09-2019 05:32 AM
hey all,
I have a PIX 515e that has the implicit any any ip for the inside; with this, I can browse the web no problem. But when I issue the following commands, traffic stops.
access-list outbound_traffic permit udp host 10.1.254.16 any eq domain
access-list outbound_traffic permit tcp host 10.1.254.16 any eq domain
access-list outbound_traffic permit tcp 10.1.0.0 255.255.0.0 any eq http
access-list outbound_traffic permit tcp 10.1.0.0 255.255.0.0 any eq https
access-group outbound_traffic in int inside
I clear xlate a couple of times to make sure nothing is present.
If I remove the ACLs, then traffic continues to travel.
Any insight? Do I need a hit upside the head? I think I have NAT correct.
Yet another time when I am at a loss. You guys have been great so far. The no fixup dns and smtp were my doing, just in case any questions arise (not related to the traffic issues, I hope).
Thanks
Matt
: Saved
: Written by enable_15 at 16:22:06.452 EST Sun Nov 16 2003
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XX encrypted
passwd XX encrypted
hostname XX
domain-name XX
clock timezone EST -5
clock summer-time EDT recurring
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
pager lines 24
logging on
logging timestamp
logging trap alerts
logging history alerts
logging host inside 10.1.254.15
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside XXX.XX.XX.12 255.255.255.0
ip address inside 10.1.25.254 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm drop
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
global (dmz) 3 interface
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XXX.XX.XX.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 10.1.254.10 source inside prefer
http server enable
http 10.1.20.2 255.255.255.255 inside
http 10.1.20.1 255.255.255.255 inside
snmp-server location XX
snmp-server contact XX
snmp-server community XX
snmp-server enable traps
tftp-server inside 10.1.20.2 pix
floodguard enable
sysopt noproxyarp inside
telnet 10.1.20.1 255.255.255.255 inside
telnet 10.1.20.2 255.255.255.255 inside
telnet timeout 1
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XX
: end
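To make the posted access-list concrete, here is a small evaluator, added as an example and not part of the original thread, that parses the four access-list lines from the post above and applies them the way the PIX does: first match wins, and anything that matches no entry hits the implicit deny at the end of the list. The client and server addresses used for the sample flows (10.1.20.5 and the 198.51.100.0/24 range) are made up for the example; only the access-list lines themselves come from the post. Note that PIX 6.3 access-list syntax takes a real netmask (255.255.0.0), not an IOS-style wildcard, which the parser reflects.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords accepted by PIX 6.3 "eq" (subset sufficient for this ACL).
PORT_NAMES = {"domain": 53, "http": 80, "www": 80, "https": 443}

# The four access-list lines from the post (verbatim), plus the unrelated
# "access-list compiled" keyword that the parser must ignore.
POSTED_ACL = """
access-list compiled
access-list outbound_traffic permit udp host 10.1.254.16 any eq domain
access-list outbound_traffic permit tcp host 10.1.254.16 any eq domain
access-list outbound_traffic permit tcp 10.1.0.0 255.255.0.0 any eq http
access-list outbound_traffic permit tcp 10.1.0.0 255.255.0.0 any eq https
"""


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp", "icmp", ...
    src_net: int
    src_mask: int
    dst_net: int
    dst_mask: int
    dst_port: Optional[int]  # None means any destination port


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse an address spec at tokens[i]: 'any', 'host A', or 'A NETMASK'.
    Returns (network, mask, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tok))
    mask = int(ipaddress.IPv4Address(tokens[i + 1]))  # PIX: netmask, not wildcard
    return net & mask, mask, i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    # access-list NAME permit|deny PROTO SRC DST [eq PORT]
    t = line.split()
    name, action, proto = t[1], t[2], t[3]
    src_net, src_mask, i = _addr(t, 4)
    dst_net, dst_mask, i = _addr(t, i)
    dst_port = None
    if i < len(t) and t[i] == "eq":
        dst_port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src_net, src_mask, dst_net, dst_mask, dst_port)


def parse_acl(config: str) -> Dict[str, List[Ace]]:
    """Collect ACEs per access-list name, in configured (evaluation) order."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            name, ace = parse_ace(raw)
            acls.setdefault(name, []).append(ace)
    return acls


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First-match evaluation with the implicit deny at the end of the list."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s & ace.src_mask != ace.src_net or d & ace.dst_mask != ace.dst_net:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny (implicit)"


# Constructed sample flows as they would arrive inbound on the inside interface.
SAMPLE_FLOWS = [
    ("client web",            "tcp",  "10.1.20.5",   "198.51.100.10", 80),
    ("client https",          "tcp",  "10.1.20.5",   "198.51.100.10", 443),
    ("client DNS to outside", "udp",  "10.1.20.5",   "198.51.100.53", 53),
    ("DNS server recursion",  "udp",  "10.1.254.16", "198.51.100.53", 53),
    ("client ping",           "icmp", "10.1.20.5",   "198.51.100.10", None),
    ("client alt port",       "tcp",  "10.1.20.5",   "198.51.100.10", 8080),
]


def demo(acl_name: str = "outbound_traffic") -> List[Tuple[str, str]]:
    aces = parse_acl(POSTED_ACL)[acl_name]
    return [(desc, evaluate(aces, p, s, d, port))
            for desc, p, s, d, port in SAMPLE_FLOWS]


if __name__ == "__main__":
    for desc, verdict in demo():
        print(f"{desc:24s} -> {verdict}")
```

Running it shows that, with this list applied inbound on inside, only 10.1.254.16 may send DNS queries through the PIX; every other 10.1.0.0/16 host is limited to TCP/80 and TCP/443, and anything else (ICMP, a client's own DNS lookup to an outside resolver, other TCP ports) falls through to the implicit deny. Whether that accounts for the symptom in the thread is not something the example can decide, but it is the exact behaviour of the posted lines.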
11-16-2003 04:05 PM
Hi,
Can you access any web site by its IP address? What is the DNS server IP address set on your client PCs?
From the above access-list, only HTTP/HTTPS traffic is allowed. By saying "traffic stops" do you mean HTTP/HTTPS traffic?
Thanks
Nadeem
11-16-2003 05:51 PM
I can't even get to a website via an IP address. The DNS server is 10.1.254.16, and that is what everyone will be pointing to.
Thanks
Matt
11-16-2003 06:03 PM
The DNS server is a Windows 2003 server.
11-17-2003 03:00 PM
Your translations seem okay to me; the access-list also seems okay. How exactly did you test the connection?
Did you try one site, or different sites?
Normally, for this kind of change, there will be no need to clear xlate, because you are not changing any translations.
Can you put the config in again, try again, and if it fails post the logging? See what the logging says...
I can't think of anything wrong, besides a typo or something like that.
Let us know how things go,
Leo
11-17-2003 09:34 PM
Here is the only thing that was in the syslog for the PIX. There were a lot of these. I am not too concerned. Right now we have our DHCP set to two DNS servers, one in house and one off site. Someone just left a machine on, I suspect. Nothing was pointing to 10.1.254.16. The 10.2.X.X subnet that you see is a VLAN that I haven't configured yet. I want to get traffic to flow first.
I dunno, I am going to try it again this weekend and see how I fare.
Thanks
Matt
2003-11-16 15:09:40 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:37: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:42 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:39: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:44 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:41: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to XXX.XX.XX.47 on interface inside
2003-11-16 15:09:44 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:41: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:48 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:45: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to XXX.XX.XX.47 on interface inside
2003-11-16 15:09:48 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:45: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
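The %PIX-1-106021 lines above are unicast reverse-path (uRPF) drops: with ip verify reverse-path enabled, the PIX looks up the source address of each packet and drops it if the route back to that source does not point out the interface the packet arrived on. The following script, added here as an example and not part of the thread, parses those six log lines and reproduces the decision against a route table derived from the posted config (the connected 10.1.0.0/16 on inside, plus the default route out outside; the outside interface's own subnet is masked in the post and is left out). The route table, the log sample and the helper names are the example's own; the log text is copied from the post.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Syslog sample: the six lines posted above, copied verbatim.
SAMPLE_LOG = """
2003-11-16 15:09:40 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:37: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:42 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:39: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:44 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:41: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to XXX.XX.XX.47 on interface inside
2003-11-16 15:09:44 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:41: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:48 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:45: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to XXX.XX.XX.47 on interface inside
2003-11-16 15:09:48 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:45: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
"""

RPF_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): Deny (?P<proto>\w+) reverse path check "
    r"from (?P<src>[\d.]+) to (?P<dst>\S+) on interface (?P<iface>\w+)"
)

# Route table reconstructed from the posted config (assumption: nothing else
# is routed; the masked outside subnet is omitted).
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),   # ip address inside 10.1.25.254 255.255.0.0
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),    # route outside 0.0.0.0 0.0.0.0 ... 1
]


def parse_rpf_denies(text: str) -> List[Dict[str, str]]:
    """Extract the fields of every 106021 (uRPF deny) message in the log text."""
    out = []
    for line in text.splitlines():
        m = RPF_RE.search(line)
        if m and m.group("msgid") == "106021":
            out.append(m.groupdict())
    return out


def rpf_interface(src: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix lookup of the source: the interface the PIX would use to
    reach it, which uRPF compares with the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_passes(src: str, ingress: str, routes=ROUTES) -> bool:
    return rpf_interface(src, routes) == ingress


def explain(records: List[Dict[str, str]], routes=ROUTES) -> Counter:
    """Count drops by (source, ingress interface, interface the route actually
    points to), so a flood of 106021s collapses to a few actionable rows."""
    c: Counter = Counter()
    for r in records:
        c[(r["src"], r["iface"], rpf_interface(r["src"], routes))] += 1
    return c


if __name__ == "__main__":
    recs = parse_rpf_denies(SAMPLE_LOG)
    for (src, ingress, expected), n in explain(recs).items():
        print(f"{n}x {src} arrived on {ingress}, route points to {expected}")
```

On the posted sample the whole burst collapses to one row: 10.2.1.19 arrived on inside, but the only route matching 10.2.1.19 is the default route via outside, so the PIX drops it, which is consistent with the 10.2.X.X VLAN not being routed yet. The same lookup passes a 10.1.x.x source on inside. Because uRPF decides purely on the source address, these drops say nothing about the outbound_traffic ACL; they are a separate check that runs before it.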