No outbound traffic from SR520

Unanswered Question
Apr 8th, 2009

I've configured our SR520-FE-K9 using the documents on the Cisco website (and suggestions from here). I can connect to all the interfaces, and I can ping addresses inside and outside our network from IOS, but I cannot get traffic to go from inside our network to outside.

Is there something I am missing?

addis Tue, 04/14/2009 - 06:07

With any firewall of any kind, there is always a possibility of implementing a rule set that unintentionally blocks out all traffic.

Here is the default config that comes with the SR520.

You might compare your config to it, or even replace your configuration with this and use CCA to reconfigure the device.

*******************

hostname SR520
!
enable secret 0 cisco
!
username cisco privilege 15 secret 0 cisco
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
!
ip dhcp pool inside
   import all
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
!
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  pass
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect dhcp_out_self
  pass
class class-default
policy-map type inspect sdm-inspect-voip-in
  class type inspect SDM-Voice-permit
  pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
zone-member security out-zone
ip virtual-reassembly
duplex auto
speed auto
no shutdown
!
interface Vlan1
no ip address
shutdown
!
Vlan 75
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
no shutdown
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip route 10.1.1.0 255.255.255.0 192.168.75.2
ip route 10.1.10.0 255.255.255.0 192.168.75.2
ip route 192.168.10.0 255.255.255.0 192.168.75.2
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
!
!
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
!
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.255
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
banner login dSR520 Base Config - MFG 1.0 d
!
line con 0
login local
line vty 0 4
privilege level 15
login local
transport input telnet
transport input telnet ssh
!
end
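One way to do the comparison addis suggests mechanically, as an added example that is not from this thread or from Cisco: a Python script that parses the zone-based firewall and NAT parts of an IOS config and flags the conditions that silently kill inside-to-outside traffic (an inside or outside interface with no zone-member, no zone-pair from the inside zone to the outside zone, a zone-pair with no service-policy or whose classes only drop, a NAT ACL that does not cover the inside subnet, no default route). The sample config embedded in it is constructed from the outbound-relevant lines of the default above; the parser and the rules it checks are mine, and the `BLOCK_ENDERS` list is a simplification that assumes the config is one of the usual SDM/CCA layouts.

```python
import ipaddress
import re

# Constructed sample: only the outbound-relevant parts of an SR520-style config.
SAMPLE_OK = """\
policy-map type inspect sdm-inspect
 class type inspect sdm-cls-insp-traffic
  inspect
 class class-default
  pass
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface FastEthernet4
 ip nat outside
 zone-member security out-zone
interface Vlan75
 ip address 192.168.75.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.75.0 0.0.0.255
"""

# Top-level commands that end whichever interface/policy-map/zone-pair block we were in (assumption).
BLOCK_ENDERS = ("class-map ", "zone security ", "ip access-list ", "ip http ", "line ", "end")


def parse(config):
    """Extract interfaces, zone-pairs, inspect policies, the NAT ACL and the default route."""
    cfg = {"interfaces": {}, "zone_pairs": {}, "policies": {}, "acls": {},
           "nat_acl": None, "default_route": False}
    block, cur_class = None, None
    for line in (l.strip() for l in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(BLOCK_ENDERS):
            block = None
        elif m := re.match(r"interface (\S+)$", line):
            block = ("if", m[1]); cfg["interfaces"][m[1]] = {}
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            block = ("pm", m[1]); cfg["policies"][m[1]] = {}
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            block = ("zp", m[1]); cfg["zone_pairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"ip nat inside source list (\S+) interface \S+ overload", line):
            block = None; cfg["nat_acl"] = m[1]
        elif m := re.match(r"access-list (\S+) permit (\S+) (\S+)$", line):  # standard ACL: addr wildcard
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(m[3])) ^ 0xFFFFFFFF)
            block = None; cfg["acls"].setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{mask}", strict=False))
        elif re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            block = None; cfg["default_route"] = True
        elif block and block[0] == "if":
            iface = cfg["interfaces"][block[1]]
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                iface["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif line in ("ip nat inside", "ip nat outside"):
                iface["nat"] = line.split()[-1]
            elif m := re.match(r"zone-member security (\S+)$", line):
                iface["zone"] = m[1]
        elif block and block[0] == "zp":
            if m := re.match(r"service-policy type inspect (\S+)$", line):
                cfg["zone_pairs"][block[1]]["policy"] = m[1]
        elif block and block[0] == "pm":
            if m := re.match(r"class (?:type inspect )?(\S+)$", line):
                cur_class = m[1]
                cfg["policies"][block[1]][cur_class] = "drop"  # no action configured: ZBF drops
            elif cur_class and line.split()[0] in ("inspect", "pass", "drop"):
                cfg["policies"][block[1]][cur_class] = line.split()[0]
    return cfg


def audit(config):
    """Return findings that explain blocked outbound traffic; an empty list means the path looks sound."""
    cfg, findings = parse(config), []
    inside = [(n, i) for n, i in cfg["interfaces"].items() if i.get("nat") == "inside"]
    outside = [(n, i) for n, i in cfg["interfaces"].items() if i.get("nat") == "outside"]
    if not inside or not outside:
        return ["need one interface with 'ip nat inside' and one with 'ip nat outside'"]
    if not cfg["default_route"]:
        findings.append("no default route ('ip route 0.0.0.0 0.0.0.0 ...')")
    nat_nets = cfg["acls"].get(cfg["nat_acl"], [])
    for name, i in inside + outside:
        if "zone" not in i:  # ZBF drops traffic between a zone-member and a non-zone interface
            findings.append(f"{name} has no zone-member; traffic to/from zoned interfaces is dropped")
    for name, i in inside:  # PAT only translates sources the NAT ACL permits
        net = i.get("net")
        if net is not None and not any(net.subnet_of(n) for n in nat_nets):
            findings.append(f"NAT ACL {cfg['nat_acl']} does not cover {name} subnet {net}")
    for _, i in inside:
        for _, o in outside:
            src, dst = i.get("zone"), o.get("zone")
            if not (src and dst):
                continue
            pairs = [z for z in cfg["zone_pairs"].values() if (z["src"], z["dst"]) == (src, dst)]
            if not pairs:  # inter-zone traffic is dropped unless a zone-pair policy permits it
                findings.append(f"no zone-pair {src} -> {dst}; inter-zone traffic is dropped by default")
            for z in pairs:
                actions = cfg["policies"].get(z["policy"], {})
                if not actions:
                    findings.append(f"zone-pair {src} -> {dst} has no service-policy, so everything is dropped")
                elif set(actions.values()) == {"drop"}:
                    findings.append(f"policy {z['policy']} on {src} -> {dst} only drops")
    return findings
```

Feed `audit()` the text of `show running-config`; an empty list means none of the common ZBF/NAT mistakes are present, and each finding names the command to look at. The caveat: the parser only understands standard ACLs in address/wildcard form and the ZBF commands shown, and it does not evaluate class-map match rules, so a policy that inspects a class matching nothing the hosts actually send would still pass the audit; that case still needs `show policy-map type inspect zone-pair` on the box.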