Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
habeebuddin786
habeebuddin786
Community Member
‎08-20-2012 12:47 PM
‎08-20-2012 12:47 PM

No traffic going out from internal network to outside from FWSM

Hello folks,

I am new to FWSM and looking for some help to fix the outbound connection from one server in VLAN 20 (10.120.20.90) to outside.

Following are the ACL found in the FWSM and connection status when i telnet from the box (10.120.20.90) to outside IP 99.87.209.150 at port 25

Please help me to fix this.

config of FWSM

object-group service i316-services

service-object icmp echo

service-object tcp eq smtp

service-object udp eq domain

service-object tcp eq domain

service-object udp eq snmp

service-object tcp eq 1248

service-object tcp eq 3389

service-object tcp eq 9997

service-object tcp eq 8089

service-object tcp eq 2547

service-object tcp eq 12547

!

object-group network i316-ext-hosts

network-object host 205.141.238.233

network-object host 205.141.238.171

network-object host 207.239.83.246

network-object host 65.46.63.114

network-object host 216.183.80.178

network-object host 99.87.217.32

network-object host 92.41.19.54

network-object host 99.87.209.50

network-object host 99.87.209.27

network-object host 99.87.209.28

network-object host 99.87.209.29

network-object host 99.87.209.30

network-object host 99.87.209.31

network-object host 99.87.209.150

!

object-group network i316-int-mgmt-w2k

network-object host 10.120.20.88

network-object host 10.120.20.90

network-object host 10.120.20.92

!

object-group service i316-backup-server-ports

service-object tcp eq 8086

service-object tcp eq 8087

service-object tcp eq 2546

access-list i316-in extended permit ip any any

access-list i316-in extended permit ip host 10.120.20.89 10.120.146.0 255.255.255.0

access-list i316-in extended permit tcp host 10.120.20.89 any eq domain

access-list i316-in extended permit udp host 10.120.20.89 any eq domain

access-list i316-in extended permit udp host 10.120.20.89 any eq ntp

access-list i316-in extended permit tcp host 10.120.20.89 any eq smtp

access-list i316-in extended permit tcp host 10.120.20.90 any eq www

access-list i316-in extended permit tcp host 10.120.20.90 any eq https

access-list i316-in extended permit tcp host 10.120.20.90 any eq 9997

access-list i316-in extended permit object-group i316-services object-group i316-int-mgmt-w2k any

access-list i316-in extended permit object-group i316-services object-group i316-int-mgmt-w2k object-group i316-ext-hosts log

!

global (outside) 1 interface

nat (i316) 1 10.120.20.0 255.255.255.0

access-group i316-in in interface i316

!

interface Vlan20

nameif i316

security-level 100

ip address 10.120.20.2 255.255.255.0 standby 10.120.20.8

!

Default gateway of FWSM is outside IP 203.140.205.1

FWSM# sh conn | inc 99.87

TCP outside 99.87.209.150:25 i316 10.120.20.90:3109 idle 0:00:09 Bytes 132 FLAGS - S

TCP outside 99.87.209.30:9997 i316 10.120.20.90:3108 idle 0:00:14 Bytes 132 FLAGS -

FWSM# sh conn | inc 99.87

TCP outside 99.87.209.150:25 i316 10.120.20.90:3109 idle 0:00:15 Bytes 132 FLAGS - S

TCP outside 99.87.209.27:9997 i316 10.120.20.90:3114 idle 0:00:01 Bytes 132 FLAGS -

ROUTE STATUS OF THE WINDOWS BOX (10.120.20.90)

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0     10.120.20.2    10.120.20.90     10

     10.120.20.0    255.255.255.0    10.120.20.90    10.120.20.90     10

    10.120.20.90  255.255.255.255        127.0.0.1        127.0.0.1     10

   10.255.255.255  255.255.255.255    10.120.20.90    10.120.20.90     10

        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1

        224.0.0.0        240.0.0.0    10.120.20.90    10.120.20.90     10

  255.255.255.255  255.255.255.255    10.120.20.90            10004      1

  255.255.255.255  255.255.255.255    10.120.20.90            10005      1

  255.255.255.255  255.255.255.255    10.120.20.90    10.120.20.90      1

Default Gateway:      10.120.20.2

===========================================================================

Persistent Routes:

  None

Labels:
0 Helpful
Reply
4 REPLIES
habeebuddin786
habeebuddin786
Community Member
‎08-20-2012 02:42 PM
‎08-20-2012 02:42 PM

No traffic going out from internal network to outside from FWSM

I cleared the xlate and able to connect.

Could anybody tell me what could be the issue? Did anybody expereienced any kind of issue earlier.

Thanks,

Ahmed

0 Helpful
Reply
Julio Carvajal
Julio Carvajal Purple
Purple
‎08-20-2012 04:09 PM
‎08-20-2012 04:09 PM

No traffic going out from internal network to outside from FWSM

Hello Habee,

Does not make sense unless you are getting out of ports in order to perform the PAT translation to the outside interface.

Can you do a show xlate next time you have the issue or do a debug nat 2 to see if there is a problem with a port-map translation failure.

An example of an error would be :

nat: ERROR - existing mapped binding for Inside:x.x.x.x/xxx

nat: ERROR - alloc portmap xlate 6 Inside:xxx/xx-> Outside

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Reply
habeebuddin786
habeebuddin786
Community Member
‎08-24-2012 06:02 PM
‎08-24-2012 06:02 PM

No traffic going out from internal network to outside from FWSM

Sure will post next time if the issue persist again.

Thank you for your response.

Regards,

-Ahmed

0 Helpful
Reply
Julio Carvajal
Julio Carvajal Purple
Purple
‎08-24-2012 09:20 PM
‎08-24-2012 09:20 PM

No traffic going out from internal network to outside from FWSM

Hello,

It is a pleasure to help,

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Reply
Latest Documents
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
Firepower Threat Defense (NGFWv) on UCS E-Series blade on ISR 4K - Routed Mode in HA
Created by Kureli Sankar on 11-12-2017 09:26 PM
0
5
0
5
Documentation UCS E-Series Configuration Guide: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide.html Cisco UCS E-Series Getting Started Guide: https://www.cisco.com/c/en/us/td/docs/unified_computing/... view more
All Documents
378
Views
0
Helpful
4
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs