traffic flow issues

matthew.bauer
Level 1

hey all,

I have a PIX 515e that has the implicit any any ip for the inside; with this, I can browse the web no prob. But when I issue the following commands, traffic stops.

access-list outbound_traffic permit udp host 10.1.254.16 any eq domain
access-list outbound_traffic permit tcp host 10.1.254.16 any eq domain
access-list outbound_traffic permit tcp 10.1.0.0 255.255.0.0 any eq http
access-list outbound_traffic permit tcp 10.1.0.0 255.255.0.0 any eq https
access-group outbound_traffic in int inside

I clear xlate a couple of times to make sure nothing is present.

If I remove the acl's then traffic continues to travel.

Any insight? Do I need a hit upside the head? I think I have NAT correct.

Yet another time when I am at a loss. You guys have been great so far. The no fixup dns and smtp were my doing, just in case any questions arise (not related to the traffic issues, I hope).

Thanks

Matt

: Saved
: Written by enable_15 at 16:22:06.452 EST Sun Nov 16 2003
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XX encrypted
passwd XX encrypted
hostname XX
domain-name XX
clock timezone EST -5
clock summer-time EDT recurring
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
pager lines 24
logging on
logging timestamp
logging trap alerts
logging history alerts
logging host inside 10.1.254.15
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside XXX.XX.XX.12 255.255.255.0
ip address inside 10.1.25.254 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm drop
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
global (dmz) 3 interface
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XXX.XX.XX.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 10.1.254.10 source inside prefer
http server enable
http 10.1.20.2 255.255.255.255 inside
http 10.1.20.1 255.255.255.255 inside
snmp-server location XX
snmp-server contact XX
snmp-server community XX
snmp-server enable traps
tftp-server inside 10.1.20.2 pix
floodguard enable
sysopt noproxyarp inside
telnet 10.1.20.1 255.255.255.255 inside
telnet 10.1.20.2 255.255.255.255 inside
telnet timeout 1
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XX
: end

5 Replies

nkhawaja
Cisco Employee

Hi,

Can you access any web site by its IP address? What is the DNS server IP address set on your client PCs?

From the above access-list, only HTTP/HTTPS traffic is allowed. By saying "traffic stops" do you mean HTTP/HTTPS traffic?

Thanks

Nadeem

I can't even get to a website via an IP address. The DNS server is 10.1.254.16, and that is what everyone will be pointing to.

Thanks

Matt

The DNS server is a Windows 2003 server.

Your translations seem okay to me; the access-list also seems okay. How exactly did you test the connection?

Did you try one site, or different sites?

Normally, for this kind of change, there will be no need to perform an xlate, because you are not changing any translations.

Can you put the config in again, try again and if it fails post the logging? See what logging says...

I cannot think of anything wrong, besides making a typo or something like that.

Let us know how things go,

Leo

Here is the only thing that was in the syslog for the PIX. There were a lot of these. I am not too concerned. Right now we have our DHCP set to two DNS servers, one in house and one off site. Someone just left a machine on, I suspect. Nothing was pointing to 10.1.254.16. The 10.2.X.X subnet that you see is a VLAN that I haven't configured yet. I want to get traffic to flow first.

I dunno, I am going to try it again this weekend and see how I fare.

Thanks

Matt

2003-11-16 15:09:40 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:37: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:42 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:39: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:44 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:41: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to XXX.XX.XX.47 on interface inside
2003-11-16 15:09:44 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:41: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
2003-11-16 15:09:48 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:45: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to XXX.XX.XX.47 on interface inside
2003-11-16 15:09:48 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:45: %PIX-1-106021: Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside
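The two mechanisms at work in this thread, the access-group on the inside interface from the original post (which replaces the implicit permit with an implicit deny for anything the four lines do not match) and the `ip verify reverse-path` check behind the %PIX-1-106021 messages in the final reply, can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from Cisco: it transcribes the posted ACL and the two routes recoverable from the posted config, evaluates constructed flows against them, and parses the posted syslog lines to confirm the model reproduces the logged denials. The off-site resolver 198.51.100.53 and the destination 203.0.113.10 are constructed placeholders, and applying the reverse-path check before the ACL is this example's simplification of the PIX packet path; NAT and xlate handling are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str     # unused by the ACL below, whose destination is "any"
    dport: int


def net(addr, mask="255.255.255.255"):
    """PIX 6.x ACLs take real subnet masks, not IOS wildcards; 'host X' is a /32."""
    return ipaddress.IPv4Network((addr, mask), strict=False)

# access-list outbound_traffic, transcribed from the original post.
ACL = [
    ("permit", "udp", net("10.1.254.16"), 53),               # host 10.1.254.16 any eq domain
    ("permit", "tcp", net("10.1.254.16"), 53),
    ("permit", "tcp", net("10.1.0.0", "255.255.0.0"), 80),   # 10.1.0.0/16 any eq http
    ("permit", "tcp", net("10.1.0.0", "255.255.0.0"), 443),  # 10.1.0.0/16 any eq https
]

# Routing table reconstructed from the posted config: the connected inside
# network and the default route out the outside interface (gateway masked in the post).
ROUTES = [
    (net("10.1.0.0", "255.255.0.0"), "inside"),  # ip address inside 10.1.25.254 255.255.0.0
    (net("0.0.0.0", "0.0.0.0"), "outside"),      # route outside 0.0.0.0 0.0.0.0 XXX.XX.XX.254 1
]


def acl_lookup(flow):
    """First matching entry wins; anything unmatched hits the implicit deny
    that every applied access-group carries at its end."""
    src = ipaddress.IPv4Address(flow.src)
    for idx, (action, proto, srcnet, dport) in enumerate(ACL, start=1):
        if proto == flow.proto and src in srcnet and dport == flow.dport:
            return action, f"matched outbound_traffic line {idx}"
    return "deny", "implicit deny at end of outbound_traffic"


def route_interface(addr):
    """Longest-prefix match over ROUTES, as the PIX does when forwarding."""
    candidates = [r for r in ROUTES if ipaddress.IPv4Address(addr) in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def reverse_path_ok(src, ingress):
    """`ip verify reverse-path interface <ingress>`: the source address must
    route back out the interface the packet arrived on."""
    return route_interface(src) == ingress


def inspect(flow, ingress="inside"):
    """Return (verdict, reason). Reverse-path check first, then the ACL;
    that ordering is a simplification made for this example."""
    if not reverse_path_ok(flow.src, ingress):
        return "deny", f"reverse path check on interface {ingress}"
    return acl_lookup(flow)


LOG_RE = re.compile(
    r"%PIX-1-106021: Deny (?P<proto>\w+) reverse path check from (?P<src>[\d.]+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\w+)"
)


def parse_106021(lines):
    """Extract the fields of each %PIX-1-106021 message; other lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, lines) if m]


def model_agrees_with_log(lines):
    """True when every logged reverse-path denial is also denied by this model."""
    events = parse_106021(lines)
    return bool(events) and all(not reverse_path_ok(e["src"], e["iface"]) for e in events)

# Two syslog lines copied from the thread; the second destination is masked as posted.
SAMPLE_LOG = [
    "2003-11-16 15:09:40 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:37: %PIX-1-106021: "
    "Deny udp reverse path check from 10.2.1.19 to 149.168.11.11 on interface inside",
    "2003-11-16 15:09:44 Local4.Alert 10.1.25.254 Nov 16 2003 15:09:41: %PIX-1-106021: "
    "Deny udp reverse path check from 10.2.1.19 to XXX.XX.XX.47 on interface inside",
]

# Constructed flows; 198.51.100.53 stands in for a hypothetical off-site DNS resolver.
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.20.2", "203.0.113.10", 80),     # client browsing: permitted
    Flow("udp", "10.1.20.2", "198.51.100.53", 53),    # client DNS to off-site resolver: implicit deny
    Flow("udp", "10.1.254.16", "198.51.100.53", 53),  # in-house DNS server recursing: permitted
    Flow("udp", "10.2.1.19", "149.168.11.11", 53),    # source not routed via inside: uRPF drop
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport}: {inspect(f)}")
    print("posted log agrees with model:", model_agrees_with_log(SAMPLE_LOG))
```

The second sample flow is the one worth looking at when an inbound ACL on the inside interface "stops traffic": a client whose resolver is anything other than 10.1.254.16 has its DNS queries dropped by the implicit deny, and name resolution failing looks to the user like web browsing failing. The fourth flow is the case the syslog shows: a 10.2.x.x source arriving on an interface whose only route to 10.2.0.0 is the default route out the outside, which `ip verify reverse-path` rejects before any ACL is consulted.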