Traffic outbound blocked! WHY? Help me

e.deangelis
Level 1

Hi, I have this configuration and I don't know why my outbound traffic is blocked.

Yesterday, with the same configuration, everything worked well, and now if I try to ping an external server (for example "ping www.google.com") I don't receive a reply.

Please see my config and help me:

PIX Version 7.0(2)
names
!
interface Ethernet0
 description Interfaccia Outside
 nameif outside
 security-level 0
 ip address PUBBLIC ADDRESS 255.255.255.248
!
interface Ethernet1
 description Interfaccia Inside
 nameif inside
 security-level 100
 ip address 192.168.149.123 255.255.255.128
!
enable password PASSWORD encrypted
passwd PASSWORD encrypted
hostname Pix
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
access-list inside_nat1_outbound remark ==========================================================================
access-list inside_nat1_outbound remark ======================= NAT POLICY LAN ==============================
access-list inside_nat1_outbound remark ==========================================================================
access-list inside_nat1_outbound extended permit ip 192.168.149.0 255.255.255.0 any
access-list inside_nat1_outbound extended permit ip 192.168.150.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip local pool vpn-scope-vpnstaff 192.168.17.1-192.168.17.10 mask 255.255.255.0
ip local pool vpn-scope-fornitori 192.168.17.11-192.168.17.15 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat1_outbound
route outside 0.0.0.0 0.0.0.0 88.35.248.18 1
route inside 192.168.149.0 255.255.255.0 192.168.149.126 1
route inside 192.168.150.0 255.255.255.0 192.168.149.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.149.1
 key ipercarni
group-policy vpnstaff internal
group-policy vpnstaff attributes
 banner value "STAI ACCEDENDO ALLA RETE IPERCARNI, L'ACCESSO E' PER I SOLI UTENTI AUTORIZZATI, PER QUALSIASI INFORMAZIONE CONTATTARE IL SUPPORTO"
 wins-server value 192.168.149.1
 dns-server value 192.168.149.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
group-policy vpnextraiper internal
group-policy vpnextraiper attributes
 banner value "STAI ACCEDENDO ALLA RETE IPERCARNI, L'ACCESSO E' PER I SOLI UTENTI AUTORIZZATI, PER QUALSIASI INFORMAZIONE CONTATTARE IL SUPPORTO"
 wins-server value 192.168.149.1
 dns-server value 192.168.149.1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp nat-traversal 20
telnet 192.168.149.0 255.255.255.0 inside
telnet 192.168.149.126 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside

4 Replies

Fernando_Meza
Level 7

Your config seems OK... are you sure your ISP link is up?

Yes, because I can go out with HTTP... it's very strange... yesterday everything worked fine.

Didn't you say it did not work? And now you are saying that you were able to connect to the Internet using HTTP. Are you having problems going out only when using specific applications/ports? Because if that is the case, then you need to check the access-list applied to your inside interface and also the NAT and GLOBAL combination from inside to outside.

I hope it helps... please rate if it does!

brandon.smith
Level 1

I'm still new to the 7.x code, but I've had to permit ICMP echo replies back in through an ACL applied to the outside interface in the past with the 6.x code on a PIX. Could this possibly be the problem? If so, it doesn't explain why it worked yesterday with this same configuration...
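The two ways to let ping replies back in on a PIX 7.x, written out as an added configuration fragment (not from the thread or from the original poster's config; the ACL name outside_access_in is an assumption, while global_policy and inspection_default are the default 7.x policy-map and class names). Option A is the outside ACL brandon.smith describes; option B is the stateful alternative, which admits only the reply matching an echo request the PIX has already seen:

```text
! Option A: explicitly permit echo replies inbound on outside.
! ACL name "outside_access_in" is assumed. Note that this admits any
! echo-reply from anywhere, whether or not an inside host sent a request,
! and that once access-group is applied, everything else arriving on
! outside that is not return traffic of an existing connection is denied.
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
!
! Option B (7.x): stateful ICMP inspection. The PIX records each outbound
! echo request and permits only the matching reply, so no outside ACL
! entry for ICMP is needed. global_policy / inspection_default are the
! default names in the 7.x factory configuration.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

Option B is the tighter of the two, since it never opens a standing hole for unsolicited ICMP from the outside.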