05-09-2006 03:33 AM - edited 03-09-2019 02:50 PM
Hi, I have this configuration and I don't know why my outbound traffic is blocked.
Yesterday, with the same configuration, everything worked well, and now if I try to ping an external server (for example "ping www.google.com") I don't receive a reply.
Please see my config and help me:
PIX Version 7.0(2)
names
!
interface Ethernet0
description Interfaccia Outside
nameif outside
security-level 0
ip address PUBBLIC ADDRESS 255.255.255.248
!
interface Ethernet1
description Interfaccia Inside
nameif inside
security-level 100
ip address 192.168.149.123 255.255.255.128
!
enable password PASSWORD encrypted
passwd PASSWORD encrypted
hostname Pix
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
access-list inside_nat1_outbound remark ==========================================================================
access-list inside_nat1_outbound remark ======================= NAT POLICY LAN ==============================
access-list inside_nat1_outbound remark ==========================================================================
access-list inside_nat1_outbound extended permit ip 192.168.149.0 255.255.255.0 any
access-list inside_nat1_outbound extended permit ip 192.168.150.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip local pool vpn-scope-vpnstaff 192.168.17.1-192.168.17.10 mask 255.255.255.0
ip local pool vpn-scope-fornitori 192.168.17.11-192.168.17.15 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat1_outbound
route outside 0.0.0.0 0.0.0.0 88.35.248.18 1
route inside 192.168.149.0 255.255.255.0 192.168.149.126 1
route inside 192.168.150.0 255.255.255.0 192.168.149.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.149.1
key ipercarni
group-policy vpnstaff internal
group-policy vpnstaff attributes
banner value "STAI ACCEDENDO ALLA RETE IPERCARNI, L'ACCESSO E' PER I SOLI UTENTI AUTORIZZATI, PER QUALSIASI INFORMAZIONE CONTATTARE IL SUPPORTO"
wins-server value 192.168.149.1
dns-server value 192.168.149.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
group-policy vpnextraiper internal
group-policy vpnextraiper attributes
banner value "STAI ACCEDENDO ALLA RETE IPERCARNI, L'ACCESSO E' PER I SOLI UTENTI AUTORIZZATI, PER QUALSIASI INFORMAZIONE CONTATTARE IL SUPPORTO"
wins-server value 192.168.149.1
dns-server value 192.168.149.1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp nat-traversal 20
telnet 192.168.149.0 255.255.255.0 inside
telnet 192.168.149.126 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
05-09-2006 03:46 AM
Your config seems OK. Are you sure your ISP link is up?
05-09-2006 05:04 AM
Yes, because I can go out with HTTP. It's very strange; yesterday everything worked fine.
05-10-2006 04:41 AM
Didn't you say it did not work? Now you are saying that you were able to connect to the Internet using HTTP. Are you having problems going out only when using specific applications/ports? If that is the case, then you need to check the access-list applied to your inside interface and also the NAT and GLOBAL combination from inside to outside.
I hope it helps. Please rate if it does!
05-10-2006 05:59 AM
I'm still new to the 7.x code, but I've had to permit ICMP echo replies back in through an ACL applied to the outside interface in the past with the 6.x code on a PIX. Could this possibly be the problem? If so, it doesn't explain why it worked yesterday with this same configuration...
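As an added diagnostic example (not from any poster in this thread), the following Python script runs the two checks the replies above point at over an excerpt of the pasted config: ACLs that are referenced by `nat`, `access-group` or `split-tunnel-network-list` but never defined in the paste, and the absence of both `inspect icmp` and an ACL permitting `echo-reply`, which on PIX 7.x is enough to make ping fail while HTTP works. The excerpt and the assumption that nothing was omitted from the paste are constructed for this example.

```python
import re

# Constructed excerpt of the PIX 7.0(2) config pasted in the question.
SAMPLE_CONFIG = """\
access-list inside_nat1_outbound extended permit ip 192.168.149.0 255.255.255.0 any
access-list inside_nat1_outbound extended permit ip 192.168.150.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat1_outbound
group-policy vpnstaff attributes
 split-tunnel-network-list value splittunnel
"""

def defined_acls(config):
    """Names that appear as the first argument of an access-list line."""
    return {m.group(1) for m in re.finditer(r'^access-list (\S+) ', config, re.M)}

def referenced_acls(config):
    """Map ACL name -> list of places that reference it."""
    refs = {}
    for m in re.finditer(r'^\s*nat \((\S+)\) (\d+) access-list (\S+)', config, re.M):
        refs.setdefault(m.group(3), []).append(f"nat ({m.group(1)}) {m.group(2)}")
    for m in re.finditer(r'^\s*access-group (\S+) in interface (\S+)', config, re.M):
        refs.setdefault(m.group(1), []).append(f"access-group on {m.group(2)}")
    for m in re.finditer(r'^\s*split-tunnel-network-list value (\S+)', config, re.M):
        refs.setdefault(m.group(1), []).append("split-tunnel-network-list")
    return refs

def check_config(config):
    """Return a list of human-readable findings (empty list means nothing found)."""
    findings = []
    defined = defined_acls(config)
    for name, users in referenced_acls(config).items():
        if name not in defined:
            # Assumption: the paste is complete; if it was trimmed, the ACL may exist.
            findings.append(f"ACL '{name}' is referenced by {', '.join(users)} "
                            "but is not defined in this paste")
    # ICMP is not tracked statefully unless 'inspect icmp' is configured, so the
    # echo-reply from the outside is dropped unless an ACL explicitly permits it.
    has_icmp_inspect = re.search(r'^\s*inspect icmp\b', config, re.M) is not None
    permits_echo_reply = re.search(r'^access-list \S+ .*permit icmp .*echo-reply',
                                   config, re.M) is not None
    if not (has_icmp_inspect or permits_echo_reply):
        findings.append("no 'inspect icmp' and no ACL permitting echo-reply: "
                        "ping from inside gets no reply even though HTTP (TCP) works")
    return findings

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the full `show running-config` output rather than the excerpt to confirm whether the undefined ACLs are real or just missing from the paste.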