Solved

Outbound traffic is not being routed through the internal interface

Posted on 2008-06-16
Last Modified: 2012-06-22
Hi There

I am having an annoying problem with my PIX 501. It has been an ongoing issue with no consistent pattern that I can ascertain. Traffic stops being routed through the firewall. A "sh int" shows that the interface and line protocol are both up. A reload of the firewall resolves the issue. I have no problem accessing the device through the outside interface via SSH; it is only from the WAN side. I have PIX Firewall Version 6.3(5).

Here is a copy of the config:

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password something encrypted
passwd something encrypted
hostname a name
domain-name the domain
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any interface outside eq 3389
access-list 101 permit tcp any interface outside eq smtp
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq https
access-list 101 permit tcp any interface outside eq 4125
access-list 101 permit tcp any interface outside eq pop3
access-list 101 permit tcp any interface outside eq 23456
access-list 101 permit tcp any interface outside eq 5900
access-list 101 permit tcp any interface outside eq 30000
access-list 101 permit tcp any interface outside eq 54321
access-list 101 permit tcp any interface outside eq 990
access-list 101 permit tcp any interface outside eq 999
access-list 101 permit tcp any interface outside eq 5721
access-list 101 permit tcp any interface outside eq 5678
access-list 101 permit tcp any interface outside eq 5679
access-list 101 permit tcp any interface outside eq 26675
access-list block_outbound remark Blocks specific outbound traffic
access-list block_outbound deny tcp host internal IP any eq www
access-list block_outbound permit tcp host internal IP any eq smtp
access-list block_outbound deny tcp any any eq smtp
access-list block_outbound permit ip any any
no pager
logging on
logging timestamp
logging trap debugging
logging facility 23
logging host inside internal IP
mtu outside 1500
mtu inside 1500
ip address outside external static IP
ip address inside internal IP 255.255.255.0
ip audit name Inside_Attack attack action alarm
ip audit name Inside_Info info action alarm
ip audit name Outside_Attack attack action drop
ip audit name Outside_Info info action alarm
ip audit interface outside Outside_Info
ip audit interface outside Outside_Attack
ip audit interface inside Inside_Info
ip audit interface inside Inside_Attack
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote remote pool
pdm location REmote pool ip and netmask outside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp internal IP smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www internal IP www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https internal IP https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 10.internal IP 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 internal IP pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 23456 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 internal IP 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30000 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 54321 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 990 internal IP 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 999 internal IP 999 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5721 internal IP 5721 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5678 internal IP 5678 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5679 internal IP 5679 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 26675 internal IP 26675 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group block_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 ISP gateway
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http internal IP 255.255.255.0 inside
snmp-server host inside internal IP poll
no snmp-server location
no snmp-server contact
floodguard enable
sysopt connection permit-pptp
telnet internal IP 255.255.255.255 inside
telnet internal IP 255.255.255.0 inside
telnet timeout 5
ssh internal IP 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote
vpdn group PPTP-VPDN-GROUP client configuration dns internal IP
vpdn group PPTP-VPDN-GROUP client configuration wins internal IP
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username username password *********
vpdn enable outside

terminal width 80

I have replaced the internal address scheme with "Internal IP" and external references with various other, hopefully indicative terms.

I have tried plugging in the ethernet cable to different ports on the 3com switch and on the firewall as well as different cables.

Any further guidance would be appreciated. Thanks in advance for your help.

Gordon
Question by:meyerge
4 Comments

Accepted Solution

by: naughton (earned 500 total points)
Try disabling logging. This problem occurs when logging is set to TCP and there is a problem with the log host.
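naughton's diagnosis points at a known PIX behaviour: when syslog is sent over TCP and the log host stops accepting the stream, the firewall stops passing new connections rather than dropping log messages. As an added example, not code from this thread, the Python audit below parses "logging host" lines from a saved PIX/ASA configuration and flags that condition; the sample configuration and the 192.0.2.x addresses are constructed, and the check for "logging permit-hostdown" applies to later ASA software, which is an assumption about the platform rather than a PIX 6.3 command.

```python
import re
from dataclasses import dataclass

# Constructed sample, not the configuration from the post: one TCP and one UDP host.
SAMPLE_CONFIG = """\
logging on
logging trap debugging
logging host inside 192.0.2.10 tcp/1468
logging host inside 192.0.2.11
"""

# PIX 6.3 syntax: logging host <iface> <ip> [tcp|udp[/port]] [format emblem]
LOGGING_HOST_RE = re.compile(
    r"^\s*logging host\s+(?P<iface>\S+)\s+(?P<addr>\S+)"
    r"(?:\s+(?P<proto>tcp|udp)(?:/(?P<port>\d+))?)?",
    re.IGNORECASE,
)

@dataclass
class SyslogHost:
    iface: str
    addr: str
    proto: str  # "udp" when the line gives no transport (the PIX default)
    port: int   # defaults: 514 for udp, 1470 for tcp

def parse_logging_hosts(config: str) -> list:
    """Return every syslog destination configured with 'logging host'."""
    hosts = []
    for line in config.splitlines():
        m = LOGGING_HOST_RE.match(line)
        if m:
            proto = (m.group("proto") or "udp").lower()
            port = int(m.group("port") or (1470 if proto == "tcp" else 514))
            hosts.append(SyslogHost(m.group("iface"), m.group("addr"), proto, port))
    return hosts

def audit(config: str) -> list:
    """Flag settings that let a failing log host take user traffic down with it."""
    findings = []
    # 'logging permit-hostdown' is assumed to exist only on later ASA software.
    permit_hostdown = "logging permit-hostdown" in config.lower()
    for h in parse_logging_hosts(config):
        if h.proto == "tcp" and not permit_hostdown:
            findings.append(f"{h.iface} {h.addr} tcp/{h.port}: new connections are "
                            "blocked while this syslog host is unreachable")
    if "logging trap debugging" in config.lower():
        findings.append("logging trap debugging: debug-level volume can overwhelm "
                        "the collector, which is what stalls a TCP syslog stream")
    return findings
```

Run it against a saved "write terminal" capture to confirm that every TCP syslog destination is either switched to UDP or paired with a collector you can keep reachable.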

Author Comment

by:meyerge
Thanks for the feedback naughton. I have made the changes and will report back in a couple of days.

Expert Comment

by:naughton
ok - cool

Author Comment

by:meyerge
Hey Naughton,

It has been a week and there has been an issue since I disabled logging. Thank you very much for your help.

Gordon
