meyerge
asked on
Outbound traffic is not being routed through the internal interface
Hi There
I am having an annoying problem with my PIX 501. It has been an ongoing issue with no consistent pattern that I can ascertain. Traffic stops being routed through the firewall. a sh int shows that the interface and line protocol are both up. A reload of the firewall resolves the issue. I have no problem accessing the device through the outside interface via ssh it is only from the WAN side. I have PIX Firewall Version 6.3 (5).
Here is a copy of the config:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password something encrypted
passwd something encrypted
hostname a name
domain-name the domain
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any interface outside eq 3389
access-list 101 permit tcp any interface outside eq smtp
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq https
access-list 101 permit tcp any interface outside eq 4125
access-list 101 permit tcp any interface outside eq pop3
access-list 101 permit tcp any interface outside eq 23456
access-list 101 permit tcp any interface outside eq 5900
access-list 101 permit tcp any interface outside eq 30000
access-list 101 permit tcp any interface outside eq 54321
access-list 101 permit tcp any interface outside eq 990
access-list 101 permit tcp any interface outside eq 999
access-list 101 permit tcp any interface outside eq 5721
access-list 101 permit tcp any interface outside eq 5678
access-list 101 permit tcp any interface outside eq 5679
access-list 101 permit tcp any interface outside eq 26675
access-list block_outbound remark Blocks specific outbound traffic
access-list block_outbound deny tcp host internal IP any eq www
access-list block_outbound permit tcp host internal IP any eq smtp
access-list block_outbound deny tcp any any eq smtp
access-list block_outbound permit ip any any
no pager
logging on
logging timestamp
logging trap debugging
logging facility 23
logging host inside internal IP
mtu outside 1500
mtu inside 1500
ip address outside external static IP
ip address inside internal IP 255.255.255.0
ip audit name Inside_Attack attack action alarm
ip audit name Inside_Info info action alarm
ip audit name Outside_Attack attack action drop
ip audit name Outside_Info info action alarm
ip audit interface outside Outside_Info
ip audit interface outside Outside_Attack
ip audit interface inside Inside_Info
ip audit interface inside Inside_Attack
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote remote pool
pdm location REmote pool ip and netmask outside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp internal IP smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www internal IP www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https internal IP https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 10.internal IP 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 internal IP pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 23456 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 internal IP 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30000 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 54321 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 990 internal IP 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 999 internal IP 999 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5721 internal IP 5721 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5678 internal IP 5678 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5679 internal IP 5679 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 26675 internal IP 26675 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group block_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 ISP gateway
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http internal IP 255.255.255.0 inside
snmp-server host inside internal IP poll
no snmp-server location
no snmp-server contact
floodguard enable
sysopt connection permit-pptp
telnet internal IP 255.255.255.255 inside
telnet internal IP 255.255.255.0 inside
telnet timeout 5
ssh internal IP 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote
vpdn group PPTP-VPDN-GROUP client configuration dns internal IP
vpdn group PPTP-VPDN-GROUP client configuration wins internal IP
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username username password *********
vpdn enable outside
terminal width 80
I have replaced the internal address scheme with "Internal IP" and external references with various other, hopefully indicative terms.
I have tried plugging in the ethernet cable to different ports on the 3com switch and on the firewall as well as different cables.
Any further guidance would be appreciated. Thanks in advance for your help.
Gordon
I am having an annoying problem with my PIX 501. It has been an ongoing issue with no consistent pattern that I can ascertain. Traffic stops being routed through the firewall. a sh int shows that the interface and line protocol are both up. A reload of the firewall resolves the issue. I have no problem accessing the device through the outside interface via ssh it is only from the WAN side. I have PIX Firewall Version 6.3 (5).
Here is a copy of the config:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password something encrypted
passwd something encrypted
hostname a name
domain-name the domain
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any interface outside eq 3389
access-list 101 permit tcp any interface outside eq smtp
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq https
access-list 101 permit tcp any interface outside eq 4125
access-list 101 permit tcp any interface outside eq pop3
access-list 101 permit tcp any interface outside eq 23456
access-list 101 permit tcp any interface outside eq 5900
access-list 101 permit tcp any interface outside eq 30000
access-list 101 permit tcp any interface outside eq 54321
access-list 101 permit tcp any interface outside eq 990
access-list 101 permit tcp any interface outside eq 999
access-list 101 permit tcp any interface outside eq 5721
access-list 101 permit tcp any interface outside eq 5678
access-list 101 permit tcp any interface outside eq 5679
access-list 101 permit tcp any interface outside eq 26675
access-list block_outbound remark Blocks specific outbound traffic
access-list block_outbound deny tcp host internal IP any eq www
access-list block_outbound permit tcp host internal IP any eq smtp
access-list block_outbound deny tcp any any eq smtp
access-list block_outbound permit ip any any
no pager
logging on
logging timestamp
logging trap debugging
logging facility 23
logging host inside internal IP
mtu outside 1500
mtu inside 1500
ip address outside external static IP
ip address inside internal IP 255.255.255.0
ip audit name Inside_Attack attack action alarm
ip audit name Inside_Info info action alarm
ip audit name Outside_Attack attack action drop
ip audit name Outside_Info info action alarm
ip audit interface outside Outside_Info
ip audit interface outside Outside_Attack
ip audit interface inside Inside_Info
ip audit interface inside Inside_Attack
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote remote pool
pdm location REmote pool ip and netmask outside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm location internal IP 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp internal IP smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www internal IP www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https internal IP https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 10.internal IP 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 internal IP pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 23456 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 internal IP 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30000 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 54321 internal IP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 990 internal IP 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 999 internal IP 999 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5721 internal IP 5721 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5678 internal IP 5678 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5679 internal IP 5679 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 26675 internal IP 26675 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group block_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 ISP gateway
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http internal IP 255.255.255.0 inside
snmp-server host inside internal IP poll
no snmp-server location
no snmp-server contact
floodguard enable
sysopt connection permit-pptp
telnet internal IP 255.255.255.255 inside
telnet internal IP 255.255.255.0 inside
telnet timeout 5
ssh internal IP 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote
vpdn group PPTP-VPDN-GROUP client configuration dns internal IP
vpdn group PPTP-VPDN-GROUP client configuration wins internal IP
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username username password *********
vpdn enable outside
terminal width 80
I have replaced the internal address scheme with "Internal IP" and external references with various other, hopefully indicative terms.
I have tried plugging in the ethernet cable to different ports on the 3com switch and on the firewall as well as different cables.
Any further guidance would be appreciated. Thanks in advance for your help.
Gordon
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ok - cool
ASKER
Hey Naughton,
It has been a week and there has been an issue since I disabled logging. Thank you very much for you help.
Gordon
It has been a week and there has been an issue since I disabled logging. Thank you very much for you help.
Gordon
ASKER