No Outbound Traffic, but ping from router works

datacubesystems

May 22, 2014
Attached is the config of a firewall we have. (External IP addresses changed to protect the innocent :))

We are able to ping using the ping command on the router, but devices on the 10.10.11.x subnet are unable to ping, browse, or do anything.

Can someone help me out?

Thank you so much!



Command was: show running-config

Building configuration...

Current configuration : 10278 bytes
!
version 12.4
no service pad
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HFC_SR520
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$RLcN$e9XyVs5S6vsGOte/325L01
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3043343413
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3043343413
revocation-check none
rsakeypair TP-self-signed-3043343413
!
!
crypto pki certificate chain TP-self-signed-3043343413
certificate self-signed 01
30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303433 33343334 3133301E 170D3132 31303233 31383030
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30343333
34333431 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DA3E A85D8767 B93153E2 9F9AF221 5195E075 BA8DD306 0D6FE2CD E0E1FE47
86F442CC A7306FCE 291E6E53 7AB8CABE 6D090304 AA152E96 2AB1450A 74691AC0
F5A712CD 9E1C8F6F F7893600 678A2CA4 A1A883C9 C6B29943 39579073 904F0D2B
5ECA6733 108600EF CC54483C 72DA9682 5D8B271D 6C7F9C38 1748544E C64A99CF
1D630203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
551D1104 22302082 1E484643 5F535235 32302E68 65726261 66616D69 6C796368
69726F2E 636F6D30 1F060355 1D230418 30168014 650180BE 280E80DE C62AFE04
E156724A CCA93517 301D0603 551D0E04 16041465 0180BE28 0E80DEC6 2AFE04E1
56724ACC A9351730 0D06092A 864886F7 0D010104 05000381 810023B9 34449631
74E7158C 9B2FDFF4 89F1AB17 5BB48BE5 791735EA 1D7C52A2 6CA72B47 E014566E
69EBA8C6 BCCB1912 E2563D5B D82121E2 6FD689F7 F3E0B24F 112E1A4C CD62B46E
E73F8861 B03CC461 C4A31950 4C29A0DA 2CF6BBCC D6F0BAE7 676BE319 12DA71F6
07175AA1 25F8BA75 544AFF73 0E3635BC CAEC05F7 5C563CA7 1211
quit
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.11.1 10.10.11.10
!
ip dhcp pool workstations
network 10.10.11.0 255.255.255.128
domain-name test.local
netbios-node-type h-node
default-router 10.10.11.1
dns-server 10.10.11.5 8.8.8.8 8.8.4.4
!
ip dhcp pool telco
network 192.168.10.0 255.255.255.128
domain-name sillyonline.com
netbios-node-type h-node
default-router 192.168.10.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip domain name testcustomer.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name INSP100 appfw IMApps
ip inspect name INSP100 cuseeme
ip inspect name INSP100 dns
ip inspect name INSP100 ftp
ip inspect name INSP100 h323
ip inspect name INSP100 https
ip inspect name INSP100 icmp
ip inspect name INSP100 imap reset
ip inspect name INSP100 pop3 reset
ip inspect name INSP100 netshow
ip inspect name INSP100 rcmd
ip inspect name INSP100 realaudio
ip inspect name INSP100 rtsp
ip inspect name INSP100 esmtp
ip inspect name INSP100 sqlnet
ip inspect name INSP100 streamworks
ip inspect name INSP100 tftp
ip inspect name INSP100 tcp
ip inspect name INSP100 udp
ip inspect name INSP100 vdolive
login block-for 1800 attempts 3 within 300
login quiet-mode access-class RemoteSSH
login on-failure log
no ipv6 cef
!
appfw policy-name IMApps
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$zyQh$UAbs83OaXkKPNMr2SfYHx/

!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh maxstartups 3
ip ssh time-out 10
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet4
ip ssh logging events
ip ssh version 2
!
class-map match-any Download
match protocol http
match protocol ftp
class-map match-any Voice
match dscp ef
match protocol rtcp
match protocol sip
match protocol rtp audio
match protocol h323
match ip rtp 10000 2000
class-map match-any Streaming
match protocol rtsp
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
match protocol rtp video
match protocol bittorrent
match protocol cuseeme
!
!
policy-map Limit-In
class Voice
police rate 1000000
conform-action set-dscp-transmit ef
exceed-action set-dscp-transmit default
violate-action set-dscp-transmit default
class Streaming
police 60000
class Download
police 6000000
policy-map QoS
class Voice
priority 600
set dscp ef
class class-default
police 800000
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN Interface
ip address 71.45.52.194 255.255.255.248
ip access-group WanACL in
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
service-policy input Limit-In
service-policy output QoS
!
interface Vlan1
description Inside Interface
ip address 10.10.11.1 255.255.255.128
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Vlan10
description Telco Interface
ip address 192.168.10.1 255.255.255.128
ip nat inside
ip virtual-reassembly
!
ip local pool SSLVPN 10.10.15.5 10.10.15.15
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 71.45.52.193
!
no ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.11.5 6900 interface FastEthernet4 6900
ip nat inside source static tcp 10.10.11.5 80 interface FastEthernet4 80
ip nat inside source static tcp 10.10.11.1 443 interface FastEthernet4 443
!
ip access-list extended RemoteSSH
permit tcp 10.10.11.0 0.0.0.255 any range 22 telnet
permit tcp 192.168.10.0 0.0.0.127 any range 22 telnet
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
permit tcp host 71.41.125.40 any eq 22
deny ip any any log
permit tcp 10.10.11.0 0.0.0.127 any range 22 telnet
permit tcp host 24.173.169.102 any eq 22
ip access-list extended WanACL
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
permit udp host 192.43.244.18 eq ntp any
permit udp 72.21.26.0 0.0.0.31 eq ntp any gt 1023
permit udp host 8.8.8.8 eq domain any gt 1023
permit udp host 8.8.4.4 eq domain any gt 1023
permit udp any gt 1023 any range 1024 5060
permit udp any gt 1023 any range 10000 12000
permit gre any any
permit tcp host 71.41.125.40 any eq 22
permit tcp any host 71.45.52.194 eq 6900
permit tcp any any established
permit icmp any any echo log
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any log
!
logging trap debugging
!
!
!
!
!
control-plane
!
banner login ^C
----------------------------------------------------------------
Cisco Integrated Services Router
Unauthorized access prohibited. All User access will be logged.
----------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 192.43.244.18 prefer source FastEthernet4
!
webvpn gateway Test-SSL-VPN
hostname Test-SSL_881
ip address 71.45.52.194 port 443
ssl trustpoint TP-self-signed-2371334855
inservice
!
webvpn install svc flash:/webvpn/macosx.pkg sequence 2
!
webvpn context TestPortal
title "Test VPN Portal"
ssl authenticate verify all
!
!
policy group SSLVPN_1
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPN"
svc keep-client-installed
svc split include 10.10.11.0 255.255.255.128
default-group-policy SSLVPN_1
gateway Test-SSL-VPN
max-users 10
inservice
!
end
command completed.
 

datacubesystems

May 22, 2014
Yeah, that's what I thought too. What would an allow-all line look like?

I am able to connect via 6900 to the machine behind the network, and I need to make sure I don't lose that ability, but what would I put to allow all traffic outbound?

Thank you so much in advance!
 

jfreggie2

Sep 16, 2013
So you have the two networks via DHCP, 192.168.10.0 and 10.10.11.0. So if you want to get them both out, then you'd have an access list like this:

In global config mode:

access-list 1 permit 192.168.10.0 0.0.0.127
access-list 1 permit 10.10.11.0 0.0.0.127
 
Solution
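Why those two lines fix it: the posted config translates inside hosts with `ip nat inside source list 1 interface FastEthernet4 overload`, so translation is keyed on access-list 1, and no `access-list 1` appears anywhere in the running-config. An undefined NAT source list matches nothing, so no host on Vlan1 or Vlan10 is ever translated and their RFC 1918-sourced packets go nowhere. Pings typed on the router itself are sourced from the WAN address on FastEthernet4 and need no NAT, which is why they succeed. The checker below is an added example, not code from the thread: it parses an IOS running-config, flags ACLs that are referenced (by NAT, `ip access-group`, `access-class`) but never defined, and as a second check lists ACL entries sitting below a catch-all `permit`/`deny ip any any` that can never match. The embedded sample is a constructed excerpt of the config posted above, with the indentation IOS prints restored, plus the two lines from the answer.

```python
import re

# Constructed excerpt of the running-config posted above (not the full dump);
# ACL entries are indented as IOS prints them, which the page's copy lost.
# The NAT overload line references access-list 1, which is defined nowhere.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 71.45.52.194 255.255.255.248
 ip access-group WanACL in
 ip nat outside
!
interface Vlan1
 ip address 10.10.11.1 255.255.255.128
 ip nat inside
!
login quiet-mode access-class RemoteSSH
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended RemoteSSH
 permit tcp 10.10.11.0 0.0.0.255 any range 22 telnet
 deny ip any any log
 permit tcp 10.10.11.0 0.0.0.127 any range 22 telnet
 permit tcp host 24.173.169.102 any eq 22
ip access-list extended WanACL
 deny ip 10.0.0.0 0.255.255.255 any
 permit tcp any any established
 deny ip any any log
!
end
"""

# The two lines from the accepted answer.
FIX = """\
access-list 1 permit 192.168.10.0 0.0.0.127
access-list 1 permit 10.10.11.0 0.0.0.127
"""

NUMBERED_ACL = re.compile(r"^access-list\s+(\d+)\s+(?:permit|deny|remark)\b")
NAMED_ACL = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
ACE = re.compile(r"^\s*(?:permit|deny|remark)\s+")
CATCH_ALL = re.compile(r"^(?:permit|deny)\s+ip\s+any\s+any(?:\s+log)?$")
# Commands that consume an ACL by name or number (captured in group 1).
REFERENCES = [
    re.compile(r"^\s*ip nat inside source list\s+(\S+)"),
    re.compile(r"^\s*ip access-group\s+(\S+)"),
    re.compile(r"^\s*login quiet-mode access-class\s+(\S+)"),
    re.compile(r"^\s*access-class\s+(\S+)"),
]


def parse_config(text):
    """Return (defined, refs): defined maps ACL name/number -> list of its entries,
    refs is a list of (line_number, acl_name) for every command that uses an ACL."""
    defined, refs, current = {}, [], None
    for n, line in enumerate(text.splitlines(), 1):
        if m := NUMBERED_ACL.match(line):
            defined.setdefault(m.group(1), []).append(line.strip())
            current = None
            continue
        if m := NAMED_ACL.match(line):
            current = m.group(1)
            defined.setdefault(current, [])
            continue
        if current is not None and ACE.match(line):
            defined[current].append(line.strip())
            continue
        current = None  # any other command ends a named ACL block
        for pat in REFERENCES:
            if m := pat.match(line):
                refs.append((n, m.group(1)))
                break
    return defined, refs


def undefined_references(text):
    """ACLs used by NAT, access-group or access-class that are never defined.
    An undefined NAT source list matches nothing, so no inside host gets translated."""
    defined, refs = parse_config(text)
    return sorted({name for _, name in refs if name not in defined})


def unreachable_entries(text):
    """Per ACL, the entries below a catch-all 'permit|deny ip any any';
    ACLs are first-match, so these can never be evaluated."""
    defined, _ = parse_config(text)
    dead = {}
    for name, aces in defined.items():
        for i, ace in enumerate(aces):
            if CATCH_ALL.match(ace):
                if i + 1 < len(aces):
                    dead[name] = aces[i + 1:]
                break
    return dead


def report(text):
    """Human-readable findings, one per line."""
    lines = [f"undefined ACL referenced: {a}" for a in undefined_references(text)]
    for name, aces in unreachable_entries(text).items():
        lines.append(f"{name}: {len(aces)} entries after catch-all never match: {aces}")
    return lines


if __name__ == "__main__":
    print("--- as posted ---")
    print("\n".join(report(SAMPLE_CONFIG)))
    print("--- with access-list 1 added ---")
    print("\n".join(report(FIX + SAMPLE_CONFIG)) or "no findings")
```

Run against the excerpt it reports access-list 1 as undefined; with the two lines from the answer prepended, that finding disappears. It also reports the two RemoteSSH entries that sit below `deny ip any any log` in the posted config (the `permit tcp 10.10.11.0 0.0.0.127 ...` and `permit tcp host 24.173.169.102 ...` lines), which the router will never evaluate. The same parser runs unchanged on a full `show running-config` read from a file.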

datacubesystems

May 22, 2014


That was it. Thank you so much!