I am having issues where some of my users are not getting out to the Internet. I have narrowed it down (I believe) to my NAT statements. Some users' IPs are not being translated to our outgoing IP. The following is my config file. It includes statements for our VPN and mail server access (which are working):
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xuEY8/rL5zQAjHOY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname firewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service outbound-blocked-ports tcp-udp
  port-object eq 389
  port-object eq 69
  port-object eq 445
  port-object range 135 139
access-list inbound permit icmp any any
access-list inbound permit tcp any host 65.xxx.xxx.122 eq www
access-list inbound permit tcp any host 65.xxx.xxx.122 eq smtp
access-list inbound permit tcp any host 65.xxx.xxx.122 eq 3389
access-list inbound permit tcp any host 65.xxx.xxx.122 eq https
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outbound deny tcp any any object-group outbound-blocked-ports
access-list outbound deny udp any any object-group outbound-blocked-ports
access-list outbound permit ip any any
access-list outbound permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_crytomap_dyn_20 permit ip any 192.168.1.0 255.255.255.128
pager lines 20
mtu outside 1500
mtu inside 1500
ip address outside 65.xxx.xxx.125 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.1.1.1-10.1.1.50
pdm location 192.168.1.0 255.255.255.128 outside
pdm location 65.xxx.xxx.122 255.255.255.255 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.xxx.xxx.122 192.168.1.2 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 65.xxx.xxx.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.2 quality timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 match address outside_crytomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication pap
vpdn group L2TP-VPDN-GROUP ppp authentication chap
vpdn group L2TP-VPDN-GROUP ppp authentication mschap
vpdn group L2TP-VPDN-GROUP client configuration address local vpnpool1
vpdn group L2TP-VPDN-GROUP client configuration dns 192.168.1.2
vpdn group L2TP-VPDN-GROUP client configuration wins 192.168.1.2
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local vpnpool1
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.2
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username myuser password *********
vpdn enable outside
terminal width 80
Cryptochecksum:89db6a16929992045353d2f5bfa29044
: end