Need help with a PIX 520 and VPN traffic

I need some help configuring a firewall that was pretty much thrown at me to manage. I'm unable to get out of the firewall for an application that requires the following ports be open (this is from the application vendor):

Firewall ports (outbound) that need to be enabled:

TCP/264
IPSEC and IKE (UDP/500)
IPSEC ESP (IP type 50)
IPSEC AH (IP type 51)
TCP/500
UDP/2746
UDP/259
TCP/18231

Here's the current firewall config; the IOS has not been updated in a seriously long time; I would really appreciate some help as to why I am not able to get out of the firewall for this application. Syslogging shows that acl_inside group is disallowing the connection.

The application vendor's IPs are 192.131.69.200 and 192.131.65.200.

I am not familiar with CISCO firewalls, but I believe there might also be an issue with NAT-T (correct me if I am wrong).

Thanks in advance for any/all help.

Firewall config (condensed, minus some ACLs):

PIX Version 5.2(6)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security10
enable password 0NVe7N9xFeDnrRfe encrypted
passwd tflge61LqXv/Dm/V encrypted
hostname internetfw
domain-name masked.out
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol ftp 2120
no fixup protocol smtp 25
no names
access-list acl_inside deny ip any host 152.163.0.0
access-list acl_inside permit tcp any any eq ftp-data
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp any any eq domain
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit tcp any any eq 443
access-list acl_inside permit tcp any any eq 554
access-list acl_inside permit tcp any any eq 1080
access-list acl_inside permit tcp any any eq 1755
access-list acl_inside permit tcp any any eq 1863
access-list acl_inside permit tcp any any eq 3101
access-list acl_inside permit tcp any any eq 3520
access-list acl_inside permit tcp any any eq 5050
access-list acl_inside permit tcp any any eq 5190
access-list acl_inside permit tcp any any eq 8000
access-list acl_inside permit tcp any any eq 8010
access-list acl_inside permit tcp any any eq 8080
access-list acl_inside permit icmp host 151.209.194.228 any echo
access-list acl_inside permit icmp host 151.209.194.119 any echo
access-list acl_inside permit icmp any any echo
access-list acl_inside permit tcp any any eq www
access-list acl_inside deny tcp any any eq smtp
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_inside deny ip any any
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 81
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 136
access-list acl_inside deny udp any any eq 136
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq 139
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny udp any any eq 445
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit tcp any host 192.131.69.200 eq 264
access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
access-list acl_inside permit udp any host 192.131.69.200 eq 2746
access-list acl_inside permit udp any host 192.131.69.200 eq 259
access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
access-list acl_inside permit udp any host 192.131.69.200 eq 4500
access-list acl_inside permit tcp any host 192.131.65.200 eq 264
access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
access-list acl_inside permit udp any host 192.131.65.200 eq 2746
access-list acl_inside permit udp any host 192.131.65.200 eq 259
access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
access-list acl_inside permit udp any host 192.131.65.200 eq 4500
access-list acl_inside permit tcp any host 192.131.69.200 eq 500
access-list acl_inside permit tcp any host 192.131.65.200 eq 500
access-list acl_outside deny tcp any any eq 135
access-list acl_outside deny tcp any any eq 136
access-list acl_outside deny tcp any any eq 137
access-list acl_outside deny tcp any any eq 138
access-list acl_outside deny tcp any any eq 139
access-list acl_outside permit tcp any host 63.205.237.14 eq www
access-list acl_outside permit tcp any host 192.131.69.200 eq 264
access-list acl_outside permit udp any host 192.131.69.200 eq isakmp
access-list acl_outside permit udp any host 192.131.69.200 eq 2746
access-list acl_outside permit udp any host 192.131.69.200 eq 259
access-list acl_outside permit tcp any host 192.131.69.200 eq 18231
access-list acl_outside permit udp any host 192.131.69.200 eq 4500
access-list acl_outside permit tcp any host 192.131.65.200 eq 264
access-list acl_outside permit udp any host 192.131.65.200 eq isakmp
access-list acl_outside permit udp any host 192.131.65.200 eq 2746
access-list acl_outside permit udp any host 192.131.65.200 eq 259
access-list acl_outside permit tcp any host 192.131.65.200 eq 18231
access-list acl_outside permit udp any host 192.131.65.200 eq 4500
access-list acl_outside permit tcp any host 192.131.69.200 eq 500
access-list acl_outside permit tcp any host 192.131.65.200 eq 500
pager lines 20
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered warnings
logging trap warnings
no logging history
logging facility 20
logging queue 2048
logging host inside 151.209.194.228
no logging message 106011
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu public 1500
ip address outside masked 255.255.255.240
ip address inside 151.209.194.125 255.255.255.0
ip address public 10.101.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside masked
failover ip address inside 151.209.194.222
failover ip address public 10.101.1.2
arp timeout 14400
global (outside) 1 masked
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) masked 151.209.194.228 netmask 255.255.255.255 0 0
static (public,outside) masked 10.101.1.197 netmask 255.255.255.255 0 0
static (inside,outside) masked 151.209.194.121 netmask 255.255.255.255 0 0
static (inside,outside) masked 151.209.194.133 netmask 255.255.255.255 0 0
static (inside,outside) masked 151.209.194.252 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 masked 1
route inside 151.209.0.0 255.255.0.0 151.209.194.121 1
route outside 151.209.24.0 255.255.255.0 masked 1
route outside 151.209.112.0 255.255.255.0 masked 1
route outside 151.209.113.0 255.255.255.0 masked 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server vpn protocol tacacs+
snmp-server host inside 151.209.194.119
no snmp-server location
no snmp-server contact
snmp-server community !Now!3v3r
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp enable outside
isakmp identity hostname
telnet timeout 5
ssh timeout 60
terminal width 80
Reply to
docpatelsf

The ACLs are read from top to bottom; you have an explicit deny ACL.

That ACL is being read by the firewall before

You need to move the above lines above all the deny statements you have defined.

Reply to
Chad Mahoney
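As an added illustration of the ordering problem the reply describes (example code written for this page, not from the thread or from Cisco), here is a first-match walk through a constructed, abbreviated copy of the posted acl_inside: the catch-all deny tcp/udp/ip lines sit ahead of the host-specific vendor permits, so traffic to 192.131.69.200 port 264 hits a deny first, and moving the permits above the denies fixes that. It also shows that ESP (IP type 50), which the vendor list requires, stays denied even after reordering, because no entry in acl_inside permits it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not Cisco code: a simplified first-match model of a PIX
# access-list. Only protocol, destination host and destination port are
# matched; the source is treated as "any", as in every entry of the posted ACL.

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    dst: str                    # "any" or one host address
    port: Optional[int] = None  # None means any destination port

def matches(ace: Ace, proto: str, dst: str, port: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    if ace.port is not None and ace.port != port:
        return False
    return True

def evaluate(acl: List[Ace], proto: str, dst: str,
             port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); no match means implicit deny."""
    for idx, ace in enumerate(acl):
        if matches(ace, proto, dst, port):
            return ace.action, idx
    return "deny", None

VENDOR = "192.131.69.200"

# Constructed abbreviation of the posted acl_inside, keeping its order:
# the catch-all denies come before the host-specific vendor permits.
AS_POSTED = [
    Ace("permit", "tcp", "any", 443),
    Ace("deny", "tcp", "any"),
    Ace("deny", "udp", "any"),
    Ace("deny", "ip", "any"),
    Ace("permit", "tcp", VENDOR, 264),
    Ace("permit", "udp", VENDOR, 500),   # isakmp
    Ace("permit", "udp", VENDOR, 4500),  # NAT-T
]

def reordered(acl: List[Ace]) -> List[Ace]:
    """The reply's advice: move host-specific permits above the catch-all denies."""
    specific = [a for a in acl if a.action == "permit" and a.dst != "any"]
    rest = [a for a in acl if not (a.action == "permit" and a.dst != "any")]
    return specific + rest
```

Running `evaluate(AS_POSTED, "tcp", VENDOR, 264)` returns a deny decided by the `deny tcp any any` entry, `evaluate(reordered(AS_POSTED), "tcp", VENDOR, 264)` returns a permit, and `evaluate(reordered(AS_POSTED), "esp", VENDOR)` is still denied by `deny ip any any`.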
