Made no changes of any kind. FW suddenly started blocking HTTP/80 traffic. All other I/O traffic passes. All devices reloaded and later cold-restarted (no errors on LEDs). As a last resort, erased flash config and re-entered it via console cable. LAN users/servers are on subnet 192.168.1.x and VPN users on subnet 192.168.3.x.
My suspicions tend toward the absence of OUTBOUND statements, a TIMEOUT XLATE value that is too long, or a brown-out during the night... Any ideas? Config follows:
Thanks! M.T.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********
passwd ********
hostname FWNKI
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 200 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 192.168.3.1-192.168.3.254
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.2 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host eq smtp any
conduit permit tcp host eq domain any
conduit permit tcp host eq 443 any
conduit permit tcp host eq www any
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set vpnmark esp-des esp-md5-hmac
crypto dynamic-map vpnclient 200 match address 200
crypto dynamic-map vpnclient 200 set transform-set vpnclient
crypto dynamic-map lexmap 10 set transform-set vpnmark
crypto map partner-map 10 ipsec-isakmp dynamic lexmap
crypto map partner-map 200 ipsec-isakmp dynamic vpnclient
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local dealer outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash md5
isakmp policy 200 group 1
isakmp policy 200 lifetime 86400
vpngroup vpnnki address-pool dealer
vpngroup vpnnki idle-time 1800
vpngroup vpnnki password ********
telnet 192.168.1.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
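The checks a reviewer would run over a PIX 6.x config like the one above before suspecting the box itself, as an added example that is not part of the original post or a Cisco tool. It parses a constructed sample modelled on the posted config (the public addresses that were redacted in the post are stood in for by the 203.0.113.0/24 documentation range) and answers three questions: does a conduit still admit TCP/80 to the static-mapped host, is HTTP inspection (`fixup protocol http 80`) enabled, and are the xlate/conn timeouts anything other than the PIX 6.x defaults. It also lists the settings in the posted config a security reviewer would flag regardless of the outage. All function names are this example's own.

```python
"""Static checks over a PIX 6.x-style configuration for inbound TCP/80 handling."""

# PIX 6.x factory defaults for the two timeouts the poster suspects.
PIX_DEFAULT_TIMEOUTS = {"xlate": "3:00:00", "conn": "1:00:00"}
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53, "ftp": 21}

# Constructed sample, modelled on the posted config; 203.0.113.x replaces
# the redacted public addresses and is an assumption of this example.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.3
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.4 192.168.1.2 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.0.113.4 eq smtp any
conduit permit tcp host 203.0.113.4 eq domain any
conduit permit tcp host 203.0.113.4 eq 443 any
conduit permit tcp host 203.0.113.4 eq www any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
snmp-server community public
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
"""


def parse(text):
    """Split a config into token lists, dropping blank lines and '!' comments."""
    return [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def port_number(tok):
    """Resolve a numeric port or a PIX port keyword (www, smtp, ...)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def _addr(toks, i):
    """Parse 'any', 'host A' or 'A MASK' at toks[i]; return ((addr, mask), next_i)."""
    if toks[i] == "any":
        return ("any", None), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "255.255.255.255"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def _port(toks, i):
    """Parse an optional 'eq PORT' at toks[i]; return (port or None, next_i)."""
    if i < len(toks) and toks[i] == "eq":
        return port_number(toks[i + 1]), i + 2
    return None, i


def conduits(lines):
    """Each conduit as a dict: global (destination) address/port, foreign (source) address/port."""
    out = []
    for t in lines:
        if len(t) < 5 or t[0] != "conduit":
            continue
        g, i = _addr(t, 3)
        gport, i = _port(t, i)
        f, i = _addr(t, i)
        fport, _ = _port(t, i)
        out.append({"action": t[1], "proto": t[2], "global": g, "global_port": gport,
                    "foreign": f, "foreign_port": fport})
    return out


def statics(lines):
    """Map global (outside) address -> inside address from 'static (inside,outside) G L ...'."""
    return {t[2]: t[3] for t in lines if t[0] == "static" and len(t) >= 4}


def http_fixup_enabled(lines):
    """True unless the HTTP fixup is absent or negated with 'no fixup protocol http'."""
    return any(t[:3] == ["fixup", "protocol", "http"] for t in lines)


def timeouts(lines):
    """Collect every '<name> <h:mm:ss>' pair from the timeout lines."""
    found = {}
    for t in lines:
        if t[0] == "timeout":
            found.update(zip(t[1::2], t[2::2]))
    return found


def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def hygiene_findings(lines):
    """Settings present in the posted config that a reviewer would flag."""
    f = []
    for t in lines:
        if t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            f.append("SNMP community is a well-known default: " + t[2])
        if t[:2] == ["isakmp", "key"] and "0.0.0.0" in t:
            f.append("wildcard pre-shared key (address 0.0.0.0) accepts any IKE peer")
        if t[:2] == ["isakmp", "policy"] and "encryption" in t and t[-1] == "des":
            f.append("IKE policy %s uses single DES" % t[2])
    return f


def analyze(text, port=80):
    """Report inbound exposure of TCP/<port>, HTTP fixup state, timeouts and findings."""
    lines = parse(text)
    smap = statics(lines)
    hits = [c for c in conduits(lines)
            if c["action"] == "permit" and c["proto"] in ("tcp", "ip")
            and c["global_port"] in (None, port)]
    tmo = timeouts(lines)
    return {
        "fixup_http": http_fixup_enabled(lines),
        "exposure": [(c["global"][0], smap.get(c["global"][0])) for c in hits],
        "timeouts": tmo,
        "xlate_is_default": tmo.get("xlate") == PIX_DEFAULT_TIMEOUTS["xlate"],
        "findings": hygiene_findings(lines),
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_CONFIG).items():
        print("%-16s %s" % (k, v))
```

On the sample, TCP/80 is still admitted by conduit to the static-mapped host, so the conduit list is not what changed; `fixup protocol http 80` is on, which is worth toggling with `no fixup protocol http 80` as a diagnostic step since the fixup is the only HTTP-specific processing in the config; and `timeout xlate 3:00:00` / `timeout conn 1:00:00` are the PIX 6.x defaults, not unusually long values. The findings list is independent of the outage but belongs in any review of this config.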