02-21-2003 12:39 PM - edited 02-20-2020 10:34 PM
On PIX515 with a DMZ port running 5.2(9) everything is working as far as traffic flow in and out of the proper interfaces. I am upgrading to, or rather attempting to, 6.2(2) in order to evaluate N2H2 content filtering. 6.2(2) is required in order to evaluate.
I have upgraded a number of times only to find that as soon as I upgrade to any 6.x PIX OS (6.0(4), 6.1(4), and 6.2(2)), inbound traffic to our web/mail server on the DMZ ceases. Outbound traffic is still permitted. As soon as I restore the OS to 5.2(9), inbound traffic starts flowing again. The current config has been in place for almost a year. ACLs haven't been modified before or after the upgrade.
Based on those symptoms, I'm quite certain that it's not an ACL problem. I also checked the field notices and it's not the 1FE issue where the OS will disable the ethernet port because of an incorrect controller chip.
Ideas/suggestions?
Regards,
Jon
The current config if needed is as follows:
PIX Version 5.2(9)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password EpKQOYWNpWUe1tT9 encrypted
passwd 1qt092mCSX4Fm4vp encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 102 permit ip 192.168.0.0 255.255.255.0 any
access-list 102 permit ip 192.168.1.0 255.255.255.0 any
access-list 102 permit ip 192.168.2.0 255.255.255.0 any
access-list 102 permit ip 192.168.3.0 255.255.255.0 any
access-list 101 permit tcp any host xx.xxx.xxx.3 eq www
access-list 101 permit tcp any host xx.xxx.xxx.3 eq smtp
access-list 101 permit tcp any host xx.xxx.xxx.3 eq pop3
access-list 101 permit tcp any host xx.xxx.xxx.3 eq ftp
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo-reply
pager lines 22
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap warnings
logging history warnings
logging facility 21
logging queue 512
logging host inside 192.168.1.2
no logging message 111005
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.xxx.xxx.2 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip address dmz 10.0.0.254 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 xx.xxx.xxx.13-xx.xxx.xxx.14
global (outside) 1 xx.xxx.xxx.12
global (dmz) 1 10.0.0.10-10.0.0.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) xx.xxx.xxx.3 10.0.0.1 255.255.255.255
static (dmz,outside) xx.xxx.xxx.3 10.0.0.1 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.253 1
route inside 192.168.2.0 255.255.255.0 192.168.0.253 1
route inside 192.168.3.0 255.255.255.0 192.168.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
url-server (inside) host 192.168.1.6 timeout 5 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
terminal width 80
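As an added example (not part of the original post or any Cisco tooling), the following Python cross-checks the posted config's outside ACL against its static translations and reports exactly which DMZ services the firewall is meant to admit inbound, which is the first thing to confirm when deciding whether a post-upgrade outage is a policy problem. The sample lines mirror the config above; 203.0.113.3 is a constructed placeholder for the masked xx.xxx.xxx.3 address.

```python
from collections import defaultdict

# Constructed sample mirroring the posted config; 203.0.113.3 stands in
# for the masked xx.xxx.xxx.3 public address of the DMZ web/mail host.
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 203.0.113.3 eq www
access-list 101 permit tcp any host 203.0.113.3 eq smtp
access-list 101 permit tcp any host 203.0.113.3 eq pop3
access-list 101 permit tcp any host 203.0.113.3 eq ftp
access-list 101 permit icmp any any echo-reply
static (dmz,outside) 203.0.113.3 10.0.0.1 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

def _addr(f, i):
    """Consume one PIX address spec (any | host A | A MASK) at f[i]."""
    if f[i] == "any":
        return "any", i + 1
    if f[i] == "host":
        return f[i + 1], i + 2
    return f"{f[i]}/{f[i + 1]}", i + 2

def parse(config):
    """Collect 'access-list', 'static' and 'access-group' lines; ignore the rest."""
    acls, statics, groups = defaultdict(list), {}, {}
    for line in config.splitlines():
        f = line.split()
        if len(f) > 4 and f[0] == "access-list" and f[2] == "permit":
            src, i = _addr(f, 4)
            dst, i = _addr(f, i)
            acls[f[1]].append((f[3], dst, " ".join(f[i:]) or "any"))
        elif f[:1] == ["static"]:
            # static (real_if,mapped_if) mapped_addr real_addr netmask ...
            real_if = f[1].strip("()").split(",")[0]
            statics[f[2]] = (real_if, f[3])
        elif f[:1] == ["access-group"] and f[2] == "in":
            groups[f[4]] = f[1]          # interface -> ACL applied inbound
    return acls, statics, groups

def inbound_exposure(config, outside="outside"):
    """Map each statically translated real host to the (real_if, proto, service)
    entries the outside ACL permits toward its mapped address."""
    acls, statics, groups = parse(config)
    exposed = defaultdict(list)
    for proto, dst, svc in acls.get(groups.get(outside, ""), []):
        if dst in statics:                 # a permit only matters with a static
            real_if, real_addr = statics[dst]
            exposed[real_addr].append((real_if, proto, svc))
    return dict(exposed)
```

Permits whose destination has no static (here the ICMP entries) are left out of the report, since without a translation no inbound connection can be built to them anyway.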
02-23-2003 03:02 PM
What do the syslogs show when you upgrade and try a connection? That'll be the best indication of what's going wrong. The config looks OK; I can't see anything obviously wrong with it.