627 Views, 0 Helpful, 6 Replies

Help! problems with IOS 6.3.(3)

soylo
Level 1

I have a PIX 520 (16 MB flash and 128 MB RAM). I upgraded from 5.1.3 to 6.3(3). At first the configuration used conduit and outbound commands; later I changed it to access-lists.

The PIX has 4 interfaces: Outside, DMZ, SEGURA and INSIDE. I have one DNS server (172.17.1.7) in the DMZ segment and two internal DNS servers (172.25.0.176, 172.25.0.177).

PROBLEM: At first the configuration works very well; there is communication between the DNS servers. But after a while, without any apparent cause, the communication goes down, and the DNS servers can't communicate with each other.

WORKAROUND: I went back to the old configuration with conduit and outbound commands, and the problem is resolved.

Q:

What is happening?

What is the recommended IOS version for this type of PIX?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
nameif ethernet3 segura security60
name 172.17.1.10 webserver
name 172.16.1.19 mdb9
name A.B.C.193 router

access-list outside_mem permit icmp any any
access-list outside_mem permit icmp any any echo-reply
access-list outside_mem permit tcp any host A.B.C.194 eq www
access-list outside_mem permit tcp any host A.B.C.197 eq www
access-list outside_mem permit tcp any host A.B.C.196 eq smtp
access-list outside_mem permit tcp any host A.B.C.199 eq domain
access-list outside_mem permit udp any host A.B.C.199 eq domain

access-list dmz_mem permit icmp any any
access-list dmz_mem permit icmp any any echo-reply
access-list dmz_mem permit tcp host webserver host mdb9
access-list dmz_mem permit tcp host 172.17.1.4 host 172.17.1.170 eq smtp

access-list inside_mem permit tcp any host mdb9
access-list inside_mem permit tcp any host webserver eq www
access-list inside_mem permit tcp host 172.25.0.176 any eq domain
access-list inside_mem permit udp host 172.25.0.176 any eq domain
access-list inside_mem permit tcp host 172.25.0.177 any eq domain
access-list inside_mem permit udp host 172.25.0.177 any eq domain
access-list inside_mem permit tcp host 172.25.0.170 host 172.17.1.4 eq smtp
access-list inside_mem permit tcp host 172.25.0.170 host A.B.C.21 eq smtp
access-list inside_mem permit tcp host 172.25.0.22 any
access-list inside_mem permit udp host 172.25.0.22 any
access-list inside_mem permit tcp host 161.132.169.201 any
access-list inside_mem permit tcp host 161.132.169.205 any
access-list inside_mem permit icmp any any
access-list inside_mem permit icmp any any echo-reply
access-list inside_mem permit tcp host 172.25.2.63 host webserver eq ftp
access-list inside_mem permit tcp host 172.25.1.75 host webserver eq ftp
access-list inside_mem permit tcp host 172.25.1.77 host webserver eq ftp
access-list inside_mem permit tcp any host 172.16.1.20
access-list inside_mem permit tcp 172.25.0.0 255.255.254.0 any eq www
access-list inside_mem permit tcp 172.25.0.0 255.255.254.0 any eq https

access-list segura_mem permit icmp any any
access-list segura_mem permit icmp any any echo-reply
...

global (outside) 1 A.B.C.208 netmask 255.255.255.224
global (dmz) 1 172.17.1.100 netmask 255.255.255.0
global (segura) 1 172.16.1.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (segura) 0 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) A.B.C.199 172.17.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.C.194 webserver netmask 255.255.255.255 0 0
static (dmz,outside) A.B.C.196 172.17.1.4 netmask 255.255.255.255 0 0
static (inside,dmz) 172.17.1.170 172.25.0.170 netmask 255.255.255.255 0 0
static (inside,outside) 200.47.152.197 172.25.0.170 netmask 255.255.255.255 0 0
static (segura,dmz) mdb9 mdb9 netmask 255.255.255.255 0 0
static (inside,outside) A.B.C.213 172.25.1.75 netmask 255.255.255.255 0 0

access-group outside_mem in interface outside
access-group inside_mem in interface inside
access-group dmz_mem in interface dmz
access-group segura_mem in interface segura
route outside 0.0.0.0 0.0.0.0 router 1

6 Replies

cabell911
Level 1

I'm not so sure this isn't a bug. I'm experiencing this on a 506 with the same version. Our clients query an internal caching-only server that resolves requests for them. It works fine for a few hours, then it won't pass any more queries; it doesn't even show anything in the log. A reload fixes it. I'm waiting on my maintenance agreement to renew to talk with TAC about this.

The symptoms you guys mention sound like a known issue, CSCec45748: new DNS conns reset the idle timer of previous DNS conns.

My suggestion would be to open a TAC case and request the latest 6.3(3) interim release to test with. This should have the fix for this problem. Good luck.

Scott
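Both posts above describe the same picture: DNS through the PIX works for hours, then stops, with nothing in the log. What TAC will want alongside `show conn` is a timestamp for when forwarding stopped, from each segment. The script below is an added example, not code from this thread and not a Cisco tool: it hand-builds a DNS A query in RFC 1035 wire format, sends it over UDP/53, classifies the reply, and reports the first run of consecutive timeouts per server. The server addresses and query name under `__main__` are placeholders taken from the post; the `transport` argument exists so the classification logic can be exercised offline against a canned reply.

```python
"""Periodic DNS reachability probe (added example, not from the original post).

Builds a minimal DNS A query by hand (RFC 1035 wire format), sends it over
UDP/53 and classifies the answer.  A server that was answering and then
returns only timeouts is reported with the time of the first failure.
"""
import random
import socket
import struct
import time

FLAG_QR, FLAG_RD, RCODE_MASK = 0x8000, 0x0100, 0x000F
OUTAGE_RUN = 3          # consecutive timeouts that count as "stopped answering"


def build_query(qname, qid, qtype=1):
    """Wire-format query for qname (QTYPE 1 = A, QCLASS 1 = IN) with RD set."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def check_response(qid, data):
    """Return (is_reply_to_our_query, rcode) for a datagram from the server."""
    if len(data) < 12:
        return False, None
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid or not flags & FLAG_QR:
        return False, None
    return True, flags & RCODE_MASK


def udp_exchange(server, payload, timeout):
    """Real transport: one datagram out, one back, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (server, 53))
        try:
            return sock.recv(512)
        except socket.timeout:
            return None


def probe(server, qname, timeout=2.0, qid=None, transport=udp_exchange):
    """Classify one query as 'ok', 'rcode:N', 'timeout' or 'bad' (foreign reply)."""
    qid = random.randrange(1, 0x10000) if qid is None else qid
    data = transport(server, build_query(qname, qid), timeout)
    if data is None:
        return "timeout"
    matched, rcode = check_response(qid, data)
    if not matched:
        return "bad"
    return "ok" if rcode == 0 else f"rcode:{rcode}"


def first_outage(results, threshold=OUTAGE_RUN):
    """Index where the first run of `threshold` consecutive timeouts starts, or None."""
    run = 0
    for i, result in enumerate(results):
        run = run + 1 if result == "timeout" else 0
        if run == threshold:
            return i - threshold + 1
    return None


def monitor(servers, qname, interval=60, rounds=None):
    """Probe every server each `interval` seconds; print the first outage per server."""
    history = {s: [] for s in servers}
    done = 0
    while rounds is None or done < rounds:
        for server in servers:
            history[server].append(probe(server, qname))
            if first_outage(history[server]) == len(history[server]) - OUTAGE_RUN:
                print(time.strftime("%Y-%m-%d %H:%M:%S"), server, "stopped answering")
        done += 1
        time.sleep(interval)
    return history


if __name__ == "__main__":
    # Placeholder servers from the post; run one copy from a host on each segment.
    monitor(["172.17.1.7", "172.25.0.176", "172.25.0.177"], "www.example.com.")
```

Run it in parallel on an inside host and a DMZ host, so that a failure seen from one side only points at the firewall rather than at the server itself.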

Thanks Scott,

1. What do you think of the PIX configuration? Is it good?

2. I have a PIX 520. What IOS version do you recommend?

3. If I decide to DOWNGRADE the version, where can I find the documentation?

Sergio

1. I just glanced at it quickly and it looks fine to me. But it is hard to say without knowing your environment first hand.

2. The latest 6.3(3) interim release, if you want to run with the features in the 6.3 code. You will need to get this from the TAC (it is not on CCO).

3. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm

Scott
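Sergio asked whether the posted configuration is good, and the answer above is a quick glance. The script below is an added example, not code from this thread and not a Cisco tool: a Python 3 review of the command forms that appear in the post (name, access-list, access-group, static) that reports the things a reviewer would raise first: an access-group bound to an ACL with no entries, permits with no destination or port restriction, entries shadowed by an earlier one, and statics toward the outside that no outside ACL entry permits. SAMPLE_CONFIG is a constructed excerpt of the posted configuration with the poster's own A.B.C masking kept; the finding categories and the simplified "exact match or any" coverage test are the example's own choices.

```python
"""Static review of a PIX 6.x configuration excerpt.

Added example, not Cisco code and not from the original post.  Handles only
the command forms seen in the thread (name, access-list, access-group,
static) and reports four kinds of review findings.
"""
import re
from collections import defaultdict

# Constructed excerpt of the posted configuration; "A.B.C" is the poster's
# own masking of the public prefix.
SAMPLE_CONFIG = """\
name 172.17.1.10 webserver
access-list outside_mem permit icmp any any
access-list outside_mem permit icmp any any echo-reply
access-list outside_mem permit tcp any host A.B.C.194 eq www
access-list outside_mem permit tcp any host A.B.C.199 eq domain
access-list outside_mem permit udp any host A.B.C.199 eq domain
access-list dmz_mem permit icmp any any
access-list inside_mem permit tcp host 172.25.0.176 any eq domain
access-list inside_mem permit udp host 172.25.0.176 any eq domain
access-list inside_mem permit tcp host 172.25.0.22 any
access-list inside_mem permit udp host 172.25.0.22 any
access-list segura_mem permit icmp any any
static (dmz,outside) A.B.C.199 172.17.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.C.194 webserver netmask 255.255.255.255 0 0
static (inside,outside) A.B.C.213 172.25.1.75 netmask 255.255.255.255 0 0
access-group outside_mem in interface outside
access-group inside_mem in interface inside
access-group dmz_mem in interface dmz
access-group segura_mem in interface segura
"""


def _take_addr(tokens, i):
    """Consume one address spec (any | host X | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ("any", "0.0.0.0"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P | icmp-type]'."""
    t = line.split()
    ace = {"acl": t[1], "action": t[2], "proto": t[3], "sport": None, "dport": None}
    ace["src"], i = _take_addr(t, 4)
    if i < len(t) and t[i] == "eq":
        ace["sport"], i = t[i + 1], i + 2
    ace["dst"], i = _take_addr(t, i)
    if i < len(t):                       # 'eq PORT', or a bare ICMP type
        ace["dport"] = t[i + 1] if t[i] == "eq" else t[i]
    return ace


def _covers(a, b):
    """True if every packet matching b also matches a (exact/any only, no subnet math)."""
    wider = lambda x, y: x[0] == "any" or x == y
    return (a["proto"] in ("ip", b["proto"]) and wider(a["src"], b["src"])
            and wider(a["dst"], b["dst"]) and a["sport"] in (None, b["sport"])
            and a["dport"] in (None, b["dport"]))


def audit(config_text):
    """Return a list of (category, message) findings."""
    names, acls, groups, statics = {}, defaultdict(list), {}, []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("name "):
            names[line.split()[2]] = line.split()[1]
        elif line.startswith("access-list "):
            acls[line.split()[1]].append(parse_ace(line))
        elif line.startswith("access-group "):
            t = line.split()                   # access-group ACL in interface IFACE
            groups[t[4]] = t[1]
        elif line.startswith("static "):
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            if m:
                statics.append(m.groups())
    findings = []
    for iface, acl in groups.items():
        if acl not in acls:       # bound ACL with no entries: only the implicit deny applies
            findings.append(("undefined-acl", f"{iface}: access-group {acl} has no entries (implicit deny only)"))
    for acl, aces in acls.items():
        for n, ace in enumerate(aces):
            for m, earlier in enumerate(aces[:n]):
                if _covers(earlier, ace):
                    findings.append(("shadowed", f"{acl}: entry {n + 1} unreachable, covered by entry {m + 1}"))
                    break
            if ace["action"] != "permit":
                continue
            if ace["src"][0] == "any" and ace["dst"][0] == "any" and ace["dport"] is None:
                findings.append(("broad-permit", f"{acl}: permit {ace['proto']} any any"))
            elif ace["dst"][0] == "any" and ace["dport"] is None and ace["proto"] != "icmp":
                findings.append(("broad-permit", f"{acl}: {ace['src'][0]} to any {ace['proto']} port anywhere"))
    outside_acl = groups.get("outside")
    for _hi, lo, global_ip, local in statics:
        if lo == "outside" and outside_acl and not any(
                ace["dst"][0] == global_ip for ace in acls.get(outside_acl, [])):
            findings.append(("static-no-permit",
                             f"static {global_ip} -> {names.get(local, local)}: no inbound permit in {outside_acl}"))
    return findings


if __name__ == "__main__":
    for category, message in audit(SAMPLE_CONFIG):
        print(f"{category:17} {message}")
```

On the excerpt this reports what can be read off the posted lines: the inbound `permit icmp any any` on outside admits every ICMP type and makes the `echo-reply` entry beneath it unreachable, the two 172.25.0.22 entries allow any TCP or UDP port anywhere, and the A.B.C.213 static has no inbound permit (outbound-only NAT, which is fine if that is what was intended). None of these explains the DNS outage in the thread; they are hygiene items to clean up once it is fixed.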

Thanks Scott for your response.

Can I DOWNGRADE from 6.3(3) to 6.1(5)?

What is the procedure to downgrade?

Because 6.1(5) GD is the most stable, is that true?

Sergio

Yes, you can downgrade to 6.1(5) if you wish. There should be nothing special that needs to be done here. Just load the 6.1(5) binary file and reload the PIX. If you have some commands that are new to the 6.2 or 6.3 code, they will obviously error out when the 6.1(5) code tries to read in the config, but this should not be too big of a deal. Just keep an eye on the console to have an idea of what is going on. And, yes, 6.1(5) has reached General Deployment, which is a milestone signifying a certain level of stability.

Scott