  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328

Upgraded image from 6.3.5 to 8.0.2 prevents ACL from opening outside ports

Group,
Upgraded my PIX from 6.3.5 to 8.0.2 today, and although the running config looks good, I am not able to open up ports on the outside interface as I had before. I ran a port scanner and it shows all ports on the outside interface closed, even after I re-apply the access-group to the outside interface, clear xlate, etc. I am enclosing a copy of the config and what I can see for reference; your input would be greatly appreciated!

MeccaNetPix(config)# show running-config
: Saved
:
PIX Version 8.0(2)
!
hostname MeccaNetPix
domain-name somedomain.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 24.73.166.xx 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif dmz
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
passwd
banner login Hello Meccanet Admin!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name somedomain.com
object-group service SIP tcp-udp
 description IAX, SIP and RTP ports
 port-object eq 4569
 port-object range sip 5082
 port-object range 10001 20000
object-group service webservices tcp
 description MeccaNet Webservices
 port-object eq www
 port-object eq ftp
 port-object eq pop3
 port-object eq smtp
 port-object eq 81
 port-object eq 82
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 24.73.166.xx object-group webservices
access-list outside_access_in extended permit tcp any host 24.73.166.xx object-group SIP
access-list outside_access_in extended permit udp any host 24.73.166.xx object-group SIP
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list mecca_icmp_traffic remark Rules for ICMP Traffic
access-list mecca_icmp_traffic extended permit icmp any any unreachable
access-list mecca_icmp_traffic extended permit icmp any any time-exceeded
access-list mecca_icmp_traffic extended permit icmp any any echo-reply
access-list webservices extended permit tcp any host 24.73.166.xx object-group webservices
no pager
logging enable
logging timestamp
logging trap informational
logging history warnings
logging asdm informational
logging host inside 192.168.0.3
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool ippool 192.168.2.1-192.168.2.254
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 24.73.166.xx smtp 192.168.0.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 24.73.166.xx pop3 192.168.0.3 pop3 netmask 255.255.255.255
static (inside,outside) tcp 24.73.166.xx ftp 192.168.0.4 ftp netmask 255.255.255.255
static (inside,outside) tcp 24.73.166.xx imap4 192.168.0.3 imap4 netmask 255.255.255.255
static (inside,outside) tcp 24.73.166.xx www 192.168.0.6 www netmask 255.255.255.255
static (inside,outside) tcp 24.73.166.xx 81 192.168.0.3 81 netmask 255.255.255.255
static (inside,outside) tcp 24.73.166.xx sip 192.168.0.25 sip netmask 255.255.255.255
static (inside,outside) udp 24.73.166.xx sip 192.168.0.25 sip netmask 255.255.255.255
static (inside,outside) tcp 24.73.166.xx 82 192.168.0.3 82 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.73.166.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.0.0 255.255.255.255 inside
snmp-server location xx
snmp-server contact xx
snmp-server community xx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:207c45b0f59ed8ca283e3d32cdeef067
: end
Asked by: blakmoon91

1 Solution
lrmoore commented:
The newer PIX OS versions require use of the 'interface' keyword when everything uses the same IP as the outside interface.

NO:
access-list outside_access_in extended permit tcp any host 24.73.166.xx object-group webservices
static (inside,outside) tcp 24.73.166.xx smtp 192.168.0.3 smtp netmask 255.255.255.255

YES:
access-list outside_access_in extended permit tcp any interface outside object-group webservices
static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255
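As an added example (not part of the original thread or of any Cisco tooling), the script below does the rewrite lrmoore describes over a constructed excerpt of the poster's config, and then runs the check a practitioner would want after such a migration: it expands the `object-group service` entries referenced by `outside_access_in` and lists every permitted port that has no matching `static`, since an ACE that permits a port the firewall has no translation for still goes nowhere when the outside address is the PAT address. The assumed pieces are the outside address (the post masks it as 24.73.166.xx; 203.0.113.50 is a documentation address standing in for it), the ACL name `outside_access_in`, and the small port-name table, which covers only the service keywords that appear in the posted config.

```python
import re

# Constructed excerpt modelled on the 6.3-style config in the question. The masked
# outside address 24.73.166.xx is replaced by the documentation address 203.0.113.50
# (an assumption, not the poster's real address).
OUTSIDE_IP = "203.0.113.50"
OLD_CONFIG = f"""\
object-group service SIP tcp-udp
 description IAX, SIP and RTP ports
 port-object eq 4569
 port-object range sip 5082
object-group service webservices tcp
 port-object eq www
 port-object eq smtp
 port-object eq 81
access-list outside_access_in extended permit tcp any host {OUTSIDE_IP} object-group webservices
access-list outside_access_in extended permit udp any host {OUTSIDE_IP} object-group SIP
global (outside) 1 interface
static (inside,outside) tcp {OUTSIDE_IP} smtp 192.168.0.3 smtp netmask 255.255.255.255
static (inside,outside) tcp {OUTSIDE_IP} www 192.168.0.6 www netmask 255.255.255.255
static (inside,outside) udp {OUTSIDE_IP} sip 192.168.0.25 sip netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Only the service keywords that appear in the posted config are mapped here.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "imap4": 143, "sip": 5060}


def port_num(tok):
    """Resolve a PIX port keyword or numeric port to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_object_groups(lines):
    """Return {group name: set of ports} for 'object-group service' blocks."""
    groups, current = {}, None
    for line in lines:
        m = re.match(r"object-group service (\S+) (?:tcp|udp|tcp-udp)$", line)
        if m:
            current = groups.setdefault(m.group(1), set())
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
        elif current is not None and line.startswith(" port-object"):
            parts = line.split()
            if parts[1] == "eq":
                current.add(port_num(parts[2]))
            elif parts[1] == "range":
                current.update(range(port_num(parts[2]), port_num(parts[3]) + 1))
    return groups


def migrate(config, outside_ip):
    """Rewrite explicit outside-address references to the 8.x 'interface' form."""
    out = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            # 'host <outside ip>' becomes 'interface outside' in the ACE
            line = line.replace(f"host {outside_ip}", "interface outside")
        elif line.startswith("static ("):
            # 'static (in,out) tcp <outside ip> port ...' becomes '... tcp interface port ...'
            line = re.sub(rf"^(static \(\S+\) (?:tcp|udp) ){re.escape(outside_ip)} ",
                          r"\1interface ", line)
        out.append(line)
    return "\n".join(out) + "\n"


def inbound_gaps(config):
    """(proto, port) pairs permitted by outside_access_in with no matching static."""
    lines = config.splitlines()
    groups = parse_object_groups(lines)
    statics = set()
    for line in lines:
        m = re.match(r"static \(inside,outside\) (tcp|udp) \S+ (\S+) ", line)
        if m:
            statics.add((m.group(1), port_num(m.group(2))))
    gaps = []
    ace = re.compile(r"access-list outside_access_in extended permit (tcp|udp) any "
                     r"(?:host \S+|interface outside) (.+)$")
    for line in lines:
        m = ace.match(line)
        if not m:
            continue
        proto, rest = m.group(1), m.group(2).split()
        if rest[0] == "object-group":
            ports = groups[rest[1]]
        elif rest[0] == "eq":
            ports = {port_num(rest[1])}
        else:
            continue
        gaps.extend((proto, p) for p in sorted(ports) if (proto, p) not in statics)
    return gaps


if __name__ == "__main__":
    print(migrate(OLD_CONFIG, OUTSIDE_IP))
    for proto, port in inbound_gaps(OLD_CONFIG):
        print(f"permitted but no static: {proto}/{port}")
```

On the constructed excerpt the rewrite produces exactly the two "YES" forms from the answer, and the gap check reports tcp/81 plus udp/4569 and udp/5061-5082: ports the ACL permits but that no `static` forwards. Whether those are intentional is a judgement call for the admin; the point is that `show running-config` looking "good" and an outside port scan showing everything closed are consistent with each other whenever the ACE and the static disagree, so it is worth running this kind of cross-check against the real config before reaching for `clear xlate` again.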
blakmoon91 (author) commented:
I realized by looking through the command reference for 8.0 that a pretty significant amount of stuff has changed, I will have some reading to do :-) Thanks again for pointing me in the right direction.