Upgraded image from 6.3.5 to 8.0.2 prevents ACL from opening outside ports

Posted on 2007-09-28
Last Modified: 2013-11-16
Upgraded my PIX from 6.3.5 to 8.0.2 today and, although the running config looks good, I am not able to open up ports on the outside interface as I had before. I ran a port scanner and it shows all ports on the outside interface closed, even after I re-apply the access-group to the outside interface, clear xlate, etc. I am enclosing a copy of the config and what I can see for reference; your input would be greatly appreciated!

MeccaNetPix(config)# show running-config
: Saved
PIX Version 8.0(2)
hostname MeccaNetPix
enable password 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address 24.73.166.xx
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 nameif dmz
 security-level 10
 ip address
banner login Hello Meccanet Admin!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
object-group service SIP tcp-udp
 description IAX, SIP and RTP ports
 port-object eq 4569
 port-object range sip 5082
 port-object range 10001 20000
object-group service webservices tcp
 description MeccaNet Webservices
 port-object eq www
 port-object eq ftp
 port-object eq pop3
 port-object eq smtp
 port-object eq 81
 port-object eq 82
access-list 101 extended permit ip
access-list 102 extended permit ip
access-list outside_access_in extended permit tcp any host 24.73.166.xx object-group webservices
access-list outside_access_in extended permit tcp any host 24.73.166.xx object-group SIP
access-list outside_access_in extended permit udp any host 24.73.166.xx object-group SIP
access-list split extended permit ip
access-list mecca_icmp_traffic remark Rules for ICMP Traffic
access-list mecca_icmp_traffic extended permit icmp any any unreachable
access-list mecca_icmp_traffic extended permit icmp any any time-exceeded
access-list mecca_icmp_traffic extended permit icmp any any echo-reply
access-list webservices extended permit tcp any host 24.73.166.xx object-group webservices
no pager
logging enable
logging timestamp
logging trap informational
logging history warnings
logging asdm informational
logging host inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool ippool
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1
static (inside,outside) tcp 24.73.166.xx smtp smtp netmask
static (inside,outside) tcp 24.73.166.xx pop3 pop3 netmask
static (inside,outside) tcp 24.73.166.xx ftp ftp netmask
static (inside,outside) tcp 24.73.166.xx imap4 imap4 netmask
static (inside,outside) tcp 24.73.166.xx www www netmask
static (inside,outside) tcp 24.73.166.xx 81 81 netmask
static (inside,outside) tcp 24.73.166.xx sip sip netmask
static (inside,outside) udp 24.73.166.xx sip sip netmask
static (inside,outside) tcp 24.73.166.xx 82 82 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
http inside
snmp-server location xx
snmp-server contact xx
snmp-server community xx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end
Question by:blakmoon91

Accepted Solution

The newer PIX OS versions require the use of the 'interface' keyword when everything uses the same IP as the outside interface.

access-list outside_access_in extended permit tcp any host 24.73.166.xx object-group webservices
static (inside,outside) tcp 24.73.166.xx smtp smtp netmask

access-list outside_access_in extended permit tcp any interface outside object-group webservices
static (inside,outside) tcp interface smtp smtp netmask
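
Added example, not from the post or from Cisco: a small Python checker that reads the outside interface's address out of a saved config and rewrites every 6.3-style line that references that address literally (ACL destination 'host <ip>', static mapped address) into the 'interface' form the accepted answer shows, so the whole config can be audited rather than the two lines above. The sample config is constructed; the inside host 10.0.0.25 and the masks are fillers, while the masked "24.73.166.xx" is kept as the post writes it.

```python
# Constructed sample (not the poster's full config): the outside interface plus
# the ACL/static lines that stopped matching after the 6.3 -> 8.0 upgrade.  The
# public address is masked "24.73.166.xx" as in the post; 10.0.0.25 is a filler.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 24.73.166.xx 255.255.255.0
access-list outside_access_in extended permit tcp any host 24.73.166.xx object-group webservices
access-list outside_access_in extended permit tcp host 24.73.166.xx host 10.0.0.25 eq 81
static (inside,outside) tcp 24.73.166.xx smtp 10.0.0.25 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.25 www netmask 255.255.255.255
"""

def interface_ips(config):
    """Map each nameif to the address token of its 'interface' block."""
    ips, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            ips[name] = line.split()[2]
    return ips

def rewrite_for_8x(config, nameif="outside"):
    """Return (rewritten config, original lines that changed).  An ACL destination
    'host <ip>' or a static's mapped address equal to the interface's own address
    becomes the 'interface' form PIX 7.x/8.x requires; sources are left alone."""
    ip = interface_ips(config)[nameif]
    out, flagged = [], []
    for line in config.splitlines():
        orig = line.split()
        t = list(orig)
        if len(t) > 7 and t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            d = 6 if t[5] == "any" else 7          # destination index: source is 1 or 2 tokens
            if t[d:d + 2] == ["host", ip]:
                t[d:d + 2] = ["interface", nameif]
        elif len(t) > 3 and t[0] == "static" and t[1].endswith("," + nameif + ")"):
            m = 3 if t[2] in ("tcp", "udp") else 2  # mapped address follows the protocol
            if t[m] == ip:
                t[m] = "interface"
        if t != orig:
            flagged.append(line)
            line = " ".join(t)
        out.append(line)
    return "\n".join(out) + "\n", flagged
```

Run it over `show running-config` output and diff the flagged lines before pasting the rewritten ones; lines that already use `interface`, and ACL sources, are left untouched.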

Author Comment

I realized by looking through the command reference for 8.0 that a pretty significant amount of stuff has changed, I will have some reading to do :-) Thanks again for pointing me in the right direction.
