Cisco Support Community
New Member

Upgrading PIX OS stops inbound DMZ traffic

On PIX515 with a DMZ port running 5.2(9), everything is working as far as traffic flow in and out of the proper interfaces. I am upgrading, or rather attempting to upgrade, to 6.2(2) in order to evaluate N2H2 content filtering. 6.2(2) is required in order to evaluate.

I have upgraded a number of times only to find that as soon as I upgrade to any 6.x PIX OS (6.0(4), 6.1(4), and 6.2(2)), inbound traffic to our web/mail server on the DMZ ceases. Outbound traffic is still permitted. As soon as I restore the OS to 5.2(9), inbound traffic starts flowing again. The current config has been in place for almost a year. ACLs haven't been modified before or after the upgrade.

Based on those symptoms, I'm quite certain that it's not an ACL problem. I also checked the field notices and it's not the 1FE issue where the OS will disable the ethernet port because of an incorrect controller chip.

Ideas/suggestions?

Regards,

Jon

The current config if needed is as follows:

PIX Version 5.2(9)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password EpKQOYWNpWUe1tT9 encrypted
passwd 1qt092mCSX4Fm4vp encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 102 permit ip 192.168.0.0 255.255.255.0 any
access-list 102 permit ip 192.168.1.0 255.255.255.0 any
access-list 102 permit ip 192.168.2.0 255.255.255.0 any
access-list 102 permit ip 192.168.3.0 255.255.255.0 any
access-list 101 permit tcp any host xx.xxx.xxx.3 eq www
access-list 101 permit tcp any host xx.xxx.xxx.3 eq smtp
access-list 101 permit tcp any host xx.xxx.xxx.3 eq pop3
access-list 101 permit tcp any host xx.xxx.xxx.3 eq ftp
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo-reply
pager lines 22
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap warnings
logging history warnings
logging facility 21
logging queue 512
logging host inside 192.168.1.2
no logging message 111005
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.xxx.xxx.2 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip address dmz 10.0.0.254 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 xx.xxx.xxx.13-xx.xxx.xxx.14
global (outside) 1 xx.xxx.xxx.12
global (dmz) 1 10.0.0.10-10.0.0.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) xx.xxx.xxx.3 10.0.0.1 255.255.255.255
static (dmz,outside) xx.xxx.xxx.3 10.0.0.1 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.253 1
route inside 192.168.2.0 255.255.255.0 192.168.0.253 1
route inside 192.168.3.0 255.255.255.0 192.168.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
url-server (inside) host 192.168.1.6 timeout 5 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
terminal width 80

1 REPLY
Cisco Employee

Re: Upgrading PIX OS stops inbound DMZ traffic

What do the syslogs show when you upgrade and try a connection? That'll be the best indication of what's going wrong. The config looks OK; I can't see anything obviously wrong with it.

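The syslog triage the reply suggests, worked through as an added example (this is not code from the thread, from Jon, or from Cisco). It parses the parts of the posted configuration that decide the inbound DMZ path (the static, the access-list entries and the access-group binding) and then walks a few syslog lines to say, for each denied or failed inbound connection, whether the ACL on the ingress interface would have permitted it and whether a static exists for the destination. Assumptions: the configuration fragment and the syslog lines are constructed for the example, with the documentation addresses 203.0.113.3 and 198.51.100.7 standing in for the masked public addresses; the log lines follow the PIX 6.x 106023 ("Deny ... by access-group") and 305005 ("No translation group found") formats; and because the outside ACL is written against the global address while a log line may report the DMZ host's real address, the script checks the destination both as logged and as the static's mapped address. The function names (`parse_config`, `triage`) are hypothetical.

```python
"""Triage helper for inbound-DMZ denials on a PIX 5.x/6.x style config.

Added example; configuration fragment and syslog lines are constructed.
"""
import re
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "ftp": 21,
              "ssh": 22, "telnet": 23, "domain": 53}

# Constructed: mirrors the thread's static/ACL layout with 203.0.113.3 as the global address.
CONFIG = """\
access-list 101 permit tcp any host 203.0.113.3 eq www
access-list 101 permit tcp any host 203.0.113.3 eq smtp
access-list 101 permit tcp any host 203.0.113.3 eq pop3
access-list 101 permit tcp any host 203.0.113.3 eq ftp
access-list 101 permit icmp any any echo-reply
static (dmz,outside) 203.0.113.3 10.0.0.1 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

# Constructed syslog lines in the PIX 6.x 106023 / 305005 message formats.
SYSLOG = """\
Jan 01 2003 10:00:01: %PIX-4-106023: Deny tcp src outside:198.51.100.7/40122 dst dmz:10.0.0.1/110 by access-group "101"
Jan 01 2003 10:00:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/40123 dst dmz:10.0.0.1/443 by access-group "101"
Jan 01 2003 10:00:03: %PIX-3-305005: No translation group found for tcp src outside:198.51.100.7/40124 dst dmz:10.0.0.5/80
"""

LOG_RE = re.compile(
    r"%PIX-\d-(?P<id>\d{6}): .*?(?P<proto>tcp|udp|icmp) src (?P<sif>\w+):(?P<sip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?")


def _take_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) and return it as a network."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return (ACEs, statics, interface->ACL bindings) from a PIX config fragment."""
    aces, statics, bindings = [], [], {}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list":          # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            name, action, proto = f[1], f[2], f[3]
            src, rest = _take_addr(f[4:])
            dst, rest = _take_addr(rest)
            port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            aces.append((name, action, proto, src, dst, port))
        elif f[0] == "static":             # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask ...
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", f[1]).groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "mapped": f[2], "real": f[3]})
        elif f[0] == "access-group":       # access-group ACL in interface IFNAME
            bindings[f[4]] = f[1]
    return aces, statics, bindings


def ace_permits(aces, acl, proto, src, dst, port):
    """First-match evaluation of ACL `acl`; a miss is the implicit deny."""
    for name, action, aproto, asrc, adst, aport in aces:
        if name != acl or aproto not in ("ip", proto):
            continue
        if src not in asrc or dst not in adst or (aport is not None and aport != port):
            continue
        return action == "permit"
    return False


def _verdict(msg_id, mapped, permitted):
    if msg_id == "305005":
        return "no static for destination" if mapped is None else "static exists; check xlate table"
    if permitted:
        return "ACL permits the mapped address; deny is unexpected, check static/alias after upgrade"
    return "expected: no ACE matches this destination/port"


def triage(config_text, syslog_text):
    """Correlate 106023/305005 syslog lines with the ACL and static that should carry them."""
    aces, statics, bindings = parse_config(config_text)
    real_to_mapped = {(s["real"], s["real_if"], s["mapped_if"]): s["mapped"] for s in statics}
    findings = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["id"] not in ("106023", "305005"):
            continue
        src, dst = ip_address(m["sip"]), ip_address(m["dip"])
        port = int(m["dport"]) if m["dport"] else None
        # The ingress ACL is written against the global address; the log may show the real one.
        mapped = real_to_mapped.get((m["dip"], m["dif"], m["sif"]))
        candidates = [dst] + ([ip_address(mapped)] if mapped else [])
        acl = bindings.get(m["sif"])
        permitted = acl is not None and any(
            ace_permits(aces, acl, m["proto"], src, c, port) for c in candidates)
        findings.append({"msg": m["id"], "dst": m["dip"], "port": port, "static": mapped,
                         "acl_permits": permitted, "verdict": _verdict(m["id"], mapped, permitted)})
    return findings


if __name__ == "__main__":
    for f in triage(CONFIG, SYSLOG):
        print(f)
```

Run it against the real syslog output (the config above sends traps at `warnings` level to 192.168.1.2, which is enough to catch 106023 and 305005) and diff the verdicts between a 5.2(9) boot and a 6.x boot: a deny that the ACL should permit points at the translation or alias handling rather than the ACL, while a 305005 for a host with no static is the expected result.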