We upgraded our PIX 515 from 6.3 to 7.0, and in the process lost our ability to move packets between interfaces. The problem is our NAT configuration. Under 6.3 we used the equivalent of static NAT so we could use the addresses inside as out. Under 7.0 we want to use NAT exemption. That is, we want to use the same addresses inside the firewall as outside, and not do any address translation. Currently, we don't get any packets to cross between interfaces.
Here is the configuration, which I've simplified: I've taken out references to the 3rd interface and other stuff not relevant to the problem at hand. After we get it working between inside and outside, adding the DMZ will be trivial.
Thanks in advance for any suggestions.
B Squared
-----------------------------------------------
PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address X.X.X.X 255.255.255.0
!
hostname pixfirewall
domain-name ourdomain.net
ftp mode passive
! I used the ASDM to create these access lists, you'd think they
! would be legit
access-list inside_nat0_outbound extended permit ip X.X.X.0 255.255.255.0 any
access-list outside_nat0_inbound extended permit ip any X.X.X.0 255.255.255.0
! Here's the rest of the NAT stuff, also generated by the ASDM
nat-control
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
! Everything else is just the routine stuff, and is the default
! configuration for the PIX 515
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-502.bin
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
! the stuff that allows us to use ASDM
http server enable
http X.X.X.X 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
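As an added sanity check (not part of the original post and not a Cisco tool), the following Python script pulls the pieces of a PIX 7.x configuration that NAT exemption depends on and reports consistency problems: a `nat (iface) 0 access-list` that names an undefined access-list or an unknown nameif, an exemption entry with no mirror rule on the other interface, and which interface the default route exits, with a warning when that is the highest-security interface. The sample configuration is a trimmed copy of the one posted above, with the poster's X.X.X.* placeholders kept; the parser only understands the handful of commands shown there and the warnings are consistency checks, not a diagnosis of this particular box.

```python
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the PIX 7.0 configuration from the post
# (addresses stay as the X.X.X.* placeholders the poster used).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address X.X.X.X 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip X.X.X.0 255.255.255.0 any
access-list outside_nat0_inbound extended permit ip any X.X.X.0 255.255.255.0
nat-control
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
route inside 0.0.0.0 0.0.0.0 X.X.X.X 1
"""


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)  # nameif -> security-level
    acls: dict = field(default_factory=dict)        # name -> [(action, proto, src, dst)]
    nat0: dict = field(default_factory=dict)        # nameif -> access-list used for exemption
    routes: list = field(default_factory=list)      # (nameif, network, mask, gateway)
    nat_control: bool = False


def _endpoint(tokens, i):
    """Read one ACL endpoint ('any', 'host A', or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/255.255.255.255", i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_config(text):
    """Extract only the commands that NAT exemption and routing depend on."""
    cfg = PixConfig()
    current = None  # nameif of the interface block being read (nameif precedes security-level)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith(":"):
            continue
        t = line.split()
        if t[0] == "nameif":
            current = t[1]
            cfg.interfaces.setdefault(current, None)
        elif t[0] == "security-level" and current:
            cfg.interfaces[current] = int(t[1])
        elif t[0] == "access-list" and len(t) > 6 and t[2] == "extended":
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            cfg.acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[0] == "nat-control":
            cfg.nat_control = True
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg.nat0[t[1].strip("()")] = t[4]
        elif t[0] == "route" and len(t) > 4:
            cfg.routes.append((t[1], t[2], t[3], t[4]))
    return cfg


def lint(cfg):
    """Return findings ('ERROR ...', 'WARN ...', 'INFO ...') about the exemption setup."""
    findings = []
    for iface, acl in cfg.nat0.items():
        if iface not in cfg.interfaces:
            findings.append(f"ERROR nat ({iface}) 0 names an interface with no matching nameif")
        if acl not in cfg.acls:
            findings.append(f"ERROR nat ({iface}) 0 references undefined access-list '{acl}'")
    # Exemption should be symmetric: each permit (src -> dst) on one interface's ACL
    # needs a mirror (dst -> src) on some other interface's exemption ACL.
    entries = {(iface, e) for iface, acl in cfg.nat0.items() for e in cfg.acls.get(acl, [])}
    for iface, (action, proto, src, dst) in entries:
        mirror = any(o != iface and e == (action, proto, dst, src) for o, e in entries)
        if action == "permit" and not mirror:
            findings.append(f"WARN exemption {src} -> {dst} on '{iface}' has no mirror rule on another interface")
    defaults = [r for r in cfg.routes if r[1] == "0.0.0.0" and r[2] == "0.0.0.0"]
    if not defaults:
        findings.append("WARN no default route is configured")
    top = max((s for s in cfg.interfaces.values() if s is not None), default=None)
    for iface, _, _, gw in defaults:
        findings.append(f"INFO default route exits '{iface}' via {gw}")
        if cfg.interfaces.get(iface) == top:
            findings.append(f"WARN default route exits '{iface}', the highest-security interface; "
                            "flows entering there for non-local destinations would be routed back out the same interface")
    if cfg.nat_control:
        findings.append("INFO nat-control is on: a flow crossing interfaces with no matching nat, static, or nat 0 rule is dropped")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a `show running-config` capture instead of the sample by reading the file into `parse_config`; anything prefixed ERROR means the exemption rule cannot take effect at all, while the route and mirror warnings point at the places to confirm before looking further.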