trouble with return HTTP traffic

We have a PIX 515 running 7.0 I am setting up. It's really a pretty basic installation, for example, we are not using NAT.

I've put a network sniffer on the connection between our internal network and the PIX Inside interface, and also on the connection between the PIX Outside interface and our ISP. Outbound HTTP traffic is being passed to the ISP, but the return packets (with correct address, sequence number, and/or ack number) are being blocked by the PIX.

So I think I have a problem with the inspection map, or possibly the access list.

For the current test, I have a single laptop directly connected to the Inside interface, so routing to the Inside (network) is not an issue.

Here are the relevant parts of our configuration:

! for our test, we permit all traffic. Once we
! get this working, we'll ratchet things down

access-list permit_all extended permit ip any any

access-group permit_all in interface outside
access-group permit_all in interface inside

! here is our class map inspection. This is
! just the default setting. I believe this is
! where our problem is.

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

! I'm not sure if this is relevant to the issue at hand
! but I'm including it in case it might be

service-policy global_policy global

B Squared
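As an added example (not code from the original post), here is a small audit script that parses the configuration fragment above and reports which ACL is bound to which interface, which protocols the policy map inspects, and where the service policy is applied. It assumes the fragment is available as plain text with one command per line, as embedded in the constructed sample below.

```python
import re

# Constructed sample: the posted PIX 7.0 fragment, one command per line.
PIX_CONFIG = """\
access-list permit_all extended permit ip any any
access-group permit_all in interface outside
access-group permit_all in interface inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
"""

def audit_pix(config):
    """Return (acl bindings per interface, inspected protocols per policy-map,
    where each policy-map is applied). Indented lines belong to the enclosing
    top-level policy-map; a top-level command ends that context."""
    bindings, inspected, applied = {}, {}, {}
    pmap = None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue                       # blank line or config comment
        if not line[0].isspace():
            pmap = None                    # back at top level
        if words[0] == "access-group":     # access-group NAME in interface IFACE
            bindings[words[4]] = (words[1], words[2])
        elif words[0] == "policy-map":
            pmap = words[1]
            inspected[pmap] = set()
        elif words[0] == "inspect" and pmap:
            inspected[pmap].add(words[1])  # protocol keyword only, options dropped
        elif words[0] == "service-policy": # service-policy NAME global|interface IFACE
            applied[words[1]] = words[-1]
    return bindings, inspected, applied
```

Running it on the sample shows both interfaces carry the same permit-all ACL inbound and the global policy inspects the default protocol set, which does not include http, so the ACLs and inspection list can be ruled in or out quickly before digging into the software version.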

You did not happen to mention exactly which 7.0 version you are using.

If I recall correctly, someone posted a couple of months ago mentioning an HTTP problem in early versions of 7.0, fixed in later versions.

PIX 7.1(1) is out now, and from the release notes -appears- to be just a major bug-fix release. It isn't indicated in the release notes why they incremented the minor version number instead of just creating a new release number.

[My -speculation- is that we will soon see a new hardware model that uses PIX 7.1. But that's definitely just speculation.]
Walter Roberson
