Startup Config has me stumped

Can anyone see any reason why the below configuration won't work
correctly? I thought it was the configuration I used fine for a week
but when I came in one morning all the ports were in stealth mode
instead of open. I can't seem to figure out the problem.

I changed the outside IP Addresses for the sake of security.

Thanks!!

Infotech

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password etqreMPNyt0AvaUj encrypted
passwd etqreMPNyt0AvaUj encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service sbs tcp
port-object eq www
port-object range domain domain
port-object eq https
port-object eq smtp
port-object range 3389 3389
port-object eq pop3
port-object eq pptp
object-group service airtimeserv tcp
port-object range 3389 3389
access-list outside_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.16.0
255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.248
ip address inside 192.168.16.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.16.2 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.16.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.3 192.168.16.2 netmask
255.255.255.255 0 0
static (inside,outside) 192.168.0.4 192.168.16.3 netmask
255.255.255.255 0 0
conduit permit tcp host 192.168.0.5 object-group sbs any
conduit permit tcp host 192.168.0.6 object-group airtimeserv any
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 192.168.0.0 255.255.0.0 69.15.203.154 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.16.38 \tftp-root
floodguard enable
telnet 192.168.16.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:08022323919c5c99cfdf0aa54b2275df

[OK]

 

:Can anyone see any reason why the below configuration won't work
:correctly? I thought it was the configuration I used fine for a week
:but when I came in one morning all the ports were in stealth mode
:instead of open.

IX Version 6.3(5)

:access-list outside_in permit icmp any any

:conduit permit tcp host 192.168.0.5 object-group sbs any
:conduit permit tcp host 192.168.0.6 object-group airtimeserv any

Never mix conduit and access-lists. Better yet, don't use
conduit at all: it is gone completely in PIX 7.0. Cisco stopped
trying for conduit compatability back around the 5.3 timeframe.

 

How do I successfuly change from using conduit to access lists?

Thanks!

 

:How do I successfuly change from using conduit to access lists?

As you have 6.3(5), you likely have access to CCO. Cisco provides
a tool in the PIX software download area that will do conversions.

Sometimes it's mostly a matter of reversing the conduit arguments into
access-list form. However, 'conduit' has a couple of strange interactions
with other commands that I have never understood (it appears to
do two different things depending on what else you have configured),
so I make it a policy not to try to rewrite conduits for other people:
only they know which of the two meanings of conduit they intended.

 

Thanks for the response.

I wasn't really asking for a conversion but an example of what an
access list is like. I think I have the idea though. I think it's to
start with this command:

access-list 100 permit tcp any host 192.168.0.3 eq www

Then after static NAT is defined, set the access group to the outside
interface with this command:

access-group 100 in interface outside

Thanks again.

 

:I wasn't really asking for a conversion but an example of what an
:access list is like. I think I have the idea though. I think it's to
:start with this command:

:access-list 100 permit tcp any host 192.168.0.3 eq www

:Then after static NAT is defined, set the access group to the outside
:interface with this command:

:access-group 100 in interface outside

Pretty much, but for something that is being applied to the outside
interface, the right-hand side should contain the public IP of
the host to be accessed, not the private IP. If you are doing
port forwarding for the IP of the outside interface, then instead
of using an IP address, use the phrase interface outside

access-list 100 permit tcp any host 123.45.67.89 eq www
access-list 100 permit tcp any interface outside eq smtp
static (inside,outside) 123.45.67.89 192.168.0.3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
access-group 100 in interface outside