AGBrown

asked on

Packets not being returned to server inside a PIX 506E

I have a server on a network inside a PIX 506E. I have an external device that I can ping from the PIX, and the external device responds, which can be seen on the PIX command line interface. I have a server inside the PIX which is attached to the PIX via a switch. The server can send a ping request out to the external device, which responds (as seen on the PIX command line by use of debug packet); however, the response never gets sent back through to the internal server.

I am also having problems getting Internet Explorer on that internal server to open up websites by domain name (such as windowsupdate.microsoft.com). Some websites it will open, others it won't. nslookup can resolve a name for windowsupdate.microsoft.com, but IE seemingly can't. IE can open websites by IP address (like http://123.456.789.123/index.htm).

Does anyone have any idea what the problem might be, and how I can resolve it?
ASKER CERTIFIED SOLUTION
pakitloss

This solution is only available to members.
AGBrown

ASKER

The server is a standalone server, the NIC is set up the same way as another private network in the same colocation facility, and the other private network seems to work fine. Given that nslookup works for domain name resolution, this might be a problem with IE instead.

The icmp commands worked. Can you explain why I need to explicitly state inbound access commands for icmp if I'm only expecting a reply to icmp requests that originated inside the network?

It is useful to know that the problems are not related.
pakitloss

Because there is no translation rule for ICMP by default on a PIX. Ok.... so now DNS.... if you think it may be IE then try downloading Firefox and installing it and see if it works.
AGBrown

ASKER

I just read up on the icmp as it was ringing bells but couldn't remember it properly. It would seem that it's not that there's no translation rule, per se, but that although outbound icmp is permitted, the incoming reply is denied by default.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

W.r.t. the problems with IE, it would seem that I've been having DNS problems. I'm using another DNS server for the moment.

Thanks for the help

Andy
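
The behaviour discussed in this thread (outbound ICMP permitted, the inbound reply denied by default) is usually handled with an inbound access list on the outside interface. The fragment below is an added example in PIX 6.x syntax, not the hidden accepted solution and not text from any poster; the ACL name `acl_outside_in` is hypothetical, and it assumes the interface is named `outside` and has no access list bound to it yet (if one is already bound, add the permit lines to that list instead of binding a new one).

```cisco
: Overly broad (avoid): permits every ICMP type inbound, not just replies
: access-list acl_outside_in permit icmp any any

: Narrower: only the reply and error types that answer inside-initiated traffic
access-list acl_outside_in permit icmp any any echo-reply
access-list acl_outside_in permit icmp any any unreachable
access-list acl_outside_in permit icmp any any time-exceeded

: Bind the list to traffic arriving on the outside interface
access-group acl_outside_in in interface outside
```

`show access-list acl_outside_in` displays hit counters per line, which confirms whether returning echo replies are matching the `echo-reply` entry.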