Solved

Packets not being returned to server inside a PIX 506E

Posted on 2006-11-27
240 Views
Last Modified: 2013-12-07
I have a server on a network inside a PIX 506E. I have an external device that I can ping from the PIX, and the external device responds, which can be seen on the PIX command line interface. I have a server inside the PIX which is attached to the PIX via a switch. The server can send a ping request out to the external device, which responds (as seen on the PIX command line by use of debug packet); however, the response never gets sent back through to the internal server.

I am also having problems getting Internet Explorer on that internal server to open up websites by domain name (such as windowsupdate.microsoft.com). Some websites it will open, others it won't. nslookup can resolve a name for windowsupdate.microsoft.com, but IE seemingly can't. IE can open websites by IP address (like http://123.456.789.123/index.htm).

Does anyone have any idea what the problem might be, and how I can resolve it?
Question by: AGBrown
4 Comments
 
LVL 4

Accepted Solution

by: pakitloss (earned 500 total points)
ID: 18022676
As for icmp try:

access-list inbound permit tcp any any eq echo
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any traceroute

If the server is a domain controller try configuring forwarders to point to your external DNS.
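Added example, not from the thread or from Cisco: a small Python check that reads PIX 6.x-style access-list lines, evaluates them in order as the PIX does (first match wins, implicit deny), and reports which ICMP reply types an inside host would never receive. It assumes the ACL is named inbound and is applied to an interface named outside; the sample config is constructed from the three lines above.

```python
import re
# Replies to an outbound ping or traceroute arrive as these ICMP types. A PIX
# 6.x keeps no ICMP state, so each must be explicitly permitted on the
# outside interface or the inside host never sees the answer.
RETURN_TYPES = ("echo-reply", "time-exceeded", "unreachable")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def _strip_endpoint(tokens):
    """Drop one PIX address spec ('any', 'host A', or 'A MASK') from tokens."""
    return tokens[1:] if tokens[:1] == ["any"] else tokens[2:]

def parse_acl(config, acl_name):
    """Ordered (action, protocol, icmp_type) entries of one named ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        rest = _strip_endpoint(_strip_endpoint(rest))  # source, then destination
        icmp_type = rest[0] if proto == "icmp" and rest else None  # None = any type
        entries.append((action, proto, icmp_type))
    return entries

def icmp_type_allowed(entries, icmp_type):
    """First matching entry decides, as on the PIX; no match means deny."""
    for action, proto, entry_type in entries:
        if proto == "ip" or (proto == "icmp" and entry_type in (None, icmp_type)):
            return action == "permit"
    return False

def missing_return_types(config, acl_name="inbound", interface="outside"):
    """ICMP reply types the outside ACL drops; all of them if it is not applied."""
    lines = {l.strip() for l in config.splitlines()}
    if f"access-group {acl_name} in interface {interface}" not in lines:
        return set(RETURN_TYPES)
    entries = parse_acl(config, acl_name)
    return {t for t in RETURN_TYPES if not icmp_type_allowed(entries, t)}

# Constructed sample: the three lines from the accepted answer, applied inbound.
SAMPLE_CONFIG = """
access-list inbound permit tcp any any eq echo
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any traceroute
access-group inbound in interface outside
"""

if __name__ == "__main__":
    print(sorted(missing_return_types(SAMPLE_CONFIG)))  # ['time-exceeded', 'unreachable']
```

On the sample it reports time-exceeded and unreachable as uncovered: ping replies get through, but a traceroute from inside gets its answers as those two types, and the traceroute keyword matches ICMP type 30 rather than either of them.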
 
LVL 12

Author Comment

by: AGBrown
ID: 18022730
The server is a standalone server, the NIC is set up the same way as another private network in the same colocation facility, and the other private network seems to work fine. Given that nslookup works for domain name resolution, this might be a problem with IE instead.

The icmp commands worked. Can you explain why I need to explicitly state inbound access commands for icmp if I'm only expecting a reply to icmp requests that originated inside the network?

It is useful to know that the problems are not related.
 
LVL 4

Expert Comment

by: pakitloss
ID: 18024448
Because there is no translation rule for ICMP by default on a PIX. Ok.... so now DNS.... if you think it may be IE then try downloading Firefox and installing it and see if it works.
 
LVL 12

Author Comment

by: AGBrown
ID: 18029776
I just read up on the icmp as it was ringing bells but I couldn't remember it properly. It would seem that it's not that there's no translation rule, per se, but that although outbound icmp is permitted, the incoming reply is denied by default.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

W.r.t. the problems with IE, it would seem that I've been having DNS problems. I'm using another DNS server for the moment.

Thanks for the help

Andy
Question has a verified solution.