Answer for:

Cisco Pix 506e firewall blocking Win07 from accessing a specific website?

CG IT

DNS suffix options in the advanced option/DNS in the NIC card properties, for a Windows 7 machine, come into play in a Microsoft Active Directory environment. Unlike Windows XP, Windows 7 machines really need the Active Directory domain name listed in the DNS suffix options in the NIC card properties page to be able to find domain controllers to authenticate with and, by inclusion, the Active Directory DNS server with which to resolve domain name queries.

In your PIX config, you have

dhcpd domain Mcleodusa.net
as the DHCP domain name. A whois lookup of mcleodusa.net produces this:
Registrant:
WINDSTREAM COMMUNICATIONS, INC.
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US

Domain name: MCLEODUSA.NET

Administrative Contact:
Inc., McLeodUSA
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US
281.465.1200
Technical Contact:
Inc., McLeodUSA
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US
281.465.1200

Registration Service Provider:
PAETEC,
800-340-2555
http://www.paetec.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 11-Apr-2012.
Record expires on 20-Oct-2012.
Record created on 21-Oct-1996.

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
NS2.MCLEODUSA.NET 209.253.113.11
NS3.MCLEODUSA.NET 209.253.113.


It's possible, but maybe not probable, that clients are being told by the PIX firewall that the DNS server with which to resolve DNS queries is mcleodusa.net. If mcleodusa.net is not your DNS server, then this might be the reason Windows 7 clients can't reach your external web site, as the DNS listed in the PIX can't resolve the query and doesn't forward the unresolved query, by virtue of rejecting queries.

BUT, if you have statically assigned DNS servers in clients, with another DNS server address, such as your ISP's DNS servers, then this DNS option in DHCP on the PIX shouldn't matter. The client computers will use the DNS servers that are configured.
BUT, the other difference between Windows 7 and Windows XP is that Windows 7 supports IPv6 [and the PIX 506 doesn't], so it's possible, but not probable, that Windows 7 is using IPv6, which is on by default, and using information obtained from the PIX such as DNS servers, which may be the wrong ones. A test is to turn off IPv6 on the Windows 7 boxes and only use IPv4 to see if that makes a difference. It may or may not.

Lots of good information from all posters here, and armed with that, you'll get a good idea of the information you need to discover to narrow down the potential cause of the problem of your external web site not displaying on Windows 7 machines.
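
One way to collect the client-side facts this answer asks about, as an added example that is not part of the original post: the script parses `ipconfig /all` output from a Windows 7 client and reports any adapter whose DHCP-supplied DNS suffix or DNS servers differ from the Active Directory values, or whose DNS server is an IPv6 address. The sample output, the AD domain `corp.example.local` and the AD DNS server `192.168.1.10` are constructed assumptions; only the suffix `Mcleodusa.net` and the address `209.253.113.11` come from the thread.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt from a Windows 7 client (not from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Mcleodusa.net
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       209.253.113.11
"""

# A labelled line is "<label> . . . : <value>"; continuation lines have no dot leader.
LABEL = re.compile(r"^\s+(.+?)\s*(?:\.\s)+:\s*(.*?)\s*$")

def parse_ipconfig(text):
    """Return {section: {label: [values]}}, folding continuation lines into the last label."""
    sections, section, label = {}, None, None
    for line in text.splitlines():
        m = LABEL.match(line)
        if line.strip() and not line[0].isspace():  # unindented line = section header
            section, label = sections.setdefault(line.strip().rstrip(":"), {}), None
        elif m and section is not None:
            label = m.group(1)
            section[label] = [m.group(2)] if m.group(2) else []
        elif line.strip() and label:
            section[label].append(line.strip())
    return sections

def audit(sections, ad_domain, ad_dns):
    """List adapters whose DHCP-supplied suffix or DNS servers differ from the AD values."""
    findings = []
    for name, fields in sections.items():
        if "DNS Servers" not in fields:
            continue
        suffix = (fields.get("Connection-specific DNS Suffix") or [""])[0]
        if suffix.lower() != ad_domain.lower():
            findings.append(f"{name}: suffix {suffix!r} is not {ad_domain!r}")
        for server in fields["DNS Servers"]:
            ip = ipaddress.ip_address(server.split("%")[0])  # drop the IPv6 zone id
            if ip.version == 6:
                findings.append(f"{name}: IPv6 DNS server {server}")
            elif str(ip) not in ad_dns:
                findings.append(f"{name}: DNS server {ip} is not an AD DNS server")
    return findings

if __name__ == "__main__":
    # Hypothetical AD domain and DNS server; substitute your own.
    print("\n".join(audit(parse_ipconfig(SAMPLE), "corp.example.local", {"192.168.1.10"})))
```

Running it against output captured before and after disabling IPv6 on the client shows whether the DNS server list actually changed.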