Answer for:

Cisco Pix 506e firewall blocking Win07 from accessing a specific website?

Message 25 of 52


2 things come to mind now I've read some more details here about your issue.

I am assuming that the Win XP and Win7 PCs are on the inside of the firewall, on the same subnet, connected to the same switch and are sharing the same DNS resolver. I am also assuming that the webserver you are having difficulty accessing is on the PIX's outside port, beyond the Comcast gateway, and that routing is fine between the PCs and your webserver (traceroute from the Windows PCs to the webserver's IP address).

1) Have you tried clearing your translations on the PIX when the issue occurs? (Telnet to the PIX, 'enable' and type your password, 'configure terminal' and 'clear xlate' - beware - this action kills all currently held translations across the PIX so connections may need to re-establish.)

If this works the issue could be with the XLATE configuration you have. Try reducing the xlate timers.

2) If the XP machines can always access fine but the Win7 PCs can't, the issue may not be with xlates, routing or (assumptions holding) the DNS resolution. Try adding a DNS fixup using a large value (1024 should do to start - again: telnet, enable, configure terminal, 'fixup protocol dns maximum-length 1024').

I notice you aren't using a fixup on your DNS protocol, hence the suggestion. I must admit though, if your DNS queries aren't traversing the PIX this fix wouldn't have any impact, so I have to ask - where is the device that resolves your DNS queries? Outside the PIX, inside the PIX or in a DMZ?

I could be very wrong with these ideas as I can't get at my test PIX to test this theory (it's in use). Just thinking on the fly.
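Before changing the fixup, it helps to know whether the DNS replies crossing the PIX are actually larger than the fixup's limit. The script below is added example code, not part of this thread or of Cisco's tooling: it constructs a sample DNS response inline (a 700-byte TXT answer plus an EDNS0 OPT record), then parses a DNS message and reports its length, any EDNS0 advertised UDP buffer size, and whether it exceeds a configured maximum-length (512 is assumed here as the PIX default).

```python
import struct

def _encode_name(name):
    # Encode "example.com" as DNS labels: \x07example\x03com\x00
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, txt_payload, edns_udp_size=None):
    """Constructed sample: one question, one TXT answer, optional EDNS0 OPT record."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", 16, 1)      # TXT, IN
    chunks = [txt_payload[i:i + 255] for i in range(0, len(txt_payload), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)            # TXT character-strings
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    opt = b""
    if edns_udp_size:
        # OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + answer + opt

def _skip_name(msg, off):
    # Advance past a (possibly compressed) domain name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes
            return off + 2
        off += 1 + length

def check_dns_message(msg, max_length=512):
    """Parse a DNS message and compare its size to the fixup's maximum-length."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                               # QTYPE + QCLASS
    edns_udp_size = None
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            edns_udp_size = rclass
        off += 10 + rdlen
    return {"length": len(msg), "edns_udp_size": edns_udp_size,
            "exceeds_fixup": len(msg) > max_length}

if __name__ == "__main__":
    sample = build_response("example.com", b"x" * 700, edns_udp_size=4096)
    print(check_dns_message(sample))              # flagged at the 512 default
    print(check_dns_message(sample, max_length=1024))   # passes after the fixup change
```

On a real network you would feed the UDP payload of captured DNS responses to check_dns_message instead of the constructed sample.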