Answer for:

Cisco Pix 506e firewall blocking Win07 from accessing a specific website?

Message 30 of 52


On the CLEAR XLATE, translations are re-established the moment computers request a connection, so before you can type SHOW XLATE you'll sometimes find there are indeed lots of translations. Gotta be quick and on a quiet network to see this clear out properly :)

On my question about the Comcast, sorry - I overcomplicated that. The key point is whether the Comcast router is NATting connections outbound. If you don't know, don't worry for now while we have other things to do.

On FIXUP, yes, that's safe to enter during a working day. DON'T save it to the startup-config until you know it's working right. If it causes issues for you either:
a) telnet and 'enable' on the PIX, type configure terminal [enter], and type 'no fixup protocol dns maximum-length 1024' [enter]
b) telnet and 'enable' on the PIX, type 'reload' [enter]. This will restart the PIX firewall and revert it to your saved startup-config file. ONLY DO THIS IF YOU KNOW YOUR STARTUP-CONFIG HAS ALL THE SETTINGS IN IT YOU NEED.
I only emphasise that as I once knew a Cisco newbie who didn't realise that settings changes weren't stored by default on a Cisco device. He made changes month after month, only ever editing the running-config of the device. When a power cut hit, he was at a loss as to why none of his routers worked any more (the running-configs cleared and the routers reverted to the startup-config files which were, obviously, default!).

On the access-list, as long as you don't mind internal systems pinging the firewall, the command I gave you is safe. Just remember to associate the access-list with an access-group with an interface. Damned PIX. Never logical :)

To remove an access-list, access-group or pretty much any other config in the PIX simply retype the command again but put 'NO' in front of the command. So in this case:
'no access-list acl_inside permit icmp any any'

Easy enough when you've had a bit of time with it :)
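
The reload warning in the answer above depends on knowing how the running-config differs from the startup-config. As an added example (not part of the original post), this Python script compares two captured config texts and lists what a reload would drop, what it would bring back, and the 'no' form that undoes each unsaved line. The sample configs, the access-group line, the checksum placeholder and the function names are constructed for illustration.

```python
# Added example: compare captured PIX running-config and startup-config text.
# Both sample configs are constructed; they are not from the poster's firewall.

RUNNING = """: Saved
hostname pixfirewall
fixup protocol dns maximum-length 1024
access-list acl_inside permit icmp any any
access-group acl_inside in interface inside
Cryptochecksum:<constructed-placeholder>
: end
"""

STARTUP = """: Saved
hostname pixfirewall
fixup protocol dns maximum-length 512
Cryptochecksum:<constructed-placeholder>
: end
"""

def config_commands(text):
    """Return command lines in order, skipping blanks and metadata lines."""
    commands = []
    for raw in text.splitlines():
        line = raw.rstrip()
        # ':' lines and the checksum trailer are not configuration commands.
        if not line or line.startswith(":") or line.startswith("Cryptochecksum"):
            continue
        commands.append(line)
    return commands

def unsaved_changes(running, startup):
    """Return (lost_on_reload, restored_on_reload) as ordered lists."""
    run, start = config_commands(running), config_commands(startup)
    run_set, start_set = set(run), set(start)
    lost = [c for c in run if c not in start_set]
    restored = [c for c in start if c not in run_set]
    return lost, restored

def undo_commands(lost):
    """Apply the 'no' rule from the post; a line already starting 'no ' is undone by dropping it."""
    return [c[3:] if c.startswith("no ") else "no " + c for c in lost]

if __name__ == "__main__":
    lost, restored = unsaved_changes(RUNNING, STARTUP)
    print("Lost on reload:", *lost, sep="\n  ")
    print("Restored on reload:", *restored, sep="\n  ")
    print("Manual undo:", *undo_commands(lost), sep="\n  ")
```

An empty first list means the running-config holds nothing that a reload would discard.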