Networks

check on the aix that the default gateway is configured corectly .
if necesary delete the default gateway and recreat it on the aix .
I had the same problem on my linux router .

Here is the command I had to use :
route add default gw <router ip>
my linux router could not get through our gateway router onto the internet .

Do I understand you correctly that you have the DMZ attched to the AIX box (via the 2nd NIC)? Which is inside the internal network (via the 1st NIC)??!!!

Three things:

1- Lets make debuggin easy: enable the logging on PIX, pointing to the AIX:

logging trap informational
logging facility local4 (or 20)
logging host inside <AIX IP>

Each time rejects some packet for any reason, it will log itin the AIX (don't forget to redirect the logging to a file, on tha AIX side).

2- this one is tricky, and not well documented. AIX 4.3.3 cames with Path MTU Discovery enabled by default. Before the first udp or tcp connection to a host, and then every 30 minutes, AIX will send an ICMP 'echo request' (ping) packet to the destination host, sized to the MTU of the routing interface, and waits for the 'echo reply' (pong) to analyze its fragmentation state, and so resolve the optimal MTU for that host. This is a time consuming operation, and usually useless when behind a firewall, being able to induce connections to timeout on early stages.

So, I suggest you to disable this feature, with the command "no" (I think stands for "Network Options"), as root:

no -o udp_pmtu_discover=0
no -o tcp_pmtu_discover=0

I this solves your problem, you can add this lines to the end of the /etc/rc.tcpip script.

3- Check if you are allowing ICMP packets to enter your network. AFAIK, PIX only maintains states for TCP and fakes it for UDP. If you want to be sure, only allow 'echo request', 'echo reply' and the 'host unreachable' group.

--Sedrez

This question was closed by the author