Can't access some website from inside FW, but can from server in front of FW

Here's a weird scenario I'm facing recently.

I can't access three websites (so far) from the LAN (behind a PIX), resulting in "Page Can't Be Found". One problem site is [link]. However, I can access [link], which is in a different IP range, but not most of the links, since it links back to [link]. I can ping [link] as well as the others. (I have no problems accessing other URLs, i.e. yahoo, google, microsoft, etc.)

In a few trials, the top image banner would load, followed by a long pause, then the "Page can't be found" error, probably due to a timeout.

From a server in front of the PIX, I can access [link] as well as the two other sites that I couldn't from the LAN, so it seems the FW is doing something weird.

I have tried several systems on my LAN, on different floors and in different buildings, all on the same subnet (I only have 1), using IE and Firefox, to troubleshoot whether it's just an isolated case or everywhere; all have the same problem loading the page.

There haven't been any router/firewall changes, nor DNS changes, recently; I was able to access adobe.com a few weeks ago. No proxy used. No ACL preventing port 80 traffic or restricting the problem URLs.

any ideas? thx

Reply to
whowhatwhenwhy

Sounds exactly like an MTU problem.

Reply to
Walter Roberson

Hi, just for hit-and-trial purposes: are you filtering ActiveX or Java on the PIX?

CK

whowhatwhenwhy wrote:

Reply to
CK


What version of PIX are you running?

Reply to
Brian V


Not filtering ActiveX or Java. Other websites that use those load fine.

adobe.com, enterprise.com and usatoday.com are three sites that I know we're having problems with.

CK wrote:

Reply to
whowhatwhenwhy

My MTUs are 1500; got any suggested values?

thanks


Reply to
whowhatwhenwhy

In article , whowhatwhenwhy top-posted, requiring editing for a comprehensible conversation:

Configure the PIX to allow in *all* icmp unreachable packets (which will include the subtype, Fragmentation Needed). Configure Path MTU Detection on the PC (you might find one of the "tweak" programs handy for that, such as one of the ones via dslreports). The problem should then take care of itself.

If you want to track the problem more closely, then from -outside- of the PIX, use ping with a packet length and don't-fragment set, and see what the cutoff is on the size of ping packets that you can get through. (Careful, on some ping implementations you are configuring the total packet length, and on others you are configuring the ping payload size instead.) Don't do this from inside the PIX because PIX 6.3 will block ping packets of 1000 bytes or longer.

Reply to
Walter Roberson
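The probe described in the reply above, written out as an added example (not code from the thread): a POSIX shell script that binary-searches the largest Don't-Fragment echo a path will pass and converts that payload size into a path MTU. It assumes Linux iputils ping (-M do sets DF, -s gives the ICMP payload size) and a hypothetical PMTU_TARGET variable naming the host to probe; run it from outside the PIX, as the reply recommends.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux iputils ping.
# ping -s (Linux) and ping -l (Windows) set the ICMP *payload*, not the total
# packet length: add the 20-byte IPv4 header and 8-byte ICMP header to get the MTU.
IP_ICMP_OVERHEAD=28

# payload_to_mtu 1472 -> 1500
payload_to_mtu() {
    echo $(( $1 + IP_ICMP_OVERHEAD ))
}

# Real probe: one echo with DF set and the given payload to $PMTU_TARGET
# (hypothetical variable). Returns 0 on a reply, non-zero if the packet was
# silently dropped or answered with "Fragmentation needed".
probe_df() {
    ping -c 1 -W 2 -M do -s "$1" "$PMTU_TARGET" >/dev/null 2>&1
}

# find_max_payload PROBE LOW HIGH: largest payload in [LOW,HIGH] for which
# PROBE succeeds. PROBE is a function name taking the payload size, so a
# simulated probe can be substituted when there is no network.
find_max_payload() {
    probe=$1; lo=$2; hi=$3; best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))   # passed: look for something larger
        else
            hi=$(( mid - 1 ))              # blocked: cutoff is below mid
        fi
    done
    echo "$best"
}

# Usage: PMTU_TARGET=host sh pmtu.sh   (1472 is the largest payload for a 1500 MTU)
if [ -n "$PMTU_TARGET" ]; then
    p=$(find_max_payload probe_df 0 1472)
    echo "largest DF payload: $p bytes -> path MTU $(payload_to_mtu "$p")"
fi
```

If the reported MTU is below 1500 and the PIX drops the inbound ICMP unreachables, hosts behind it never learn the smaller value, which is the symptom the thread describes.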

You mean: access-list out_access_in permit icmp any any unreachable

Hmm... I already have on the PIX:

access-list out_access_in permit icmp any any unreachable
access-list out_access_in permit icmp any any time-exceeded
access-list out_access_in permit icmp any any source-quench
access-list out_access_in permit icmp any any echo-reply
access-list out_access_in permit icmp any any echo

My router has:

access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any log

And I already tested "ping -f -l 1472" from the PC, which pings fine.


Reply to
whowhatwhenwhy

CK, thanks!

What you wrote led me to check the router config; I had:

ip inspect name inspect1 http java-list 15 timeout 3600

Once I removed it, the LAN systems can access [link] and the other URLs that we've had problems with.

Thanks again for the tip.

CK wrote:

Reply to
whowhatwhenwhy
