Weird problem with pix 6.3(5)

Hi all,

We switched to Cisco PIX firewall 6.3(5) last week and have a very weird problem.

(1) No one from the "outside" can access our web server after the server runs a while, but people from the "inside" can access the web server no problem. (2) The problem is that after we restart our IIS 6.0 server, people from the "outside" can access the web server again.

At first, it seemed to be an IIS 6.0 problem. However, people from the "inside" can still access the web server while others cannot.

I added "no fixup protocol http 80", and I can see the "built inbound connection" in the log even when the web server is inaccessible from the "outside".

Any suggestions would be greatly appreciated.

cheers, RL

Reply to
Egghead

ARP problems?

While the problem is happening, is the PIX able to ping the IIS?

Reply to
Walter Roberson

Hi here,

Thanks, will check the ARP out. We cannot ping the IIS from the PIX using the public address even though it is up.

cheers, RL

Reply to
Egghead

You need to ping using the private address.

Reply to
Walter Roberson

Hi here,

Then, I remember we can ping from the PIX to our web server using the private address when we have that problem.

cheers, RL

Reply to
Egghead

Are you running Citrix with secure gateway?

/Martin

Reply to
Martin

What an evil word :)

No, we do not have Citrix. Now, it seems the web server has at least been up for over 24 hours.

Reply to
Egghead

Hi all,

We found out that we do not need to restart the PC. It can be fixed with "repair the network" in the server's network settings, which clears all the net caches (asp, netbt, dns). The server is accessible from "outside" again.

Reply to
Egghead

Hi all,

We can 100% reproduce the problem, here are the steps:

(1) VPN to the server.
(2) Work at the PIX (web or telnet), and turn on the logging monitor the terminal (not sure we need the log yet).
(3) Let the log run a while.

Then, the server cannot go "outside", and it is inaccessible from "outside."

Reply to
Egghead
