Can't access some website from inside FW, but can from server in front of FW

Discussion in 'Cisco' started by whowhatwhenwhy, Dec 15, 2006.

  1. Here's a weird scenario I'm facing recently.

    I can't access three websites (so far) from the LAN (behind a PIX),
    resulting in Page Can't Be Found. One problem site is
    http://www.adobe.com. However, I can access http://createpdf.adobe.com,
    which is in a different IP range, but not most of the links since it
    links back to www.adobe.com. I can ping www.adobe.com as well as the
    others. (I have no problems accessing other URLs, i.e. yahoo, google,
    microsoft, etc.)

    In a few trials, the top image banner would load, followed by a long
    pause, then the "Page can't be found" error - probably due to timeout.
    as the two other sites that I couldn't from the LAN, so it seems
    the FW is doing something weird.

    I have tried several systems on my LAN, on different floors and
    different buildings, all same subnet (I only have 1), used IE and
    Firefox; to troubleshoot if it's just an isolated case or throughout -
    all the same problem loading the page.

    There haven't been any router/firewall changes, nor DNS changes
    recently, I was able to access adobe.com a few weeks ago. No proxy
    used. No ACL preventing port 80 traffic, or restricting the problem
    URLs.

    Any ideas? Thx
     
    whowhatwhenwhy, Dec 15, 2006
    #1

  2. Sounds exactly like an MTU problem.
     
    Walter Roberson, Dec 15, 2006
    #2

  3. Hi
    Just for hit-and-trial purposes:
    Are you filtering ActiveX or Java on the PIX?

    CK
     
    CK, Dec 15, 2006
    #3
  5. What version of PIX are you running?
     
    Brian V, Dec 15, 2006
    #5
  6. 6.3.1

     
    whowhatwhenwhy, Dec 15, 2006
    #6
  7. Not filtering ActiveX or Java. Other websites that use those load
    fine.

    adobe.com
    enterprise.com
    usatoday.com
    are three sites that I know we're having problems with.
     
    whowhatwhenwhy, Dec 15, 2006
    #7
  8. My MTUs are 1500. Got any suggested values?

    Thanks
     
    whowhatwhenwhy, Dec 15, 2006
    #8
  9.  
    Walter Roberson, Dec 15, 2006
    #9
  10. you mean? access-list out_access_in permit icmp any any unreachable


    hmm...I already have on the PIX:

    access-list out_access_in permit icmp any any unreachable
    access-list out_access_in permit icmp any any time-exceeded
    access-list out_access_in permit icmp any any source-quench
    access-list out_access_in permit icmp any any echo-reply
    access-list out_access_in permit icmp any any echo

    my router has:
    access-list 110 permit icmp any any echo-reply
    access-list 110 permit icmp any any source-quench
    access-list 110 permit icmp any any packet-too-big
    access-list 110 permit icmp any any time-exceeded
    access-list 110 deny icmp any any log

    and I already tested "ping -f -l 1472" from the PC, which pings
    fine.


     
    whowhatwhenwhy, Dec 15, 2006
    #10
  11. CK, Thanks!

    What you wrote led me to check the router config. I had:
    ip inspect name inspect1 http java-list 15 timeout 3600

    Once I removed it, the LAN systems could access www.adobe.com and the
    other URLs that we've had problems with.

    Thanks again for the tip.
     
    whowhatwhenwhy, Dec 15, 2006
    #11
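
Added example, not part of the original thread or any poster's code: a small Python check that scans pasted PIX/IOS config lines for the two suspects discussed above, an "ip inspect ... http java-list" rule and an ICMP ACL that would drop the fragmentation-needed messages that path MTU discovery relies on. It assumes the "icmp any any" entry form used in the thread and does not model broader "permit ip" entries; the audit function and the finding names are hypothetical.

```python
import re

# Router lines quoted in posts #10 and #11 of the thread.
THREAD_ROUTER_CONFIG = """\
ip inspect name inspect1 http java-list 15 timeout 3600
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any log
"""

JAVA_RE = re.compile(r"^ip inspect name (\S+) http\b.*\bjava-list (\S+)")
# Assumption: only the "icmp any any [type] [log]" form seen in the thread.
ICMP_RE = re.compile(r"^access-list (\S+) (permit|deny) icmp any any\s*(.*)$")
# ICMP type keywords that cover "fragmentation needed" (type 3, code 4).
PMTUD_TYPES = {"unreachable", "packet-too-big"}


def audit(config):
    """Return (kind, name, detail) findings for the thread's two suspects."""
    findings, icmp_rules = [], {}
    for line in map(str.strip, config.splitlines()):
        if m := JAVA_RE.match(line):
            # HTTP inspection is filtering Java applets against this ACL.
            findings.append(("java-filter", m.group(1), "ACL " + m.group(2)))
        elif m := ICMP_RE.match(line):
            # Drop options such as "log"; what remains is the ICMP type, if any.
            types = [t for t in m.group(3).split() if t != "log"]
            icmp_rules.setdefault(m.group(1), []).append(
                (m.group(2), types[0] if types else None))
    for acl, rules in icmp_rules.items():
        # First matching entry wins; no match falls through to the implicit deny.
        verdict = "deny"
        for action, icmp_type in rules:
            if icmp_type is None or icmp_type in PMTUD_TYPES:
                verdict = action
                break
        if verdict == "deny":
            findings.append(("pmtud-blocked", acl, "fragmentation-needed dropped"))
    return findings


if __name__ == "__main__":
    for finding in audit(THREAD_ROUTER_CONFIG):
        print(*finding)
```

Run against the lines posted in the thread, it reports only the java-list inspection rule; both posted ICMP ACLs let fragmentation-needed through, which matches the successful 1472-byte don't-fragment ping.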
