Small Network with PIX 501 cannot access some public sites

Discussion in 'Cisco' started by youpet2000, Mar 6, 2005.

  1. youpet2000

    youpet2000 Guest

    Hi everyone,

    I have an unusual problem with our new Windows 2003 Server network and a
    PIX 501 connected to the Internet. For some reason, I cannot access
    some typical public sites such as Yahoo.com and CNN.com; I get "page not
    found". I can access mail.yahoo.com. I can also access a lot of other
    public sites (ebay.com, msn.com, all kinds of other sites). I've
    checked that the PIX is completely open from the inside interface to the outside
    interface. I've contacted our ISP, who checked the DNS settings; all OK.
    Of course, since the new network and the PIX were implemented at the
    same time, I'm not sure which is the culprit. This behavior is very
    consistent and has been going on for months. McAfee Enterprise is the
    virus protection, and there does not seem to be a good link between the OS
    on the clients. There is no software firewall in place, just the PIX.
    Does anyone have any ideas?

    Thanks in advance
    youpet
     
    youpet2000, Mar 6, 2005
    #1

  2. :I have an unusual problem with our new Windows2003 Server network and a
    :PIX501 connected to the Internet. For some reason, I cannot access
    :some typical public sites such as Yahoo.com, CNN.com I get page not
    :found. I can access mail.yahoo.com. I can also access a lot of other
    :public sites ebay.com, msn.com - all kinds of other sites.

    Sounds like an MTU problem. If you are using a VPN, or if your
    Internet connection uses PPPoE or other encapsulations, you can
    get exactly the effect you describe.

    There are three possible solutions:

    1) Lower the MTU on the PIX. This will affect everyone and will
    affect all types of packets.

    2) In newer PIX software, lower the value for
    sysopt connection tcpmss
    This will affect TCP only. UDP and ICMP usually send smaller
    packets than TCP does, so changing the behaviour for TCP is
    often enough.

    3) If you are using W2K / XP, then you can enable Path MTU
    Detection. Places like dslreports.com have short walk-throughs
    on how to do that.
    This will affect only the computer that you enable this on.
     
    Walter Roberson, Mar 6, 2005
    #2
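    The MTU / MSS interaction described in the reply above, as an added example that is not part of the thread: a small Python model of a path that contains a PPPoE hop (1492-byte MTU behind a 1500-byte Ethernet). It shows why a site whose responses fit in small segments loads while a site sending full 1460-byte segments stalls when the ICMP "fragmentation needed" reply is filtered (a Path MTU discovery black hole), and why rewriting the TCP MSS on the firewall, which is what a `sysopt connection tcpmss` limit amounts to, avoids the problem. The hop MTUs, response sizes, retry limit and filtering flags are constructed for illustration; only the 1500/1492/20/20 header and MTU figures are real constants, and the PIX command is modelled as a plain MSS clamp, not emulated.

```python
"""Toy model of a Path MTU discovery black hole and of MSS clamping.

Constructed example for the thread above, not code from the thread or from
Cisco.  Sizes are bytes; header lengths and the Ethernet/PPPoE MTUs are real,
everything else (path, response sizes, retry limit) is made up for illustration.
"""

IP_HDR = 20                    # IPv4 header without options
TCP_HDR = 20                   # TCP header without options
ETHERNET_MTU = 1500
PPPOE_MTU = ETHERNET_MTU - 8   # PPPoE (6 bytes) + PPP (2 bytes) eat into the MTU


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IP packet on a link of this MTU."""
    return mtu - IP_HDR - TCP_HDR


def forward_packet(payload, path_mtus, df_set, icmp_filtered):
    """Walk one TCP segment across each hop's MTU.

    Returns one of:
      ("delivered", total_packet_size)
      ("fragmented", hop_mtu)        DF clear: the router fragments it
      ("icmp_frag_needed", hop_mtu)  DF set, ICMP gets back to the sender
      ("black_hole", hop_mtu)        DF set, ICMP filtered: silent drop
    """
    size = payload + IP_HDR + TCP_HDR
    for hop_mtu in path_mtus:
        if size <= hop_mtu:
            continue
        if not df_set:
            return ("fragmented", hop_mtu)
        if icmp_filtered:
            return ("black_hole", hop_mtu)
        return ("icmp_frag_needed", hop_mtu)
    return ("delivered", size)


def transfer(response_bytes, server_mss, path_mtus, icmp_filtered,
             mss_clamp=None, max_retries=3):
    """Simulate a server sending response_bytes with Path MTU discovery (DF set).

    mss_clamp models the firewall rewriting the MSS option in the handshake so
    the server never uses a payload larger than it (the tcpmss idea).
    Returns (outcome, segments_sent), outcome being "complete" or "stalled".
    """
    mss = server_mss if mss_clamp is None else min(server_mss, mss_clamp)
    remaining = response_bytes
    sent = 0
    retries = 0
    while remaining > 0:
        payload = min(mss, remaining)
        status, detail = forward_packet(payload, path_mtus, df_set=True,
                                        icmp_filtered=icmp_filtered)
        sent += 1
        if status == "delivered":
            remaining -= payload
            retries = 0
        elif status == "icmp_frag_needed":
            mss = mss_for_mtu(detail)   # classic PMTUD: shrink and resend
        else:                           # black hole: resend the same size
            retries += 1
            if retries > max_retries:
                return ("stalled", sent)
    return ("complete", sent)


if __name__ == "__main__":
    # Constructed path: LAN Ethernet, PPPoE uplink, Ethernet at the far end.
    path = [ETHERNET_MTU, PPPOE_MTU, ETHERNET_MTU]
    print("small page, ICMP filtered:   ", transfer(1000, 1460, path, True))
    print("large page, ICMP filtered:   ", transfer(5000, 1460, path, True))
    print("large page, ICMP allowed:    ", transfer(5000, 1460, path, False))
    print("large page, MSS clamped 1452:",
          transfer(5000, 1460, path, True, mss_clamp=mss_for_mtu(PPPOE_MTU)))
```

    The first two runs reproduce the symptom in the thread: the same path carries a short response fine and stalls on a long one, because only the long one produces 1500-byte packets that do not fit the PPPoE hop. The clamped run shows why lowering the MSS on the firewall fixes it for every client at once, whereas enabling Path MTU discovery on one Windows machine only helps that machine, and only if the ICMP replies actually come back.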
