Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Can't get to windowsupdate.microsoft.com from inside DMZ

Greetings,

From my inside interface, users have no problem geting Microsoft updates. Not so from within my DMZ. Even though I have the PIX configured to allow the PC in the DMZ to start an outbound connection (i.e. browser can get to web servers on the Internet just fine), the "windowsupdate" page does not work. On a Sniffer, I can see what I assume is ActiveX trying to start return connections on high port numbers, in order to do the "scan for updates". Nevertheless, even though I tried to make it wide open for inbound connections to this particular PC, I still could not get it to work. Can anybody please tell me what I'm missing here?

THANKS,

-Mike Z-

Texas

  • Other Security Subjects
2 REPLIES
Cisco Employee

Re: Can't get to windowsupdate.microsoft.com from inside DMZ

Mike,

Are you performing ActiveX filtering on the PIX for any interface? Have you tried to put this PC that does not work in the DMZ on the "Inside" network with the same result, or is it able to update accordingly?

What other inbound or outbound filters do you have setup for your Outside Interface, DMZ, and Inside interface?

There is probably just something simple that you haven't caught yet.

Good Luck

-Bryan

New Member

Re: Can't get to windowsupdate.microsoft.com from inside DMZ

Hey Bryan,

THANKS for the reply. Yea, I figure it's "something simple" too, but I'm running out of ideas at this point.

No, I'm not doing any Java or ActiveX filtering. Other than that, about the filtering I'm doing is "content filtering" using Websense.

The PC in question has a private address. On outbound connections, I'm NATing it to the same IP as the public address defined for inbound connections via a static statement.

I've not tried moving the PC out of the DMZ, because I don't want to have to take it down and change its' IP address.

Regards,

-Mike Z-

257
Views
0
Helpful
2
Replies
This widget could not be displayed.