I was under the impression that by default, conversations started on the inside of a PIX would go out and responses would be allowed in. And it does seem to work like this for various apps like Web, telnet, ftp and so forth. However, I am trying to get pcAnywhere clients inside the PIX to connect to pcAnywhere hosts outside the firewall and this does not work. Is there anything special I need to know about this particular operation? I know that my clients are sending out on TCP 5631 and UDP 5632 but I do not know what ports the host is trying to use to return data. In any case I would think that since the conversation is started on the inside that this would not be a problem and that the PIX would allow the return traffic. Any suggestions?
You are right, you do not need to open holes if the connection is initiated from inside-to-outside. Is it possible that when you connect to the outside client, the outside PC initiates a NEW session on the same ports back to the inside, and since you do not have a static and access-list, it blocks it? Check the logs on the PIX to see if you get TCP 5631 and UDP 5632 denied for any inbound connection.
Another test to narrow down the possibility that the problem is on the ISP side:
Put a pcAnywhere PC on the inside subnet of the PIX, and another on the OUTSIDE subnet of the PIX... see if you can then establish a session. If yes, then you know the problem is on your ISP side. If not, then check if there is any firewall running on the PC itself where pcAnywhere is installed.
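The log check suggested above, as an added example that is not part of the thread: a small Python filter that picks inbound denies on the outside interface aimed at the pcAnywhere ports (TCP 5631, UDP 5632) out of PIX syslog. The sample log lines are constructed, and the two message layouts matched (106023 "Deny ... by access-group" and 106001 "Inbound TCP connection denied") are assumptions about the PIX syslog format.

```python
import re
from collections import Counter

# pcAnywhere ports named in the thread: TCP 5631 (data) and UDP 5632 (status).
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}

# Assumed layout: %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "..."
RE_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
# Assumed layout: %PIX-2-106001: Inbound TCP connection denied from <ip>/<port> to <ip>/<port> flags ... on interface <if>
RE_106001 = re.compile(
    r"%PIX-2-106001: Inbound (?P<proto>TCP) connection denied from (?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dip>[\d.]+)/(?P<dport>\d+) .*on interface (?P<sif>\w+)"
)

def parse_deny(line):
    """Return a dict describing a denied flow, or None if the line is not a deny message."""
    m = RE_106023.search(line) or RE_106001.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"proto": d["proto"].lower(), "src_if": d["sif"], "src": d["sip"],
            "sport": int(d["sport"]), "dst": d["dip"], "dport": int(d["dport"])}

def pcanywhere_denies(lines, outside_if="outside"):
    """Denied flows that arrived on the outside interface and target a pcAnywhere port."""
    hits = []
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["src_if"] == outside_if and (rec["proto"], rec["dport"]) in PCANYWHERE_PORTS:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count denies per (remote host, protocol, destination port) to see who is calling back in."""
    return Counter((h["src"], h["proto"], h["dport"]) for h in hits)

# Constructed sample syslog; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    'Mar 12 10:02:11 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/4012 dst inside:10.1.1.20/5631 by access-group "outside_access_in"',
    'Mar 12 10:02:11 pix %PIX-4-106023: Deny udp src outside:203.0.113.5/5632 dst inside:10.1.1.20/5632 by access-group "outside_access_in"',
    'Mar 12 10:02:15 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.5/4013 to 10.1.1.20/5631 flags SYN on interface outside',
    'Mar 12 10:03:01 pix %PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/5631 (203.0.113.5/5631) to inside:10.1.1.20/1111 (192.0.2.1/1111)',
    'Mar 12 10:03:05 pix %PIX-4-106023: Deny tcp src outside:198.51.100.9/50000 dst inside:10.1.1.20/23 by access-group "outside_access_in"',
]

if __name__ == "__main__":
    for key, n in summarize(pcanywhere_denies(SAMPLE_LOG)).items():
        print(key, n)
```

A non-empty summary means the outside host is indeed opening its own session back toward the inside, which is what the answer above says needs a static and an access-list rather than relying on return-traffic handling.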
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...