Cisco Support Community
PIX denies access to a few sites (example: www.cisco.com)

Hello everybody,

We have a PIX 515E with a DMZ. On the DMZ interface there is a Linux Squid proxy cache.

The Squid server is unable to connect to some sites, such as www.cisco.com or www.yahoo.fr.

But the Squid server can access the site www.download.com.

In other words, some sites work and others don't. I know that it is the PIX firewall that denies access to those sites, because when I install the Squid server directly on the outside interface (Internet) it works well.

I tried some sniffing and noticed that the PIX sometimes sends an ICMP message to the proxy cache server saying "DF bit is set, fragmentation is needed".

On the PIX there is a rule that allows web access to any web server.

Thank you for your help.

2 REPLIES

Re: PIX denies access to a few sites (example: www.cisco.com)

Hi...

Can you post some of the syslogs for me please, either here or to me at jmia@ohgroup.co.uk

logging on

logging buffer debug

sho logging

Thanks/Regards,

Jay.

Re: PIX denies access to a few sites (example: www.cisco.com)

Well, my first inclination here would be to take a look at your Squid server and determine why it is sending packets to the PIX that are too big and have the DF bit set. Take a look and see whether the MTU value on the interface has been changed to something smaller than 1500. I have a hard time believing that the Linux server would be sending Ethernet packets bigger than 1500. But anyway... here is some more information on the MTU commands on the PIX:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1171325

Scott
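The ICMP message the original poster saw on the wire and the MTU question Scott raises are two sides of path MTU discovery (RFC 1191): a gateway that receives a DF datagram larger than its next-hop MTU drops it and returns ICMP type 3, code 4 carrying the next-hop MTU and a copy of the offending datagram's IP header plus its first 8 bytes. The following is an added example (not code from either poster or from Cisco) that decodes such a message the way you would when checking a sniffer trace, validates its checksum, and computes the TCP MSS that fits the advertised MTU. The capture is constructed; the addresses 10.10.10.5 (assumed DMZ Squid host) and 198.51.100.10 (documentation range standing in for a web server) and the 1400-byte next-hop MTU are assumptions, not values from the thread.

```python
"""Decode ICMP "fragmentation needed and DF set" (type 3, code 4) messages
and derive the TCP MSS a host would need to stop triggering them.

Added example for this thread, not code from either poster. The capture
built by sample_capture() is constructed; its addresses and the 1400-byte
next-hop MTU are assumptions, not values taken from the thread.
"""
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 792)
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
IPV4_HDR_LEN, TCP_HDR_LEN = 20, 20   # minimum headers, no options assumed


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending_datagram_head: bytes) -> bytes:
    """Build the message a gateway sends when a DF datagram exceeds the next-hop
    MTU: type, code, checksum, 16 unused bits, next-hop MTU (RFC 1191), then the
    offending datagram's IP header plus its first 8 payload bytes."""
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                      next_hop_mtu) + offending_datagram_head
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(icmp: bytes) -> dict:
    """Parse a type 3 / code 4 message. Raises ValueError on a short message,
    a bad checksum or the wrong type/code. Returns the advertised next-hop MTU
    and what the quoted inner IP header says about the packet that was too big:
    source, destination, protocol, total length, DF flag and TCP/UDP ports."""
    if len(icmp) < 8 + IPV4_HDR_LEN:
        raise ValueError("too short for ICMP header plus inner IPv4 header")
    if inet_checksum(icmp) != 0:           # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not type 3 code 4, got %d/%d" % (itype, code))
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4                      # inner IP header length in bytes
    total_len = struct.unpack("!H", inner[2:4])[0]
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    info = {
        "next_hop_mtu": next_hop_mtu,
        "src": ".".join(str(b) for b in inner[12:16]),
        "dst": ".".join(str(b) for b in inner[16:20]),
        "proto": inner[9],
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),             # DF is bit 1 of the flags field
    }
    l4 = inner[ihl:ihl + 8]                          # RFC 792 quotes 8 bytes past the header
    if info["proto"] in (IP_PROTO_TCP, IP_PROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def tcp_mss_for_mtu(path_mtu: int) -> int:
    """Largest TCP MSS that fits a path MTU with plain IPv4 and TCP headers;
    this is the value an MSS clamp on the firewall or proxy host would use."""
    return path_mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def sample_capture() -> bytes:
    """Constructed capture (assumed values): what a gateway would return to
    10.10.10.5 after it sent a full 1500-byte DF TCP segment (port 40000 -> 80)
    toward 198.51.100.10 across a hop whose MTU is only 1400 bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64,
                         IP_PROTO_TCP, 0, bytes([10, 10, 10, 5]),
                         bytes([198, 51, 100, 10]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_first8 = struct.pack("!HHI", 40000, 80, 0x01020304)  # ports + sequence number
    return build_frag_needed(1400, ip_hdr + tcp_first8)


if __name__ == "__main__":
    info = parse_frag_needed(sample_capture())
    print("next-hop MTU %d for %s -> %s (proto %d, %d bytes, DF=%s)"
          % (info["next_hop_mtu"], info["src"], info["dst"], info["proto"],
             info["total_len"], info["df"]))
    print("clamp TCP MSS to", tcp_mss_for_mtu(info["next_hop_mtu"]))
```

Run over the type 3 / code 4 packets from a sniffer trace, the parser tells you which hop is complaining, which flow triggered it and the MTU it advertises; if the advertised MTU is below 1500 while the Squid interface is still at 1500, the sender has to either honour the message (path MTU discovery) or have its MSS clamped, and a firewall that drops these messages instead of letting them reach the sender leaves large transfers stalled while small ones succeed, which matches the "some sites work, others don't" symptom described in the question.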
