We had a similar issue with our PIX, and discovered that NAT was implicitly two-way, so the issue went away when we removed the reverse NAT that our network guy had entered.

Bob Higgins, MCSE
Information Systems Server Administrator
Chinook Health Region
960 19th Street South
Lethbridge, Alberta T1J 1W5
www.chr.ab.ca
Phone: (403) 382-6338
Fax: (403) 382 6046
E-mail: bhiggins@xxxxxxxxx

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Boggan
Sent: February 5, 2004 8:24 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Network IP routing issue

No, ICMP is open both ways. I can ping anything outside except for our external IPs, which would go out and then right back in again. It doesn't allow that.

_________________________________
Michael Boggan
Network Engineer/Citrix Admin
Virtual Desktop Inc.
Dallas, Texas
Ph: (972) 960-6400
Fax: (972) 960-6445
email: mboggan@xxxxxxxxxxx
http://www.virtualdesktopinc.com
_________________________________

-----Original Message-----
From: Evan Mann [mailto:emann@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 04, 2004 4:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Network IP routing issue

Do you have some kind of access-list denying outbound ICMP? The PIX does NOT block outbound ICMP (or anything, for that matter) in its out-of-the-box config. Look for conduit commands or access-list commands with deny in them for ICMP.

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Boggan
Sent: Wednesday, February 04, 2004 4:58 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] OT: Network IP routing issue

OK, here is something that is driving me nuts. We have internet access in our datacenter. Inside we have a 10.10.99.x IP scheme. We use a PIX firewall to do NAT from external IP to internal IP.

We cannot ping or hit in any way the external IPs from inside. For example, I have a webserver inside the firewall. From outside we can hit www.domain.com with no problems. But from inside we cannot hit www.domain.com or go to the external IP address. Is there some kind of routing or some way to fix this? Not being able to hit those addresses can be a severe problem for some of our internal WAN clients.

Thanks,

_________________________________
Michael Boggan
Network Engineer/Citrix Admin
Virtual Desktop Inc.
Dallas, Texas
Ph: (972) 960-6400
Fax: (972) 960-6445
email: mboggan@xxxxxxxxxxx
http://www.virtualdesktopinc.com
_________________________________