Firewall Wizards mailing list archives

cisco PIX - web access problems


From: "Randy.Witlicki."<randy.witlicki () valley net>
Date: Thu, 23 Oct 1997 17:38:33 -0400


  Hello,

  This is the setup:  a cisco PIX firewall (running 4.1.2) with a
Bay networks ASN router inside of it talking to some ethernet and
token ring interfaces as well as a remote office with 1/2 of a T1
and a Bay ARN.  There is also a legacy "IWare" IPX to IP proxy inside
of the PIX.
  Now, here's the problem:
     A Windows NT 4.0 system (in this case at the remote site)
can use Netscape to get to about half of the web sites it tries to
get to.  The bottom of the screen status bar has a ...waiting for reply....
line but never gets any farther when it can't connect.
   In a case with a nearby web site which I know is up:
   The PIX syslog has two lines:
  <-18511608122> 302001 Built connection for faddr 206.34.181.100/90 gaddr
xxx.xxx.xxx.xxx laddr 192.168.20.20/1133
  <-1851608122> 304001 192.168.20.20 accessed URL 206.34.181.100:/ HTTP 1.0
  The PIX translation table will show something like:
Global xxx.xxx.xxx.xxx Local 192.168.20.20 nconns 1 econns 0 flags -
  TCP out 206.34.181.100:80 in 192.168.20.20:1049 idle 0:00:17 Bytes 7471
flags UHIO
   but the connection never returns any data to the web browser and there are
not any further log lines as it gets more http pages from the same site.
  From this same NT 4.0 system I can telnet, ftp and so on; the half of the
web sites that do work, work very well with no delay.  From the log file
entries it appears that there is not a DNS problem (it resolves the name
right away).
  Some of the PCs at the remote office talk to the IWare proxy at the central
site, and when this NT 4.0 system couldn't reach altavista.digital.com, a
PC two cubicles down reached it quickly going through IWare.
  This does not appear to be an Identd or DNS problem (the PIX logs port 113
queries and none are logged in this case).

  I am looking for troubleshooting pointers.  Any PIX experts out there?

  -  Randy    randy.witlicki () valley net    Norwich,  Vermont  USA