07-05-2006, 09:43 PM
scottnelson

First thing is to troubleshoot and then when we know what it is, then figure out what to do at that point. ;-)

Can you disable IPTables to perform some testing with your outside client and then re-enable when done? See if you can download and upload with IPTables off.

Then, if that still doesn't work, put a rule in the PIX to temporarily allow all traffic from your outside test client IP address to your server, and see if that works.

If still no go, do both and then test.

68 isn't a code type; it's the ICMP packet size for the reply that it's being admin-denied somewhere.
The tcpdump part that says:
zimbra.dsm.net unreachable - admin prohibited
is why I brought up icmp-unreachable theory.
admin-prohibited means it is either being blocked at the firewall(s) by rule, or by a built-in/external IDS somewhere or an IDS setting on the PIX, or something is blocking the icmp-unreachable message, in which case the "please fragment" ICMP message isn't getting to the server.
If it's one or both of the firewalls, the above tests should either prove or eliminate them as suspects.
Also, it working locally on the LAN and not over the Internet lends credence to a firewall or networking issue somewhere.
Could I still be wrong? <shrug> Yup, but at least we'll know if it's a firewall(s) issue at your site or not.
Since it works locally though, unless you have some extensive rules in iptables, the issue is probably not going to be there, but it's good to be sure anyway.

:-)

Scotty
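An added example, not from this thread or from Scotty's post: a small Python script that reads tcpdump-style ICMP lines and maps the "unreachable - admin prohibited" and "need to frag" texts to their ICMP type 3 codes, keeping the trailing `length` field (where a number like the 68 discussed above comes from) separate from the code. The sample capture lines, hostnames and addresses are constructed placeholders. The two helper functions report which hosts emitted admin-prohibited replies (the firewalls to check first) and which path-MTU hints actually reached the server, which is what the tests above are trying to establish.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in tcpdump's ICMP output style; hostnames and
# addresses are placeholders, not captures from the thread.
SAMPLE_CAPTURE = """\
21:40:01.103452 IP pix-outside.example.net > zimbra.example.net: ICMP host 198.51.100.7 unreachable - admin prohibited, length 68
21:40:03.500110 IP edge-router.example.net > zimbra.example.net: ICMP 198.51.100.7 unreachable - need to frag (mtu 1492), length 36
21:40:04.000000 IP zimbra.example.net > 198.51.100.7: ICMP echo reply, id 12, seq 1, length 64
21:40:06.221000 IP iptables-host.example.net > zimbra.example.net: ICMP host 198.51.100.7 unreachable - admin prohibited filter, length 68
"""

# One tcpdump line: timestamp, "IP src > dst:", the ICMP description and the
# trailing ", length N" (the ICMP payload size, not a type or code).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<desc>.*?)"
    r"(?:, length (?P<length>\d+))?$"
)


@dataclass
class IcmpEvent:
    ts: str
    src: str                  # host that generated the ICMP message
    dst: str                  # host receiving it (the server in the thread)
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    length: Optional[int]     # ICMP length reported by tcpdump
    mtu: Optional[int]        # only for type 3 code 4 (fragmentation needed)
    desc: str


def classify(desc: str):
    """Map tcpdump's textual ICMP description to (type, code, mtu).

    Only the messages relevant to the path-MTU / admin-prohibited discussion
    are mapped; other destination-unreachable texts get type 3, code None.
    """
    if desc.startswith("echo reply"):
        return 0, 0, None
    if desc.startswith("echo request"):
        return 8, 0, None
    m = re.search(r"need to frag \(mtu (\d+)\)", desc)
    if m:                                          # type 3 code 4: "please fragment"
        return 3, 4, int(m.group(1))
    if desc.endswith("admin prohibited filter"):   # type 3 code 13
        return 3, 13, None
    if desc.endswith("admin prohibited"):          # code 9 (net) or 10 (host)
        return 3, (9 if desc.startswith("net ") else 10), None
    if "unreachable" in desc:
        return 3, None, None
    return None, None, None


def parse_capture(text: str) -> List[IcmpEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # not an ICMP line in this format
        icmp_type, icmp_code, mtu = classify(m["desc"])
        events.append(IcmpEvent(
            ts=m["ts"], src=m["src"], dst=m["dst"],
            icmp_type=icmp_type, icmp_code=icmp_code,
            length=int(m["length"]) if m["length"] else None,
            mtu=mtu, desc=m["desc"],
        ))
    return events


ADMIN_PROHIBITED_CODES = {9, 10, 13}


def admin_prohibited_sources(events: List[IcmpEvent]) -> List[str]:
    """Hosts that sent an administratively-prohibited unreachable: each one is a
    firewall or filter whose rules should be checked first."""
    return sorted({e.src for e in events
                   if e.icmp_type == 3 and e.icmp_code in ADMIN_PROHIBITED_CODES})


def need_frag_mtus(events: List[IcmpEvent]) -> Dict[str, int]:
    """Path-MTU hints that did reach the server, as sender -> advertised MTU.
    If this is empty while large transfers stall, the "please fragment"
    messages are being dropped somewhere on the path."""
    return {e.src: e.mtu for e in events
            if e.icmp_type == 3 and e.icmp_code == 4 and e.mtu is not None}


if __name__ == "__main__":
    evs = parse_capture(SAMPLE_CAPTURE)
    for e in evs:
        print(f"{e.ts} {e.src} -> {e.dst}: type={e.icmp_type} code={e.icmp_code} "
              f"length={e.length} mtu={e.mtu}")
    print("admin-prohibited from:", admin_prohibited_sources(evs))
    print("need-frag MTUs:", need_frag_mtus(evs))
```

Feed it real capture output with `tcpdump -n icmp` on the server if you want to try it; an admin-prohibited sender that is your own PIX or iptables box points straight at the rule to look for, while an absence of any need-to-frag entries during a stalled transfer points at the hint being filtered before it arrives.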