Strange network connectivity
I have a Windows 2003 server with the latest service pack and fixes. The server is connected to a switch, then there is a firewall, and a router. The firewall is also set up for site-to-site VPN. The server's default gateway is set to the firewall. Lately I noticed the server cannot access the internet, but it can be accessed from all the computers in the same subnet. Even from other networks tunneling through the VPN, it can be accessed, but for some reason it cannot access the internet. I cannot ping or browse or use any other services. Before, it was working fine, but now it just won't communicate. Any ping to any internet IP address simply times out. I have updated the NIC driver, and no luck. I have powered off and powered on the switch, no luck. In the firewall settings, the rule allows going outside. In the log, it shows it is pinging. There is no rule that denies or blocks. I have flushed the ARP file using "nbtstat -R" and no luck. I have rebooted the firewall several times and flushed its ARP and no luck. I rebooted the router and no luck. The server's firewall is turned off. I have scanned for AV/spyware/malware and it is clean. I have changed the network card and no luck. However, when I changed its IP address it could connect to the internet and respond to pings, but if I change it back to the original IP, it won't connect to the internet. What could be wrong here? Thanks in advance, Sean
February 25th, 2011 9:26pm

It sounds like the firewall that is terminating your site-to-site VPN is to blame here. In order for the firewall to decide which traffic needs to be sent through the tunnel and which is routed to the Internet, an ACL is defined. It seems that whoever set up the ACL did not format it correctly, and it is tunneling all outbound traffic from that particular server's IP address. Have your network/firewall admin configure the ACL using more specific destination network addresses so it does not mistakenly tunnel traffic destined for Internet networks. This is a common problem, really, when junior "network guys" don't take the time to write very specific extended ACLs.
Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
February 26th, 2011 5:52pm

Matt, thanks for the reply. The firewall is a Sonicwall pro 2040. It's not a Cisco PIX/ASA where you can configure ACLs. With Sonicwall, there is only GUI configuration for rule-based firewall rules. The rule that is in place is allow LAN access to WAN and all services. I've also disabled the site-to-site VPN tunnel to see if it makes a difference. It did not. It still won't ping or communicate with the internet with the original IP, only with the new IP address. The only thing I can think is that something must be in the ISP router that prevents that IP address from going out.
February 28th, 2011 12:38am

Hi azSean, when the server's IP address was changed and it could connect to the Internet, was the new IP in the same subnet as the original IP, with no change to other settings? Make sure there is no IP conflict (for the original IP) in your network, and compare "tracert www.microsoft.com" to check if it times out at the firewall IP. If yes, please visit www.sonicwall.com for some help. Regards, Rick Tan
February 28th, 2011 12:29pm
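The two checks suggested in the reply above (is another host answering for the original IP, and at which hop does the path toward the Internet stop) can be made repeatable by parsing the output of `arp -a` on a neighbouring host and of `tracert` on the server. The script below is an added example, not code from the thread or from any of the vendors mentioned; the `arp -a` and `tracert` text, the addresses and the MAC values in it are constructed samples, and the firewall IP, server IP and expected server MAC are assumed inputs. A MAC for the original IP that differs from the server's own NIC points to a conflicting host or a stale entry on that neighbour; a trace whose last reply comes from the firewall points at the firewall or the upstream router for that source address.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of Windows "arp -a" (not from the thread).
# 192.168.1.10 stands in for the server's original IP; the MAC shown for it is
# deliberately NOT the server's NIC, to model a conflict or stale entry.
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.10          00-aa-bb-cc-dd-99     dynamic
  192.168.1.20          00-11-22-33-44-20     dynamic
"""

# Constructed sample in the format of Windows "tracert" (placeholder target).
SAMPLE_TRACERT = """\
Tracing route to www.example.com [203.0.113.5]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""

ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+\w+")
TRACE_ROW = re.compile(r"^\s*(\d+)\s+(.*)$")
TRAILING_IP = re.compile(r"\[?(\d+\.\d+\.\d+\.\d+)\]?\s*$")


def normalize_mac(mac: str) -> str:
    """Lower-case and dash-separate a MAC so 'AA:BB..' and 'aa-bb..' compare equal."""
    return mac.replace(":", "-").lower()


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> normalized MAC from 'arp -a' output; header lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def detect_ip_conflict(arp_text: str, ip: str, expected_mac: str) -> Optional[str]:
    """Return the unexpected MAC a neighbour has cached for ip, or None if it matches."""
    seen = parse_arp(arp_text).get(ip)
    if seen is None or seen == normalize_mac(expected_mac):
        return None
    return seen


def parse_tracert(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop, replying IP or None for a timed-out hop) for each trace row."""
    hops: List[Tuple[int, Optional[str]]] = []
    for line in text.splitlines():
        m = TRACE_ROW.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((hop, None))
        else:
            ip = TRAILING_IP.search(rest)
            hops.append((hop, ip.group(1) if ip else None))
    return hops


def first_timeout_hop(text: str) -> Optional[int]:
    """Hop number of the first '*' row, or None if every hop replied."""
    return next((hop for hop, ip in parse_tracert(text) if ip is None), None)


def last_responding_ip(text: str) -> Optional[str]:
    """IP of the last hop that replied before the first timeout."""
    last = None
    for _, ip in parse_tracert(text):
        if ip is None:
            break
        last = ip
    return last


def diagnose(arp_text: str, trace_text: str, server_ip: str,
             server_mac: str, firewall_ip: str) -> Dict[str, object]:
    """Combine both checks into the findings a network admin would act on."""
    conflict_mac = detect_ip_conflict(arp_text, server_ip, server_mac)
    last_ip = last_responding_ip(trace_text)
    return {
        "conflicting_mac": conflict_mac,          # another host answering for the IP?
        "first_timeout_hop": first_timeout_hop(trace_text),
        "stops_after_firewall": last_ip == firewall_ip,  # firewall/upstream is next suspect
        "firewall_unreachable": first_timeout_hop(trace_text) == 1,  # LAN-side problem
    }


if __name__ == "__main__":
    # Assumed inputs: server 192.168.1.10 with NIC 00-11-22-33-44-10, firewall 192.168.1.1.
    print(diagnose(SAMPLE_ARP, SAMPLE_TRACERT, "192.168.1.10",
                   "00-11-22-33-44-10", "192.168.1.1"))
```

On the real hosts, capture the text with `arp -a > arp.txt` on a machine in the same subnet (while the server is powered off, so any entry for the original IP must come from a second device) and `tracert www.microsoft.com > trace.txt` on the server, then feed both files to `diagnose`. The same two checks, run once with the original IP and once with the new one, give a side-by-side view that is easier to hand to the firewall or ISP support than a description of ping failures.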
