Let me quickly explain our setup, we are running a cisco ASA 5510.  We have 2 linux proxy servers in the DMZ. Both Proxy servers have static NAT on the firewall.

50% of websites we go to through the firewall have no problems. The other 50% times out, we have found that this happens mostly to websites that are web 2.0 (like facebook) and redirect their traffic to other websites. We then decided to test using wget on the linux boxes. This bypasses the proxy component and is a simple download tool for linux. The same thing applies where direct connections to files work fine but redirection breaks.

WSG01-EXT is the proxy server. WSG01-PUBLIC-BROWSING is the outside NAT. Here I am trying to download a file.  http://download.winzip.com/winzip150.exe . The ip address I am connecting to and the ip address that responds is not the same one and it makes sense that the firewall blocks it as it sent no syn to that address, but how do i get around this?

Here are some relavant firewall logs.

WSG01-EXT    39701    92.123.154.73    80    Built outbound TCP connection 201329 for outside:92.123.154.73/80 (92.123.154.73/80) to DMZ-VLAN-15:WSG01-EXT/39701 (WSG01-PUBLIC-BROWSING/39701)

165.165.47.11    80    WSG01-PUBLIC-BROWSING    30737    Deny TCP (no connection) from 165.165.47.11/80 to WSG01-PUBLIC-BROWSING/30737 flags SYN ACK  on interface outside

Thanks in advance for all the replies and let me know if you need more information. I really hope this is just some kind of checkbox somewhere that I am missing.

S