What's actually in the packet stream to the remote host? Is there anything silly in there like IP based auth or some other half ass vendor stupidity?

Two things I would do. First, I would use a spanning port to sniff at the firewall traffic instead of using the method that Neb suggested simply because there have been times when I actually have done what he warns of even though I *thought* the filter was specific enough.

Second, I would see if there is a way to watch the conversation between the localhost and the remote host clear of your ISA and PIX. After seeing how that works, I would look for obvious stupidity. If none is apparent, then I would introduce the ISA and PIX one at a time to see if I can at least figure out where I need to dig deeper.

Anyway, fwiw.

--TH13