CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Unanswered Question
Jun 18th, 2007

Hi,


My network is as below.

Router
  |
  |
Firewall--SERVER DMZ
  |
  |
LAN


I have a peculiar problem wherein users accessing certain internet pages are getting a "page cannot be displayed" error.

For example, after accessing hp.com, when I go to download the drivers the page always says it cannot be displayed.

I also checked the show conn detail; it was giving me a flag value of UIFRO, which is something to do with SUNRPC UDP packets not getting accepted. Can someone help me on how I get this resolved? I am also attaching the present firewall config. Without the firewall it's working fine.

Regards, JKannan



srue Mon, 06/18/2007 - 06:03


Why do you have a service policy applied to the outside interface?

You have an ACL entry for 150 that is permit icmp any any, so you can take out all other ICMP ACL entries for that ACL.

srue Mon, 06/18/2007 - 07:06

Also, try re-entering your global statement, without the netmask.

netkrish80 Tue, 06/19/2007 - 22:39

Hi,


Even after doing the changes as mentioned in the link, I am facing a problem in accessing the drivers download page on HP.com.


Krishna.

guibarati Wed, 06/20/2007 - 03:53

Have you created a "permit any any" for the access list that matches the tcp adjust? If not, I think you should do so, because if you closed the access list on the HP website IP address it could be a different address for the drivers download area, so with an "any any" all the pages should be accessible... if the MSS is the problem, of course.

littledavewhite Thu, 06/21/2007 - 10:45

Hi, have you managed to sort this problem? I also have the same issue with the HP website and driver page through an IOS firewall. I have tried taking the access list out and adjusting the ip tcp mss size on the inside Ethernet interface, but still have the problem.

Manjunatha Jayaram Wed, 07/11/2007 - 20:51

Would the problem be related to the IOS running in the ASA? It's running version 7.0; should I try upgrading to 7.2 and check if it's working fine?

Regards, Jkannan

littledavewhite Thu, 07/12/2007 - 08:45

Problem solved.


Really simple in the end. I put a debug icmp on the box and noticed the redirect for the remote web site was a 192 network. I had a route for 192 pointing into my internal network, so this is why everything went pear shaped. Just shows how you can go down the wrong path when sometimes the fix is quite simple.

littledavewhite Wed, 07/18/2007 - 05:37

Hi

In my scenario I had users going to the HP web site; this was fine. When they attempted to go to the download driver site, the connection failed at this point. Initially I thought it was an issue with MTU, but on further investigation I noticed the routing issue.

I have various 192 networks on my internal network and a static route of 192.0.0.0 255.0.0.0 pointing to my internal routers. When you get redirected to the driver site the router receives an ICMP redirect with the IP address of the HP download site. This site had a 192 address, hence the clash. So I have now changed my routing tables on the firewall and all is well. The blanket 192 network I had in the routing table was a bad idea!!
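Worked example of the routing clash littledavewhite describes, added here by the editor; it is not code from any poster and the two routing tables are constructed, not anyone's real config. It models a firewall's longest-prefix lookup and flags static routes that point inside but cover more than the RFC 1918 space (192.0.0.0/8 includes public addresses, 192.168.0.0/16 does not). The destination 192.0.2.10 is a TEST-NET-1 documentation address standing in for the public download server, and the next hops 203.0.113.1 / 10.1.1.2 are likewise made up.

```python
import ipaddress

# RFC 1918 address space; anything outside it may be a real internet host
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing tables (prefix, next hop, interface), modelled on the thread.
TABLE_BEFORE = [
    ("0.0.0.0/0",   "203.0.113.1", "outside"),  # default route to the ISP router (made-up address)
    ("192.0.0.0/8", "10.1.1.2",    "inside"),   # the blanket route that caused the problem
    ("10.0.0.0/8",  "10.1.1.2",    "inside"),
]
TABLE_AFTER = [
    ("0.0.0.0/0",      "203.0.113.1", "outside"),
    ("192.168.0.0/16", "10.1.1.2",    "inside"),  # only the RFC 1918 block actually used internally
    ("10.0.0.0/8",     "10.1.1.2",    "inside"),
]


def lookup(table, dst):
    """Longest-prefix match, as a router or firewall does it.

    Returns (next_hop, interface) for the most specific matching route,
    or None when nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return None if best is None else (best[1], best[2])


def overbroad_internal_routes(table):
    """Return prefixes of routes that point inside but are not fully within RFC 1918.

    Such a route silently steals traffic for public addresses inside the prefix,
    which is exactly what happened with 192.0.0.0/8 in the thread.
    """
    bad = []
    for prefix, nexthop, iface in table:
        net = ipaddress.ip_network(prefix)
        if iface == "inside" and not any(net.subnet_of(r) for r in RFC1918):
            bad.append(prefix)
    return bad


if __name__ == "__main__":
    public_host = "192.0.2.10"  # constructed stand-in for the public driver-download server
    print("before fix:", lookup(TABLE_BEFORE, public_host))   # sent to the inside router: broken
    print("after fix: ", lookup(TABLE_AFTER, public_host))    # sent out the default route: works
    print("suspect routes before:", overbroad_internal_routes(TABLE_BEFORE))
    print("suspect routes after: ", overbroad_internal_routes(TABLE_AFTER))
```

The check in overbroad_internal_routes is the one worth running against a real static route table: any inside-facing route whose prefix is not a subnet of an RFC 1918 block is a candidate for exactly this kind of "works without the firewall" symptom.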

