CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Hi,

My network is as below.

Router
  |
Firewall -- SERVER DMZ
  |
LAN

I have a peculiar problem wherein users accessing certain internet pages are getting a "page cannot be displayed" error.

For example, after accessing hp.com, when I go to download the drivers, the page always says it cannot be displayed.

I also checked the show conn detail; it was giving me a flag value of UIFRO, which is something to do with SUNRPC UDP packets not getting accepted. Can someone help me on how I get this resolved? I am also attaching the present firewall config. Without the firewall it's working fine.

regards, JKannan

10 Replies

srue (Level 7)

Why do you have a service policy applied to the outside interface?

You have an ACL entry for 150 that is permit icmp any any, so you can take out all other ICMP ACL entries for that ACL.

Also, try re-entering your global statement, without the netmask.

guibarati (Level 4)

This is a "famous" problem of ASA or PIX 7.X; you can see how to fix it in:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

I don't think you need to do all the things the link says, but at the end of it is the solution.

Please rate the post if it helps.

Hi,

Even after doing the changes as mentioned in the link, I am facing a problem in accessing the drivers download page on HP.com.

Krishna.

Have you created a "permit any any" for the access list that matches the TCP adjust? If not, I think you should do so, because if you closed the access list on the HP website IP address, it could be a different address for the drivers download area, so with an "any any" all the pages should be accessible... if the MSS is the problem, of course.

littledavewhite (Level 1)

Hi, have you managed to sort this problem? I also have the same issue with the HP website and driver page through an IOS firewall. I have tried taking the access list out and adjusting the ip tcp mss size on the inside Ethernet interface, but still have the problem.

Would the problem be related to the IOS running in the ASA? It's running version 7.0; should I try upgrading to 7.2 and check if it's working fine?

regards...Jkannan

Problem solved.

Really simple in the end. I put a debug icmp on the box and noticed the redirect for the remote web site was a 192 network. I had a route for 192 pointing into my internal network, so this is why everything went pear-shaped. Just shows how you can go down the wrong path when sometimes the fix is quite simple.

How can an internal route be a cause for this problem?

regards...Jkannan

Hi

In my scenario I had users going to the HP web site; this was fine. When they attempted to go to the download driver site, the connection failed at this point. Initially I thought it was an issue with MTU, but on further investigation I noticed the routing issue.

I have various 192 networks on my internal network and a static route of 192.0.0.0 255.0.0.0 pointing to my internal routers. When you get redirected to the driver site, the router receives an ICMP redirect with the IP address of the HP download site. This site had a 192 address, hence the clash. So I have now changed my routing tables on the firewall and all is well. The blanket 192 network I had in the routing table was a bad idea!!
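The routing clash described in the post above, reproduced as an added example that is not part of the thread and not Cisco code: a longest-prefix-match lookup over two constructed static route tables, one with the blanket 192.0.0.0/8 route toward the internal router and one listing only the specific internal /24s, plus a check that flags static routes whose prefix spills into public address space. All next hops, internal networks and the "HP download site" address (192.0.2.10, from the RFC 5737 documentation range) are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): next hops and internal networks.
INSIDE_HOP = "10.0.0.1"        # hypothetical internal router
OUTSIDE_HOP = "203.0.113.1"    # hypothetical upstream (outside) gateway

# "Bad" table: a blanket 192/8 static route pointing inside, as in the thread.
BAD_TABLE = [
    ("0.0.0.0/0", OUTSIDE_HOP),
    ("192.0.0.0/8", INSIDE_HOP),
]

# "Good" table: only the specific internal 192.168.x.0/24 networks point inside.
GOOD_TABLE = [
    ("0.0.0.0/0", OUTSIDE_HOP),
    ("192.168.10.0/24", INSIDE_HOP),
    ("192.168.20.0/24", INSIDE_HOP),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def leaky_routes(table):
    """Return non-default static routes whose prefix is not fully inside RFC 1918 space.

    Such a route will capture public destinations that happen to share the prefix,
    which is exactly how a public 192.x.x.x download site ended up routed inside.
    """
    leaky = []
    for prefix, _hop in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue  # the default route is expected to cover public space
        if not any(net.subnet_of(private) for private in RFC1918):
            leaky.append(prefix)
    return leaky


if __name__ == "__main__":
    # Constructed public destination standing in for the HP download site.
    public_site = "192.0.2.10"
    print("bad table  ->", lookup(BAD_TABLE, public_site))   # goes to the internal router
    print("good table ->", lookup(GOOD_TABLE, public_site))  # goes out the default route
    print("leaky routes in bad table:", leaky_routes(BAD_TABLE))
```

With the blanket route, any public 192.x.x.x destination (the constructed 192.0.2.10 here) is sent to the internal router, which is the behaviour the thread saw once the ICMP redirect pointed the client at a 192 address; the specific /24 routes leave it on the default route. The `leaky_routes` check is the kind of sanity test worth running over a firewall's static routes before deploying them.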
