06-18-2007 02:55 AM - edited 03-11-2019 03:31 AM
Hi,
My network is as below.
Router
|
|
Firewall--SERVER DMZ
|
|
LAN
I have a peculiar problem wherein users accessing certain internet pages are getting a "page cannot be displayed" error.
For example, after accessing hp.com, when I go to download the drivers, the page always says it cannot be displayed.
I also checked the show conn detail; it was giving me a flag value of UIFRO, which is something to do with SUNRPC UDP packets not getting accepted. Can someone help me with how to get this resolved? I am also attaching the present firewall config. Without the firewall it's working fine.
Regards, JKannnan
06-18-2007 06:03 AM
Why do you have a service policy applied to the outside interface?
You have an ACL entry for 150 that is permit icmp any any, so you can take out all other ICMP ACL entries for that ACL.
06-18-2007 07:06 AM
Also, try re-entering your global statement, without the netmask.
06-18-2007 09:13 AM
This is a "famous" problem of ASA or PIX 7.x; you can see how to fix it in:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
I don't think you need to do all the things the link says, but at the end of it is the solution.
Please rate the post if it helps.
06-19-2007 10:39 PM
Hi,
Even after making the changes mentioned in the link, I am facing a problem accessing the drivers download page on HP.com.
Krishna.
06-20-2007 03:53 AM
Have you created a "permit any any" for the access list that matches the tcp adjust? If not, I think you should do so, because if you closed the access list on the HP website IP address, it could be a different address for the drivers download area, so with an "any any" all the pages should be accessed, if the MSS is the problem of course.
06-21-2007 10:45 AM
Hi. Have you managed to sort this problem? I also have the same issue with the HP website and driver page through an IOS firewall. I have tried taking the access list out and adjusting the ip tcp mss size on the inside ethernet interface, but still have the problem.
07-11-2007 08:51 PM
Would the problem be related to the IOS running in the ASA? It's running version 7.0; should I try upgrading to 7.2 and check if it's working fine?
Regards, Jkannan
07-12-2007 08:45 AM
Problem solved.
Really simple in the end: I put a debug icmp on the box and noticed the redirect for the remote web site was a 192 network. I had a route for 192 pointing into my internal network, so this is why everything went pear-shaped. Just shows how you can go down the wrong path when sometimes the fix is quite simple.
07-17-2007 11:03 PM
How can an internal route be a cause for this problem?
Regards, Jkannan
07-18-2007 05:37 AM
Hi
In my scenario I had users going to the HP web site; this was fine. When they attempted to go to the download driver site, the connection failed at this point. Initially I thought it was an issue with MTU, but on further investigation I noticed the routing issue.
I have various 192 networks on my internal network and a static route of 192.0.0.0 255.0.0.0 pointing to my internal routers. When you get redirected to the driver site, the router receives an ICMP redirect with the IP address of the HP download site. This site had a 192 address, hence the clash. So I have now changed my routing tables on the firewall and all is well. The blanket 192 network I had in the routing table was a bad idea !!
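The overlap described in the last reply, as an added example that is not part of the original thread: a Python check that flags static routes whose prefix reaches beyond RFC 1918 space while pointing at an internal next hop, and shows which route longest-prefix match selects for a public destination. The route lines, next hops and the address 192.0.2.10 (standing in for the download site, whose real address the thread does not give) are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: next hops and the 10.20.0.0 route are placeholders.
SAMPLE_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.0.0.0 255.0.0.0 10.1.1.254
ip route 10.20.0.0 255.255.0.0 10.1.1.254
"""

def parse_routes(text):
    """Parse IOS 'ip route NET MASK HOP' and ASA 'route IF NET MASK HOP' lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and (f[:2] == ["ip", "route"] or f[0] == "route"):
            try:
                net = ipaddress.ip_network(f"{f[2]}/{f[3]}")
                hop = ipaddress.ip_address(f[4])
            except ValueError:
                continue  # interface-only or VRF forms are out of scope here
            routes.append((net, hop))
    return routes

def overbroad(routes):
    """Routes via an RFC 1918 next hop whose prefix is not wholly RFC 1918."""
    flagged = []
    for net, hop in routes:
        internal_hop = any(hop in p for p in RFC1918)
        wholly_private = any(net.subnet_of(p) for p in RFC1918)
        if internal_hop and not wholly_private:
            flagged.append(net)
    return flagged

def best_route(routes, dest):
    """Longest-prefix match: the route a forwarding lookup would select."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for net in overbroad(routes):
        print(f"over-broad internal route: {net}")
    net, hop = best_route(routes, "192.0.2.10")  # constructed public address
    print(f"192.0.2.10 is forwarded via {hop} (matched {net})")
```

Because 192.0.0.0/8 is more specific than the default route, traffic to any public 192.x.x.x address is sent to the internal next hop instead of out to the internet.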