04-30-2008 03:55 PM - edited 02-21-2020 02:00 AM
Hi
I have a problem... when I try to permit a web page (for example www.microsoft.com) in a temporary role, the user can't open it and a security message is displayed, but when I add the web IP the users can access it.... The NAC is working in real-IP layer 3...
thanks for your help
05-01-2008 05:47 AM
Hi,
Have you allowed DNS traffic to a trusted DNS host?
Cheers,
05-01-2008 02:40 PM
Yes... I did it... :(
But it's a default trusted DNS policy... permit to all DNS servers UDP port 53... is it correct? Or should I type the IP address of my DNS manually?
05-02-2008 01:03 AM
No, that's fine, as long as that rule applies to the role of the PC.
Try an nslookup on the PC. What's the output?
>nslookup www.cisco.com
05-07-2008 07:40 AM
Hi...
At the moment I'm not at the company... next Friday I will try.
thanks a lot!
05-07-2008 12:15 AM
Are you using a proxy server in your network?
Try enabling the Parse Proxy checkbox under
CCA Servers --> Filter --> Roles --> Allowed hosts.
Try putting the proxy server IP address and port number under CCA Servers --> Advanced --> Proxy
05-07-2008 07:42 AM
Hi
No... I don't have access to the internet through a proxy server... I have a firewall
:(
The NAC server is working as a layer 3 real-IP gateway... when I put in the IP address of the page, for example www.symantec.com, the users can access it... but when I permit the access by host .symantec.com with any of the options like ends, contains, etc., they can't access it...
05-08-2008 06:03 AM
Definitely sounds like DNS to me.
05-14-2008 09:37 AM
Hi
The result of the DNS lookup on the host is the following:
*** Can't find server name for address 172.16.48.253: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 172.16.48.253
Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
The result of the nslookup on the CAS is the following:
[root@CAS-MTY ~]# nslookup www.cisco.com
Server: 172.16.48.253
Address: 172.16.48.253#53
Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
Help me
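Added example, not part of any post in this thread: a short Python script that parses the two nslookup outputs posted above and reports where the client PC and the CAS disagree for the same query. The function names are illustrative, and the sample text is copied from the post.

```python
import re

# nslookup output copied from the post above: client PC first, then the CAS.
CLIENT_OUTPUT = """\
*** Can't find server name for address 172.16.48.253: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 172.16.48.253
Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
"""
CAS_OUTPUT = """\
Server: 172.16.48.253
Address: 172.16.48.253#53
Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
"""

def parse_answer(text):
    """Return name, addresses and aliases from the answer part of nslookup output."""
    answer = {"name": None, "addresses": set(), "aliases": set()}
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Address(?:es)?|Aliases):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).lower().rstrip(".")
        if key == "Name":
            answer["name"] = value
        elif answer["name"] is None:
            continue  # Address lines before "Name:" describe the DNS server
        elif key == "Aliases":
            answer["aliases"].add(value)
        else:
            answer["addresses"].add(value.split("#")[0])
    return answer

def compare(query, client_text, cas_text):
    """List the ways the two vantage points disagree about `query`."""
    client, cas = parse_answer(client_text), parse_answer(cas_text)
    findings = []
    for label, ans in (("client", client), ("CAS", cas)):
        names = sorted(({ans["name"]} | ans["aliases"]) - {None})
        if query not in names:
            findings.append(f"{label}: answer is for {names}, not {query}")
    if client["addresses"] != cas["addresses"]:
        findings.append(f"address mismatch: client {sorted(client['addresses'])} vs CAS {sorted(cas['addresses'])}")
    return findings
```

Calling `compare("www.cisco.com", CLIENT_OUTPUT, CAS_OUTPUT)` returns two findings: the client's answer is for a different name than the one queried, and the two hosts got different addresses.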
05-16-2008 02:56 PM
Additionally, I'd like to say that my configuration is Out-of-Band Real-IP Gateway. Does anybody know if there's a restriction on managing host-based policies?
Regards
05-18-2008 05:10 AM
That's how mine was set up as well, and it should not make a difference. What happens if you try to allow 'all traffic' in your policy? Does it resolve then?
05-19-2008 01:21 AM
Additionally, could you post a screenshot of your traffic policy and the output from an ipconfig /all on the client?
Thanks,