04-30-2008 03:55 PM - edited 02-21-2020 02:00 AM
Hi
I have a problem... when I try to permit a web page (for example www.microsoft.com) in a temporary role, the user can't open it and a security message is displayed, but when I add the web IP the users can access it.... The NAC is working on real-IP layer 3...
thanks for your help
05-01-2008 05:47 AM
Hi,
Have you allowed DNS traffic to a trusted DNS host?
Cheers,
05-01-2008 02:40 PM
Yes... I did it... :(
But it's a default trusted DNS policy... permit to all DNS servers, UDP port 53... Is it correct? Or should I type the IP address of my DNS manually?
05-02-2008 01:03 AM
No, that's fine, as long as that rule applies to the role of the PC.
Try an nslookup on the PC. What's the output?
>nslookup www.cisco.com
05-07-2008 07:40 AM
Hi...
At the moment I'm not at the company... I will try next Friday.
thanks a lot!
05-07-2008 12:15 AM
Are you using a proxy server in your network?
Try enabling Parse Proxy checkbox under
CCA Servers-->Filter--> Roles--> Allowed hosts.
Try putting proxy server IP address and port number under CCA Servers---> Advanced ---> Proxy
05-07-2008 07:42 AM
Hi
No... I don't have access to the internet through a proxy server... I have a firewall
:(
The NAC server is working as a layer 3 real-IP gateway... when I put the IP address of the page, for example www.symantec.com, the users can access it... but when I permit the access by host .symantec.com with all the options like ends, contains, etc., they can't access it...
05-08-2008 06:03 AM
Definitely sounds like DNS to me.
05-14-2008 09:37 AM
Hi
The result of the DNS lookup on the host is the following:
*** Can't find server name for address 172.16.48.253: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 172.16.48.253
Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
The result of the nslookup on the CAS is the following:
[root@CAS-MTY ~]# nslookup www.cisco.com
Server: 172.16.48.253
Address: 172.16.48.253#53
Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
Help me
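Added example, not part of the original thread or of Cisco Clean Access: a small Python check that reads nslookup output like the two pastes in the post above and compares the name that was queried with the names the answer is actually for. The function and field names (`check_lookup`, `matches_query`, `appended_suffix`) are assumptions made for illustration.

```python
import re

# The two nslookup outputs pasted in the post above (client PC, then the CAS).
CLIENT_OUTPUT = """\
*** Can't find server name for address 172.16.48.253: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 172.16.48.253
Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
"""
CAS_OUTPUT = """\
Server: 172.16.48.253
Address: 172.16.48.253#53
Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
"""

FIELD = re.compile(r"(Name|Address(?:es)?|Aliases):\s*(\S+)")

def norm(name):
    return name.rstrip(".").lower()

def check_lookup(query, output):
    """Compare the name that was queried with the names nslookup answered for."""
    names, addresses, in_answer = [], [], False
    for line in output.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            in_answer = True  # the resolver's own Server/Address block is above this
        if not in_answer:
            continue
        if key.startswith("Address"):
            addresses.append(value)
        else:
            names.append(norm(value))
    query = norm(query)
    # A suffix is reported when an answered name is the query plus extra labels.
    suffix = next((n[len(query) + 1:] for n in names if n.startswith(query + ".")), None)
    return {"names": names, "addresses": addresses,
            "matches_query": query in names, "appended_suffix": suffix}

if __name__ == "__main__":
    for label, out in (("client", CLIENT_OUTPUT), ("CAS", CAS_OUTPUT)):
        print(label, check_lookup("www.cisco.com", out))
```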
05-16-2008 02:56 PM
Additionally, I'd like to say that my configuration is Out-of-Band Real-IP Gateway. Does anybody know if there's a restriction on managing host-based policies?
Regards
05-18-2008 05:10 AM
That's how mine was set up as well and it should not make a difference. What happens if you try to allow 'all traffic' in your policy? Does it resolve then?
05-19-2008 01:21 AM
Additionally, could you post a screenshot of your traffic policy and the output from an ipconfig /all on the client?
Thanks,