ok, what the crap is going on?

Unanswered Question
Jul 14th, 2009

Here is the deal. I am certain that this doesn't belong in this category, but I trust the security people more than anyone.

I have a website that I can't access from a certain subinterface. I logged onto the guest VLAN and was able to get to it.

It has always worked until the other day.

I know you might think it has to be a DNS issue, but I don't think that is the case. Let me reiterate: there is NO WEBSENSE OR WEB MONITORING service on. BUT if it is a DNS issue, our DNS is hosted on ONE server, a Windows 2003 server which hosts our DHCP and DNS. How can a server hosting DNS prohibit access to only ONE website???

HOWEVER, on the guest VLAN, it is using the same outside subinterface as my vlan.

Crazy! What could it be! Help!!!

branfarm1 Tue, 07/14/2009 - 16:21

Is it just the one website or is it more than one?

Also, are the connectivity issues limited to the one website, or is it more than just http?

cisco_himg Tue, 07/14/2009 - 16:24

Just one website. It DOES NOT come up with "page cannot be displayed"; it actually says "check your internet connection", but like I said, I can connect through every VLAN that isn't on our domain. Isn't that weird??

I am totally out of ideas.

branfarm1 Tue, 07/14/2009 - 16:28

I guess the other question is whether or not there would be a good reason to block this website. If there's a good reason to block it, there are plenty of ways to block it without having websense or another filtering server configured. Do you have access to the Firewall config? Can you post a cleansed version?

branfarm1 Tue, 07/14/2009 - 16:32

Can you ping or traceroute to the website in question? Where does the traceroute stop?

cisco_himg Tue, 07/14/2009 - 16:36

OK... when I traceroute, it gets there... when I ping, it gets there...


When I put the address in, like I said, "check your internet connection", or go to BING, which is a Microsoft search page. On the search page, I see the site, but when I click on it, it gives me the error message.

When I put the IP address in the browser, it goes to CPANEL, which is a web hosting site.

I am working on trying to get a config together, but I don't think it will help.

branfarm1 Tue, 07/14/2009 - 16:45

Ok -- let's think about this from another perspective. You mentioned that the site works from any interface not "on your domain." Is there a reason this site would want to block your domain? If it's being hosted by a web hosting company, then there are most likely monthly bandwidth limits for the operators of the website in question. Could traffic from your organization be overwhelming their site and/or consuming their monthly allotment?

There are ways for the website admins to block your domain:

Here's an example using Apache and .htaccess files: http://www.techiecorner.com/95/block-ip-from-accessing-website-using-htaccess/

cisco_himg Tue, 07/14/2009 - 16:47

There is only one person (a physician) that uses this website, so I know he doesn't bog down their webserver.

Where is this file so I can check it? This sounds really good!

branfarm1 Tue, 07/14/2009 - 16:50

Well, it would be on the website's server, so you won't have access to it unfortunately. You could always email the admin of the website and ask if you've been blocked :)

Does your network have any kind of IPS/IDS system in place?

cisco_himg Tue, 07/14/2009 - 16:52

OK... yes we have both IPS and IDS....

BUT, the guest VLAN is on the same subinterface on the Cisco ASA, which makes my VLAN and the guest VLAN have the same outside IP address. Make sense? So they should be blocking my IP address.

What about the IPS/IDS?

branfarm1 Tue, 07/14/2009 - 16:58

So your internet traffic, whether from the guest VLAN or the non-guest VLAN, is NAT'd to the same external IP range (or address)?

I'm just throwing out ideas here... IPS can block traffic if it deems it malicious, but depending on the placement it would block the traffic no matter where it was accessed from. Unless the IPS was on a different path to the internet than the traffic from the guest VLAN...

cisco_himg Tue, 07/14/2009 - 17:00

Yes... that is correct on the NAT question..

I checked IPS and nothing is being blocked or logged.

That was a very good idea though.... Anything else I can check?

cisco_himg Tue, 07/14/2009 - 17:10

Wow!.. it worked.... what the heck is that?? And how can I fix my problem now?


branfarm1 Tue, 07/14/2009 - 17:17

Hmm... So here's what we know:

1. Website works from guest VLAN Y

2. Website does not work from VLAN X

3. Internal IPs and guest IPs are NAT'd to the same external range.

4. Website works from VLAN X when viewing through a proxy service.

Just to clarify, are you NAT'ing to the same external range for both guest VLAN and trouble VLAN or are they unique ranges on the same outside network?

i.e. nat (guest) 1 x.x.x.x

nat (inside) 1 x.x.x.x

global (outside) 1 x.x.x.x

or nat (guest) 1 x.x.x.x

nat (inside) 2 x.x.x.x

global (outside) 1 x.x.x.x

global (outside) 2 x.x.x.x

If your outside IPs really do overlap for the different VLANs, then I'm at a loss. Somewhere in your network there is something that is blocking that specific website. You can configure ASAs to block web traffic using modular policies and access-lists, so it's still possible the firewall is blocking it.

Another question I should've thought of earlier on, is it only one host on the trouble VLAN or all hosts on the trouble VLAN that can't access the website?

cisco_himg Tue, 07/14/2009 - 17:20

All hosts on the VLAN (I at least checked that) :)....

Where do I look on the ASA to check to see if the website is blocked... or the IP is blocked...

I do have an SNMP trap set up so they can email us, but that hasn't been touched in a year.

branfarm1 Tue, 07/14/2009 - 17:29

You'll want to look at these items:

-- Access-lists (show access-list)

-- Service-policies (show service-policy)

-- Config items related to class maps, policy maps, and service policies (show run | begin class-map)

You could also try using the Packet tracer wizard in the ASDM to simulate traffic going through your ASA to see if the ASA would block it (ASDM > Tools menu > Packet Tracer).

cisco_himg Tue, 07/14/2009 - 17:32

I did the packet tracer from my workstation IP to the IP of the website and it says it's allowed....

cisco_himg Tue, 07/14/2009 - 17:29

Here is my ASA config... keep in mind the SMTP trap...

But the website I need to get to is..

www.healthyhuntington.org or

See attached... let me know if you see anything that might block that site.

branfarm1 Tue, 07/14/2009 - 17:45

You might consider "cleansing" that config a bit more... it has all usernames and passwords, IPs, etc. still in place.

It also looks as if you do in fact have websense in place:

url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20

filter url http allow

filter https 443 allow

Am I interpreting this wrong?

cisco_himg Tue, 07/14/2009 - 17:49

Yes I know.. I posted the wrong one..

Websense is on the firewall... BUT if you look, mn-is-apps1 is the machine that hosts the Websense, but all Websense policies are turned off on this machine...

branfarm1 Tue, 07/14/2009 - 17:54

What happens if you temporarily remove the RESTRICT_SMTP access list from the inside_vlan17?

Am I correct in assuming that inside_vlan17 is where the trouble is occurring?

cisco_himg Tue, 07/14/2009 - 17:55

Yes that is correct.... VLAN 17 is my VLAN...

will it mess anything up?

cisco_himg Tue, 07/14/2009 - 17:56

But that access list only restricts email traffic.... how would that help?

branfarm1 Tue, 07/14/2009 - 17:59

Again I'm just throwing out ideas here. That access list is the only thing filtering incoming traffic on the internal interface, and it specifically mentions that website address. Couldn't hurt to try it with it off just to make sure...

branfarm1 Tue, 07/14/2009 - 18:04

Use this to remove the RESTRICT_SMTP access-list from the inside_vlan17 interface:

no access-group RESTRICT_SMTP in interface inside_vlan17

All that does is remove that access-list from that interface -- the access-list remains in the config.
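The two checks raised in this thread, whether the guest and trouble VLANs really leave with the same outside address (the nat/global question above) and whether any access-list entry names the site in question before an ACL is pulled off an interface, can be scripted against a saved `show run`. The following is an added example, not code from the thread or from Cisco; it parses pre-8.3 style `nat`/`global` and `access-list` lines from a constructed config snippet with placeholder addresses.

```python
import re

# Constructed ASA 8.x-style config snippet (not the poster's real config);
# interface names mirror the thread, all addresses are placeholders.
SAMPLE_CONFIG = """
access-list RESTRICT_SMTP extended deny tcp any host 203.0.113.10 eq smtp
access-list RESTRICT_SMTP extended permit ip any any
nat (guest) 1 10.20.0.0 255.255.0.0
nat (inside_vlan17) 1 10.17.0.0 255.255.0.0
global (outside) 1 198.51.100.5
access-group RESTRICT_SMTP in interface inside_vlan17
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def nat_pools(config):
    """Map each inside interface to the set of global (outside) addresses its nat id points at."""
    inside_by_id = {}   # nat id -> inside interfaces using it
    global_by_id = {}   # nat id -> global addresses/ranges for it
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            inside_by_id.setdefault(m.group(2), []).append(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_by_id.setdefault(m.group(2), []).append(m.group(3))
    return {iface: set(global_by_id.get(nid, []))
            for nid, ifaces in inside_by_id.items() for iface in ifaces}


def shared_outside_addresses(config):
    """Pairs of inside interfaces whose outside pools overlap: traffic from both
    reaches the internet with the same source address, so a remote block on that
    address would hit both VLANs, not just one."""
    pools = nat_pools(config)
    names = sorted(pools)
    return {(a, b): pools[a] & pools[b]
            for i, a in enumerate(names) for b in names[i + 1:] if pools[a] & pools[b]}


def acl_lines_mentioning(config, target):
    """Access-list entries naming a given host/network; read these before removing an ACL."""
    return [l.strip() for l in config.splitlines()
            if l.strip().startswith("access-list") and target in l]


if __name__ == "__main__":
    print(shared_outside_addresses(SAMPLE_CONFIG))
    print(acl_lines_mentioning(SAMPLE_CONFIG, "203.0.113.10"))
```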

branfarm1 Tue, 07/14/2009 - 18:30

Well friend, I'm afraid I'm out of ideas on this one...

Hopefully someone smarter will pick up the thread and solve your problem.

Once you figure it out, be sure and post it -- I'm interested to know the solution!


cisco_himg Tue, 07/14/2009 - 18:34

Hey no problem man!

I really appreciate you taking the time to help out. I should be paying you for the time tonight. I will definitely keep you posted. Do you have an email so I could keep in touch?

thanks again!

