
Accessing a website behind ASA5510

Unanswered Question
Sep 30th, 2014

I am having a problem with accessing one of the websites on a Cisco network. We have a Cisco 3750X with an ASA5510 in front of it, and multiple VLANs on the network. 

The particular website I am trying to access does not work on VLAN113 but works on other VLANs like 130 and 88, for example. All these VLANs share the same physical gateway, which is the ASA, and all have the same public IP. There is no URL filtering in place and the only thing I can see that's different is the DNS. The VLAN 130 and 88 use OpenDNS whereas the 113 uses a local DNS server. I have tried changing the DNS to use Google and OpenDNS but nothing makes any difference. Flushing DNS cache and deleting temp files makes no difference.

Any ideas?

 

Thanks in advance.

Dima

Overall Rating: 4 (2 ratings)
adamtodd16 Tue, 09/30/2014 - 11:12

Can you ping your ASA from the web server? 

Do you have a route from the ASA to that VLAN? 

Can you access the website internally via IP address?

Can you access the website internally by name?

Can you access the website externally via IP address?

 

Richard Burts Tue, 09/30/2014 - 15:15
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Dima

 

It might be helpful if you would provide some information from your ASA. In particular it would help if we knew each of its interfaces and their IP addresses and their security level associated with each of the vlans. It could possibly be an issue with traffic from a lower security level interface trying to go to a higher security level interface.

 

HTH

 

Rick

Dmitry Golovenkin Wed, 10/01/2014 - 01:18

Richard,

 

Here is the list. They all have the same security level, apart from the VLAN 66. However all the VLANs seem to access the website fine but the 113. 

 

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         188.x.x.x       YES CONFIG up                    up
GigabitEthernet0/1         192.168.100.250 YES CONFIG up                    up
GigabitEthernet0/1.1       unassigned      YES unset  administratively down down
GigabitEthernet0/1.21      192.168.21.250  YES CONFIG up                    up
GigabitEthernet0/1.22      192.168.22.250  YES CONFIG up                    up
GigabitEthernet0/1.55      10.88.0.250     YES CONFIG up                    up
GigabitEthernet0/1.66      10.87.0.250     YES CONFIG up                    up
GigabitEthernet0/1.95      unassigned      YES unset  up                    up
GigabitEthernet0/1.100     192.168.108.250 YES CONFIG up                    up
GigabitEthernet0/1.113     192.168.113.250 YES CONFIG up                    up
GigabitEthernet0/1.115     192.168.115.250 YES CONFIG up                    up
GigabitEthernet0/1.130     192.168.130.250 YES CONFIG up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         10.1.0.1        YES unset  up                    up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  down                  down
Internal-Data0/1           unassigned      YES unset  down                  down
Internal-Data0/2           unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  administratively down down

Dmitry Golovenkin Mon, 10/06/2014 - 00:47

The problem was down to the server hosting the website that was blocking our IP address! All sorted now, thank you all for your help.

Richard Burts Mon, 10/06/2014 - 07:47

Dima

 

I am glad that you have resolved the issue. Thank you for posting back to the forum to let us know that it is solved and what the issue was. Perhaps it is helpful for us to be reminded that sometimes the problem is not in the device that we manage but is in the other device that we do not manage.

 

HTH

 

Rick

Dmitry Golovenkin Wed, 10/01/2014 - 01:14

I do not have access to the webserver to be able to do that as it's a shared host. 

It's just a general website hosted elsewhere in the country and other vlans can access it no problem and people outside can access it too. 

IP access does not work as it hosts multiple websites. 

 

Cheers

Richard Burts Wed, 10/01/2014 - 07:40

It is not clear to me whether this problem is an issue with IP forwarding to the server or is an issue with DNS. So from a device on vlan 113 where the webserver does not work please do a ping to the webserver name. The important thing here is whether the ping is able to resolve the name to an IP address or fails to resolve the name. Please do the ping and inform us of the results.

 

HTH

 

Rick
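The DNS-versus-forwarding check requested in the post above, carried two stages further (TCP handshake, then an HTTP request with a Host header), as an added example that is not part of the original thread. The function name `diagnose` and the hostname `www.example.com` are assumptions made for illustration.

```python
import socket
import sys

def diagnose(host, port=80, timeout=5.0):
    """Return (stage, detail) for the first failing stage, or ("ok", status line)."""
    # Stage 1: name resolution, the same thing "ping <name>" tests.
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"
    ip = infos[0][4][0]

    # Stage 2: TCP handshake. A timeout points at a silent drop on the path
    # (firewall, routing, NAT); a refusal or reset came back from the far side.
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except socket.timeout:
        return "tcp", f"{ip}:{port} timed out"
    except OSError as exc:
        return "tcp", f"{ip}:{port} failed: {exc}"

    # Stage 3: HTTP request carrying the Host header. On a shared host the
    # site is selected by name, which is why browsing to the bare IP fails.
    with sock:
        try:
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(1024)
        except OSError as exc:
            return "http", f"connected to {ip} but the request failed: {exc}"
    if not reply:
        return "http", f"connected to {ip} but the server closed without answering"
    status = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status.split(" ")
    code = parts[1] if len(parts) > 1 else ""
    # 2xx/3xx means the path and the server both work for this client.
    if code[:1] in ("2", "3"):
        return "ok", f"{ip} answered: {status}"
    return "http", f"{ip} answered: {status}"

if __name__ == "__main__":
    # www.example.com is a placeholder; pass the real site name as argument 1.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print(*diagnose(target), sep=": ")
```

Running it from a working VLAN and from the failing one and comparing the stage each reports shows where the two paths diverge.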

Dmitry Golovenkin Wed, 10/01/2014 - 09:28

Richard,

 

The name resolves to the same IP as it does outside the network. I've tried using different DNS servers and get the same result. All PCs do the same thing from that vlan. 

 

Cheers

adamtodd16 Wed, 10/01/2014 - 09:31

And assuming this is the only outside website you cannot reach?

Can you access it by typing the IP into your browser?

Dmitry Golovenkin Wed, 10/01/2014 - 09:33

As far as we know, yes, that's the only website. Cannot access it via IP as it's on a shared host.

adamtodd16 Wed, 10/01/2014 - 09:50

Can you try some other websites to confirm this? 

Richard Burts Wed, 10/01/2014 - 12:22

If ping to the name of the webserver does resolve to the correct IP then it is hard for me to see how this would be a DNS problem. It does sound more like an IP forwarding issue. To figure out what it might be we would have to have information about the device doing the forwarding which I believe is an ASA.

 

HTH

 

Rick

Dmitry Golovenkin Thu, 10/02/2014 - 00:43

Other websites work fine, it's just this particular one that does not.

 

What information would you like, Richard?

Richard Burts Thu, 10/02/2014 - 04:42

Dima

 

As a starting point it might be interesting to see the output of

show run | inc 192.168.113

show run | inc <subnet_of_the_server>

Beyond that we would want to see how many interfaces on the ASA, how they are configured, any access lists that are used, any address translations that are configured.

 

HTH

 

Rick
