
CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Hi,

My network is as below.

Router
  |
  |
Firewall--SERVER DMZ
  |
  |
LAN

I have a peculiar problem wherein users accessing certain internet pages are getting a "page cannot be displayed" error.

For example, after accessing hp.com, when I go to download the drivers the page always says it cannot be displayed.

I also checked the show conn detail; it was giving me a flag value of UIFRO, which is something to do with SUNRPC UDP packets not getting accepted. Can someone help me on how I get this resolved? I am also attaching the present firewall config. Without the firewall it's working fine.

Regards, JKannan

10 REPLIES
Gold

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Why do you have a service policy applied to the outside interface?

You have an ACL entry for 150 that is permit icmp any any, so you can take out all other ICMP ACL entries for that ACL.

Gold

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Also, try re-entering your global statement without the netmask.

Bronze

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

This is a "famous" problem of ASA or PIX 7.x; you can see how to fix it in:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

I don't think you need to do all the things the link says, but at the end of it is the solution.

Please rate the post if it helps.

New Member

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Hi,

Even after doing the changes as mentioned in the link, I am facing a problem in accessing the drivers download page on HP.com.

Krishna.

Bronze

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Have you created a "permit any any" entry for the access list that matches the TCP adjust? If not, I think you should do so, because if you closed the access list on the HP website IP address, it could be a different address for the drivers download area, so with an "any any" all the pages should be accessible... if the MSS is the problem, of course.

New Member

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Hi, have you managed to sort this problem? I also have the same issue with the HP website and driver page through an IOS firewall. I have tried taking the access list out and adjusting the ip tcp mss size on the inside Ethernet interface, but still have the problem.

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Would the problem be related to the IOS running in the ASA? It's running version 7.0; should I try upgrading to 7.2 and check if it's working fine?

Regards, JKannan

New Member

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Problem solved.

Really simple in the end. I put a debug icmp on the box and noticed the redirect for the remote web site was a 192 network. I had a route for 192 pointing into my internal network, so this is why everything went pear-shaped. Just shows how you can go down the wrong path when sometimes the fix is quite simple.

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

How can an internal route be a cause for this problem?

Regards, JKannan

New Member

Re: CERTAIN INTERNET WEBPAGES NOT OPENING THRU THE ASA FIREWALL.

Hi,

In my scenario I had users going to the HP web site, and this was fine; when they attempted to go to the driver download site, the connection failed at this point. Initially I thought it was an issue with MTU, but on further investigation I noticed the routing issue.

I have various 192 networks on my internal network and a static route of 192.0.0.0 255.0.0.0 pointing to my internal routers. When you get redirected to the driver site, the router receives an ICMP redirect with the IP address of the HP download site. This site had a 192 address, hence the clash. So I have now changed my routing tables on the firewall and all is well. The blanket 192 network I had in the routing table was a bad idea!!
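The failure mode described in the reply above (a blanket 192.0.0.0/8 static route pointing at the inside, which swallows traffic to any public 192.x.x.x host) can be caught before it bites by checking a routing table for inside-pointing routes that cover address space outside RFC 1918. The following Python script is an added example, not code from the thread or from Cisco: the routing tables, next-hop names and interface names are constructed for illustration, and 192.0.2.10 (from the TEST-NET-1 documentation range) stands in for the public download host; it is not HP's address. "Public" here simply means not in 10/8, 172.16/12 or 192.168/16.

```python
import ipaddress

# RFC 1918 private address space; anything else is treated as public here.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed static routing table modelled on the thread: a blanket 192/8
# route to an internal router plus a default route to the ISP.
ROUTES = [
    ("192.0.0.0/8", "inside-router", "inside"),
    ("10.0.0.0/8", "inside-router", "inside"),
    ("0.0.0.0/0", "isp-gateway", "outside"),
]

# Constructed corrected table: only the RFC 1918 block actually used
# internally is routed inside, so public 192.x.x.x hosts fall to the default.
FIXED_ROUTES = [
    ("192.168.0.0/16", "inside-router", "inside"),
    ("10.0.0.0/8", "inside-router", "inside"),
    ("0.0.0.0/0", "isp-gateway", "outside"),
]

# Hypothetical destination: a public host in the 192 space (TEST-NET-1).
DOWNLOAD_HOST = "192.0.2.10"


def parse_routes(routes):
    """Turn (prefix, next_hop, interface) strings into network objects."""
    return [(ipaddress.ip_network(prefix), next_hop, iface)
            for prefix, next_hop, iface in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Returns (prefix, next_hop, interface) as strings, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def public_leak(table):
    """For every route that points at the inside interface, return the
    public (non-RFC 1918) space it captures, as sorted prefix strings.
    An empty dict means no inside route hijacks public destinations."""
    findings = {}
    for net, _next_hop, iface in table:
        if iface != "inside":
            continue
        leftover = [net]
        for priv in PRIVATE:
            remaining = []
            for n in leftover:
                if priv.subnet_of(n):
                    # Carve the private block out; keep the public remainder.
                    remaining.extend(n.address_exclude(priv))
                elif n.subnet_of(priv):
                    pass  # entirely private: nothing public to report
                else:
                    remaining.append(n)  # CIDR blocks that do not nest never overlap
            leftover = remaining
        if leftover:
            findings[str(net)] = [str(n) for n in sorted(leftover)]
    return findings


def misrouted(table, dst):
    """True when a public destination would be sent to the inside interface."""
    route = lookup(table, dst)
    addr = ipaddress.ip_address(dst)
    is_private = any(addr in p for p in PRIVATE)
    return route is not None and route[2] == "inside" and not is_private


if __name__ == "__main__":
    for name, routes in (("before", ROUTES), ("after", FIXED_ROUTES)):
        table = parse_routes(routes)
        print(name, "lookup", DOWNLOAD_HOST, "->", lookup(table, DOWNLOAD_HOST))
        print(name, "misrouted:", misrouted(table, DOWNLOAD_HOST))
        print(name, "public space captured by inside routes:", public_leak(table))
```

Running it shows the blanket route sending the public host to the inside router and lists the eight public sub-blocks of 192.0.0.0/8 that the route captures; with the corrected table the same host follows the default route and the leak report is empty. The same check runs unchanged over any static route list exported from a firewall, as long as it is reduced to prefix, next hop and interface.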
