1163 Views | 0 Helpful | 30 Replies

ok, what the crap is going on?

cisco_himg (Level 1)

Here is the deal. I am certain that this doesn't belong in this category, but I trust the security people more than anyone.

I have a website that I can't access from a certain subinterface. I logged onto the guest VLAN and was able to get to it.

It has always worked until the other day.

I know you might think it has to be a DNS issue, but I don't think that is the case. Let me reiterate: there are NO WEBSENSE OR WEB MONITORING services on. BUT if it is a DNS issue, our DNS is hosted on ONE server, a Windows 2003 server which hosts our DHCP and DNS. How can a server hosting a DNS prohibit access to only ONE website???

HOWEVER, on the guest VLAN, it is using the same outside subinterface as my vlan.

Crazy! What could it be! Help!!!


All hosts on the VLAN (I at least checked that) :)....

Where do I look on the ASA to check to see if the website is blocked... or the IP is blocked...

I do have an SNMP trap set up so they can email us, but that hasn't been touched in a year.

You'll want to look at these items:

-- Access-lists (show access-list)

-- Service-policies (show service-policy)

-- Config items related to class maps, policy maps, and service policies (show run | begin class-map)

You could also try using the Packet tracer wizard in the ASDM to simulate traffic going through your ASA to see if the ASA would block it (ASDM > Tools menu > Packet Tracer).

I did the packet tracer from my workstation IP to the IP of the website and it says it's allowed....

Here is my ASA config... keep in mind the SMTP trap...

But the website I need to get to is..

www.healthyhuntington.org or 74.55.0.178

See attached... let me know if you see anything that might block that site.

You might consider "cleansing" that config a bit more... it has all usernames and passwords, IPs, etc. still in place.

It also looks as if you do in fact have websense in place:

url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Am I interpreting this wrong?

Yes I know.. I posted the wrong one..

BUT..

Websense is on the firewall... BUT if you look, mn-is-apps1 is the machine that hosts the Websense. But all Websense policies are turned off on this machine...

What happens if you temporarily remove the RESTRICT_SMTP access list from the inside_vlan17?

Am I correct in assuming that inside_vlan17 is where the trouble is occurring?

Yes that is correct.... VLAN 17 is my VLAN...

Will it mess anything up?

But that access list only restricts email traffic.... how would that help?

Again I'm just throwing out ideas here. That access list is the only thing filtering incoming traffic on the internal interface, and it specifically mentions that website address. Couldn't hurt to try it with it off just to make sure...

OK, which one do I remove?

Use this to remove the RESTRICT_SMTP access-list from the inside_vlan17 interface:

no access-group RESTRICT_SMTP in interface inside_vlan17

All that does is remove that access-list from that interface -- the access-list remains in the config.
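A way to work through the checklist given earlier in the thread (access-lists, access-group bindings, URL-filter lines) against a saved copy of the ASA config, and to confirm what removing an access-group binding changes. This is an added example, not code from the thread or from Cisco; the config text is constructed for illustration and only borrows the url-server, filter and access-group lines quoted in the thread. The ACL entries for RESTRICT_SMTP are assumed, not the poster's real config.

```python
"""Scan a saved Cisco ASA configuration for anything that could affect a
destination: ACL entries whose destination covers its IP, the ACLs bound to the
suspect interface, and URL-filter (Websense) directives.

Constructed sample config, assuming the usual layout of an ASA 'show run'.
"""
import ipaddress
import re

# Constructed sample: the url-server / filter / access-group lines are the ones
# quoted in the thread; the access-list entries are an assumption.
SAMPLE_CONFIG = """\
interface Vlan17
 nameif inside_vlan17
 security-level 100
access-list RESTRICT_SMTP extended deny tcp any host 74.55.0.178 eq smtp
access-list RESTRICT_SMTP extended deny tcp any host 10.0.0.5 eq www
access-list RESTRICT_SMTP extended permit ip any any
access-group RESTRICT_SMTP in interface inside_vlan17
url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def _take_spec(tokens):
    """Consume one ASA address spec (any / host X / net mask / object ...)."""
    if not tokens:
        return None, tokens
    head = tokens[0]
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host" and len(tokens) > 1:
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if head in ("object", "object-group", "interface") and len(tokens) > 1:
        return ("unresolved", tokens[1]), tokens[2:]   # would need the object definition
    if len(tokens) > 1:
        try:
            return ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False), tokens[2:]
        except ValueError:
            pass
    return ("unresolved", head), tokens[1:]


def _skip_port(tokens):
    """Skip a source-port qualifier (eq/gt/lt/neq X, range X Y) if present."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq") and len(tokens) > 1:
        return tokens[2:]
    if tokens and tokens[0] == "range" and len(tokens) > 2:
        return tokens[3:]
    return tokens


def acl_entries_for_destination(config, target):
    """Return (acl_name, action, line) for every ACL entry whose destination
    covers `target`, or cannot be resolved without object definitions.
    Ports and protocol are NOT evaluated; read the line to see e.g. 'eq smtp'."""
    ip = ipaddress.ip_address(target)
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m:
            continue
        name, action, _proto, rest = m.groups()
        tokens = rest.split()
        _src, tokens = _take_spec(tokens)
        tokens = _skip_port(tokens)
        dst, _ = _take_spec(tokens)
        if isinstance(dst, tuple) or (dst is not None and ip in dst):
            hits.append((name, action, line))
    return hits


def bindings_for_interface(config, ifname):
    """ACLs applied to an interface, as (acl_name, direction)."""
    out = []
    for raw in config.splitlines():
        m = GROUP_RE.match(raw.strip())
        if m and m.group(3) == ifname:
            out.append((m.group(1), m.group(2)))
    return out


def url_filter_lines(config):
    """url-server and filter directives, which route HTTP/HTTPS to Websense."""
    prefixes = ("url-server", "filter url", "filter https", "filter ftp")
    return [l.strip() for l in config.splitlines() if l.strip().startswith(prefixes)]


def first_candidate_entry(config, target, ifname):
    """First entry (ASA evaluates ACLs top-down) bound inbound on `ifname`
    whose destination covers `target`; None if no bound ACL mentions it."""
    bound = {n for n, d in bindings_for_interface(config, ifname) if d == "in"}
    for name, action, line in acl_entries_for_destination(config, target):
        if name in bound:
            return (action, line)
    return None


if __name__ == "__main__":
    site, iface = "74.55.0.178", "inside_vlan17"
    print("Bound on", iface, ":", bindings_for_interface(SAMPLE_CONFIG, iface))
    for entry in acl_entries_for_destination(SAMPLE_CONFIG, site):
        print("ACL entry covering", site, ":", entry)
    print("First candidate:", first_candidate_entry(SAMPLE_CONFIG, site, iface))
    for l in url_filter_lines(SAMPLE_CONFIG):
        print("URL filter:", l)
```

Run against the sample, the scan shows the only ACL bound inbound on inside_vlan17 does mention the site, but its first matching entry is the `eq smtp` deny, which is why removing the binding with `no access-group` made no difference for web traffic. The `filter url ... allow` lines are still worth a look after the ACL check: with `allow` present the ASA passes HTTP/HTTPS when the url-server is unreachable, so whether the Websense host answers (and what it answers) matters independently of the policies configured on that host.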

Nope.. it didn't make a difference....

Well friend, I'm afraid I'm out of ideas on this one...

Hopefully someone smarter will pick up the thread and solve your problem.

Once you figure it out, be sure and post it -- I'm interested to know the solution!

--Brandon

Hey no problem man!

I really appreciate you taking the time to help out. I should be paying you for the time tonight. I will definitely keep you posted. Do you have an email I could keep in touch with?

Thanks again!
