07-14-2009 03:40 PM - edited 03-10-2019 01:38 PM
Here is the deal. I am certain that this doesn't belong in this category, but I trust the security people more than anyone.
I have a website that I can't access from a certain subinterface. I logged onto the guest VLAN and was able to get to it.
It has always worked until the other day.
I know you might think it has to be a DNS issue, but I don't think that is the case. Let me reiterate there are NO WEBSENSE OR WEB MONITORING services on. BUT if it is a DNS issue, our DNS is hosted on ONE server, a Windows 2003 server which hosts our DHCP and DNS. How can a server hosting DNS prohibit access to only ONE website???
HOWEVER, on the guest VLAN, it is using the same outside subinterface as my vlan.
Crazy! What could it be! Help!!!
07-14-2009 05:20 PM
All hosts on the VLAN (I at least checked that) :)....
Where do I look on the ASA to check whether the website is blocked...or the IP is blocked...
I do have an SNMP trap set up so they can email us, but that hasn't been touched in a year.
07-14-2009 05:29 PM
You'll want to look at these items:
-- Access-lists (show access-list)
-- Service-policies (show service-policy)
-- Config items related to class maps, policy maps, and service policies (show run | begin class-map)
You could also try using the Packet tracer wizard in the ASDM to simulate traffic going through your ASA to see if the ASA would block it (ASDM > Tools menu > Packet Tracer).
07-14-2009 05:32 PM
I did the packet tracer from my workstation IP to the IP of the website and it says it's allowed....
07-14-2009 05:29 PM
Here is my ASA config...keep in mind the SMTP trap...
But the website I need to get to is..
www.healthyhuntington.org or 74.55.0.178
See attached...let me know if you see anything that might block that site.
07-14-2009 05:45 PM
You might consider "cleansing" that config a bit more... it has all usernames and passwords, IPs, etc. still in place.
It also looks as if you do in fact have websense in place:
url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Am I interpreting this wrong?
07-14-2009 05:49 PM
Yes, I know.. I posted the wrong one..
BUT..
Websense is on the firewall...BUT if you look, MN-IS-APPS1 is the machine that hosts the Websense. But all Websense policies are turned off on this machine...
07-14-2009 05:54 PM
What happens if you temporarily remove the RESTRICT_SMTP access list from the inside_vlan17?
Am I correct in assuming that inside_vlan17 is where the trouble is occurring?
07-14-2009 05:55 PM
Yes, that is correct....VLAN 17 is my VLAN...
Will it mess anything up?
07-14-2009 05:56 PM
But that access list only restricts email traffic....how would that help?
07-14-2009 05:59 PM
Again I'm just throwing out ideas here. That access list is the only thing filtering incoming traffic on the internal interface, and it specifically mentions that website address. Couldn't hurt to try it with it off just to make sure...
07-14-2009 06:00 PM
OK, which one do I remove?
07-14-2009 06:04 PM
Use this to remove the RESTRICT_SMTP access-list from the inside_vlan17 interface:
no access-group RESTRICT_SMTP in interface inside_vlan17
All that does is remove that access-list from that interface -- the access-list remains in the config.
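The items checked so far in this thread (the access-list bound inbound on the interface, the url-server entry and the filter statements) can be pulled out of a saved config in one pass. This is an added example, not part of any post; the function name is hypothetical and the access-list entry in the sample is a constructed placeholder, since the real one is not shown on the page.

```python
import re

# Constructed sample. The url-server/filter lines and the access-group binding
# are the ones quoted in the thread; the access-list entry is a placeholder.
SAMPLE_CONFIG = """\
access-list RESTRICT_SMTP extended permit tcp any any eq smtp
access-group RESTRICT_SMTP in interface inside_vlan17
url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

def web_path_controls(config_text, interface):
    """Collect config items that can affect web traffic entering `interface`."""
    found = {"acls": {}, "url_servers": [], "filters": []}
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", ln)
        if m and m.group(2) == interface:
            found["acls"][m.group(1)] = []
        m = re.match(r"url-server \((\S+)\) vendor (\S+) host (\S+)", ln)
        if m:
            found["url_servers"].append(
                {"interface": m.group(1), "vendor": m.group(2), "host": m.group(3)})
        m = re.match(r"filter (url|https) (\S+) (\S+) (\S+) (\S+) (\S+)(.*)$", ln)
        if m:
            found["filters"].append({
                "kind": m.group(1), "port": m.group(2),
                # 0.0.0.0 0.0.0.0 for both local and foreign means every host
                "all_hosts": m.groups()[2:6] == ("0.0.0.0",) * 4,
                # 'allow' = pass traffic unfiltered if the URL server is down
                "fail_open": "allow" in m.group(7).split(),
            })
    # Second pass: attach the entries of each ACL bound to the interface
    for ln in lines:
        parts = ln.split(None, 2)
        if len(parts) == 3 and parts[0] == "access-list" and parts[1] in found["acls"]:
            found["acls"][parts[1]].append(parts[2])
    return found

if __name__ == "__main__":
    report = web_path_controls(SAMPLE_CONFIG, "inside_vlan17")
    for name, entries in report["acls"].items():
        print(f"ACL {name} bound inbound: {len(entries)} entries")
    for srv in report["url_servers"]:
        print(f"URL server {srv['vendor']} on {srv['host']} via {srv['interface']}")
    for f in report["filters"]:
        print(f"filter {f['kind']} port {f['port']}: all_hosts={f['all_hosts']} fail_open={f['fail_open']}")
```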
07-14-2009 06:18 PM
Nope..it didn't make a difference....
07-14-2009 06:30 PM
Well friend, I'm afraid I'm out of ideas on this one...
Hopefully someone smarter will pick up the thread and solve your problem.
Once you figure it out, be sure and post it -- I'm interested to know the solution!
--Brandon
07-14-2009 06:34 PM
Hey no problem man!
I really appreciate you taking the time to help out. I should be paying you for the time tonight. I will definitely keep you posted. Do you have an email so I could keep in touch?
Thanks again!