Here is the deal. I am certain that this doesn't belong in this category, but I trust the security people more than anyone.
I have a website that I can't access from a certain subinterface. I logged onto the guest VLAN and was able to get to it.
It has always worked until the other day.
I know you might think it has to be a DNS issue, but I don't think that is the case. Let me reiterate: there is NO WEBSENSE OR WEB MONITORING service on. BUT if it is a DNS issue, our DNS is hosted on ONE server, a Windows 2003 server which hosts our DHCP and DNS. How can a server hosting DNS prohibit access to only ONE website???
HOWEVER, on the guest VLAN, it is using the same outside subinterface as my VLAN.
Crazy! What could it be? Help!!!
Is it just the one website or is it more than one?
Also, are the connectivity issues limited to the one website, or is it more than just http?
Just one website. It DOES NOT come up with "page cannot be displayed"; it actually says "check your internet connection", but like I said, I can connect through every VLAN that isn't on our domain. Isn't that weird??
I am totally out of ideas.
I guess the other question is whether or not there would be a good reason to block this website. If there's a good reason to block it, there are plenty of ways to block it without having Websense or another filtering server configured. Do you have access to the firewall config? Can you post a cleansed version?
OK... when I traceroute, it gets there; when I ping, it gets there...
When I put the address in, like I said, "check your internet connection", or I go to Bing, which is a Microsoft search page. On the search page, I see the site, but when I click on it, it gives me the error message.
When I put the IP address in the browser, it goes to cPanel, which is a web hosting site.
I am working on trying to get a config together, but I don't think it will help.
OK -- let's think about this from another perspective. You mentioned that the site works from any interface not "on your domain." Is there a reason this site would want to block your domain? If it's being hosted by a web hosting company, then there are most likely monthly bandwidth limits for the operators of the website in question. Could traffic from your organization be overwhelming their site and/or consuming their monthly allotment?
There are ways for the website admins to block your domain:
Here's an example using Apache and .htaccess files: http://www.techiecorner.com/95/block-ip-from-accessing-website-using-htaccess/
There is only one person (a physician) that uses this website, so I know he doesn't bog down their webserver.
Where is this file so I can check it? This sounds really good!
Well, it would be on the website's server, so you won't have access to it unfortunately. You could always email the admin of the website and ask if you've been blocked :)
Does your network have any kind of IPS/IDS system in place?
OK... yes, we have both IPS and IDS....
BUT the guest VLAN is on the same subinterface on the Cisco ASA, which makes my VLAN and the guest VLAN have the same outside IP address. Make sense? So they should be blocking my IP address.
What about the IPS/IDS?
So your internet traffic, whether from the guest VLAN or the non-guest VLAN, is NAT'd to the same external IP range (or address)?
I'm just throwing out ideas here... IPS can block traffic if it deems it malicious, but depending on the placement it would block the traffic no matter where it was accessed from. Unless the IPS was on a different path to the internet than the traffic from the guest VLAN...
Yes... that is correct on the NAT question.
I checked IPS and nothing is being blocked or logged.
That was a very good idea though.... Anything else I can check?
What about this: try accessing the website from the problem VLAN, through a web proxy service like Ninjacloak: http://ninjacloak.com/
What happens then?
Hmm... So here's what we know:
1. Website works from guest VLAN Y
2. Website does not work from VLAN X
3. Internal IPs and guest IPs are NAT'd to the same external range.
4. Website works from VLAN X when viewing through a proxy service.
Just to clarify, are you NAT'ing to the same external range for both the guest VLAN and the trouble VLAN, or are they unique ranges on the same outside network?
i.e. nat (guest) 1 x.x.x.x
nat (inside) 1 x.x.x.x
global (outside) 1 x.x.x.x
or nat (guest) 1 x.x.x.x
nat (inside) 2 x.x.x.x
global (outside) 1 x.x.x.x
global (outside) 2 x.x.x.x
If your outside IPs really do overlap for the different VLANs, then I'm at a loss. Somewhere in your network there is something that is blocking that specific website. You can configure ASAs to block web traffic using modular policies and access-lists, so it's still possible the firewall is blocking it.
Another question I should've thought of earlier on, is it only one host on the trouble VLAN or all hosts on the trouble VLAN that can't access the website?
All hosts on the VLAN (I at least checked that) :)....
Where do I look on the ASA to check to see if the website is blocked... or the IP is blocked...
I do have an SNMP trap set up so they can email us, but that hasn't been touched in a year.
You'll want to look at these items:
-- Access-lists (show access-list)
-- Service-policies (show service-policy)
-- Config items related to class maps, policy maps, and service policies (show run | begin class-map)
You could also try using the Packet tracer wizard in the ASDM to simulate traffic going through your ASA to see if the ASA would block it (ASDM > Tools menu > Packet Tracer).
Here is my ASA config... keep in mind the SMTP trap...
But the website I need to get to is...
www.healthyhuntington.org or 188.8.131.52
See attached... let me know if you see anything that might block that site.
You might consider "cleansing" that config a bit more... it still has all usernames and passwords, IPs, etc. in place.
It also looks as if you do in fact have websense in place:
url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Am I interpreting this wrong?
Yes, I know... I posted the wrong one.
Websense is on the firewall... BUT if you look, mn-is-apps1 is the machine that hosts the Websense. But all Websense policies are turned off on this machine...
What happens if you temporarily remove the RESTRICT_SMTP access list from the inside_vlan17?
Am I correct in assuming that inside_vlan17 is where the trouble is occurring?
Again I'm just throwing out ideas here. That access list is the only thing filtering incoming traffic on the internal interface, and it specifically mentions that website address. Couldn't hurt to try it with it off just to make sure...
Use this to remove the RESTRICT_SMTP access-list from the inside_vlan17 interface:
no access-group RESTRICT_SMTP in interface inside_vlan17
All that does is remove that access-list from that interface -- the access-list remains in the config.
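Added example (not the poster's config, and not a Cisco tool): a small Python scanner for the three things the replies above ask to check in a sanitised ASA running-config, i.e. deny ACEs whose destination covers the website's IP and the interfaces those ACLs are applied on (access-group), the url-server / filter lines that hand HTTP decisions to Websense, and which interfaces share one nat/global pool and therefore one outside address. The config lines below are constructed in the same pre-8.3 nat/global syntax quoted in the thread; 192.0.2.10 is a documentation address standing in for the website, and the ACL name RESTRICT_SMTP is reused only so the sample resembles the discussion. Packet Tracer on the ASA remains the authoritative check; this just narrows down what to look at.

```python
"""Scan a sanitised Cisco ASA config for anything that could affect one destination host.
Added example for this thread; not the poster's config and not vendor code."""
import ipaddress
import re

# Constructed sample config (NOT the poster's). 192.0.2.10 stands in for the website's IP.
SAMPLE_CONFIG = """\
hostname example-asa
access-list RESTRICT_SMTP extended deny tcp any host 192.0.2.10 eq www
access-list RESTRICT_SMTP extended deny tcp any host 192.0.2.10 eq smtp
access-list RESTRICT_SMTP extended permit ip any any
access-group RESTRICT_SMTP in interface inside_vlan17
nat (guest) 1 10.20.0.0 255.255.255.0
nat (inside_vlan17) 1 10.17.0.0 255.255.255.0
global (outside) 1 interface
url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

# Minimal port-name map for the ACE "eq <name>" form (assumption: only these names appear).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")


def _parse_addr(tokens, i):
    """Parse one ACE address spec at tokens[i] ('any', 'host X', or 'X MASK'); return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def deny_aces_for(config, target_ip, port=80):
    """Deny ACEs whose destination covers target_ip and whose port (if named) equals port."""
    target = ipaddress.ip_address(target_ip)
    hits = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(2) != "deny":
            continue
        name, _, proto, rest = m.groups()
        tokens = rest.split()
        _, i = _parse_addr(tokens, 0)        # source: any inside host is a candidate, so ignored
        dst, i = _parse_addr(tokens, i)
        ace_port = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            ace_port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        if target in dst and (ace_port is None or ace_port == port):
            hits.append({"acl": name, "proto": proto, "port": ace_port, "line": line.strip()})
    return hits


def acl_bindings(config):
    """Map ACL name -> [(direction, interface)] from access-group lines."""
    bindings = {}
    for m in re.finditer(r"^access-group (\S+) (in|out) interface (\S+)$", config, re.M):
        bindings.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return bindings


def shared_nat_interfaces(config):
    """Map nat id -> interfaces translated through it; one id means one set of outside addresses."""
    pools = {}
    for m in re.finditer(r"^nat \((\S+)\) (\d+) ", config, re.M):
        pools.setdefault(m.group(2), []).append(m.group(1))
    return pools


def url_filter_lines(config):
    """Lines that delegate HTTP/HTTPS decisions to an external URL server (e.g. Websense)."""
    return [l.strip() for l in config.splitlines()
            if l.strip().startswith(("url-server", "filter url", "filter https"))]


def find_blocks(config, target_ip, port=80):
    """Each deny ACE covering the target, annotated with the interfaces its ACL is applied on."""
    bindings = acl_bindings(config)
    return [dict(ace, applied_on=bindings.get(ace["acl"], []))
            for ace in deny_aces_for(config, target_ip, port)]


if __name__ == "__main__":
    for hit in find_blocks(SAMPLE_CONFIG, "192.0.2.10"):
        print("possible block:", hit)
    print("interfaces sharing a NAT pool:", shared_nat_interfaces(SAMPLE_CONFIG))
    print("URL filtering in play:", url_filter_lines(SAMPLE_CONFIG))
```

Run it against `show running-config` output instead of SAMPLE_CONFIG. A deny hit applied "in" on the trouble interface, with the guest interface absent from that binding but present in the same NAT pool, is exactly the pattern the thread is circling: same outside address, different inbound ACL.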
Well friend, I'm afraid I'm out of ideas on this one...
Hopefully someone smarter will pick up the thread and solve your problem.
Once you figure it out, be sure and post it -- I'm interested to know the solution!
Hey, no problem, man!
I really appreciate you taking the time to help out. I should be paying you for the time tonight. I will definitely keep you posted. Do you have an email I could use to keep in touch?