Community Member

ok, what the crap is going on?

Here is the deal. I am certain that this doesn't belong in this category, but I trust the security people more than anyone.

I have a website that I can't access from a certain subinterface. I logged onto the guest VLAN and was able to get to it.

It has always worked until the other day.

I know you might think it has to be a DNS issue, but I don't think that is the case. Let me reiterate: there is NO WEBSENSE OR WEB MONITORING service on. BUT if it is a DNS issue, our DNS is hosted on ONE server, a Windows 2003 server which hosts our DHCP and DNS. How can a server hosting DNS prohibit access to only ONE website???

HOWEVER, on the guest VLAN, it is using the same outside subinterface as my vlan.

Crazy! What could it be! Help!!!

30 REPLIES
Bronze

Re: ok, what the crap is going on?

Is it just the one website or is it more than one?

Also, are the connectivity issues limited to the one website, or is it more than just http?

Community Member

Re: ok, what the crap is going on?

Just one website. It DOES NOT come up with "page cannot be displayed", it actually says "check your internet connection", but like I said, I can connect through every VLAN that isn't on our domain. Isn't that weird??

I am totally out of ideas.

Bronze

Re: ok, what the crap is going on?

I guess the other question is whether or not there would be a good reason to block this website. If there's a good reason to block it, there are plenty of ways to block it without having websense or another filtering server configured. Do you have access to the Firewall config? Can you post a cleansed version?

Bronze

Re: ok, what the crap is going on?

Can you ping or traceroute to the website in question? Where does the traceroute stop?

Community Member

Re: ok, what the crap is going on?

OK... when I traceroute, it gets there... when I ping, it gets there...

BUT!

When I put the address in, like I said, "check your internet connection", or I go to BING, which is a Microsoft search page. On the search page, I see the site, but when I click on it, it gives me the error message.

When I put the IP address in the browser, it goes to CPANEL, which is a web hosting site.

I am working on trying to get a config together, but I don't think it will help.

Bronze

Re: ok, what the crap is going on?

Ok -- let's think about this from another perspective. You mentioned that the site works from any interface not "on your domain." Is there a reason this site would want to block your domain? If it's being hosted by a web hosting company, then there are most likely monthly bandwidth limits for the operators of the website in question. Could traffic from your organization be overwhelming their site and/or consuming their monthly allotment?

There are ways for the website admins to block your domain:

Here's an example using Apache and .htaccess files: http://www.techiecorner.com/95/block-ip-from-accessing-website-using-htaccess/

Community Member

Re: ok, what the crap is going on?

There is only one person (a physician) that uses this website, so I know he doesn't bog down their webserver.

Where is this file so I can check it? This sounds really good!

Bronze

Re: ok, what the crap is going on?

Well, it would be on the website's server, so you won't have access to it unfortunately. You could always email the admin of the website and ask if you've been blocked :)

Does your network have any kind of IPS/IDS system in place?

Community Member

Re: ok, what the crap is going on?

OK... yes, we have both IPS and IDS....

BUT, the guest VLAN is on the same subinterface on the Cisco ASA, which makes my VLAN and the guest VLAN have the same outside IP address. Make sense? So they should be blocking my IP address.

What about the IPS/IDS?

Bronze

Re: ok, what the crap is going on?

So your internet traffic, whether from the guest VLAN or the non-guest VLAN, is NAT'd to the same external IP range (or address)?

I'm just throwing out ideas here... IPS can block traffic if it deems it malicious, but depending on the placement it would block the traffic no matter where it was accessed from. Unless the IPS was on a different path to the internet than the traffic from the guest VLAN...

Community Member

Re: ok, what the crap is going on?

Yes... that is correct on the NAT question.

I checked IPS and nothing is being blocked or logged.

That was a very good idea though.... Anything else I can check?

Bronze

Re: ok, what the crap is going on?

What about this: try accessing the website from the problem VLAN, through a web proxy service like Ninjacloak: http://ninjacloak.com/

What happens then?

Community Member

Re: ok, what the crap is going on?

Wow! It worked.... What the heck is that?? And how can I fix my problem now?

:)

Bronze

Re: ok, what the crap is going on?

Hmm... So here's what we know:

1. Website works from guest VLAN Y

2. Website does not work from VLAN X

3. Internal IPs and guest IPs are NAT'd to the same external range.

4. Website works from VLAN X when viewing through a proxy service.

Just to clarify, are you NAT'ing to the same external range for both guest VLAN and trouble VLAN or are they unique ranges on the same outside network?

i.e. nat (guest) 1 x.x.x.x

nat (inside) 1 x.x.x.x

global (outside) 1 x.x.x.x

or nat (guest) 1 x.x.x.x

nat (inside) 2 x.x.x.x

global (outside) 1 x.x.x.x

global (outside) 2 x.x.x.x

If your outside IPs really do overlap for the different VLANs, then I'm at a loss. Somewhere in your network there is something that is blocking that specific website. You can configure ASAs to block web traffic using modular policies and access-lists, so it's still possible the firewall is blocking it.

Another question I should've thought of earlier on, is it only one host on the trouble VLAN or all hosts on the trouble VLAN that can't access the website?

Community Member

Re: ok, what the crap is going on?

All hosts on the VLAN (I at least checked that) :)....

Where do I look on the ASA to check whether the website is blocked... or the IP is blocked...

I do have an SNMP trap set up so they can email us, but that hasn't been touched in a year.

Bronze

Re: ok, what the crap is going on?

You'll want to look at these items:

-- Access-lists (show access-list)

-- Service-policies (show service-policy)

-- Config items related to class maps, policy maps, and service policies (show run | begin class-map)

You could also try using the Packet tracer wizard in the ASDM to simulate traffic going through your ASA to see if the ASA would block it (ASDM > Tools menu > Packet Tracer).

Community Member

Re: ok, what the crap is going on?

I did the packet tracer from my workstation IP to the IP of the website and it says it's allowed....

Community Member

Re: ok, what the crap is going on?

Here is my ASA config... keep in mind the SMTP trap...

But the website I need to get to is:

www.healthyhuntington.org or 74.55.0.178

See attached... let me know if you see anything that might block that site.

Bronze

Re: ok, what the crap is going on?

You might consider "cleansing" that config a bit more... it has all usernames and passwords, IPs, etc. still in place.

It also looks as if you do in fact have websense in place:

url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Am I interpreting this wrong?
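The checklist above (which ACL is bound to the trouble interface, whether any entry in it matches the site, and whether Websense filtering is hooked in) can be done by hand with `show access-list`, but it is easy to misread a long config. The following is an added example written for this thread, not code from the poster or from Cisco: it scans a small ASA config fragment I constructed (the `url-server`/`filter` lines are the ones quoted above; the `RESTRICT_SMTP` entries are invented) and reports the first-match result for HTTP to 74.55.0.178. It assumes the classic pre-8.3 `access-list ... extended` syntax with `any`, `host A.B.C.D` or `net mask` address clauses.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed ASA config fragment for illustration only, not the poster's real config.
SAMPLE_CONFIG = """\
access-list RESTRICT_SMTP extended deny tcp any host 74.55.0.178 eq smtp
access-list RESTRICT_SMTP extended permit ip any any
access-group RESTRICT_SMTP in interface inside_vlan17
url-server (inside_vlan17) vendor websense host MN-IS-APPS1 timeout 30 protocol TCP version 4 connections 20
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443}
# proto, source clause, destination clause, optional 'eq <port>'
ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                 r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?")

def _covers(clause, ip):
    """Does an address clause ('any', 'host A.B.C.D' or 'net mask') cover ip?"""
    toks = clause.split()
    if toks[0] == "any":
        return True
    if toks[0] == "host":
        return ip_address(toks[1]) == ip
    return ip in ip_network(f"{toks[0]}/{toks[1]}", strict=False)

def bound_acl(config, interface):
    """Name of the ACL applied inbound on `interface`, or None if nothing is bound."""
    m = re.search(rf"access-group (\S+) in interface {re.escape(interface)}\b", config)
    return m.group(1) if m else None

def first_match(config, acl, dst_ip, proto="tcp", port=80):
    """ASA ACLs are first-match: return (action, line) for the first ACE in `acl`
    that covers proto/dst_ip/port, or None when nothing matches (implicit deny)."""
    ip = ip_address(dst_ip)
    for line in config.splitlines():
        m = ACE.match(line)
        if not m or m.group(1) != acl:
            continue
        _, action, ace_proto, _src, dst, eq = m.groups()
        if ace_proto not in ("ip", proto) or not _covers(dst, ip):
            continue
        if eq and (PORT_NAMES[eq] if eq in PORT_NAMES else int(eq)) != port:
            continue
        return action, line
    return None

def url_filter_lines(config):
    """Websense hooks. The trailing 'allow' on a 'filter url' line means traffic passes
    when the url-server is unreachable, so a block needs MN-IS-APPS1 to be answering."""
    return [l for l in config.splitlines() if l.startswith(("url-server", "filter "))]
```

On this constructed config the bound ACL denies only SMTP to the site and permits HTTP, which is why removing it changed nothing; the `filter url` lines are what send HTTP to the Websense server for a verdict.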

Community Member

Re: ok, what the crap is going on?

Yes, I know... I posted the wrong one...

BUT...

Websense is on the firewall... BUT if you look, mn-is-apps1 is the machine that hosts the Websense, but all Websense policies are turned off on this machine...

Bronze

Re: ok, what the crap is going on?

What happens if you temporarily remove the RESTRICT_SMTP access list from the inside_vlan17?

Am I correct in assuming that inside_vlan17 is where the trouble is occurring?

Community Member

Re: ok, what the crap is going on?

Yes, that is correct.... VLAN 17 is my VLAN...

Will it mess anything up?

Community Member

Re: ok, what the crap is going on?

But that access list only restricts email traffic.... How would that help?

Bronze

Re: ok, what the crap is going on?

Again I'm just throwing out ideas here. That access list is the only thing filtering incoming traffic on the internal interface, and it specifically mentions that website address. Couldn't hurt to try it with it off just to make sure...

Community Member

Re: ok, what the crap is going on?

OK, which one do I remove?

Bronze

Re: ok, what the crap is going on?

Use this to remove the RESTRICT_SMTP access-list from the inside_vlan17 interface:

no access-group RESTRICT_SMTP in interface inside_vlan17

All that does is remove that access-list from that interface -- the access-list remains in the config.

Community Member

Re: ok, what the crap is going on?

Nope... it didn't make a difference....

Bronze

Re: ok, what the crap is going on?

Well friend, I'm afraid I'm out of ideas on this one...

Hopefully someone smarter will pick up the thread and solve your problem.

Once you figure it out, be sure and post it -- I'm interested to know the solution!

--Brandon

Community Member

Re: ok, what the crap is going on?

Hey no problem man!

I really appreciate you taking the time to help out. I should be paying you for the time tonight. I will definitely keep you posted. Do you have an email I could keep in touch with?

thanks again!
