cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
669
Views
8
Helpful
14
Replies

Accessing a website behind ASA5510

I am having a problem with accessing one of the websites on a Cisco network. We have a Cisco 3750X with an ASA5510 in front of it, and multiple VLANs on the network. 

The particular website I am trying to access does not work on VLAN113 but works on other VLANs like 130 and 88, for example. All these VLANs share the same physical gateway, which is the ASA and all have the same public IP. There is no URL filtering in place and the only thing I can see that's different, is the DNS. The VLAN 130 and 88 use OpenDNS whereas the 113 uses local DNS server. I have tried changing the DNS to use Google and OpenDNS but nothing makes any different. Flushing DNS cache and deleting temp files makes no difference.

Any ideas?

 

Thanks in advance.

Dima

14 Replies 14

adamtodd16
Level 3
Level 3

Can you ping your ASA from the web server? 

Do you have a route from the ASA to that VLAN? 

Can you access the website internally via IP address?

Can you access the website internally by name?

Can you access the website externally via IP address?

 

Dima

 

It might be helpful if you would provide some information from your ASA. In particular it would help if we knew the each of its interfaces and their IP addresses and their security level associated with each of the vlans. It could possibly be an issue with traffic from a lower security level interface trying to go to a higher security level interface.

 

HTH

 

Rick

HTH

Rick

Richard,

 

Here is the list. They all have the same security level, apart from the VLAN 66. However all the VLANs seem to access the website fine but the 113. 

 

Interface                  IP-Address      OK? Method Status                Protocol

GigabitEthernet0/0         188.x.x.x  YES CONFIG up                    up  

GigabitEthernet0/1         192.168.100.250 YES CONFIG up                    up  

GigabitEthernet0/1.1       unassigned      YES unset  administratively down down

GigabitEthernet0/1.21      192.168.21.250  YES CONFIG up                    up  

GigabitEthernet0/1.22      192.168.22.250  YES CONFIG up                    up  

GigabitEthernet0/1.55      10.88.0.250     YES CONFIG up                    up  

GigabitEthernet0/1.66      10.87.0.250     YES CONFIG up                    up  

GigabitEthernet0/1.95      unassigned      YES unset  up                    up  

GigabitEthernet0/1.100     192.168.108.250 YES CONFIG up                    up  

GigabitEthernet0/1.113     192.168.113.250 YES CONFIG up                    up  

GigabitEthernet0/1.115     192.168.115.250 YES CONFIG up                    up  

GigabitEthernet0/1.130     192.168.130.250 YES CONFIG up                    up  

GigabitEthernet0/2         unassigned      YES unset  administratively down down

GigabitEthernet0/3         unassigned      YES unset  administratively down down

GigabitEthernet0/4         unassigned      YES unset  administratively down down

GigabitEthernet0/5         10.1.0.1        YES unset  up                    up  

Internal-Control0/0        127.0.1.1       YES unset  up                    up  

Internal-Data0/0           unassigned      YES unset  down                  down

Internal-Data0/1           unassigned      YES unset  down                  down

Internal-Data0/2           unassigned      YES unset  up                    up  

Management0/0              unassigned      YES unset  administratively down down

The problem was down to the server hosting the website that was blocking our IP address! All sorted now, thank you all for your help.

Dima

 

I am glad that you have resolved the issue. Thank you for posting back to the forum to let us know that it is solved and what the issue was. Perhaps it is helpful for us to be reminded that sometimes the problem is not in the device that we manage but is in the other device that we do not manage.

 

HTH

 

Rick

HTH

Rick

I do not have access to the webserver to be able to do that as it's a shared host. 

It's just a general website hosted elsewhere in the country and other vlans can access it no problem and people outside can access it too. 

IP access does not work as it hosts multiple websites. 

 

Cheers

It is not clear to me whether this problem is an issue with IP forwarding to the server or is an issue with DNS. So from a device on vlan 113 where the webserver does not work please do a ping to the webserver name. The important thing here is whether the ping is able to resolve the name to an IP address or fails to resolve the name. Please do the ping and inform us of the results.

 

HTH

 

Rick

HTH

Rick

Richard,

 

The name resolves to the same IP as it does outside the network. I've tried using different DNS servers and get the same result. All PCs do the same thing from that vlan. 

 

Cheers

And assuming this is the only outside website you cannot reach?

Can you access it by typing the IP into your browser?

As far as we know, yes thats the only website. Cannot access it via IP as it's on a shared host. 

Can you try some other websites to confirm this? 

If ping to the name of the webserver does resolve to the correct IP then it is hard for me to see how this would be a DNS problem. It does sound more like an IP forwarding issue. To figure out what it might be we would have to have information about the device doing the forwarding which I believe is an ASA.

 

HTH

 

Rick

HTH

Rick

Other websites work fine, it's just this particular one that does not.

 

What information would you like, Richard?

Dima

 

As a starting point it might be interesting to see the output of

show run | inc 192.168.113

show run | inc <subnet_of_the_server>

Beyond that we would want to see how many interfaces on the ASA, how they are configured, any access lists that are used, any address translations that are configured.

 

HTH

 

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco