I am having a problem with accessing one of the websites on a Cisco network. We have a Cisco 3750X with an ASA5510 in front of it, and multiple VLANs on the network.
The particular website I am trying to access does not work on VLAN113 but works on other VLANs like 130 and 88, for example. All these VLANs share the same physical gateway, which is the ASA, and all have the same public IP. There is no URL filtering in place and the only thing I can see that's different is the DNS. VLANs 130 and 88 use OpenDNS whereas 113 uses a local DNS server. I have tried changing the DNS to use Google and OpenDNS but nothing makes any difference. Flushing the DNS cache and deleting temp files makes no difference.
Thanks in advance.
Can you ping your ASA from the web server?
Do you have a route from the ASA to that VLAN?
Can you access the website internally via IP address?
Can you access the website internally by name?
Can you access the website externally via IP address?
It might be helpful if you would provide some information from your ASA. In particular it would help if we knew each of its interfaces and their IP addresses and their security level associated with each of the vlans. It could possibly be an issue with traffic from a lower security level interface trying to go to a higher security level interface.
Here is the list. They all have the same security level, apart from VLAN 66. However, all the VLANs seem to access the website fine except 113.
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 188.x.x.x YES CONFIG up up
GigabitEthernet0/1 192.168.100.250 YES CONFIG up up
GigabitEthernet0/1.1 unassigned YES unset administratively down down
GigabitEthernet0/1.21 192.168.21.250 YES CONFIG up up
GigabitEthernet0/1.22 192.168.22.250 YES CONFIG up up
GigabitEthernet0/1.55 10.88.0.250 YES CONFIG up up
GigabitEthernet0/1.66 10.87.0.250 YES CONFIG up up
GigabitEthernet0/1.95 unassigned YES unset up up
GigabitEthernet0/1.100 192.168.108.250 YES CONFIG up up
GigabitEthernet0/1.113 192.168.113.250 YES CONFIG up up
GigabitEthernet0/1.115 192.168.115.250 YES CONFIG up up
GigabitEthernet0/1.130 192.168.130.250 YES CONFIG up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 10.1.0.1 YES unset up up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset down down
Internal-Data0/1 unassigned YES unset down down
Internal-Data0/2 unassigned YES unset up up
Management0/0 unassigned YES unset administratively down down
The problem was down to the server hosting the website that was blocking our IP address! All sorted now, thank you all for your help.
I am glad that you have resolved the issue. Thank you for posting back to the forum to let us know that it is solved and what the issue was. Perhaps it is helpful for us to be reminded that sometimes the problem is not in the device that we manage but is in the other device that we do not manage.
I do not have access to the webserver to be able to do that as it's a shared host.
It's just a general website hosted elsewhere in the country and other vlans can access it no problem and people outside can access it too.
IP access does not work as it hosts multiple websites.
It is not clear to me whether this problem is an issue with IP forwarding to the server or is an issue with DNS. So from a device on vlan 113 where the webserver does not work please do a ping to the webserver name. The important thing here is whether the ping is able to resolve the name to an IP address or fails to resolve the name. Please do the ping and inform us of the results.
The name resolves to the same IP as it does outside the network. I've tried using different DNS servers and get the same result. All PCs do the same thing from that vlan.
If ping to the name of the webserver does resolve to the correct IP then it is hard for me to see how this would be a DNS problem. It does sound more like an IP forwarding issue. To figure out what it might be we would have to have information about the device doing the forwarding which I believe is an ASA.
As a starting point it might be interesting to see the output of
show run | inc 192.168.113
show run | inc <subnet_of_the_server>
Beyond that we would want to see how many interfaces on the ASA, how they are configured, any access lists that are used, any address translations that are configured.