Cisco Support Community
Community Member

Accessing a website behind ASA5510

I am having a problem with accessing one of the websites on a Cisco network. We have a Cisco 3750X with an ASA5510 in front of it, and multiple VLANs on the network. 

The particular website I am trying to access does not work on VLAN113 but works on other VLANs like 130 and 88, for example. All these VLANs share the same physical gateway, which is the ASA, and all have the same public IP. There is no URL filtering in place, and the only thing I can see that's different is the DNS. VLANs 130 and 88 use OpenDNS whereas 113 uses a local DNS server. I have tried changing the DNS to use Google and OpenDNS but nothing makes any difference. Flushing the DNS cache and deleting temp files makes no difference.

Any ideas?

 

Thanks in advance.

Dima

14 REPLIES
Community Member

Can you ping your ASA from the web server? 

Do you have a route from the ASA to that VLAN? 

Can you access the website internally via IP address?

Can you access the website internally by name?

Can you access the website externally via IP address?

 

Hall of Fame Super Gold

Dima

 

It might be helpful if you would provide some information from your ASA. In particular it would help if we knew each of its interfaces, their IP addresses, and the security level associated with each of the VLANs. It could possibly be an issue with traffic from a lower security level interface trying to go to a higher security level interface.

 

HTH

 

Rick

Community Member

Richard,

 

Here is the list. They all have the same security level, apart from the VLAN 66. However all the VLANs seem to access the website fine but the 113. 

 

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         188.x.x.x       YES CONFIG up                    up
GigabitEthernet0/1         192.168.100.250 YES CONFIG up                    up
GigabitEthernet0/1.1       unassigned      YES unset  administratively down down
GigabitEthernet0/1.21      192.168.21.250  YES CONFIG up                    up
GigabitEthernet0/1.22      192.168.22.250  YES CONFIG up                    up
GigabitEthernet0/1.55      10.88.0.250     YES CONFIG up                    up
GigabitEthernet0/1.66      10.87.0.250     YES CONFIG up                    up
GigabitEthernet0/1.95      unassigned      YES unset  up                    up
GigabitEthernet0/1.100     192.168.108.250 YES CONFIG up                    up
GigabitEthernet0/1.113     192.168.113.250 YES CONFIG up                    up
GigabitEthernet0/1.115     192.168.115.250 YES CONFIG up                    up
GigabitEthernet0/1.130     192.168.130.250 YES CONFIG up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         10.1.0.1        YES unset  up                    up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  down                  down
Internal-Data0/1           unassigned      YES unset  down                  down
Internal-Data0/2           unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  administratively down down

Community Member

The problem was down to the server hosting the website that was blocking our IP address! All sorted now, thank you all for your help.

Hall of Fame Super Gold

Dima

 

I am glad that you have resolved the issue. Thank you for posting back to the forum to let us know that it is solved and what the issue was. Perhaps it is helpful for us to be reminded that sometimes the problem is not in the device that we manage but is in the other device that we do not manage.

 

HTH

 

Rick

Community Member

I do not have access to the webserver to be able to do that as it's a shared host. 

It's just a general website hosted elsewhere in the country and other vlans can access it no problem and people outside can access it too. 

IP access does not work as it hosts multiple websites. 

 

Cheers

Hall of Fame Super Gold

It is not clear to me whether this problem is an issue with IP forwarding to the server or is an issue with DNS. So from a device on vlan 113 where the webserver does not work please do a ping to the webserver name. The important thing here is whether the ping is able to resolve the name to an IP address or fails to resolve the name. Please do the ping and inform us of the results.

 

HTH

 

Rick
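
Added example, not part of the original thread or any poster's reply: a staged check that separates the three places this kind of fault can sit (name resolution, TCP reachability, and the HTTP request with the site's name on a shared host). It assumes plain HTTP on port 80; the function name `diagnose` and the placeholder hostname are hypothetical.

```python
import http.client
import socket


def diagnose(name, port=80, timeout=3.0, resolver=socket.gethostbyname):
    """Return (stage, detail) for the first stage that fails, else ("ok", status)."""
    # Stage 1: name resolution. Failure here points at DNS, not the firewall.
    try:
        ip = resolver(name)
    except OSError as exc:  # socket.gaierror is an OSError
        return ("dns", str(exc))

    # Stage 2: TCP handshake to the resolved address. A timeout means packets
    # are dropped somewhere on the path or at the far end; a refusal means the
    # host answered but nothing accepts connections on that port.
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.connect()
    except socket.timeout:
        return ("tcp", f"{ip}:{port} timed out")
    except OSError as exc:
        return ("tcp", f"{ip}:{port} {exc}")

    # Stage 3: HTTP request to the IP with the site name in the Host header.
    # On a shared host the name selects the site, which is why browsing to the
    # bare IP address does not reach it.
    try:
        conn.request("GET", "/", headers={"Host": name})
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return ("http", f"no valid response: {exc}")
    finally:
        conn.close()
    return ("ok", status) if status < 400 else ("http", status)


if __name__ == "__main__":
    import sys
    # Usage: python diagnose.py www.example.com  (placeholder name)
    print(diagnose(sys.argv[1]))
```

Running it from a host on the failing VLAN and again from a working one shows at which stage the two diverge.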

Community Member

Richard,

 

The name resolves to the same IP as it does outside the network. I've tried using different DNS servers and get the same result. All PCs do the same thing from that vlan. 

 

Cheers

Community Member

And assuming this is the only outside website you cannot reach?

Can you access it by typing the IP into your browser?

Community Member

As far as we know, yes, that's the only website. Cannot access it via IP as it's on a shared host. 

Community Member

Can you try some other websites to confirm this? 

Hall of Fame Super Gold

If ping to the name of the webserver does resolve to the correct IP then it is hard for me to see how this would be a DNS problem. It does sound more like an IP forwarding issue. To figure out what it might be we would have to have information about the device doing the forwarding which I believe is an ASA.

 

HTH

 

Rick

Community Member

Other websites work fine, it's just this particular one that does not.

 

What information would you like, Richard?

Hall of Fame Super Gold

Dima

 

As a starting point it might be interesting to see the output of

show run | inc 192.168.113

show run | inc <subnet_of_the_server>

Beyond that we would want to see how many interfaces on the ASA, how they are configured, any access lists that are used, any address translations that are configured.

 

HTH

 

Rick
