Formatech asked:

Accessing outside hosted website from inside our network

We have our website, www.formatech.com, hosted by a vendor outside our company. We cannot access this website from inside our network. It works on the public side, but not internally. We have an A record pointing www.formatech.com to 209.209.51.86. I can't ping that IP from inside, nor tracert. The thing is, it intermittently works, very rarely, but it does work sometimes. Our ISP is forwarding HTTP requests to said IP as well for the public world. We are using a PIX firewall, and I don't see any problems with that.... But, then again I could be wrong. Any ideas??

Thanks

Dave Paquette
jasfout

is it possible that when setting the firewall to 'allow' this ip always that instead you mistakenly 'denied' it?

if you are running your own DNS servers you might take a look your domain through this site http://www.dnsreport.com/tools/dnsreport.ch?domain=www.formatech.com

is this the error you receive when you try to access the page? "No web site is configured at this address."
if so you might check out that pointer again
nslookup reports formatech.com >> 209.209.51.86, however when I attempt to access the site using the IP address that is the error that I get.

if you are using your own DNS try switching to your ISP's DNS servers... if you can access that way, it would indicate that your own DNS server has the issue..
 
If still cannot access, then head to the PIX
Formatech (asker):

We are using our ISP's DNS servers as forwarders. I get the same error ("No web site is configured at this address") inside and outside when using the IP address, but outside www.formatech.com works. Inside www.formatech.com does not work.
The 209.209.51.86 seems to be the right address.

I would say that your issue is probably with either your PIX or with DNS resolution.

If you open a browser and type http://209.209.51.86 it doesn't resolve to www.formatech.com which seems to say that whoever is hosting the site is hosting it on a webserver with other sites and is using host headers to go to your site.  

You're not going to be able to ping it or tracert to it, it's not accepting ICMP traffic.

DNS is correct externally:

Non-authoritative answer:
Name:    www.formatech.com
Address:  209.209.51.86

Honestly, all I can say is to check your DNS and PIX again....my setup is similar to yours, in that I'm using domain.com internally and externally, and have my www site hosted.  All I did was add the A record and was golden.

If you can set real time logging on the PIX and capture a test, you could see if the PIX is the issue.

I'd post a pointer question to this question in the firewalls channel...There are PIX guys in there.
nodisco
PIX ASA algorithm will not allow you to browse your website by its DNS name from inside as it requires traffic redirection - and PIX doesn't work that way.

You have a few choices though - depending on where your DNS resides.

If you have internal DNS - the simplest solution is to create an A record for www.formatech.com - to the internal ip address of the webserver.

If you are using external DNS - by rights a PIX will not do it.  

There are 2 workarounds - you can use static dns nat statements or use the alias command.
Both of these will intercept the outgoing DNS lookup for 209.209.51.86 and redirect it internally to its inside ip address - its called DNS doctoring.

Let me know what way your DNS is and we can take it further

hope this helps
From what I can see, the web site is external not internal so the public IP address should be fine.
I also assume that you can connect to other web sites correctly?

Do you have an access-list applied to your PIX on outgoing traffic or is it an open interface?
Is Cleaner correct in that you are using the same IP address scheme for both internal & external or the same domain name for both local and external?

When you perform a tracert, where does the trace finish?
If you perform an nslookup on one of your machines, is it returning the correct IP address?
nodisco,

His site is hosted externally, not internally.
I did create an A record in our internal DNS (www.formatech.com 209.209.51.86). We use our ISP's DNS servers as forwarders. The funny thing is, it is intermittently working.... I just tried it, and it works.... I am at a loss.
Our website is hosted externally, our private network is 192.168.10.0 and our public network is 216.195.204.113. Our ISP DNS has a record for www.formatech.com 209.209.51.86. I have been working on getting this wacky problem fixed for a long time....

Thanks
It's working right now, with no changes made. Weird intermittent issue.

What is your internal domain name?
Can you check to see if you have a local hosts file on your dns server?

When you perform a tracert, where does the trace finish?
If you perform an nslookup on one of your machines, is it returning the correct IP address?
I would look into 2 things:

1.  check with your ISP for any errors on their end on that web server.  Verify it doesn't go down a lot or get reset often.

2.  If you allow your DNS servers to send DNS requests out your firewall in general (as opposed to locking it down to just your ISP) then just get rid of the forwarders and let the Root Hints handle the external DNS queries.

In fact #2 is a great way to at least test if it is something strange.
bleh - sorry - missed the external hosting ref.

You could run NTOP on a machine monitoring packets going out on the PIX - it may enlighten as to what is happening when this problem happens again.


Do you have a proxy server by any chance? There's no mention of it. Is it using the correct DNS? Does the website load from there, if it has a browser on it?
O well. I have asked twice. That will do me.
LOL at Keith..

Keith says, "WE NEED THE ABILITY TO BOLD OUR TEXT AND CHANGE ITS SIZE EE COMMUNITY!"

:D
lol, too many other questions where the askers don't ignore me to hang around forever. :)
Ok, I am new here @ EE, as you probably have already figured out....

Keith:
     My internal domain name is formatech.com. Tracert times out 30 times, and nslookup on a local machine returns the correct internal DNS server address, and the correct machine address.

Rant:  No proxy server.

Thank you all for your ongoing help!

Dave
I still say you have it setup right and the issue is probably on the other end...

Can you test an external PC connecting to it at the same time that you CANNOT access it from internally (easier said than done, I know)?

:) Thanks Dave and welcome to EE.

At a cmd prompt on your server/workstation, can you perform a route print and post the results?
What is your external firewall and do you have administrative access on to it? If so, can you ping your external web site IP address from the firewall?

How does your LAN connect to the Internet? Does it pass through any routers etc before it hits the Internet?
If your network and the hosting provider are not on the same network there is always a slight (remote) chance of Internet routing issues. Customer of mine wasn't able to send mail to a company in South Africa, then it appeared that an entire network segment over there couldn't be reached. Our upstream ISP had to solve a routing issue.

The tracert info might be helpful, especially so you can see the difference between when it works, and when it doesn't.
FormaTech-PIX# ping 209.209.51.86
        209.209.51.86 NO response received -- 1000ms
        209.209.51.86 NO response received -- 1000ms
        209.209.51.86 NO response received -- 1000ms

tracert www.formatech.com

Tracing route to www.formatech.com [209.209.51.86]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
10     *        *        *     Request timed out.
11     *        *        *     Request timed out.
12     *        *        *     Request timed out.
13     *        *        *     Request timed out.
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.
16     *        *        *     Request timed out.
17     *        *        *     Request timed out.
18     *        *        *     Request timed out.
19     *        *        *     Request timed out.
20     *        *        *     Request timed out.  
21     *        *        *     Request timed out.
22     *        *        *     Request timed out.
23     *        *        *     Request timed out.
24     *        *        *     Request timed out.
25     *        *        *     Request timed out.
26     *        *        *     Request timed out.
27     *        *        *     Request timed out.
28     *        *        *     Request timed out.
29     *        *        *     Request timed out.
30     *        *        *     Request timed out.

I ran the tracert, while i was on the site....

We have a PIX 506E with 6.3 (5) on it

Web hosting provider is in California, I am in Massachusetts. Different networks...
can you post a sanitised copy of your config? You may want to mask out the first two octets of your external IP addresses. As you cannot ping from the extremity of your network, it is either the PIX itself or as Cleaner suggests, an external influence.
Well, ICMP could be blocked by your firewall, so this is not conclusive... When you tracert to other sites, does that work? Otherwise tracert is of no use.

I can ping your website, btw, so it's accepting ICMP.
Our PIX config

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 999999999999999 encrypted
passwd 999999999999999 encrypted
hostname FormaTech-PIX
domain-name formatech.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.9 MAIL
name x.x.204.115 SMTP
access-list outside_access_in permit tcp 192.168.10.0 255.255.255.0 any
access-list outside_access_in permit tcp any host SMTP eq smtp
access-list outside_access_in permit tcp any host x.x.204.118 eq ftp
access-list outside_access_in permit tcp any host x.x.204.118 eq ftp-data
access-list vpn_in permit ip 192.168.10.0 255.255.255.0 10.0.10.0 255.255.255.0
pager lines 24
logging timestamp
logging console informational
logging monitor informational
logging buffered debugging
logging trap errors
logging facility 18
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.204.114 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.0.10.1-10.0.10.254
pdm location 192.168.10.4 255.255.255.255 inside
pdm location 192.168.10.5 255.255.255.255 inside
pdm location MAIL 255.255.255.255 inside
pdm location 192.168.10.21 255.255.255.255 inside
pdm location 192.168.10.254 255.255.255.255 inside
pdm location 192.168.10.6 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location SMTP 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.204.116
nat (inside) 0 access-list vpn_in
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SMTP MAIL netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.204.113 1
route inside MAIL 255.255.255.255 192.168.10.1 1
route outside SMTP 255.255.255.255 x.x.204.114 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.21 255.255.255.255 inside
http 192.168.10.254 255.255.255.255 inside
http 192.168.10.55 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.10.21 TFTP-Root
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set formaencrypt esp-des esp-md5-hmac
crypto dynamic-map formatechdynamic 100 set transform-set formaencrypt
crypto map formatechmap 100 ipsec-isakmp dynamic formatechdynamic
crypto map formatechmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup FO17maVPN# address-pool vpnpool
vpngroup FO17maVPN# dns-server 192.168.10.34
vpngroup FO17maVPN# wins-server 192.168.10.25
vpngroup FO17maVPN# default-domain formatech.com
vpngroup FO17maVPN# split-tunnel vpn_in
vpngroup FO17maVPN# idle-time 1800
vpngroup FO17maVPN# password ********
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
I cannot, to my astonishment, tracert anything else either.... btw

"icmp deny any outside"

would that block tracert from working? Any PIX guru wants to comment on this? Otherwise your entire LAN has access to the outside world.


Since when do you have this problem, anyway?
yeah...his ICMP traffic is being blocked.  He won't be able to tracert, ping, etc. the outside world.

Not that there's anything wrong with that...other than maybe troubleshooting this issue.

You can "somewhat" figure out the traceroute by www.dnsstuff.com

Here's an output:

http://www.dnsstuff.com/tools/tracert.ch?ip=www.formatech.com

It's getting to Inreach's network, so it doesn't look like routing is an issue...at least outside of Formatech's network.
BTW, Formatech, I posted a request to edit your above post...(for a good reason)
"vpngroup FO17maVPN# dns-server 192.168.10.34"

I am no PIX expert and CCNA is as far as I got (and it's about to expire), but didn't you say you were using the ISP's DNS? What is 192.168.10.34?
The subnet mask on your outside interface suggests that you can hook up another host to that subnet. Try connecting to your website using the ISP's DNS. If that works then it must be something on your LAN or PIX config.

If it still doesn't, you have ruled out any other errors and you have a convincing argument towards your ISP (or whoever manages x.x.204.113, your default gateway)

It's a legitimate question, ISP should help you out here.
forgive me experts if i'm way off
Just a question: you said it's hosted, so it's outside of your network? You said that your ISP is 'forwarding' HTTP requests to that IP.. the server isn't physically located in your network, is it? From a DOS or cmd prompt try this:

telnet 209.209.51.86 80

and see if it connects, screen should go blank, hit return a couple times and you should see:

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 23 Mar 2006 22:48:41 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>

Connection to host lost.
Jasfout:
That .34 entry is our internal DNS, when connecting in on VPN.  Using ISPs DNS as a forwarder. Local network has internal DNS.

Deadnight:
The telnetting returned exactly what you said it should.
so then the problem must be with an entry on your internal DNS server
Formatech,

If it works from time to time, do you have more than 1 DNS server internally?  Are they replicating correctly?

Try a DNS lookup on any client that isn't working right.

Also do an ipconfig /flushdns

on any client that isn't working right.
Like I said in the other thread you had about this, it's usually a simple A record entry for www pointing to the external IP and it works...so check for simple things.
I have 2 DNS servers internal, and they are replicating correctly. Both servers have the A record for www.formatech.com 209.209.51.86

It's working today, and I don't know what is causing it not to work.

As I said in my original post: "if you are using your own DNS try switching to your ISP's DNS servers... if you can access that way, it would indicate that your own DNS server has the issue.."

try switching your workstation to your ISP's DNS...can you then access the site?
uh...when it's not working, of course
"We are using our ISPs DNS servers as forwarders. I get the same error ("No web site is configured at this address") inside and outside when using the IP add, but outside www.formatech.com works. Inside www.formatech.com does not work."

it is definitely a DNS issue and not a routing issue
> it is definitely a DNS issue and not a routing issue

I do not agree with this conclusion, because the clients have shown to resolve the correct IP address for the website. There are no DNS resolution errors as far as I can tell:
Tracing route to www.formatech.com [209.209.51.86] over a maximum of 30 hops:

If you REALLY want to eliminate DNS... edit the %systemroot%\system32\drivers\etc\hosts file on a client pc, and add

209.209.51.86 <tab> www.formatech.com <enter>

to it. Formatech, have you seen the comment regarding testing from the public network, outside the PIX?
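The telnet-to-port-80 check and the hosts-file/DNS test from the posts above combined into one script (an added example, not code from any poster in this thread). It resolves the name with the local resolver, compares the answer with the A record given in the thread, opens TCP/80 to the hosted address and sends a request with an explicit Host header (the server uses host headers, so a request carrying only the bare IP gets the "No web site is configured" page), then labels the outcome as a DNS problem or a path problem. www.formatech.com and 209.209.51.86 are taken from the thread; the diagnosis wording is assumed.

```python
import socket

# Values taken from the thread: the hosted site and the address its A record points to.
HOST = "www.formatech.com"
EXPECTED_IP = "209.209.51.86"


def resolve(name):
    """Return the IPv4 addresses the local resolver gives for name ([] if it fails)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def parse_status(raw):
    """Pull the numeric status code out of the first line of a raw HTTP response."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def http_status(ip, host, timeout=5):
    """TCP-connect to ip:80 and send a HEAD with the given Host header.
    Returns the status code, or None when the TCP connection itself fails."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as s:
            s.sendall(request)
            return parse_status(s.recv(1024))
    except OSError:
        return None


def diagnose(resolved, expected_ip, status):
    """Map the observations onto the explanations offered in the thread (wording assumed)."""
    if not resolved:
        return "dns: name does not resolve (check internal zone and forwarders)"
    if expected_ip not in resolved:
        return f"dns: resolved to {resolved}, not {expected_ip} (stale or wrong A record)"
    if status is None:
        return "path: DNS is right but TCP/80 to the host fails (PIX, routing, or remote end)"
    return f"ok: DNS and TCP path are fine, server answered HTTP {status}"


if __name__ == "__main__":
    ips = resolve(HOST)
    # Request with the real Host header, then with the bare IP as Host: a different
    # answer for the second one confirms the site is served by host header.
    print(diagnose(ips, EXPECTED_IP, http_status(EXPECTED_IP, HOST)))
    print("bare-IP Host header ->", http_status(EXPECTED_IP, EXPECTED_IP))
```

Run it from a client while the site is failing and again while it works; a "dns" result points at the internal zone, a "path" result at the PIX or the route out.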
ah...missed that one
ASKER CERTIFIED SOLUTION by TheCleaner
Thanks for the points!