Solved

Unable to access restricted websites - possible firewall issue?

Posted on 2009-02-18
Last Modified: 2012-05-06
Hi,

I've got a puzzling problem that I hope someone can help with.

My organisation's Internet access is provided through our connection to the Irish Government Network (IGN).

Two websites that we need to access are restricted to those within the IGN. We were previously able to access these sites (and should still be able to do so) but for the past few months have been unable to do so. I have been liaising with IGN tech support but they say that, as nothing has changed at their end, it must be a local issue. Nothing (that I am aware of) has changed at this end either. However I just discovered an exception to the rule - I am able to access the restricted websites on one of our client PCs. Having examined all the network settings I can't see anything different except:

- The primary DNS is different - actually incorrect. It is 192.169.10.11 instead of 192.168.10.11. For some reason this seems to work. The alternate DNS server is the same as on other clients (this points to the IGN). However, if I change the primary DNS back to 192.168.10.11 then I can no longer access the restricted websites. If I change the primary DNS on other clients to 192.169.10.11 I can't access any websites.

Things I've tried:

- Using a different network card with standard default settings

- Turning Windows firewall on/off (normally on for all clients). Makes no difference either way.

- Telnetting to the sites. For one I get a blank black screen (indicating a connection) and for the other I get "Could not open connection 0: Connect failed"

- A tracert indicates that the trace for one of these sites is not even getting to our router. It seems like our firewall may be blocking it, but I cannot locate anything in the firewall logs relating to the IP addresses of these websites and, as one client PC CAN access these websites, I don't think it's a firewall issue (I am the only one with access to the firewall and I didn't set/change any rules relating to these sites or the one client that can access the sites).

- Changing the IP address on the working client. The IP address (even though dynamic) is not reserved for this PC and even after releasing/ renewing the address it still works on that one PC.

- All clients are DHCP. No static IP addresses. NAT addressing. We don't use a proxy server.
Question by:sdower
23 Comments
 

Expert Comment

by:troeland
ID: 23678530
Try doing an NSLOOKUP from the command prompt of the machine that works and then from one that doesn't.  It kind of looks like you have a DNS issue.


TJR

Author Comment

by:sdower
ID: 23680231
Hi,
Results of nslookup:

On machine that works:
For the primary DNS, 192.169.10.11 (which should be incorrect) I get the message "*** Can't find server name for address 192.169.10.11: Timed out"
For the secondary DNS (on the IGN) it finds and displays the server name and address
For the IP address of both affected websites it displays the server name and address

On other clients:

For the primary DNS, 192.168.10.11 (the correct address for our DNS server) I get "** Can't find server name for address 192.168.10.11: Non-existent domain"
For the secondary DNS (on the IGN), I get "*** Can't find server name for address xx: Timed out"
For both of the affected websites, I get:

Server (name): Unknown

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Both machines are on the same network.

Expert Comment

by:troeland
ID: 23680332
There is something acting up between your DNS and theirs.  The simplest fix might be to just create a hosts file on each of your workstations referencing the IP to name.

You can find this file at C:\Windows\system32\drivers\etc\

It has examples for proper configurations.


TJR

Author Comment

by:sdower
ID: 23691004
Thanks. I've tried this but unfortunately it makes no difference.

Expert Comment

by:troeland
ID: 23691386
Try an LMHosts file and import it?

TJR

Author Comment

by:sdower
ID: 23711351
Hi,

Have tried an LMHosts file but this made no difference.

Expert Comment

by:Steve Bink
ID: 23713086
If the only difference was in the DNS server, then it is obviously a DNS problem.

192.168.0.0/16 is an internal network, which means that DNS server is somewhere within your organization.  192.169.0.0/16, however, will be out on the internet.  That looks like a typo that just happened to point to a computer able to do DNS recursive calls.

Go to the machine that is working, and attempt an nslookup for www.domain_U_want_to_reach.com.  If you get back a response, you'll see the IP as w.x.y.z.  Take that information to a machine that doesn't work, and edit %SYSTEMROOT%\system32\drivers\etc\hosts.  Put in the domain and IP, save the file, then open a command line prompt and run 'ipconfig /flushdns'.  Now that machine should be able to ping/nslookup the domain.

Author Comment

by:sdower
ID: 23720816
Hi routinet,

Have tried this on several PC's but no luck I'm afraid.

Expert Comment

by:Steve Bink
ID: 23753330
What process did you follow (step-by-step, please), and what were the results?

Author Comment

by:sdower
ID: 23774020
I set-up the LMHosts file as per the instructions in the test file. I added the entries from the HOSTS file. Imported the LMHOSTS file via IP settings.

On the machine that is working, I did an NSLOOKUP for the sites I want to access, got the IP addresses, and put that information into the HOSTS file on a machine that doesn't work.

Results = no change. I still cannot access those sites on any other machine.

Expert Comment

by:Steve Bink
ID: 23792013
On the machine that doesn't work, what happens when you ping the IP?  What happens when you ping the name after making your adjustments to the HOSTS file?

Author Comment

by:sdower
ID: 23804684
Hi, I get "Request Timed Out" for both sites (IP address and name) on all machines that don't work (including the one with the LMHOSTS file set-up). This seems to be the case for most/ all other addresses/names even though I can access the websites.

However, on the machine that works I get a reply for one of the sites for both IP address and name. The other site is just an IP address and I get "Request Timed Out". There is nothing in the HOSTS file or LMHOSTS file on this machine.

Expert Comment

by:Steve Bink
ID: 23813641
What is the default gateway on these machines, and what happens when you try to ping it?

Explain a little bit about your physical layer configuration.  At what point do these machines directly connect to the network?  How many devices are in between them and the default gateway?  Are there any intranet routers involved?  Where does your default gateway lead?

Author Comment

by:sdower
ID: 23835064
The default gateway is the same for all clients, including the one that works - this is our firewall (an internal IP address) which then points to our router (managed by the Government Network).

When I ping the gateway I get a reply on all clients.

All machines connect via switches to the firewall. There are no intranet routers.

Expert Comment

by:Steve Bink
ID: 23843622
Please post the tracert results from a system that works and a system that doesn't work.  Include as much unedited information as you can without violating your security/privacy policies.

Have you ever used Wireshark?  If you can, try a capture from each system for both ping and a simple HTTP request.  

This is very much sounding like IGN cut you off, and your attempts to resolve with them were handled by a low-level tech who wanted you off the phone.  :)  The real oddity is why ONE system would work, and not the rest.  If the problem exists in your network, it will very likely be in the firewall, or in DHCP configuration.  That reminds me...please include as much information about your DHCP server as possible.  At a minimum, I would like to know the range of the active scopes, subnet masks, default gateway settings, and nameserver settings.

Author Comment

by:sdower
ID: 23869393
> This is very much sounding like IGN cut you off, and your attempts to resolve with them were handled by a low-level tech who wanted you off the phone.  :)

This is very much my thinking too!!

Here are the results of the tracert for both sites:
On sample PC that DOESN'T work:

C:>tracert 169.254.255.194

Tracing route to netwatch.vpn [169.254.255.194]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:>tracert 169.254.222.35

Tracing route to pcframework.gov.ie [169.254.222.35]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.


On PC that DOES work:

C:>tracert 169.254.255.194

Tracing route to netwatch.vpn [169.254.255.194]
over a maximum of 30 hops:

  1     7 ms     1 ms     1 ms  169.254.216.129
  2   156 ms   162 ms   144 ms  159.134.141.213
  3    35 ms    65 ms    63 ms  83.71.50.129
  4   114 ms   106 ms   119 ms  83.71.50.130
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:>tracert 169.254.222.35

Tracing route to monoframework.gov.ie [169.254.222.35]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  169.254.216.129
  2    42 ms    68 ms    88 ms  159.134.133.13
  3   155 ms    91 ms    40 ms  83.71.90.205
  4    43 ms    44 ms    38 ms  83.71.90.206
  5    45 ms    47 ms    53 ms  169.254.254.199
  6   137 ms   137 ms   134 ms  monoframework.gov.ie [169.254.222.35]

Trace complete.
   

I've never used Wireshark. I'm not an expert on DHCP so I hope this is the correct information:
Scope: 192.168.10.100 - 192.168.10.253
Subnet mask: 255.255.255.0
Lease duration: 8 hours
address pool: 192.168.10.100 - 192.168.10.129
Default gateway: 192.168.10.6 (this is our firewall)
DNS domain name: ncte.ie    

Expert Comment

by:Steve Bink
ID: 23875978
Curious...your DHCP server hands out 192.168.* addresses.  What are the ipconfig returns on those systems?  The 169.254.* addresses are APIPA addresses.  Are you sure those are correct?

Run 'ipconfig /all' once on each system (working and not-working), and post those results here.

Author Comment

by:sdower
ID: 23991535
Hi,

Apologies for the delay in posting this information. Had other issues to deal with. Here are the results of the ipconfig /all:

ON PC that works:

C:>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : AnnePhelan
        Primary Dns Suffix  . . . . . . . : ncte.ie
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ncte.ie
                                            ncte.ie

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : ncte.ie
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-08-74-AD-F3-8A
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.6
        DHCP Server . . . . . . . . . . . : 192.168.10.11
        DNS Servers . . . . . . . . . . . : 192.169.10.11
                                            169.254.254.203
        Primary WINS Server . . . . . . . : 192.168.10.11
        Lease Obtained. . . . . . . . . . : 23 March 2009 11:43:54
        Lease Expires . . . . . . . . . . : 31 March 2009 11:43:54



On Sample PC that doesn't work :

C:>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : NCTETEST1
        Primary Dns Suffix  . . . . . . . : ncte.ie
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ncte.ie
                                            ncte.ie

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : ncte.ie
        Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-1E-8C-90-81-D9
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.137
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.6
        DHCP Server . . . . . . . . . . . : 192.168.10.11
        DNS Servers . . . . . . . . . . . : 169.254.254.203
                                            192.168.10.11
        Primary WINS Server . . . . . . . : 192.168.10.11
        Lease Obtained. . . . . . . . . . : 23 March 2009 11:43:20
        Lease Expires . . . . . . . . . . : 31 March 2009 11:43:20
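Added example (not code from the thread): a small Python script that parses the DNS Servers block of the two ipconfig /all dumps above and flags resolvers that are public (queries leave the organisation, as with the mistyped 192.169.10.11), link-local/APIPA, or present on only one of the hosts. The expected LAN range 192.168.10.0/24 is an assumption taken from the DHCP scope posted earlier, and the sample dumps are condensed from the ones in the thread.

```python
"""Added example: compare resolver settings from two 'ipconfig /all' dumps and
flag resolvers that are public, link-local (APIPA) or differ between hosts."""
import ipaddress
import re

# Constructed samples: the relevant adapter lines from the two dumps in the thread.
WORKING = """\
        IP Address. . . . . . . . . . . . : 192.168.10.150
        Default Gateway . . . . . . . . . : 192.168.10.6
        DNS Servers . . . . . . . . . . . : 192.169.10.11
                                            169.254.254.203
"""
FAILING = """\
        IP Address. . . . . . . . . . . . : 192.168.10.137
        Default Gateway . . . . . . . . . : 192.168.10.6
        DNS Servers . . . . . . . . . . . : 169.254.254.203
                                            192.168.10.11
"""

# "Key . . . : value" lines, plus deeply indented continuation lines that carry
# the second and later entries of a multi-valued field such as DNS Servers.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?)[ .]*: (?P<val>.*)$")
CONT = re.compile(r"^\s{20,}(?P<val>\S.*)$")

LAN = ipaddress.ip_network("192.168.10.0/24")   # assumed: where resolvers should live
APIPA = ipaddress.ip_network("169.254.0.0/16")  # link-local autoconfiguration range


def parse_ipconfig(text):
    """Return {field: [values]} for an adapter section of ipconfig /all output."""
    fields, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = m.group("key").strip()
            fields[key] = [m.group("val").strip()]
            continue
        c = CONT.match(line)
        if c and key:
            fields[key].append(c.group("val").strip())
    return fields


def audit_resolvers(fields):
    """Classify each configured DNS server; returns a list of (server, finding)."""
    findings = []
    for server in fields.get("DNS Servers", []):
        addr = ipaddress.ip_address(server)
        if addr in APIPA:
            findings.append((server, "apipa: link-local address used as a resolver"))
        elif not addr.is_private:
            findings.append((server, "public: queries leave the organisation"))
        elif addr not in LAN:
            findings.append((server, "private address outside the expected LAN"))
        else:
            findings.append((server, "ok"))
    return findings


def diff_resolvers(a, b):
    """Resolvers present on only one host: (only_in_a, only_in_b)."""
    sa, sb = set(a.get("DNS Servers", [])), set(b.get("DNS Servers", []))
    return sorted(sa - sb), sorted(sb - sa)


if __name__ == "__main__":
    work, fail = parse_ipconfig(WORKING), parse_ipconfig(FAILING)
    for name, fields in (("AnnePhelan (works)", work), ("NCTETEST1 (fails)", fail)):
        print(name, audit_resolvers(fields))
    print("only on working / only on failing:", diff_resolvers(work, fail))
```

Run it against the full ipconfig /all output of any host to see at a glance which resolver is answering from outside the network.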

Expert Comment

by:Steve Bink
ID: 23997814
The only difference I see is the order of the DNS servers, and I'm not sure that makes a difference.  When you run nslookup on each box, what comes up as the default DNS server?  Do you see any difference in connectivity if you force NCTETEST1 to use only 192.168.10.11 for DNS?  Is 169.254.254.203 a real system?  On your network or elsewhere?  Can both systems find (ping) the default gateway?

Author Comment

by:sdower
ID: 24107283
NSlookup:

On AnnePhelan I get:

DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 192.169.10.11: Timed out
Default Server:  cwint.gn.gov.ie
Address:  169.254.254.203

Note that 192.169.10.11 is actually an incorrect address (probably a typo when setting up) - this should be 192.168.10.11.


on NCTETEST1 I get:

*** Can't find server name for address 192.168.10.11: Non-existent domain
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 169.254.254.203: Timed out
*** Can't find server name for address 192.168.10.11: Non-existent domain
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 169.254.253.203: Timed out
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.10.11


If I change the order of DNS servers it makes no difference on either PC. If I force NCTETEST1 to use 169.254.253.203 (which AnnePhelan must be using, as 192.169.10.11 is invalid) then I can get one of the Government websites (but not the secure part) but cannot access any other website.

169.254.254.203 is a Gov DNS server outside our network. As the default gateway is a local address within our network then this server would not be able to find it. 192.168.10.11 can find the gateway. The gateway is our firewall which is connected to the Gov Network managed router.

Expert Comment

by:Steve Bink
ID: 24120653
On NCTETEST1, do you have any other problems with connectivity?

I can only think of a couple possible problems at this point:

1) the network card on NCTETEST1 is dying.  If this is the case, you should see connection issues everywhere you go, not just on intranet or parallel networks.  I'm not inclined to believe this since DHCP is apparently working just fine.

2) That system is being filtered somewhere in the network layer, probably by a router or firewall, or possibly misconfiguration...I'm a little curious about the 169.254.254.203 vs 169.254.253.203.  For that matter, I'm a little curious as to why your DNS server is on an APIPA to begin with...

3) Possibly an infection of some sort?  A packet capture would tell you if the requests are malformed or something similar.

I recommend doing a packet capture just to see what is actually going out on the wire, and to see if any responses are coming back at all.  Another oddity is your previous tracert results.  The first hop should always be to your default gateway.  Not only is your first hop going somewhere else, it's going somewhere else on an entirely different network.

Author Comment

by:sdower
ID: 24202880
Hi,

1) NCTETEST1 is representative of all clients on our network except AnnePhelan which is the exception, so I think it's unlikely that all other network cards are faulty. In any case I have previously tried using another network card on NCTETEST1 but this makes no difference.

2) I thought this might be the case, but as I'm the only one who should have access to our firewall I can't see how. There is only our firewall between this (and all clients) and the router (which is managed by the Gov Network, meaning I have no access) and I couldn't find anything in the firewall logs indicating this. I don't know where 169.254.253.203 comes from. When I did a subsequent nslookup today this didn't show up:

DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 169.254.254.203: Timed out
*** Can't find server name for address 192.168.10.11: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  169.254.254.203

I don't know why the DNS server is on APIPA - I guess this was set up by default, but what difference does this make? As far as I can see all addresses are being allocated by the DNS server.

3) Again, it's unlikely that all but 1 client would be infected. In any case I have thoroughly scanned NCTETEST1 and cannot find any infections. What do you recommend I use for packet capture?

Accepted Solution

by:
sdower earned 0 total points
ID: 25605325
Hi,

I'm closing this question as I've been unable to find a resolution to this issue. Thanks for all your help.