Can't Get to a Website
Cisco ASA. The website we want to get to (www.fixme.com) resolves to 77.77.77.116
The ASA has an IP of 88.88.88.141
An internal PC has the IP of 192.168.12.57
I find these lines in the ASA:
access-list capin extended permit ip host 192.168.12.57 host 77.77.77.116
access-list capin extended permit ip host 77.77.77.116 host 192.168.12.57
access-list capout extended permit ip host 88.88.88.141 host 77.77.77.116
access-list capout extended permit ip host 77.77.77.116 host 88.88.88.141
Even if I remove all these lines, a ping of www.fixme.com resolves properly (77.77.77.116) but the pings are not answered.
Any ideas?
The ASA has an IP of 88.88.88.141
An internal PC has the IP of 192.168.12.57
I find these lines in the ASA:
access-list capin extended permit ip host 192.168.12.57 host 77.77.77.116
access-list capin extended permit ip host 77.77.77.116 host 192.168.12.57
access-list capout extended permit ip host 88.88.88.141 host 77.77.77.116
access-list capout extended permit ip host 77.77.77.116 host 88.88.88.141
Even if I remove all these lines, a ping of www.fixme.com resolves properly (77.77.77.116) but the pings are not answered.
Any ideas?
ASKER
I should have clarified! fixme.com is an example.
The website resolves properly and answers pings outside the firewall (i.e. from public hotspots, home, library, etc.) so it has to be something with my ASA...
The website resolves properly and answers pings outside the firewall (i.e. from public hotspots, home, library, etc.) so it has to be something with my ASA...
Sorry, 77.77.77.116 isn't reachable from my connection.... See my original post.
Is 77.77.77.116 also an example?
Is 77.77.77.116 also an example?
ASKER
Yes, the IPs and all are examples. I try to avoid posting real IPs as malware and spam harvesters love to find them and then do bad things to them!
OK, apologies. Thought we may have a simple problem of incorrect DNS etc. That's not the case. As I don't do ASA, I'll stand down, and apologise for jumping in.
add
access-list capout extended permit ip host 192.168.12.57 host 77.77.77.116
access-list capout extended permit ip host 192.168.12.57 host 77.77.77.116
I am guessing that the access-list on the external interface is capout. Add the following entry:
access-list capout ext permit ip host 77.77.77.116 host <external_ip_of_PC>
access-list capout ext permit ip host 77.77.77.116 host <external_ip_of_PC>
ASKER
JRoyse, I tried your suggestion and still no go.
Mystique, the external IP is 77.77.77.116, so I think you may have meant for the same exact setup as JRoyse.
Here's what's weird...there is no need for those 4 lines in the ASA config. This domain should be resolved and loaded the same as any other. Yet it won't load inside the building. Once you get on a network outside the building, it comes right up.
Is there any kind of testing I can do from the ASA? Even a ping of the IP from within the ASA fails....
Mystique, the external IP is 77.77.77.116, so I think you may have meant for the same exact setup as JRoyse.
Here's what's weird...there is no need for those 4 lines in the ASA config. This domain should be resolved and loaded the same as any other. Yet it won't load inside the building. Once you get on a network outside the building, it comes right up.
Is there any kind of testing I can do from the ASA? Even a ping of the IP from within the ASA fails....
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Put in the private Ip of the source in the packet tracer command
ASKER
Mystique, it all looks good (I think). Before I paste in the output, see if this causes you to think of something else:
If I run a traceroute from off the network, I get all the way there. The second to last hop is liquidweb, the very last hop is host.ez2ba.com. If I run the traceroute internally, I get to liquidweb, then it just starts timing out, it never does that final hop to host.ez2ba.com.
Maybe the ASA views this as some sort of redirect and doesn't like it? Maybe the webhost at host.ez2ba.com for some reason is denying my IP?
Anyway, here's the output: (I changed one or 2 IPs to protect things):
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (74.74.186.151 [Interface PAT])
translate_hits = 344516, untranslate_hits = 9350
Additional Information:
Dynamic translate 192.168.12.74/4444 to 74.74.186.151/60234 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 347622, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
If I run a traceroute from off the network, I get all the way there. The second to last hop is liquidweb, the very last hop is host.ez2ba.com. If I run the traceroute internally, I get to liquidweb, then it just starts timing out, it never does that final hop to host.ez2ba.com.
Maybe the ASA views this as some sort of redirect and doesn't like it? Maybe the webhost at host.ez2ba.com for some reason is denying my IP?
Anyway, here's the output: (I changed one or 2 IPs to protect things):
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (74.74.186.151 [Interface PAT])
translate_hits = 344516, untranslate_hits = 9350
Additional Information:
Dynamic translate 192.168.12.74/4444 to 74.74.186.151/60234 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 347622, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Its all looking good here. I am not sure about the traceroute. What about the captures? Did you get to try that?
ASKER
The capture was able to show me that the webhoster was blocking my public NAT address. Once I inquired as to why, and got them to unblock it, life is good.
ping 77.77.77.116
Pinging 77.77.77.116 with 32 bytes of data:
Reply from 77.77.64.106: Destination host unreachable.
Reply from 77.77.64.106: Destination host unreachable.
ping www.fixme.com
Pinging fixme.com [209.81.96.132] with 32 bytes of data:
Reply from 209.81.96.132: bytes=32 time=140ms TTL=117
Reply from 209.81.96.132: bytes=32 time=139ms TTL=117
Reply from 209.81.96.132: bytes=32 time=139ms TTL=117
Reply from 209.81.96.132: bytes=32 time=138ms TTL=117
Was Fixme.com an example, or is your DNS screwed?