tflai (ASKER) asked:

Unable to connect to one particular site

Hi,

Recently I have not been able to connect to a particular site.  I am able to ping and traceroute www.google.com and www.yahoo.com on the Cisco ASA, but for this particular website I am not able to do either.  However, if I plug directly into the external router connected to the ISP, then I have no problem connecting to the site.  The site itself is not the problem.

What kind of steps can I take to see if the site is blocked somehow?  I checked all the access lists on the ASA, but I don't see anything that may be blocking the site.

Thanks.
Keith Brown:

My guess is that it is a DNS issue. Do you have DNS caching enabled? It is possible for the ASA to cache DNS info, and if things change and the cache is not updated, old information will be used when trying to go to a site.
When you look up the site's IP address (nslookup www.sitex.com) and then tracert to that IP, where does the trace stop? Does it stop at your FW or does it go to the 'net?

If you try to access the site from somewhere else, have you confirmed that it's working?
tflai (ASKER):

When I do an nslookup of the site on my machine, I get the correct IP address.  If I do a traceroute on the ASA, I just get that it is not traceable.  When I ping from the ASA, I just get timeouts and no successful ping attempts.  I can connect to this site from our external connection, so the site is not the problem.

I am trying to troubleshoot it from ASA logging and packet tracing without too much success.  Please let me know if you have some tips or knowledge in these areas.

Thanks.
tflai (ASKER):

We also have the Cisco botnet filter enabled on this ASA firewall.  I have whitelisted the site, but I still cannot connect to this site.

I am using ASDM.  Where can I check DNS caching information?  Or do I need to use CLI?

Thanks.
There are viruses that can block sites that you, as a user, use to update Windows security patches, access Microsoft web sites, download antivirus updates, etc.

There are two ways to do this:
one is through DNS poisoning, and your hosts file will be filled with web sites and fictitious IPs.

The second is through a bunch of registry edits.

the correct address when you do nslookup/ping then I don't think it's a DNS problem.

It sounds to me like a routing or firewall rule issue...

By any chance, is the public IP of this site in the same IP subnet as your ASA? For example, if the subnet mask is not correct on the public interface of the ASA, that would prevent you from accessing some sites.
tflai (ASKER):

I just found the following message in the ASA log: Deny IP spoof from (x.x.x.x) to (IP address of the site) on interface DMZ.  Any idea how I can fix the problem?

Thanks.
When you tried to ping it from the ASA, which interface did you use as the source? Try it using the internal/LAN and external/WAN interfaces and check the logs.
tflai (ASKER):

I found SYN Timeout events whenever I tried to connect to this site.
tflai (ASKER):

I get "Teardown TCP connection for External:x.x.x.x/80 to DMZ:x.x.x.x duration 0:00:30 bytes 0 SYN Timeout" in the ASA log.
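An added example (not from this thread) that pulls the two symptoms discussed here, "Deny IP spoof" and zero-byte "SYN Timeout" teardowns, out of ASA syslog text and tallies them per destination. The sample lines are constructed after the messages quoted above, using documentation addresses; the connection ids and message-id prefixes are assumptions about the usual syslog format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
%ASA-2-106016: Deny IP spoof from (10.0.0.5) to 198.51.100.7 on interface DMZ
%ASA-6-302013: Built outbound TCP connection 4711 for External:203.0.113.9/443 (203.0.113.9/443) to Inside:10.0.0.5/50112 (192.0.2.10/50112)
%ASA-6-302014: Teardown TCP connection 4712 for External:198.51.100.7/80 to DMZ:10.0.0.5/50113 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4713 for External:198.51.100.7/80 to DMZ:10.0.0.5/50114 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4714 for External:203.0.113.9/443 to Inside:10.0.0.5/50112 duration 0:01:12 bytes 8420 TCP FINs
"""

# The parenthesised destination and the connection id are optional so both the
# thread's abbreviated wording and the usual syslog form are accepted.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to \(?(?P<dst>[\d.]+)\)? on interface (?P<ifc>\S+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?:\d+ )?for (?P<a_ifc>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"to (?P<b_ifc>\w+):(?P<b_ip>[\d.]+)(?:/(?P<b_port>\d+))? duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")

def summarize(log_text):
    """Count zero-byte SYN timeouts per (ip, port) and list spoof denies per destination."""
    syn_timeouts = Counter()
    spoof_denies = defaultdict(list)
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            spoof_denies[m["dst"]].append((m["src"], m["ifc"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["reason"].strip() == "SYN Timeout" and m["bytes"] == "0":
            # bytes 0 with SYN Timeout: the SYN left the ASA but no SYN/ACK ever came back.
            syn_timeouts[(m["a_ip"], m["a_port"])] += 1
    return {"syn_timeouts": dict(syn_timeouts), "spoof_denies": dict(spoof_denies)}

def unreachable_destinations(log_text, threshold=2):
    """Destinations with repeated zero-byte SYN timeouts; candidates for a routing/ACL/DNS check."""
    summary = summarize(log_text)
    return sorted({ip for (ip, _port), n in summary["syn_timeouts"].items() if n >= threshold})
```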
It almost sounds like the external IP you're trying to hit is configured on the DMZ interface of the ASA.
Are you using the DMZ interface? Check its IP settings.
tflai (ASKER):

The interesting problem is that most of our external web links, Google, Yahoo, MSN, etc., are working.  I am thinking of rebooting the ASA to clear the cache and stuff to see if that would fix the problem.
If your tracert never hops past the ASA, then it definitely seems to be either a routing problem or an ACL problem on the ASA itself for the public IP range the website is on.

Did you check the interface settings on the DMZ interface? Not close to this public IP at all?
tflai (ASKER):

The DMZ has an IP address of 207.x.x.x and the website IP is 198.x.x.x, so it looks like that is not the source of the problem.

Thanks.

Are there any VPN tunnels on the ASA? Just wondering if the ranges or targets assigned to those tunnels overlap.

If you use ASDM to manage the ASA, go to 'Device Setup', then Routing, and see if there are any routes relevant to the 207 network.

Then I would go to the menus Tools - Packet Tracer, select your external interface, choose icmp for the protocol and 'echo' for the type, use one of your internal IPs as the source and the IP of the webserver as the destination. It will go through a series of steps and hopefully show where/why it's not connecting.
tflai (ASKER):

If I do an nslookup, I get slightly different IP addresses for the website: x.x.232.x (internally) and x.x.234.x (externally).  Perhaps that is causing the problem?  Do I need to ensure they are the same, and how can I do that?  Thanks
Well, that isn't good... the website would normally have only one IP address whether you are internal or external.

If you do this:
nslookup
>server 4.2.2.2
>www.xxxxx.com (or whatever)

What is the IP address you get back? That is the one in the public ('real') world. Can you go to that IP in a browser?

If that works, then you need to figure out why you are resolving the name incorrectly internally...
Try:
ipconfig /flushdns
check your local (internal) assuming that is what you're using
check your hosts file
tflai (ASKER):

Somehow, if I manually change the DNS server IP address to the external ISP IP, then the site will work.
tflai (ASKER):

It's strange, since I removed all the DNS forwarder IP addresses except the ISP's DNS and I am still having problems connecting to the site.  Shouldn't it be the same as using the ISP's DNS?

Please help.  Thanks.
ASKER CERTIFIED SOLUTION
tflai (ASKER):

Thought it sounded like a DNS problem. Can be quite common.
Seems to me I suggested flushing your DNS cache after helping you discover the internal and external IPs were not in sync... but whatever.
tflai (ASKER):

JammyPak, I tried IPConfig /FlushDNS even before your suggestion and that did not work for me at all.  I found a way to manually flush the DNS cache on the DNS server.
tflai (ASKER):

I found the actual solution.
While he specifically stated to try ipconfig /dnsflush, the premise that the DNS cache needed to be flushed, regardless of system, was suggested more than once.