Solved

Cannot reach website inside our domain with 0 restrictions, but can from outside our network. Please help!

Posted on 2016-10-26
Last Modified: 2016-10-27
Site: https://sftp.bpas.com/
Accessible outside our network, not inside.
Equipment: Cisco ASA. No restrictions outbound.
Two outbound connection possibilities: CNYwireless, Time Warner. Doesn't work via either.
From inside our network I get:
"This site can't be reached

The webpage at https://sftp.bpas.com/ might be temporarily down or it may have moved permanently to a new web address."
DNS is working fine. Nslookup fine.
Tracert hits our gateway and gets outside fine, then dies (as if it doesn't know how to get back...). All other sites are fine.
Not a cert issue, or an individual or browser issue....
Question by:admitech
 
LVL 6

Expert Comment

by:gilnov
Sorry to ask the obvious but....

Did it ever work? If so, when did it stop and what changed between now and the last time it worked? Is there a piece of gear turned off, unplugged or dead?
 
LVL 28

Expert Comment

by:Jan Springer
You need DNS doctoring.

At the end of the static NAT statement for that server, add the keyword "dns".
 
LVL 6

Expert Comment

by:gilnov
For doctoring to work, you'll also need to route all DNS queries and replies through the ASA so they can be translated. Additionally, DNS inspection must be turned on on the ASA. You could also implement u-turning, which tells the ASA to doctor both the source and destination IP.

More detail here: https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
 
LVL 28

Expert Comment

by:Jan Springer
This is only a concern when internal DNS is configured to hand out a public IP instead of the internal one.

I've yet to see that happen.
 

Author Comment

by:admitech
No, this never worked. Stepped on this landmine. DNS seems to be fine from all devices, including the ASA, so would DNS inspection/u-turning assist with this still? It seems to get out but not return.
 
LVL 28

Expert Comment

by:Jan Springer
What is your DNS server while inside the network?

Is it external?
   if yes, add the "dns" keyword to the end of the static statement and you're done
   if no, then it's internal
     does your internal server forward queries outside for the domain?
          if yes, then you're done after you add the "dns" keyword
          if no, does your server give you a public IP?
              if no, you're done (and you should be able to reach it)
              if yes, change it to the inside IP
 
LVL 6

Expert Comment

by:gilnov
@Jan
Interesting. I was under the impression that you needed to pass all your DNS queries through the ASA for doctoring to work regardless of where DNS lookups were taking place. I learned something today. Thanks, Jan!

@admitech
Yes, either method should fix your issue.
 

Author Comment

by:admitech
Wouldn't let me edit the last comment. I mentioned u-turning to our Sr. Net Admin and he looked at me like I had 3 heads....

Jan: let me run through that list. Great "if this then this"...lol! Thanks!
 
LVL 6

Expert Comment

by:gilnov
Ha! You should let your senior admin fix it then. Be sure to save a copy of your config first!
 
LVL 6

Expert Comment

by:gilnov
Or hire Jan. She's available for gigs.
 
LVL 28

Expert Comment

by:Jan Springer
Well, the flow chart says that if the packets hit the firewall to go to an outside address and that address is a static NAT with "dns", the ASA should swap the IP in the packets and send it back.
 

Author Comment

by:admitech
Lol, unfortunately I arrived at "if no, you're done (and you should be able to reach it)" and cannot!
 

Author Comment

by:admitech
Jan/Gilnov:

Want to paste the config. You guys can probably figure it out in two seconds?!
 
LVL 28

Expert Comment

by:Jan Springer
sh run nat

Copy and paste the NAT entry for the web server into Notepad.
Copy and paste it again.

On the first line, you will insert "no" at the beginning.

On the second line, you will add "dns" to the end.

Copy both lines and paste them in configuration mode into the ASA (no quotes). Save it.

Removing a static entry that is in use will require that you clear the translation first. My recommendation is to do this during a non-peak period -- like before the office opens or whenever traffic to that server is low.
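The procedure above, written out as an added example (this is not the poster's configuration and nothing in the thread shows it; the object name, the inside host 192.168.10.20 and the public address 203.0.113.20 are assumed). It uses ASA 8.3+ object NAT syntax, with the pre-8.3 `static` form of the same two lines at the end:

```cisco
! Added example, not configuration from this thread. Names and addresses are
! assumed: inside host 192.168.10.20 published as 203.0.113.20 on "outside".
!
! Before: a plain static NAT. Inside clients that get 203.0.113.20 back from an
! outside resolver try to reach the public address from the inside and fail.
object network SFTP-SERVER
 host 192.168.10.20
 nat (inside,outside) static 203.0.113.20
!
! Change, entered in configuration mode in a low-traffic window:
! 1. clear the existing translation, otherwise the static cannot be removed
clear xlate local 192.168.10.20
! 2. remove the old rule ("no" at the front of the copied line)
object network SFTP-SERVER
 no nat (inside,outside) static 203.0.113.20
! 3. re-add it with "dns" at the end: A-record answers passing through the ASA
!    that carry 203.0.113.20 are rewritten to 192.168.10.20 for inside clients
 nat (inside,outside) static 203.0.113.20 dns
!
! The rewrite only happens on DNS replies the ASA inspects, so DNS inspection
! must be in the global policy (it is there by default):
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
write memory
!
! Pre-8.3 equivalent of steps 2 and 3 ("sh run static" lists these):
!   no static (inside,outside) 203.0.113.20 192.168.10.20 netmask 255.255.255.255
!   static (inside,outside) 203.0.113.20 192.168.10.20 netmask 255.255.255.255 dns
```

The caveat that reconciles Jan's and gilnov's points: the rewrite works on DNS replies that cross the ASA. An internal DNS server that forwards the query to an outside resolver receives the reply through the ASA, so it is rewritten and the clients get the inside address. An internal server that answers the name from its own zone never sends anything through the ASA, and then the fix is the zone data (split DNS), not the `dns` keyword. Either way this only applies to a server behind the ASA.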
 
LVL 28

Expert Comment

by:Jan Springer
Send it via EE message, please don't post it here.
 
LVL 25

Expert Comment

by:DrDave242
If that server is hosted internally (and it sounds like it is), why not use a split DNS configuration to resolve sftp.bpas.com to the server's internal address? Then you don't have to modify the router/firewall config at all, as that traffic will stay inside your network.

The simplest way to do this will be to create a forward lookup zone named sftp.bpas.com in your internal DNS, then create a blank host record in that zone. Give that record the server's internal IP address. Flush the resolver cache on a client (ipconfig /flushdns) and test from that client.
 

Author Comment

by:admitech
It's an external website outside of our organization and not associated with us. Sorry if I confused you!
 
LVL 6

Expert Comment

by:gilnov
Well, that does shed a different light. Can we assume all PCs inside your LAN have the same problem (or at least all PCs you checked)? What about your domain controller (assuming it's also your internal DNS server)? Where are your PCs getting their EXTERNAL DNS queries served (e.g. do they just check with the DC and the DC handles external lookups, or do all machines go directly to an external DNS provider, including the DC/DNS server)?

Also, you said tracert dies, but where does the trace stop? Can you tell if it ever leaves your carrier's network?
 
LVL 28

Expert Comment

by:Jan Springer
It does not appear to be the ASA, and it's not DNS.
 

Author Comment

by:admitech
Gilnov:

Yes, you are right. None of the PCs on the network can get there. They check with the DC/DNS. DNS appears fine all around. Tracert dies after it leaves the carrier's network, it seems.....
 
LVL 6

Expert Comment

by:gilnov
I haven't seen your config. Is port 22 open on both the internal and external interfaces? Does the remote site use different/non-standard ports for SSH/SFTP? If so, are those ports open on your ASA?
 
LVL 6

Expert Comment

by:gilnov
Also, can you confirm for certain that people inside can NOT access the site AT THE SAME TIME that people outside your LAN can access the site? That is to say, have you ruled out the possibility that the site might actually be temporarily unavailable?
 
LVL 28

Expert Comment

by:Jan Springer
It's not an ASA issue. This is an issue reaching an HTTPS _remote_ site.
 
LVL 6

Expert Comment

by:gilnov
@Jan
It would seem to be something on the OP's network though, since the site is accessible from other networks, wouldn't you agree?
 
LVL 28

Expert Comment

by:Jan Springer
I cannot rule that out yet.
 

Author Comment

by:admitech
Yep, as Jan said, this is not a site to site. The site we are trying to reach is an investment site that HR from a lot of companies do business with, but it is not a part of our network, etc. It seems to be an HTTPS issue but I cannot figure out why. The last place it dies is here (on a tracert):
 106 ms    90 ms    27 ms  ae-1-4.bar2.buffalo1.level3.net [4.69.140.241]
 
LVL 28

Expert Comment

by:Jan Springer
The purpose of the traceroute is to see if you made it off-net, to rule out an internal problem. You do, and that the traceroute dies may only mean that it is blocked in the path.
 

Author Comment

by:admitech
Yes. True, just wanted to show the last hop is outside of us and seemingly our carrier....Never mind that I included that lol.
 
LVL 6

Expert Comment

by:gilnov
@admitech
So all we know at this point is your packets are getting out but responses are not coming back from that site.
Are other ssh/sftp sites affected?
Have you tried connecting from inside your network with PuTTY SFTP or a similar client (i.e. a client other than a web browser)?
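The non-browser check gilnov asks for, as an added example (this is not code from the thread or from anyone in it). It resolves the name, attempts a plain TCP handshake to 443 and 22 with a timeout, and classifies what came back. The host name and ports are assumptions for illustration. The distinction it makes is the one the browser error hides: a timeout (no SYN-ACK and no RST) while DNS works means the SYNs are being dropped somewhere, which is what an IP block at the destination looks like from the inside, whereas a refusal proves the path works and only the port is closed.

```python
"""Added example, not from the original thread: classify why a TCP service
is unreachable from this host.

'This site can't be reached' lumps together three different failures:
DNS did not resolve, the far end refused (RST came back), or the SYNs were
silently dropped (nothing came back). Only the last one looks like the
problem in this thread, and it is also what a destination-side ban list
produces. Host name and ports below are assumptions for illustration.
"""
import errno
import socket

TIMEOUT = 5.0  # seconds; no SYN-ACK and no RST within this is "filtered"


def resolve(host):
    """Return the sorted IPv4 addresses for host, or [] if resolution fails."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_tcp(ip, port, timeout=TIMEOUT):
    """Attempt one TCP handshake and classify the outcome.

    'open'        SYN-ACK received: path and far-end port both work
    'refused'     RST received: host reachable, port closed
    'filtered'    no reply at all: packets dropped (firewall, ban list)
    'unreachable' ICMP/route error: no route from here
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error:%s" % e.errno
    finally:
        s.close()


def diagnose(host, ports=(443, 22)):
    """Resolve host and probe every port on every address it resolves to."""
    addrs = resolve(host)
    if not addrs:
        return {"dns": "failed", "results": {}}
    results = {ip: {p: probe_tcp(ip, p) for p in ports} for ip in addrs}
    return {"dns": "ok", "results": results}


def interpret(report):
    """Reduce a diagnose() report to the one sentence a ticket needs."""
    if report["dns"] != "ok":
        return "DNS resolution failed: fix DNS before looking at the firewall"
    verdicts = {v for per_port in report["results"].values() for v in per_port.values()}
    if verdicts == {"filtered"}:
        return ("All SYNs dropped with DNS working: suspect an IP block upstream "
                "or at the destination (e.g. a ban after repeated failed logons), "
                "not a local DNS or NAT problem")
    if "open" in verdicts:
        return "At least one port answers: the path works; look at the application layer"
    if verdicts == {"refused"}:
        return "Host reachable but ports closed: wrong port or service down"
    return "Mixed results: %s" % sorted(verdicts)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "sftp.bpas.com"
    rep = diagnose(target)
    for ip, per_port in rep["results"].items():
        for port, verdict in per_port.items():
            print("%s:%d %s" % (ip, port, verdict))
    print(interpret(rep))
```

Run it from an inside PC and from a host outside the LAN (a phone hotspot will do) at the same time. "filtered" inside and "open" outside, for this one host while every other site works, points at a block of your public source address rather than at anything on the ASA. A network that answers with ICMP administratively-prohibited instead of dropping shows up as "unreachable", which is the other signature of a deliberate block.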
 

Author Comment

by:admitech
@gilnov
Exactly.
No other sites are affected but this ONE. That we know of; apparently this is a year-long issue that I stepped on, but I'm not giving up until this is fixed.
@Jan @gilnov
I tried PuTTY with Jan. Jan, what was your conclusion on this other than obviously we proved:
Not the ASA, not DNS?

By the way guys, I totally appreciate you sticking with me on this! I've got a 10am meeting with the "big dogs" so we'll see what suggestions we get, BUT considering this has been known not working for a year I am not expecting much! And of course now it's urgent! You know how that works! Good ole IT!
 
LVL 28

Expert Comment

by:Jan Springer
DNS works and he is getting the correct IP address.

Packet-tracer on the ASA shows the flows permitted.

Traceroute shows the packets making it several hops -- way off net -- before they time out.

There has to be a filter in routing toward the destination or at the destination server that needs to be updated, is my best guess.
 
LVL 6

Expert Comment

by:gilnov
Have you contacted your ISP(s) to see if they can offer any insight into why the route is being blocked?
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 450 total points
It's not being blocked at their end. Like I mentioned above -- it's way off-net.
 
LVL 6

Expert Comment

by:gilnov
Comment Utility
I was thinking maybe the ISP could peer deeper into the connection attempt from their perspective and shed additional light on what happens when it leaves their edge, where it times out.
 
LVL 28

Accepted Solution

by:Jan Springer
Jan Springer earned 450 total points

It has no control over routers that other providers own and manage.
 
LVL 6

Expert Comment

by:gilnov
True enough, but they might be able to see the reason the connection is timing out. Probably not, but it can't hurt to ask. We're still trying to find the edges of the problem.
 
LVL 6

Assisted Solution

by:gilnov
gilnov earned 50 total points
You could also try to contact BPAS for help: http://bpas.com/contact_us_existingppt.htm

They may have seen others with the same issue and know exactly what to do.
 

Author Comment

by:admitech
@Gilnov and @Jan

I love you both. Seriously owe you guys whatever you drink. A lot of work to find out that after contacting BPAS for the 20th time I found the right guy, who says "OH, HEY! You are blocked! Too many logon failures!" They removed my IP and "TA DA"!!! It works!
I'm going to go out on a limb and say the Time Warner IP is on the block list too!
 

Author Closing Comment

by:admitech
Thanks so much for going ABOVE AND WAY BEYOND. Jan, you better keep in touch, I owe you for your efforts!
 
LVL 6

Expert Comment

by:gilnov
Happy to be of assistance. Write down the person, or at least the department, you spoke with at BPAS. If you were blocked for too many failed logons once, it's very likely you'll end up being blocked again.
