• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 59
  • Last Modified:

Cannot reach website inside our domain with 0 restrictions, but can from outside our network. Please help!

Site: https://sftp.bpas.com/
Accessible outside our network not inside
Equipment: Cisco ASA. No restrictions outbound
Two outbound connection possibilities: CNYwireless, Time Warner. Doesn't work via either.
From inside our network I get:
"This site can’t be reached

The webpage at https://sftp.bpas.com/ might be temporarily down or it may have moved permanently to a new web address."
DNS is working fine. Nslookup fine.
Tracert hits our gateway, and outside fine and then dies (as if it doesn't know how to get back...). All other sites are fine.
Not a cert issue or individual or Browser issue....
0
admitech
Asked:
admitech
  • 15
  • 13
  • 11
  • +1
3 Solutions
 
gilnovSystems AdministratorCommented:
Sorry to ask the obvious but....

Did it ever work? If so, when did it stop and what changed between now and the last time it worked? Is there a piece of gear turned off, unplugged or dead?
0
 
Jan SpringerCommented:
You need DNS doctoring.

At the end of the static nat statement for that server, add the keyword "dns".
0
 
gilnovSystems AdministratorCommented:
For doctoring to work, you'll also need to route all DNS queries and replies through the ASA so they can be translated. Additionally, DNS inspection must be turned on on the ASA. You could also implement u-turning which tells the ASA to doctor both the source and destination IP.

More detail here: https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
0
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

 
Jan SpringerCommented:
This only is a concern when internal DNS is configured to hand  out a public IP instead of the internal.

I've yet to see that happen.
0
 
admitechAuthor Commented:
No this never worked. Stepped on this landmine.  DNS seems to be fine from all devices including the ASA so would DNS inspection/u-turning assist with this still? It seems to get out but not return.
0
 
Jan SpringerCommented:
What is your DNS server while inside the network?

Is it external?
   if yes, add the "dns" keyword to the end of the static statement and you're done
   if no, then it's internal
     does your internal server forward queries outside for the domain?
          if yes, then you're done after you add the "dns" keyword
          if no, does your server give you a public IP?
              if no, you're done (and you should be able to reach it)
              if yes, change it to the inside IP
0
 
gilnovSystems AdministratorCommented:
@Jan
Interesting. I was under the impression that you needed to pass all your DNS queries through the ASA for doctoring to work regardless of where DNS lookups were taking place. I learned something today. Thanks, Jan!

@admitech
Yes, either method should fix your issue.
0
 
admitechAuthor Commented:
Wouldn't let me edit the last comment. I mentioned U-turning to our Sr. Net Admin and he looked at me like I had 3 heads....

Jan: let me run through that list. Great if this then this...lol! Thanks!
0
 
gilnovSystems AdministratorCommented:
Ha! You should let your senior admin fix it then. Be sure to save a copy of your config first!
0
 
gilnovSystems AdministratorCommented:
Or hire Jan. She's available for gigs.
0
 
Jan SpringerCommented:
Well, the flow chart says that if the packets hit the firewall to go to an outside address and that address is a static NAT with "dns", the ASA should swap the IP in the packets and send it back.
0
 
admitechAuthor Commented:
Lol,  unfortunately I arrived at "if no, you're done (and you should be able to reach it)" and cannot!
0
 
admitechAuthor Commented:
Jan/Gilnov:

Want to paste the config. You guys can probably figure it out in two seconds?!
0
 
Jan SpringerCommented:
sh run nat

copy and paste the nat entry for the web server into notepad
copy and paste it again

on the first line, you will insert "no" at the beginning.

on the second line, you will add "dns" to the end.

copy both lines and paste in configuration mode in to the ASA (no quotes).  save it.

to remove a static entry that is in use will require that you clear the translation first.  my recommendation is to do this during a non-peak period -- like before the office opens or whenever traffic to that server is low.
0
 
Jan SpringerCommented:
send it via EE message, please don't post it here.
0
 
DrDave242Commented:
If that server is hosted internally (and it sounds like it is), why not use a split DNS configuration to resolve sftp.bpas.com to the server's internal address? Then you don't have to modify the router/firewall config at all, as that traffic will stay inside your network.

The simplest way to do this will be to create a forward lookup zone named sftp.bpas.com in your internal DNS, then create a blank host record in that zone. Give that record the server's internal IP address. Flush the resolver cache on a client (ipconfig /flushdns) and test from that client.
0
 
admitechAuthor Commented:
its in an external webpage outside of our organization and not associated with us. Sorry if I confused!
0
 
gilnovSystems AdministratorCommented:
We'll, that does shed a different light. Can we assume all PC's inside your LAN have the same problem (or at least all PC's you checked)? What about your domain controller (assuming it's also your internal DNS server)? Where are your PC's getting their EXTERNAL DNS queries served (e.g. do they just check with the DC and the DC handles external lookups or do all machines go directly to an external DNS provider, including the DC/DNS server)?

Also, you said tracert dies but where does the trace stop? Can you tell if it ever leaves your carrier's network?
0
 
Jan SpringerCommented:
It's does not appear to be with the ASA and it's not DNS.
0
 
admitechAuthor Commented:
Gilnov:

Yes you are right. None of the PCs on the network can get there. They check with the DC/DNS. DNS appears fine all around. Tracert dies after it leaves the carrier's network it seems.....
0
 
gilnovSystems AdministratorCommented:
I haven't see your config. Is port 22 open on both the internal and external interfaces? Does the remote site use different/non-standard ports for SSH/SFTP? If so, are those ports open on your ASA?
0
 
gilnovSystems AdministratorCommented:
Also, can you confirm for certain that people inside can NOT access the site AT THE SAME TIME that people outside your LAN can access the site? That is to say, have you ruled out the possibility that the site might actually be temporarily unavailable?
0
 
Jan SpringerCommented:
It's not an ASA issue.  This is an issue reaching an https _remote_ site.
0
 
gilnovSystems AdministratorCommented:
@Jan
It would seem to be something on the OP's network though since the site is accessible from other networks, wouldn't you agree?
0
 
Jan SpringerCommented:
I cannot rule that out yet.
0
 
admitechAuthor Commented:
Yep as Jan said this is not a site to site. The site we are trying to reach is an investment site that HR from a lot of companies do business with but not apart of our network, etc. It seems to be an HTTPs issue but cannot figure out why. Last place it dies here (on a tracert)
 106 ms    90 ms    27 ms  ae-1-4.bar2.buffalo1.level3.net [4.69.140.241]
0
 
Jan SpringerCommented:
The purpose of the traceroute is to see if you made it off-net to rule out an internal problem.   You do and that the traceroute dies may only mean that it is blocked in the path.
0
 
admitechAuthor Commented:
Yes. True, just wanted to show last hop is outside of us and seemingly our carrier....Nevermind that I included that lol.
0
 
gilnovSystems AdministratorCommented:
@admitech
So all we know at this point is your packets are getting out but responses are not coming back from that site.
Are other ssh/sftp sites affected?
Have you tried connecting from inside your network with PuTTY SFTP or similar client (i.e. a client other than a web browser)?
0
 
admitechAuthor Commented:
@gilnov
Exactly.
No other sites are affected but this ONE. That we know of; apparently this is a year long issue that I stepped on but not giving up until this is fixed.
@Jan @gilnov
I tried Putty with Jan. Jan what was your conclusion on this other than obviously we proved:
Not the ASA, not DNS?

By the way guys I totally appreciate you sticking with me on this! I've got a 10am meeting with the "big dogs" so well see what suggestions we get BUT considering this has been known not working for a year I am not expecting much! And of course now its urgent! You know how that works! Good ole IT!
0
 
Jan SpringerCommented:
DNS works and he getting the correct IP address.

Packet-tracer on the ASA shows the flows permitted.

Traceroute shows the packets making it several hops -- way off net before they time out.

There has to be a filter in routing toward the destination or at the destination server that needs to be updated is my best guess.
0
 
gilnovSystems AdministratorCommented:
Have you contacted your ISP(s) to see if they can offer any insight into why the route is being blocked?
0
 
Jan SpringerCommented:
It's not being blocked at their end.  Like I mentioned above -- it's way off-net.
0
 
gilnovSystems AdministratorCommented:
I was thinking maybe the ISP could peer deeper into the connection attempt from their perspective and shed additional light on what happens when it leaves their edge where it times out.
0
 
Jan SpringerCommented:
It has no control over routers that other providers own and manage.
0
 
gilnovSystems AdministratorCommented:
True enough but they might be able to see the reason the connection is timing out. Probably not but it can't hurt to ask. We're still trying to find the edges of the problem.
0
 
gilnovSystems AdministratorCommented:
You could also try to contact BPAS for help: http://bpas.com/contact_us_existingppt.htm

They may have seen others with the same issue and know exactly what to do.
0
 
admitechAuthor Commented:
@Gilnov and @Jan

I love you both. Seriously owe you guys whatever you drink. A lot of work to find out that after contacting bpas for the 20th time I found the right guy who says "OH, HEY! you are blocked! Too many logon failures! They removed my ip and "TA DA"!!! It works!
I'm going to go out on a limb and say the Time Warner IP is on the block list too!
0
 
admitechAuthor Commented:
Thanks so much for going ABOVE AND WAY BEYOND. Jan you better keep in touch I owe you for your efforts!
0
 
gilnovSystems AdministratorCommented:
Happy to be of assistance. Write down the person or at least the department you spoke with at BPAS. If you were blocked for too many failed logons once, it's very likely you'll end up being blocked again.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 15
  • 13
  • 11
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now