Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cannot reach website inside our domain with 0 restrictions, but can from outside our network. Please help!

Posted on 2016-10-26
40
Medium Priority
?
54 Views
Last Modified: 2016-10-27
Site: https://sftp.bpas.com/
Accessible outside our network not inside
Equipment: Cisco ASA. No restrictions outbound
Two outbound connection possibilities: CNYwireless, Time Warner. Doesn't work via either.
From inside our network I get:
"This site can’t be reached

The webpage at https://sftp.bpas.com/ might be temporarily down or it may have moved permanently to a new web address."
DNS is working fine. Nslookup fine.
Tracert hits our gateway, and outside fine and then dies (as if it doesn't know how to get back...). All other sites are fine.
Not a cert issue or individual or Browser issue....
0
Comment
Question by:admitech
  • 15
  • 13
  • 11
  • +1
40 Comments
 
LVL 7

Expert Comment

by:gilnov
ID: 41860375
Sorry to ask the obvious but....

Did it ever work? If so, when did it stop and what changed between now and the last time it worked? Is there a piece of gear turned off, unplugged or dead?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860403
You need DNS doctoring.

At the end of the static nat statement for that server, add the keyword "dns".
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860436
For doctoring to work, you'll also need to route all DNS queries and replies through the ASA so they can be translated. Additionally, DNS inspection must be turned on on the ASA. You could also implement u-turning which tells the ASA to doctor both the source and destination IP.

More detail here: https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860445
This only is a concern when internal DNS is configured to hand  out a public IP instead of the internal.

I've yet to see that happen.
0
 

Author Comment

by:admitech
ID: 41860446
No this never worked. Stepped on this landmine.  DNS seems to be fine from all devices including the ASA so would DNS inspection/u-turning assist with this still? It seems to get out but not return.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860455
What is your DNS server while inside the network?

Is it external?
   if yes, add the "dns" keyword to the end of the static statement and you're done
   if no, then it's internal
     does your internal server forward queries outside for the domain?
          if yes, then you're done after you add the "dns" keyword
          if no, does your server give you a public IP?
              if no, you're done (and you should be able to reach it)
              if yes, change it to the inside IP
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860464
@Jan
Interesting. I was under the impression that you needed to pass all your DNS queries through the ASA for doctoring to work regardless of where DNS lookups were taking place. I learned something today. Thanks, Jan!

@admitech
Yes, either method should fix your issue.
0
 

Author Comment

by:admitech
ID: 41860465
Wouldn't let me edit the last comment. I mentioned U-turning to our Sr. Net Admin and he looked at me like I had 3 heads....

Jan: let me run through that list. Great if this then this...lol! Thanks!
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860471
Ha! You should let your senior admin fix it then. Be sure to save a copy of your config first!
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860476
Or hire Jan. She's available for gigs.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860477
Well, the flow chart says that if the packets hit the firewall to go to an outside address and that address is a static NAT with "dns", the ASA should swap the IP in the packets and send it back.
0
 

Author Comment

by:admitech
ID: 41860478
Lol,  unfortunately I arrived at "if no, you're done (and you should be able to reach it)" and cannot!
0
 

Author Comment

by:admitech
ID: 41860484
Jan/Gilnov:

Want to paste the config. You guys can probably figure it out in two seconds?!
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860487
sh run nat

copy and paste the nat entry for the web server into notepad
copy and paste it again

on the first line, you will insert "no" at the beginning.

on the second line, you will add "dns" to the end.

copy both lines and paste in configuration mode in to the ASA (no quotes).  save it.

to remove a static entry that is in use will require that you clear the translation first.  my recommendation is to do this during a non-peak period -- like before the office opens or whenever traffic to that server is low.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860488
send it via EE message, please don't post it here.
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 41860564
If that server is hosted internally (and it sounds like it is), why not use a split DNS configuration to resolve sftp.bpas.com to the server's internal address? Then you don't have to modify the router/firewall config at all, as that traffic will stay inside your network.

The simplest way to do this will be to create a forward lookup zone named sftp.bpas.com in your internal DNS, then create a blank host record in that zone. Give that record the server's internal IP address. Flush the resolver cache on a client (ipconfig /flushdns) and test from that client.
0
 

Author Comment

by:admitech
ID: 41860566
its in an external webpage outside of our organization and not associated with us. Sorry if I confused!
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860745
We'll, that does shed a different light. Can we assume all PC's inside your LAN have the same problem (or at least all PC's you checked)? What about your domain controller (assuming it's also your internal DNS server)? Where are your PC's getting their EXTERNAL DNS queries served (e.g. do they just check with the DC and the DC handles external lookups or do all machines go directly to an external DNS provider, including the DC/DNS server)?

Also, you said tracert dies but where does the trace stop? Can you tell if it ever leaves your carrier's network?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860796
It's does not appear to be with the ASA and it's not DNS.
0
 

Author Comment

by:admitech
ID: 41860871
Gilnov:

Yes you are right. None of the PCs on the network can get there. They check with the DC/DNS. DNS appears fine all around. Tracert dies after it leaves the carrier's network it seems.....
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860883
I haven't see your config. Is port 22 open on both the internal and external interfaces? Does the remote site use different/non-standard ports for SSH/SFTP? If so, are those ports open on your ASA?
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860888
Also, can you confirm for certain that people inside can NOT access the site AT THE SAME TIME that people outside your LAN can access the site? That is to say, have you ruled out the possibility that the site might actually be temporarily unavailable?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860889
It's not an ASA issue.  This is an issue reaching an https _remote_ site.
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41860896
@Jan
It would seem to be something on the OP's network though since the site is accessible from other networks, wouldn't you agree?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860899
I cannot rule that out yet.
0
 

Author Comment

by:admitech
ID: 41860902
Yep as Jan said this is not a site to site. The site we are trying to reach is an investment site that HR from a lot of companies do business with but not apart of our network, etc. It seems to be an HTTPs issue but cannot figure out why. Last place it dies here (on a tracert)
 106 ms    90 ms    27 ms  ae-1-4.bar2.buffalo1.level3.net [4.69.140.241]
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41860905
The purpose of the traceroute is to see if you made it off-net to rule out an internal problem.   You do and that the traceroute dies may only mean that it is blocked in the path.
0
 

Author Comment

by:admitech
ID: 41860911
Yes. True, just wanted to show last hop is outside of us and seemingly our carrier....Nevermind that I included that lol.
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41861036
@admitech
So all we know at this point is your packets are getting out but responses are not coming back from that site.
Are other ssh/sftp sites affected?
Have you tried connecting from inside your network with PuTTY SFTP or similar client (i.e. a client other than a web browser)?
0
 

Author Comment

by:admitech
ID: 41862168
@gilnov
Exactly.
No other sites are affected but this ONE. That we know of; apparently this is a year long issue that I stepped on but not giving up until this is fixed.
@Jan @gilnov
I tried Putty with Jan. Jan what was your conclusion on this other than obviously we proved:
Not the ASA, not DNS?

By the way guys I totally appreciate you sticking with me on this! I've got a 10am meeting with the "big dogs" so well see what suggestions we get BUT considering this has been known not working for a year I am not expecting much! And of course now its urgent! You know how that works! Good ole IT!
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41862195
DNS works and he getting the correct IP address.

Packet-tracer on the ASA shows the flows permitted.

Traceroute shows the packets making it several hops -- way off net before they time out.

There has to be a filter in routing toward the destination or at the destination server that needs to be updated is my best guess.
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41862493
Have you contacted your ISP(s) to see if they can offer any insight into why the route is being blocked?
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1800 total points
ID: 41862498
It's not being blocked at their end.  Like I mentioned above -- it's way off-net.
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41862514
I was thinking maybe the ISP could peer deeper into the connection attempt from their perspective and shed additional light on what happens when it leaves their edge where it times out.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 1800 total points
ID: 41862526
It has no control over routers that other providers own and manage.
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41862531
True enough but they might be able to see the reason the connection is timing out. Probably not but it can't hurt to ask. We're still trying to find the edges of the problem.
0
 
LVL 7

Assisted Solution

by:gilnov
gilnov earned 200 total points
ID: 41862722
You could also try to contact BPAS for help: http://bpas.com/contact_us_existingppt.htm

They may have seen others with the same issue and know exactly what to do.
0
 

Author Comment

by:admitech
ID: 41862917
@Gilnov and @Jan

I love you both. Seriously owe you guys whatever you drink. A lot of work to find out that after contacting bpas for the 20th time I found the right guy who says "OH, HEY! you are blocked! Too many logon failures! They removed my ip and "TA DA"!!! It works!
I'm going to go out on a limb and say the Time Warner IP is on the block list too!
0
 

Author Closing Comment

by:admitech
ID: 41862920
Thanks so much for going ABOVE AND WAY BEYOND. Jan you better keep in touch I owe you for your efforts!
0
 
LVL 7

Expert Comment

by:gilnov
ID: 41862984
Happy to be of assistance. Write down the person or at least the department you spoke with at BPAS. If you were blocked for too many failed logons once, it's very likely you'll end up being blocked again.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question