WellingtonIS asked:
Website Issue

I have Websense as a firewall and an ASA for a firewall too.  I'm trying to reach pacu.techrn.com.  I have it as an exception in Websense, and if I try to test it, it comes back as allowed.  In addition, I put an exception in my firewall too.  However, I'm getting "page can't be displayed."  If I go on my guest network I have no issues.  I did a Wireshark capture; however, I'm not sure what this means.  Here's a screen shot.  I'm seeing "Reset cause BIG-IP: [0x1e8ac82 : 8923] {peer} TCP retransmit timeout".

[Screenshot: wireshark.png]
masnrock:

I got to the site without issue.

Have you tried this command from a computer on the problem network:

    tracert pacu.techrn.com

Please post the result.
WellingtonIS (asker):

It's not even getting out.  I'm stumped on this one because I've put an exception in the Websense firewall, put an exemption in the firewall, and I can get to it from outside too!  This makes no sense; I can't pin down what is blocking it, and it was working in the morning.  Nothing on my end has changed.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

N:\>tracert pacu.techrn.com

Tracing route to pacu.techrn.com [206.188.193.172]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *

Trace route most likely fails because you have ICMP blocked.

Now where is this site in relationship to you?  Meaning, is this on the public Internet at some other location, or is this a host that you/your company hosts?

Does the guest network go through either Websense or ASA?

Although I know what Websense is, I have never used it.  What type of logging does it have?  Can you run packet captures from it?  Can you run a packet capture on the ASA?

I can reach the site from the guest network.  I tried pinging the site via the ASA but still no response.  The guest network is a separate open network.  This site is not hosted by my company; it's an off-site place.  I'm just not sure what to do on the ASA in order to open this up.  I don't think it's the Websense, because when I test the filter on the Websense for this site it says allowed.  I put the following command in the ASA: filter url except x.x.x.x (inside network) 255.255.255.255 206.188.193.172 255.255.255.255 allow.  It's not a site-to-site VPN, so there's no NATing.  When I do a Wireshark capture it appears it's reaching the site but it's getting disconnected for whatever reason (I think).

Can you save the packet capture with just the traffic to/from the problem web site and post it?  It's a little hard to see what is going on with just a screen shot.

Do you do any content filtering?  It almost looks like something in the path is dropping packets which could be due to content or even packet size.
ASKER CERTIFIED SOLUTION by masnrock

That worked!  I'm not sure why, when I was allowing my network to bypass, it did not, but good to know to use 0.0.0.0 255.255.255.255 instead of my network.  Thanks!  By allowing 0.0.0.0 am I allowing more than just my network?
If your Websense product comes with the V-Series appliance, then you should have the Content Gateway for proxy, and there you should be able to tunnel the website, or do the ARM Static Bypass if you also configured the ASA with the Content Gateway for WCCP transparent proxy.  The other thing with Exceptions is, it will not work with the site if the site is being identified with a category that is being blocked according to your Policy in the Master Database.  The trick is to uncheck the option under "Advanced" at the bottom of the Exception's editor page on the Triton console.

Just read one of your posts.  Using "0.0.0.0 255.255.255.255" says to allow any IP address.

You stated you had "x.x.x.x  255.255.255.255", where x.x.x.x is your inside network.  Using "x.x.x.x  255.255.255.255" allows only the specific IP address x.x.x.x, because you have a subnet mask of 255.255.255.255, which identifies a single host.  If you want the whole subnet, then you would need to replace 255.255.255.255 with the subnet mask of your network.

If you wanted to restrict to a specific IP address you would use x.x.x.x 255.255.255.255 where x.x.x.x is the specific IP address you want to allow.
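The address/mask pairs discussed above decide exactly which inside clients get to bypass URL filtering toward the site. The following is an added example, not code from the thread or from Cisco: it evaluates an ASA-style "filter url except local_ip local_mask foreign_ip foreign_mask" entry with plain subnet-mask semantics, and shows why a network address with a 255.255.255.255 mask covers no real client, why a single-host entry covers one, and how widening to 0.0.0.0 covers every inside host while still limiting the bypass to the one destination. It goes beyond the thread by also showing a whole-subnet mask. Assumptions not stated on the page: the inside host addresses are constructed samples, and an address of 0.0.0.0 is treated as "any host", which is how the thread reports the ASA behaved with "0.0.0.0 255.255.255.255".

```python
"""Added example (not from the Experts Exchange thread): which inside hosts
does an ASA-style URL-filter exception entry actually cover?"""
from ipaddress import IPv4Address


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer (raises on malformed input)."""
    return int(IPv4Address(dotted))


def matches(addr: str, network: str, mask: str) -> bool:
    """True when addr lies inside network/mask using subnet-mask semantics:
    every 1 bit in the mask is a bit of addr that must equal network's bit.
    ASSUMPTION (from the thread, not verified against ASA docs): a network
    of 0.0.0.0 means 'any host' whatever the mask says."""
    if _to_int(network) == 0:
        return True
    m = _to_int(mask)
    return (_to_int(addr) & m) == (_to_int(network) & m)


class UrlFilterException:
    """One 'filter url except local_ip local_mask foreign_ip foreign_mask'
    entry: local = the inside client, foreign = the web server it reaches."""

    def __init__(self, local_ip, local_mask, foreign_ip, foreign_mask):
        self.local_ip, self.local_mask = local_ip, local_mask
        self.foreign_ip, self.foreign_mask = foreign_ip, foreign_mask

    def covers(self, src: str, dst: str) -> bool:
        """Does traffic from src to dst skip URL filtering under this entry?"""
        return (matches(src, self.local_ip, self.local_mask)
                and matches(dst, self.foreign_ip, self.foreign_mask))


def covered_sources(exc: UrlFilterException, dst: str, candidates):
    """Subset of candidate inside hosts that bypass filtering toward dst."""
    return [s for s in candidates if exc.covers(s, dst)]


SITE = "206.188.193.172"  # the server address shown by the thread's tracert
# Constructed sample inside hosts; not from the page.
INSIDE_HOSTS = ["10.1.1.5", "10.1.1.20", "10.1.2.7", "192.168.50.3"]
HOST_MASK = "255.255.255.255"

# The asker's first attempt: a network address with a host mask. Only the
# host literally numbered 10.1.1.0 would match, so no real client is covered.
network_with_host_mask = UrlFilterException("10.1.1.0", HOST_MASK, SITE, HOST_MASK)
# A correct single-host entry.
single_host = UrlFilterException("10.1.1.5", HOST_MASK, SITE, HOST_MASK)
# The whole inside /24, using the subnet's own mask.
whole_subnet = UrlFilterException("10.1.1.0", "255.255.255.0", SITE, HOST_MASK)
# What finally worked in the thread: any inside host, but only toward SITE.
any_host = UrlFilterException("0.0.0.0", HOST_MASK, SITE, HOST_MASK)

if __name__ == "__main__":
    for name, exc in [("network + host mask", network_with_host_mask),
                      ("single host", single_host),
                      ("whole subnet", whole_subnet),
                      ("any host", any_host)]:
        print(f"{name:20s} -> {covered_sources(exc, SITE, INSIDE_HOSTS)}")
    # The foreign side still pins the bypass to one destination.
    print("any_host covers another site?", any_host.covers("10.1.1.5", "203.0.113.9"))
```

The second column of each pair is a subnet mask, not an address, which is why 255.255.255.255 means "this one host" rather than "broadcast/everything". The last line also answers the asker's follow-up: the 0.0.0.0 entry widens the local side to every inside host, but the foreign side still restricts the bypass to the single web server, so URL filtering remains in force for every other destination.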

Yes, I found that out.  I sometimes forget that Cisco is much different than Microsoft.  My thinking was 255.255.255.255 is broadcast and would allow everything.  That's what my mistake was.  Thanks.