https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751705#M1013163 <P>I can send you tonight</P> <P>is it that i use wrong subnet ?</P> <P>because class B is above 128</P> <P>i use class A with class B subnet</P> <P>&nbsp;</P> Fri, 23 Nov 2018 00:21:57 GMT Maivoko 2018-11-23T00:21:57Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751308#M1012954 <P>I remove firepower service policy at outside</P> <P>and only apply at inside4</P> <P>&nbsp;</P> <P>Allow country United States</P> <P>&nbsp;</P> <P>Traditional ASA itself inside4 allow UDP 53 and TCP 53 and any IP address with TCP 443 and 80</P> <P>but can not browse duckduckgo</P> <P>&nbsp;</P> <P>Attached setting</P> <P>&nbsp;</P> Tue, 12 Mar 2019 14:06:44 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751308#M1012954 Maivoko 2019-03-12T14:06:44Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751330#M1013149 <P>Even though duckduckgo is US-based, it (and most other globally accessed services) is served up by regional content providers.</P> <P>&nbsp;</P> <P>For instance, when I do an nslookup on it from my home in Malaysia, I get:</P> <P>&nbsp;</P> <PRE>Name: duckduckgo.com Addresses: 54.254.135.186 46.51.219.131 </PRE> <P>A whois search reveals those two addresses to be in Japan and Europe.</P> Thu, 22 Nov 2018 10:06:07 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751330#M1013149 Marvin Rhoads 2018-11-22T10:06:07Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751332#M1013150 <P>correct me if i am wrong in your setup.</P> <P>&nbsp;</P> <P>your remove the access-list for inspection (firepower from outside) and applied it to inside4 which i assume is your inside network with security level 100.</P> <P>for example</P> <P>Interface gigX/X</P> <P>&nbsp;nameif inside4</P> <P>&nbsp;security level 100</P> <P>&nbsp;ip address x.x.x.x x.x.x.x</P> <P>&nbsp;no shut</P> <P>!</P> <P>object network inside4</P> <P>&nbsp;subnet x.x.x.x x.x.x.x</P> <P>&nbsp;nat (inside4,outside) dynamic interface dns</P> <P>if this is the case than you dont need the access-list as dynamic nat will take care of nat.</P> <P>&nbsp;</P> <P>could you please run a command</P> <P>packet tracer input tcp inside x.x.x.x 12345 duck.com 443 detail</P> <P>&nbsp;</P> <P>duck.com just put the ip address of duckduck</P> <P>once you provide the output we have an understanding what happening here.</P> <P>&nbsp;</P> <P>Regards</P> Thu, 22 Nov 2018 10:10:01 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751332#M1013150 Sheraz.Salim 2018-11-22T10:10:01Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751343#M1013151 <P>Which United States search engine do not have content providers? And IP address is fixed at United States?</P> <P>&nbsp;</P> <P>if have content provider, country option will select more countries, it force me to use protect license to use IPS policy and application level Filter&nbsp;</P> <P>if not use protect license, country filter is useless in base license</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>moreover I find default ssl policy , will it have influence to it? can it decrpt google https?</P> Thu, 22 Nov 2018 10:28:32 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751343#M1013151 Maivoko 2018-11-22T10:28:32Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751346#M1013152 <P>ssl decryption on ASA model are not recommended. as it consume a lot of cpu of the box. if you have FTD 900 on ward yes. but i guess this is not the case for you.&nbsp;</P> Thu, 22 Nov 2018 10:32:06 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751346#M1013152 Sheraz.Salim 2018-11-22T10:32:06Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751355#M1013153 <P>Country filters are mostly useful for incoming traffic. They are not an effective way to get around any local or regionally-hosted search engines.</P> <P>&nbsp;</P> <P>SSL decryption is increasingly not useful of outbound communications. Many web sites (especially Google, iTunes, Dropbox etc.) actively take measures to prevent man-in-the-middle decryption. Even when they do not you have to setup a PKI and distribute trust of the root CA to all your clients.</P> <P>&nbsp;</P> <P>SSL decryption is mostly useful when you are decrypting incoming traffic to a server whose private key you control.</P> Thu, 22 Nov 2018 10:46:14 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751355#M1013153 Marvin Rhoads 2018-11-22T10:46:14Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751368#M1013154 <P>Which web site is fixed IP address in United States for testing connection?</P> <P>&nbsp;</P> <P>if not using country filter,</P> <P>is application filter useful for google and google drive and google email and amazon cloud only at home ?</P> <P>&nbsp;</P> <P>because I can press cache link in google web to indirectly browse web</P> Thu, 22 Nov 2018 11:16:35 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751368#M1013154 Maivoko 2018-11-22T11:16:35Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751374#M1013155 <P>What is your goal?</P> <P>&nbsp;</P> <P>If you want a US-only website then don't try with a globally-used search engine or other software as a service. Instead use something like a US-based university (something US-based with .edu domain) .</P> Thu, 22 Nov 2018 11:26:15 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751374#M1013155 Marvin Rhoads 2018-11-22T11:26:15Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751430#M1013156 <P>Attached screen capture</P> Thu, 22 Nov 2018 13:25:15 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751430#M1013156 Maivoko 2018-11-22T13:25:15Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751454#M1013158 <P>Though dhcp and NAT to access point is subnet different from 192.168.1.0</P> <P>&nbsp;</P> <P>but access point itself dhcp is using 192.168.1.0&nbsp;</P> <P>&nbsp;</P> <P>will it conflict with inside itself?</P> <P>&nbsp;</P> <P>should I change access point dhcp address ?</P> <P>i discover ASDM not sync with console configuration&nbsp;</P> <P>&nbsp;</P> <P>my product is made in Mexico , do it have problem?</P> Thu, 22 Nov 2018 13:56:17 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751454#M1013158 Maivoko 2018-11-22T13:56:17Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751538#M1013161 nothing to worry if the product is made in Mexico. this is normal.<BR />could you send me you nat rules.<BR /><BR />show run nat<BR />show run nat detail<BR />and also show us what is the interface setting of inside6<BR />!<BR />i noted access-list is dropping the packet. we need to understand what config you have made up for inside6 Thu, 22 Nov 2018 15:44:40 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751538#M1013161 Sheraz.Salim 2018-11-22T15:44:40Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751705#M1013163 <P>I can send you tonight</P> <P>is it that i use wrong subnet ?</P> <P>because class B is above 128</P> <P>i use class A with class B subnet</P> <P>&nbsp;</P> Fri, 23 Nov 2018 00:21:57 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751705#M1013163 Maivoko 2018-11-23T00:21:57Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751712#M1013165 <P>Inside 7 use wrong subnet class B</P> <P>but I can connect to remote Amazon host</P> <P>&nbsp;</P> <P>then i do similar at inside6 but can not surf internet</P> Fri, 23 Nov 2018 00:55:59 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3751712#M1013165 Maivoko 2018-11-23T00:55:59Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3752261#M1013168 <P>I can surf internet now&nbsp;</P> <P>but I discover two wrong things</P> <P>first can not use tcp and UDP Tag together In ASA access policy , so I separate rules to google dns</P> <P>&nbsp;</P> <P>second . I need to remove service policy of firepower at inside_6</P> <P>&nbsp;</P> <P>Another thing is I used packet tracer to test it, it always show drop packet at access policy even if I can surf internet and can connect internet but why the test is wrong?</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 25 Nov 2018 01:00:02 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3752261#M1013168 Maivoko 2018-11-25T01:00:02Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3753537#M1013170 seems like your access group is wrong you mind to send the config Tue, 27 Nov 2018 13:45:05 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3753537#M1013170 Sheraz.Salim 2018-11-27T13:45:05Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3753548#M1013172 <P>you have configured</P> <P>/////////////////////////////////////////////////////////////////////////////////////</P> <P>access-group inside_6_access_in_1 in interface inside_6</P> <P>access-list inside_6_access_in_in extended deny ip any any log</P> <P>////////////////////////////////////////////////////////////////////////////////////</P> <P>what is inside_6, what address it has?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Nov 2018 13:54:02 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3753548#M1013172 Sheraz.Salim 2018-11-27T13:54:02Z https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3754051#M1013173 <P>inside6 is NAT address, subnet for wireless access point to get ip address at WAN point</P> <P>&nbsp;</P> <P>and DHCP the above subnet<SPAN>&nbsp;for wireless access point to get ip address at WAN point</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 28 Nov 2018 03:48:58 GMT https://community.cisco.com/t5/network-security/can-not-browse-duckduckgo/m-p/3754051#M1013173 Maivoko 2018-11-28T03:48:58Z