Cannot browse duckduckgo

Maivoko
Level 1

I removed the Firepower service policy from outside and applied it only at inside4.

Allow country: United States

The traditional ASA itself, on inside4, allows UDP 53 and TCP 53, and any IP address with TCP 443 and 80,

but I cannot browse duckduckgo.

Settings attached.

 


Marvin Rhoads
Hall of Fame

Even though duckduckgo is US-based, it (and most other globally accessed services) is served up by regional content providers.

For instance, when I do an nslookup on it from my home in Malaysia, I get:

Name:    duckduckgo.com
Addresses:  54.254.135.186
          46.51.219.131

A whois search reveals those two addresses to be in Japan and Europe.

Which United States search engine does not have content providers, and has an IP address fixed in the United States?

If it has content providers, the country option will select more countries, which forces me to use the Protect license in order to use the IPS policy and application-level filter.

If I do not use the Protect license, the country filter is useless in the base license.

Moreover, I found the default SSL policy; will it have an influence on this? Can it decrypt Google HTTPS?

SSL decryption on ASA models is not recommended, as it consumes a lot of CPU on the box. If you have an FTD 900 onward, yes, but I guess this is not the case for you.

please do not forget to rate.

Country filters are mostly useful for incoming traffic. They are not an effective way to get around any local or regionally-hosted search engines.

SSL decryption is increasingly not useful for outbound communications. Many web sites (especially Google, iTunes, Dropbox etc.) actively take measures to prevent man-in-the-middle decryption. Even when they do not, you have to set up a PKI and distribute trust of the root CA to all your clients.

SSL decryption is mostly useful when you are decrypting incoming traffic to a server whose private key you control.

Which web site has a fixed IP address in the United States for testing the connection?

If I am not using the country filter, is the application filter useful for Google, Google Drive, Google email and Amazon cloud only at home?

Because I can click the cached link in Google's web search to browse the web indirectly.

What is your goal?

If you want a US-only website then don't try with a globally-used search engine or other software as a service. Instead use something like a US-based university (something US-based with a .edu domain).

Sheraz.Salim
VIP Alumni

Correct me if I am wrong about your setup.

You removed the access-list for inspection (Firepower, from outside) and applied it to inside4, which I assume is your inside network with security level 100.

For example:

interface GigabitEthernetX/X
 nameif inside4
 security-level 100
 ip address x.x.x.x x.x.x.x
 no shutdown
!
object network inside4
 subnet x.x.x.x x.x.x.x
 nat (inside4,outside) dynamic interface dns

If this is the case then you don't need the access-list, as dynamic NAT will take care of NAT.

Could you please run a command:

packet-tracer input inside tcp x.x.x.x 12345 duck.com 443 detailed

For duck.com, just put the IP address of duckduckgo.

Once you provide the output we will have an understanding of what is happening here.

Regards

please do not forget to rate.

Attached screen capture.

Though DHCP and NAT to the access point use a subnet different from 192.168.1.0,

the access point's own DHCP is using 192.168.1.0.

Will it conflict with inside itself?

Should I change the access point DHCP address?

I discovered that ASDM is not in sync with the console configuration.

My product is made in Mexico; does it have a problem?

Nothing to worry about if the product is made in Mexico; this is normal.
Could you send me your NAT rules?

show run nat
show run nat detail
and also show us the interface settings of inside6
!
I noted the access-list is dropping the packet. We need to understand what config you have made for inside6.
please do not forget to rate.

I can send it to you tonight.

Is it that I used the wrong subnet?

Because class B is above 128,

I used class A with a class B subnet.

Inside7 uses the wrong subnet, class B,

but I can connect to the remote Amazon host.

Then I did the same at inside6 but cannot surf the internet.

I can surf the internet now,

but I discovered two wrong things.

First, I cannot use the TCP and UDP tag together in the ASA access policy, so I separated the rules to Google DNS.

Second, I need to remove the Firepower service policy at inside_6.

Another thing is that I used packet tracer to test it; it always shows the packet dropped at the access policy even though I can surf the internet and connect to the internet, so why is the test wrong?
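For reference, one way to express the split DNS rules above (TCP 53 and UDP 53 to the same resolvers) in a single ACE is a service object-group, shown here as an added ASA 8.3+ snippet that is not the thread's own configuration; the ACL name, the inside4 interface, the client address and the resolver addresses are assumptions.

```cisco
! Constructed example, not the poster's config. Assumes ASA 8.3+ object syntax.
! Resolvers (assumed to be the "Google DNS" the thread refers to).
object-group network DNS-RESOLVERS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
!
! One service group carrying both protocols, so a single ACE covers TCP and UDP 53.
object-group service DNS-TCP-UDP
 service-object tcp destination eq domain
 service-object udp destination eq domain
!
! Inbound ACL on inside4: DNS to the resolvers, HTTP/HTTPS anywhere, implicit deny after.
access-list inside4_access_in extended permit object-group DNS-TCP-UDP any object-group DNS-RESOLVERS
access-list inside4_access_in extended permit tcp any any eq www
access-list inside4_access_in extended permit tcp any any eq https
!
access-group inside4_access_in in interface inside4
!
! Check the rule from the CLI. The ingress interface comes before the protocol and the
! keyword is "detailed"; the source must be an address that really sits on inside4,
! otherwise the trace is dropped at an earlier phase and does not exercise the ACL.
packet-tracer input inside4 udp 10.0.0.10 40000 8.8.8.8 53 detailed
packet-tracer input inside4 tcp 10.0.0.10 40001 8.8.8.8 53 detailed
!
! Hit counts confirm which ACE live traffic is actually matching.
show access-list inside4_access_in
```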

 

 

Seems like your access-group is wrong; do you mind sending the config?
please do not forget to rate.