11-22-2018 01:12 AM - edited 03-12-2019 07:06 AM
I removed the Firepower service policy at outside
and only applied it at inside4.
Allow country United States.
The traditional ASA itself on inside4 allows UDP 53 and TCP 53, and any IP address with TCP 443 and 80,
but it cannot browse duckduckgo.
Attached setting.
11-22-2018 02:06 AM
Even though duckduckgo is US-based, it (and most other globally accessed services) is served up by regional content providers.
For instance, when I do an nslookup on it from my home in Malaysia, I get:
Name: duckduckgo.com Addresses: 54.254.135.186 46.51.219.131
A whois search reveals those two addresses to be in Japan and Europe.
11-22-2018 02:28 AM
Which United States search engine does not have content providers, and has its IP address fixed in the United States?
If it has a content provider, the country option will select more countries, which forces me to use the Protect license to use the IPS policy and application-level filter.
If not using the Protect license, the country filter is useless in the base license.
Moreover, I found the default SSL policy; will it have an influence on it? Can it decrypt Google HTTPS?
11-22-2018 02:32 AM
SSL decryption on ASA models is not recommended, as it consumes a lot of CPU on the box. If you have FTD 900 onward, yes, but I guess this is not the case for you.
11-22-2018 02:46 AM
Country filters are mostly useful for incoming traffic. They are not an effective way to get around any local or regionally-hosted search engines.
SSL decryption is increasingly not useful for outbound communications. Many web sites (especially Google, iTunes, Dropbox, etc.) actively take measures to prevent man-in-the-middle decryption. Even when they do not, you have to set up a PKI and distribute trust of the root CA to all your clients.
SSL decryption is mostly useful when you are decrypting incoming traffic to a server whose private key you control.
11-22-2018 03:16 AM
Which web site has a fixed IP address in the United States for testing the connection?
If not using the country filter,
is the application filter useful for Google, Google Drive, Google email and Amazon cloud only at home?
Because I can press the cache link in the Google web page to indirectly browse the web.
11-22-2018 03:26 AM
What is your goal?
If you want a US-only website then don't try with a globally-used search engine or other software as a service. Instead use something like a US-based university (something US-based with a .edu domain).
11-22-2018 02:10 AM
Correct me if I am wrong about your setup.
You removed the access-list for inspection (Firepower from outside) and applied it to inside4, which I assume is your inside network with security level 100.
For example:
interface GigabitEthernetX/X
 nameif inside4
 security-level 100
 ip address x.x.x.x x.x.x.x
 no shutdown
!
object network inside4
 subnet x.x.x.x x.x.x.x
 nat (inside4,outside) dynamic interface dns
If this is the case then you don't need the access-list, as dynamic NAT will take care of NAT.
Could you please run a command:
packet-tracer input inside tcp x.x.x.x 12345 duck.com 443 detailed
For duck.com, just put the IP address of DuckDuckGo.
Once you provide the output we will have an understanding of what is happening here.
Regards
11-22-2018 05:25 AM
11-22-2018 05:56 AM
Though the DHCP and NAT to the access point are in a subnet different from 192.168.1.0,
the access point's own DHCP is using 192.168.1.0.
Will it conflict with inside itself?
Should I change the access point DHCP address?
I discovered ASDM is not in sync with the console configuration.
My product is made in Mexico; does it have a problem?
11-22-2018 07:44 AM
11-22-2018 04:21 PM
I can send it to you tonight.
Is it that I use the wrong subnet?
Because class B is above 128,
I use class A with a class B subnet.
11-22-2018 04:55 PM
11-24-2018 04:59 PM - edited 11-24-2018 05:00 PM
I can surf the internet now,
but I discovered two wrong things.
First, I cannot use the TCP and UDP tags together in an ASA access policy, so I separated the rules for Google DNS.
Second, I need to remove the Firepower service policy at inside_6.
Another thing is I used packet-tracer to test it; it always shows the packet dropped at the access policy even though I can surf the internet and can connect to the internet, but why is the test wrong?
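The packet-tracer drop question above, and the packet-tracer command suggested earlier in the thread, both come down to reading which phase returns DROP and which access-list line produced it. The Python below is an added example, not code from this thread or from Cisco; the sample output is constructed in the shape ASA packet-tracer prints (the interface names, addresses and the deny rule are made up). It splits the output into phases, reports the first DROP phase together with its Config lines, and pulls the final Action and Drop-reason from the summary. Keep in mind that the command takes its arguments as `packet-tracer input <interface> <protocol> <src-ip> <src-port> <dst-ip> <dst-port> [detailed]`, so a run with the arguments out of order or with a source address that does not belong to the named interface can report a drop for traffic that actually passes.

```python
"""Parse Cisco ASA packet-tracer output and report the first phase that drops.

Added example, not from the thread. SAMPLE_OUTPUT is constructed to mirror the
usual packet-tracer layout; it was not captured from the poster's ASA.
"""
import re

# Constructed sample: a TCP flow from inside4 to a public web server that passes
# the route lookup and is then denied by the interface access-list.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside4_access_in in interface inside4
access-list inside4_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside4
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Split packet-tracer output into one dict per "Phase: N" block.

    Each dict carries 'phase', 'type', 'subtype', 'result', plus 'config' and
    'additional' (the lines under "Config:" and "Additional Information:").
    """
    phases = []
    # Phase blocks are separated by blank lines; the trailing "Result:" summary
    # does not start with "Phase:" and is skipped here.
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue
        fields = {"phase": int(lines[0].split(":", 1)[1]),
                  "config": [], "additional": []}
        section = None  # 'config' or 'additional' while inside a multi-line section
        for line in lines[1:]:
            if line.startswith("Config:"):
                section = "config"
                continue
            if line.startswith("Additional Information:"):
                section = "additional"
                continue
            if section:
                fields[section].append(line.strip())
            else:
                key, _, value = line.partition(":")
                fields[key.strip().lower()] = value.strip()
        phases.append(fields)
    return phases


def parse_summary(text):
    """Return the trailing "Result:" section (interfaces, Action, Drop-reason) as a dict."""
    summary = {}
    # The summary header is "Result:" on a line by itself; per-phase results
    # read "Result: ALLOW" / "Result: DROP", so they do not match this split.
    _, sep, tail = text.partition("\nResult:\n")
    if not sep:
        return summary
    for line in tail.splitlines():
        key, colon, value = line.partition(":")
        if colon:
            summary[key.strip().lower()] = value.strip()
    return summary


def first_drop(text):
    """Return (phase_number, type, config_lines) for the first DROP phase, or None."""
    for phase in parse_phases(text):
        if phase.get("result") == "DROP":
            return phase["phase"], phase.get("type"), phase["config"]
    return None


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_OUTPUT)
    print("Action:", summary.get("action"), "|", summary.get("drop-reason"))
    hit = first_drop(SAMPLE_OUTPUT)
    if hit:
        number, kind, config = hit
        print(f"First drop at phase {number} ({kind}); matching config:")
        for line in config:
            print("  ", line)
```

Paste a real `packet-tracer ... detailed` capture in place of SAMPLE_OUTPUT: when the Config lines under the DROP phase name an access-group on an interface other than the one the working traffic actually enters, the tracer was run against the wrong interface or source address rather than against the policy that browsing traffic hits.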
11-27-2018 05:45 AM