why can't access same websites on restricted PC?

CCCC_12345
Beginner

Have an ASA5510-K8 as firewall, with access rules set up for restricted PCs:

  • Source: IP range of these PCs 192.168.x.0/24
  • Destination: publicPC
  • Service: tcp/http
  • Interface: inside
  • Action: permit

On those PCs, users can only browse the websites that are in favorites, but some of them are working, some are not.

Tested on an unrestricted PC: websites that can’t be accessed from public PCs can be accessed on regular PCs, either by address or IP.

Checked GPO setting, don’t see anything wrong there.


Can anyone please tell me what's wrong and where I should start troubleshooting? Thx.


cadet alain
Mentor

Hi,

On an unrestricted PC, do a ping www.xxxxx to get the IP of the site not working on the restricted PC, then add an entry in the hosts file for this URL, flush the DNS cache of the PC and try browsing. If it is working then it is a DNS problem and you'll have to modify your ACL for DNS queries.

Regards.

Alain

Don't forget to rate helpful posts.

Kind of figured out the cause: in the ASA there are a whole bunch of access rules. For restricted PCs, one ASA rule puts all accessible websites under that rule, but the websites there are based on IP addresses, not web addresses (www.xxxx.xx). For those inaccessible websites, their IP addresses are not valid anymore, so now my question is how do I find the accurate IP address of a website.

The IP I got from the unrestricted PC by PING is not accurate/valid either. For example, I can access a website from the unrestricted PC and, using ping, got the IP of this website, but just can’t use this IP to browse to the website, which means the IP is inaccurate or invalid (this was all done on the unrestricted PC).

Tried on some nslookup websites such as WHOIS, always got “the website you put in is invalid”.

Do I have to contact every website webmaster to get the valid IP? It’s too much work.

All help is appreciated. Thx.

Hi,

In this case use a proxy.

Regards.

Alain

Don't forget to rate helpful posts.

Figured out an easier way:

in CMD

nslookup

set type=a

type in www.xxxxxx.xxx

Got the accurate IP, changed the IP in the ASA access rule --> apply, working.

Thx for the response.
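
The fix in the last post (re-resolve the name, then update the IP in the ASA rule) has to be repeated whenever a site changes address. As an added example, not part of the thread, this Python sketch compares the addresses pinned in a rule with the current A records; the hostnames, addresses and function names are constructed for illustration.

```python
import socket

# Constructed sample: hostname -> IPs currently pinned in the firewall rule
# (documentation-range addresses, not values from the thread).
PINNED = {
    "www.example.com": {"203.0.113.10"},
    "intranet.example.org": {"198.51.100.7", "198.51.100.8"},
    "gone.example.net": {"192.0.2.55"},
}

def resolve_a(hostname):
    """Return the set of IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def audit(pinned, resolver=resolve_a):
    """Compare pinned rule addresses with current DNS answers.

    status: ok         - every current A record is already permitted
            stale      - DNS returns addresses the rule does not permit
            unresolved - lookup failed; leave the rule alone and check by hand
    'remove' lists candidates only: a site behind round-robin DNS or a CDN
    may still serve from an address missing from this one answer.
    """
    report = {}
    for host, rule_ips in sorted(pinned.items()):
        try:
            current = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            report[host] = {"status": "unresolved", "add": set(), "remove": set()}
            continue
        missing = current - rule_ips
        report[host] = {"status": "stale" if missing else "ok",
                        "add": missing, "remove": rule_ips - current}
    return report

def fake_resolver(hostname):
    """Constructed answers so the example runs offline."""
    answers = {
        "www.example.com": {"203.0.113.99"},
        "intranet.example.org": {"198.51.100.7", "198.51.100.8"},
    }
    if hostname not in answers:
        raise socket.gaierror("name not known")
    return answers[hostname]

if __name__ == "__main__":
    for host, r in audit(PINNED, fake_resolver).items():
        print(host, r["status"], "add:", sorted(r["add"]), "remove:", sorted(r["remove"]))
```

Calling `audit(PINNED)` without the second argument uses the system resolver instead of the constructed answers.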
