why can't access same websites on restricted PC?
11-19-2012 02:24 PM - edited 03-11-2019 05:25 PM
Have an ASA5510-K8 as firewall, with access rules set up for restricted PCs:
- Source: IP range of these PCs 192.168.x.0/24
- Destination: publicPC
- Service: tcp/http
- Interface: inside
- Action: permit
On those PCs, users can only browse the websites that are in favorites, but some of them are working, some are not.
Tested on an unrestricted PC: websites that can’t be accessed from public PCs can be accessed on regular PCs, either by address or IP.
Checked GPO settings, don’t see anything wrong there.
Can anyone please tell me what's wrong and where I should start troubleshooting? Thx.
Labels: NGFW Firewalls
11-19-2012 11:23 PM
Hi,
On an unrestricted PC, do a ping www.xxxxx to get the IP of the site not working on the restricted PC, then add an entry in the hosts file for this URL, flush the DNS cache of the PC and try browsing. If it is working then it is a DNS problem and you'll have to modify your ACL for DNS queries.
Regards.
Alain
Don't forget to rate helpful posts.
11-20-2012 11:46 AM
Kind of figured out the cause: in the ASA there are a whole bunch of access rules. For restricted PCs, one ASA rule puts all accessible websites under that rule, but the websites there are based on IP addresses, not web addresses (www.xxxx.xx). For those inaccessible websites, their IP addresses are not valid anymore, so now my question is how do I find the accurate IP address of a website.
The IP I got from the unrestricted PC by PING is not accurate/valid either. For example, I can access a website from the unrestricted PC and, using ping, got the IP of this website, but just can’t use this IP to browse to the website, which means the IP is inaccurate or invalid (this was all done on the unrestricted PC).
Tried some nslookup websites such as WHOIS, always got “the website you put in is invalid”.
Do I have to contact every website's webmaster to get the valid IP? It’s too much work.
All help is appreciated. Thx
11-20-2012 12:36 PM
Hi,
In this case use a proxy.
Regards.
Alain
Don't forget to rate helpful posts.
11-20-2012 02:29 PM
Figured out an easier way:
In CMD:
nslookup
set type=a
type in www.xxxxxx.xxx
Got the accurate IP, changed the IP in the ASA access rule --> apply, working.
Thx for the response.
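
The manual nslookup fix above can be made a repeatable check. The following is an added example, not code from any poster in this thread: it compares the host entries of an IP-based HTTP rule with what each allowed site resolves to now, and lists both addresses that are missing from the rule and permitted addresses that no allowed site uses any more. The ACL name, subnet, site names and DNS answers are constructed sample data, and the regular expression assumes rules written as `permit tcp <net> <mask> host <ip> eq www`.

```python
import re
import socket

# Constructed sample ACL in ASA syntax (documentation addresses, not from the thread).
SAMPLE_ACL = """\
access-list inside_in extended permit tcp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq www
access-list inside_in extended permit tcp 192.168.10.0 255.255.255.0 host 198.51.100.7 eq www
access-list inside_in extended permit tcp 192.168.10.0 255.255.255.0 host 192.0.2.44 eq www
"""
# Constructed DNS answers standing in for live lookups, so the example runs offline.
SAMPLE_DNS = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},  # two A records, one not permitted
    "www.example.org": {"198.51.100.99"},                 # site moved; ACL still has the old IP
    "www.example.net": set(),                             # name no longer resolves
}
HOST_RE = re.compile(r"permit tcp \S+ \S+ host (\d{1,3}(?:\.\d{1,3}){3}) eq www")


def permitted_hosts(acl_text):
    """Destination IPs that the ACL permits for HTTP."""
    return set(HOST_RE.findall(acl_text))


def resolve_a(hostname):
    """Current IPv4 addresses for a name, using the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit(acl_text, sites, resolver=resolve_a):
    """Compare ACL host entries with what each allowed site resolves to now."""
    permitted = permitted_hosts(acl_text)
    answers = {name: set(resolver(name)) for name in sites}
    in_use = set().union(*answers.values())
    return {
        # A records the firewall does not permit: the site fails for restricted PCs.
        "missing": {n: sorted(ips - permitted) for n, ips in answers.items() if ips - permitted},
        # Permitted IPs no allowed site uses any more: candidates for removal.
        "stale": sorted(permitted - in_use),
        "unresolved": sorted(n for n, ips in answers.items() if not ips),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_ACL, SAMPLE_DNS, resolver=SAMPLE_DNS.get))
```

Calling `audit()` without the `resolver` argument uses live DNS; sites behind several A records show up under `missing` until every address is in the rule, which is why a single ping result may not be enough.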
