Here is the deal. I am certain that this doesn't belong in this category, but I trust the security people more than anyone.
I have a website that I can't access from a certain subinterface. I logged onto the guest VLAN and was able to get to it.
It has always worked until the other day.
I know you might think it has to be a DNS issue, but I don't think that is the case. Let me reiterate: there is NO WEBSENSE OR WEB MONITORING services on. BUT if it is a DNS issue, our DNS is hosted on ONE server, a Windows 2003 server which hosts our DHCP and DNS. How can a server hosting DNS prohibit access to only ONE website???
HOWEVER, on the guest VLAN, it is using the same outside subinterface as my vlan.
Crazy! What could it be! Help!!!
Just one website. It DOES NOT come up with the "page cannot be displayed"; it actually says "check your internet connection", but like I said, I can connect through every VLAN that isn't on our domain. Isn't that weird??
I am totally out of ideas.
I guess the other question is whether or not there would be a good reason to block this website. If there's a good reason to block it, there are plenty of ways to block it without having websense or another filtering server configured. Do you have access to the Firewall config? Can you post a cleansed version?
OK... when I traceroute, it gets there; when I ping, it gets there...
When I put the address in, like I said, "check your internet connection", or it goes to BING, which is a Microsoft search page. On the search page, I see the site, but when I click on it, it gives me the error message.
When I put the IP address in the browser, it goes to CPANEL, which is a web hosting site.
I am working on trying to get a config together, but I don't think it will help.
Ok -- let's think about this from another perspective. You mentioned that the site works from any interface not "on your domain." Is there a reason this site would want to block your domain? If it's being hosted by a web hosting company, then there are most likely monthly bandwidth limits for the operators of the website in question. Could traffic from your organization be overwhelming their site and/or consuming their monthly allotment?
There are ways for the website admins to block your domain:
Here's an example using Apache and .htaccess files: http://www.techiecorner.com/95/block-ip-from-accessing-website-using-htaccess/
There is only one person (a physician) that uses this website, so I know he doesn't bog down their web server.
Where is this file so I can check it? This sounds really good!
Well, it would be on the website's server, so you won't have access to it unfortunately. You could always email the admin of the website and ask if you've been blocked :)
Does your network have any kind of IPS/IDS system in place?
ok...yes we have both IPS, and IDS....
BUT the guest VLAN is on the same subinterface on the Cisco ASA, which makes my VLAN and the guest VLAN have the same outside IP address. Make sense? So they should be blocking my IP address.
What about the IPS/IDS?
So your internet traffic, whether from the guest VLAN or the non-guest VLAN, is NAT'd to the same external IP range (or address)?
I'm just throwing out ideas here... IPS can block traffic if it deems it malicious, but depending on the placement it would block the traffic no matter where it was accessed from. Unless the IPS was on a different path to the internet than the traffic from the guest VLAN...
Yes... that is correct on the NAT question.
I checked IPS and nothing is being blocked or logged.
That was a very good idea though... Anything else I can check?
What about this: try accessing the website from the problem VLAN, through a web proxy service like Ninjacloak: http://ninjacloak.com/
What happens then?
Hmm... So here's what we know:
1. Website works from guest VLAN Y
2. Website does not work from VLAN X
3. Internal IPs and guest IPs are NAT'd to the same external range.
4. Website works from VLAN X when viewing through a proxy service.
Just to clarify, are you NAT'ing to the same external range for both guest VLAN and trouble VLAN or are they unique ranges on the same outside network?
i.e.
nat (guest) 1 x.x.x.x
nat (inside) 1 x.x.x.x
global (outside) 1 x.x.x.x
or
nat (guest) 1 x.x.x.x
nat (inside) 2 x.x.x.x
global (outside) 1 x.x.x.x
global (outside) 2 x.x.x.x
If your outside IPs really do overlap for the different VLANs, then I'm at a loss. Somewhere in your network there is something that is blocking that specific website. You can configure ASAs to block web traffic using modular policies and access-lists, so it's still possible the firewall is blocking it.
Another question I should've thought of earlier on, is it only one host on the trouble VLAN or all hosts on the trouble VLAN that can't access the website?
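Added example, not part of the original thread: a small Python check for the question asked above, whether the guest and inside interfaces really translate to the same global pool. It assumes the pre-8.3 ASA `nat`/`global` syntax sketched in the thread; the interface names, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed samples in pre-8.3 ASA syntax; addresses are documentation ranges.
SAMPLE_SHARED = """\
nat (guest) 1 192.168.50.0 255.255.255.0
nat (inside) 1 10.10.0.0 255.255.0.0
global (outside) 1 interface
"""
SAMPLE_SPLIT = """\
nat (guest) 1 192.168.50.0 255.255.255.0
nat (inside) 2 10.10.0.0 255.255.0.0
global (outside) 1 203.0.113.10
global (outside) 2 203.0.113.11
"""

NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^\s*global \((\S+)\) (\d+) (\S+)")

def egress_pools(config, out_if="outside"):
    """Map each source interface to the global pools it translates to on out_if."""
    nat_ids = defaultdict(set)  # source interface -> NAT ids bound to it
    pools = defaultdict(set)    # NAT id -> global addresses/ranges on out_if
    for line in config.splitlines():
        if (m := NAT_RE.match(line)):
            if m.group(2) != "0":  # nat 0 is exemption/identity NAT: no global pool
                nat_ids[m.group(1)].add(m.group(2))
        elif (m := GLOBAL_RE.match(line)) and m.group(1) == out_if:
            pools[m.group(2)].add(m.group(3))
    return {iface: set().union(*(pools[i] for i in ids))
            for iface, ids in nat_ids.items()}

def same_egress(config, a, b, out_if="outside"):
    """True when interfaces a and b have identical, non-empty global pools."""
    p = egress_pools(config, out_if)
    return bool(p.get(a)) and p.get(a) == p.get(b)

if __name__ == "__main__":
    for name, cfg in (("shared", SAMPLE_SHARED), ("split", SAMPLE_SPLIT)):
        print(name, egress_pools(cfg), same_egress(cfg, "guest", "inside"))
```

If the two interfaces come back with different pools, the remote site can tell the VLANs apart by source address, which keeps a server-side block in play.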