09-30-2014 09:02 AM - edited 03-05-2019 06:53 AM
I am having a problem with accessing one of the websites on a Cisco network. We have a Cisco 3750X with an ASA5510 in front of it, and multiple VLANs on the network.
The particular website I am trying to access does not work on VLAN113 but works on other VLANs like 130 and 88, for example. All these VLANs share the same physical gateway, which is the ASA, and all have the same public IP. There is no URL filtering in place and the only thing I can see that's different is the DNS. The VLAN 130 and 88 use OpenDNS whereas the 113 uses a local DNS server. I have tried changing the DNS to use Google and OpenDNS but nothing makes any difference. Flushing DNS cache and deleting temp files makes no difference.
Any ideas?
Thanks in advance.
Dima
09-30-2014 11:12 AM
Can you ping your ASA from the web server?
Do you have a route from the ASA to that VLAN?
Can you access the website internally via IP address?
Can you access the website internally by name?
Can you access the website externally via IP address?
09-30-2014 03:15 PM
Dima
It might be helpful if you would provide some information from your ASA. In particular it would help if we knew each of its interfaces and their IP addresses and the security level associated with each of the vlans. It could possibly be an issue with traffic from a lower security level interface trying to go to a higher security level interface.
HTH
Rick
10-01-2014 01:18 AM
Richard,
Here is the list. They all have the same security level, apart from the VLAN 66. However all the VLANs seem to access the website fine but the 113.
Interface                IP-Address       OK?  Method  Status                 Protocol
GigabitEthernet0/0       188.x.x.x        YES  CONFIG  up                     up
GigabitEthernet0/1       192.168.100.250  YES  CONFIG  up                     up
GigabitEthernet0/1.1     unassigned       YES  unset   administratively down  down
GigabitEthernet0/1.21    192.168.21.250   YES  CONFIG  up                     up
GigabitEthernet0/1.22    192.168.22.250   YES  CONFIG  up                     up
GigabitEthernet0/1.55    10.88.0.250      YES  CONFIG  up                     up
GigabitEthernet0/1.66    10.87.0.250      YES  CONFIG  up                     up
GigabitEthernet0/1.95    unassigned       YES  unset   up                     up
GigabitEthernet0/1.100   192.168.108.250  YES  CONFIG  up                     up
GigabitEthernet0/1.113   192.168.113.250  YES  CONFIG  up                     up
GigabitEthernet0/1.115   192.168.115.250  YES  CONFIG  up                     up
GigabitEthernet0/1.130   192.168.130.250  YES  CONFIG  up                     up
GigabitEthernet0/2       unassigned       YES  unset   administratively down  down
GigabitEthernet0/3       unassigned       YES  unset   administratively down  down
GigabitEthernet0/4       unassigned       YES  unset   administratively down  down
GigabitEthernet0/5       10.1.0.1         YES  unset   up                     up
Internal-Control0/0      127.0.1.1        YES  unset   up                     up
Internal-Data0/0         unassigned       YES  unset   down                   down
Internal-Data0/1         unassigned       YES  unset   down                   down
Internal-Data0/2         unassigned       YES  unset   up                     up
Management0/0            unassigned       YES  unset   administratively down  down
10-06-2014 12:47 AM
The problem was down to the server hosting the website that was blocking our IP address! All sorted now, thank you all for your help.
10-06-2014 07:47 AM
Dima
I am glad that you have resolved the issue. Thank you for posting back to the forum to let us know that it is solved and what the issue was. Perhaps it is helpful for us to be reminded that sometimes the problem is not in the device that we manage but is in the other device that we do not manage.
HTH
Rick
10-01-2014 01:14 AM
I do not have access to the webserver to be able to do that as it's a shared host.
It's just a general website hosted elsewhere in the country and other vlans can access it no problem and people outside can access it too.
IP access does not work as it hosts multiple websites.
Cheers
10-01-2014 07:40 AM
It is not clear to me whether this problem is an issue with IP forwarding to the server or is an issue with DNS. So from a device on vlan 113 where the webserver does not work please do a ping to the webserver name. The important thing here is whether the ping is able to resolve the name to an IP address or fails to resolve the name. Please do the ping and inform us of the results.
HTH
Rick
10-01-2014 09:28 AM
Richard,
The name resolves to the same IP as it does outside the network. I've tried using different DNS servers and get the same result. All PCs do the same thing from that vlan.
Cheers
10-01-2014 09:31 AM
And assuming this is the only outside website you cannot reach?
Can you access it by typing the IP into your browser?
10-01-2014 09:33 AM
As far as we know, yes, that's the only website. Cannot access it via IP as it's on a shared host.
10-01-2014 09:50 AM
Can you try some other websites to confirm this?
10-01-2014 12:22 PM
If ping to the name of the webserver does resolve to the correct IP then it is hard for me to see how this would be a DNS problem. It does sound more like an IP forwarding issue. To figure out what it might be we would have to have information about the device doing the forwarding which I believe is an ASA.
HTH
Rick
10-02-2014 12:43 AM
Other websites work fine, it's just this particular one that does not.
What information would you like, Richard?
10-02-2014 04:42 AM
Dima
As a starting point it might be interesting to see the output of
show run | inc 192.168.113
show run | inc <subnet_of_the_server>
Beyond that we would want to see how many interfaces on the ASA, how they are configured, any access lists that are used, any address translations that are configured.
HTH
Rick
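The shared-host point raised in this thread (a bare IP in the browser cannot select one site among many) as an added Python example, not code from any poster: `probe` reports whether DNS, the TCP handshake or the HTTP exchange is the first stage to fail, and sends the site name in the `Host` header so the request can be aimed at the IP. The `SharedHost` server, the name `site.example` and the loopback address are constructed for the demo.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(name, port=80, ip=None, timeout=5):
    """Return (stage, detail) for the first failing stage, or ("ok", status)."""
    try:
        ip = ip or socket.gethostbyname(name)        # stage 1: DNS
    except socket.gaierror as exc:
        return ("dns", str(exc))
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.connect()                               # stage 2: TCP handshake
    except OSError as exc:
        return ("tcp", f"{ip}:{port} {exc}")
    try:
        conn.request("GET", "/", headers={"Host": name})  # stage 3: HTTP by name
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return ("http", str(exc))
    finally:
        conn.close()
    return ("ok", status) if status < 400 else ("http", status)

class SharedHost(BaseHTTPRequestHandler):
    """Constructed stand-in for a shared host: serves only known site names."""
    sites = {"site.example"}
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        self.send_response(200 if host in self.sites else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), SharedHost)  # ephemeral local port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    by_name = probe("site.example", port, ip="127.0.0.1")  # name in Host header
    by_ip = probe("127.0.0.1", port)                       # bare IP, no site name
    server.shutdown()
    server.server_close()
    closed = probe("site.example", port, ip="127.0.0.1")   # listener is gone
    return by_name, by_ip, closed

if __name__ == "__main__":
    print(demo())
```

Run `probe` for the real site from a host on the affected VLAN and from one on a working VLAN: the same resolved IP with a `tcp` or `http` failure on only one of them separates a DNS problem from filtering along the path or at the far end.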