Blocked website?

COSH
Level 1

Hi,

 

First, I'm not very good with networking, let alone Cisco networking and CLI.  I have a decent understanding of networking concepts and can navigate, but nowhere close to network engineering level.

 

I have a site that cannot access https://cfars.doj.ca.gov.  They are behind a Sonicwall NSA on which I've tried disabling all security services, but that did not help.  I ultimately configured an available interface on the NSA so I could test directly with my laptop while all NSA security services were enabled - I can access the site without issues.  I returned everything back to normal and ran a tracert, and it seems to get to the Cisco switch stack as it hits the IP of the VLAN IP (gateway).  I log into the switch stack and run a traceroute to the website - the traffic doesn't seem to be leaving the switch.  Over 30 hops, they all time out.  I ran a ping command from the CLI and get 100% failure. I can see that it does resolve DNS but doesn't do anything else beyond that.

 

Where should I be looking to troubleshoot next? 

7 Replies

...

The model for the switch is WS-C3750X-48T-S.  I'm not certain that these feature a firewall.  Apologies if I misunderstood you. I'm doing a lot of poking around and reviewed the ACL IP list.  It doesn't appear that the IP for that website is explicitly listed. 

1. In the access-list, add deny any any at the end of the access-list.

2. show ip access-list
   You will see all ACL lines.

3. Do a traceroute.

4. show ip access-list
   See if the deny any any match counter increases or not.
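As an added example (not posted by anyone in this thread), a small Python script that automates step 4: it parses two captures of show ip access-lists, taken before and after the traceroute, and reports which entries' match counters grew. The sample output lines below are constructed to resemble IOS output and are not from the poster's switch.

```python
import re
from typing import Dict, List, Tuple

# One ACE line of "show ip access-lists" output, e.g.
#   "30 deny ip any any (12 matches)" -> seq 30, "deny ip any any", 12
# Entries that have never matched carry no "(N matches)" suffix.
ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_acl_counters(output: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (acl_name, seq) -> (ace_text, match_count) from show output."""
    counters: Dict[Tuple[str, int], Tuple[str, int]] = {}
    acl = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # Unindented header line, e.g. "Extended IP access list 101"
            acl = line.strip().split()[-1]
            continue
        m = ACE_RE.match(line)
        if m and acl is not None:
            seq, text, count = int(m.group(1)), m.group(2), int(m.group(3) or 0)
            counters[(acl, seq)] = (text, count)
    return counters


def increased_entries(before: str, after: str) -> List[Tuple[str, int, str, int]]:
    """Return (acl, seq, ace_text, delta) for every ACE whose counter grew."""
    b, a = parse_acl_counters(before), parse_acl_counters(after)
    grew = []
    for key, (text, count_after) in a.items():
        count_before = b.get(key, (text, 0))[1]
        if count_after > count_before:
            grew.append((key[0], key[1], text, count_after - count_before))
    return grew


# Constructed sample snapshots (not real device output), captured
# before and after running the traceroute from the switch.
BEFORE = """\
Extended IP access list 101
    10 permit ip 10.0.0.0 0.255.255.255 any (1523 matches)
    20 permit tcp any any eq 443 (45 matches)
    30 deny ip any any (12 matches)
"""
AFTER = BEFORE.replace("(12 matches)", "(42 matches)")

if __name__ == "__main__":
    for acl, seq, text, delta in increased_entries(BEFORE, AFTER):
        print(f"ACL {acl} seq {seq} '{text}': +{delta} matches")
```

If only the final deny entry grows during the traceroute, the ACL is what is dropping the traffic; if no counter moves, look elsewhere (routing or the firewall).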

 

The switch does not have a firewall, but it can have ACLs, as you seem to be discussing.

 

The traceroute may show no hops because firewalls tend not to respond to traceroute, so you may be misreading the results unless there are other L3 devices between the switch and the firewall.

 

If there is an ACL on the L3 VLAN interface, that may be blocking the traffic; it depends.

 

Can you post a quick hand-drawn topology showing the switch, firewall and any other relevant network devices, plus the configuration of the switch.

 

Jon

@MHM Cisco World Seriously again ....



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

johnlloyd_13
Level 9

hi,

ping and traceroute could be blocked in a FW or a layer 3 device (ACL). could you give a brief network topology?

are you able to bypass the sonicwall FW? i.e. configure a spare switch port and configure a direct internet VLAN?

 

 

COSH
Level 1

Hi everyone,

 

Thanks for all of your insights.  I was able to resolve the issue! For whatever reason, I was led to look at the IP routing table.  This is where I found the subnet of the website with the description "167.10.0.0/16 is variably subnetted, 20 subnets, 2 masks." Below it were routes for IPs in the subnet going out to the Sonicwall LAN interface.  Some googling explained how to set a route for the website's IP, so I mirrored the other IPs and then I was able to traceroute and access the website.  Although it works, I don't feel so great not knowing what "167.10.0.0/16 is variably subnetted, 20 subnets, 2 masks" means and why it's there - I'll have to dig into this a little more.
