Can't access URL

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi there,

We have 30 users network on W2K Server that is running DNS and DHCP. We're also using CISCO 501 PIX Firewall.

Now, there's an URL (http://www.dtsc.ca.gov/) that we're trying to access from our workstations. And we can't. But I can access it from the server console.

Any ideas?

Thanks a lot.
oleg
 
In osliva <[email protected]> posted a question
Then Kevin replied below:
: Hi there,
:
: We have 30 users network on W2K Server that is running DNS and DHCP.
: We're also using CISCO 501 PIX Firewall.
:
: Now, there's an URL (http://www.dtsc.ca.gov/) that we're trying to
: access from our workstations. And we can't. But I can access it from
: the server console.
:
: Any ideas?
:
: Thanks a lot.
: oleg

From the workstations does the name resolve using nslookup?
Are the Workstations and the DC using the same DNS in TCP/IP properties?
 
Hi Kevin,

- Yes, it resolves with the nslookup.
- All our workstations use the same DNS servers as our DC.

Thanks,
oleg

----- Kevin D. Goodknecht [MVP] wrote: -----

In osliva <[email protected]> posted a question
Then Kevin replied below:
: Hi there,
:
: We have 30 users network on W2K Server that is running DNS and DHCP.
: We're also using CISCO 501 PIX Firewall.
:
: Now, there's an URL (http://www.dtsc.ca.gov/) that we're trying to
: access from our workstations. And we can't. But I can access it from
: the server console.
:
: Any ideas?
:
: Thanks a lot.
: oleg

From the workstations does the name resolve using nslookup?
Are the Workstations and the DC using the same DNS in TCP/IP properties?
 
In osliva <[email protected]> posted a question
Then Kevin replied below:
: Hi Kevin,
:
: - Yes, it resolves with the nslookup.
: - All our workstations use the same DNS servers as our DC.
:
This would just about have to be a rule in the firewall or a networking
issue. Can you ping the IP and the URL?(www.dtsc.ca.gov)
Probably not DNS, unless you are behind the same NAT device (router) as the
web site.
 
Well, I can't ping either from DC nor from my workstation. Tracert times out somewhere in the middle.

thanks,
oleg

----- Kevin D. Goodknecht [MVP] wrote: -----

In osliva <[email protected]> posted a question
Then Kevin replied below:
: Hi Kevin,
:
: - Yes, it resolves with the nslookup.
: - All our workstations use the same DNS servers as our DC.
:
This would just about have to be a rule in the firewall or a networking
issue. Can you ping the IP and the URL?(www.dtsc.ca.gov)
Probably not DNS, unless you are behind the same NAT device (router) as the
web site.
 
In osliva <[email protected]> posted a question
Then Kevin replied below:
: Well, I can't ping either from DC nor from my workstation. Tracert
: times out somewhere in the middle.
:
Sorry for the delay getting back I was out all day yesterday securing a
wireless network.

I checked that site they have ICMP disabled (pretty common these days) so
tracert and ping won't work.

Since the name resolves using nslookup the problem is not DNS, I am
suspecting a firewall rule in your PIX firewall is causing this.
You will need to take a close look at the rules and see what connections
will be denied based on the source and destination IP.
The source IP is 165.235.111.236 and the destination IP is the IP of you
router or workstation. I can't say for sure this is the problem, I myself
have put rules in to block access to certain sites and ended up blocking
other sites because I mistyped the mask.
 
Thank you for getting back to me Kevin.

I don't know if a blocked address is the case here. We don't have any external IP addresses restrictions in our PIX firlewall. Furthermore, our DC is behind the same PIX as the rest of the workstations and still can access this site...

Thank you,
oleg

----- Kevin D. Goodknecht [MVP] wrote: -----

In osliva <[email protected]> posted a question
Then Kevin replied below:
: Well, I can't ping either from DC nor from my workstation. Tracert
: times out somewhere in the middle.
:
Sorry for the delay getting back I was out all day yesterday securing a
wireless network.

I checked that site they have ICMP disabled (pretty common these days) so
tracert and ping won't work.

Since the name resolves using nslookup the problem is not DNS, I am
suspecting a firewall rule in your PIX firewall is causing this.
You will need to take a close look at the rules and see what connections
will be denied based on the source and destination IP.
The source IP is 165.235.111.236 and the destination IP is the IP of you
router or workstation. I can't say for sure this is the problem, I myself
have put rules in to block access to certain sites and ended up blocking
other sites because I mistyped the mask.
 
In
osliva said:
Thank you for getting back to me Kevin.

I don't know if a blocked address is the case here. We don't have any
external IP addresses restrictions in our PIX firlewall. Furthermore,
our DC is behind the same PIX as the rest of the workstations and
still can access this site...

Thank you,
oleg
Click to expand...


If you have traffic shaping enabled on the PIX, that will cause it. Seen
this a couple times mentioned in this forum to be the source of an issue.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top