Solved

Win 2003/Exchange server network connection good but no internet connection

Posted on 2006-06-07
Last Modified: 2008-03-10
Have a 2003 server as a Domain controller and running Exchange.
After our ISP changed our public IP address and their DNS servers' addresses, we updated our records with Network Solutions and changed the DNS Forwarders on the server and the NATing in our router (Cisco 1841). Everything looks right, and we now have access to the internet on everything except the server.
Can ping internal addresses from the server, but not external; can ping the router.
From workstations we can ping both internally and externally.

Any ideas where to look?
0
Question by:SCCHIS
8 Comments
 
LVL 5

Expert Comment

by:shankshank
ID: 16854007
Make sure the network settings in Control Panel for the NIC are set properly to the new DNS records also.

On the server, do an ipconfig /flushdns

If the workstations are set to use the domain controller for DNS, and they can see the internet fine, but the server doesn't, I think that means the server itself is doing a lookup on the old DNS server addresses, and the flush should fix that
0
 

Expert Comment

by:cfreyman
ID: 16854012
Can you ping the default gateway from the server?  Can you set up a syslog server and see what warnings are logged when you try to generate traffic from the server to the internet?  If it is an ACL issue, you'll be notified.

Can you provide your cisco config with all public IP's and passwords removed?
0
 
LVL 3

Expert Comment

by:GizmoKid
ID: 16854240
Check NATing on your router for the server.
Check whether the Forwarders in your DNS are configured correctly.
On your TCP/IP Properties give primary DNS your own DNS server IP.
0
 
LVL 3

Accepted Solution

by:
livedrive777 earned 2000 total points
ID: 16855313
From the issue described it sounds like you also cannot ping public addresses, not just public hostnames.  If that is indeed the case then there are really only two things to look at: 1) Make sure your default gateway is set correctly on your server, and 2) Check the NAT entries on your firewall/router.  In most cases you will have a global NAT for all of your workstations to get to the internet and a STATIC NAT for your server so that you can allow traffic into a specific IP for it (like email, etc.).  Try deleting that STATIC NAT entry in your firewall.  On some firewalls you may have to clear the current NAT translations as well by using a command something like "clear xlate" (that is for a PIX).  Now try and surf the internet from the server.  If that then works then it is possible you have a routing problem for that specific IP you were using for your server.

If you have a config of your firewall to post I might have more specific info.
0
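An added example, not part of the original thread: a small Python check for the situation the accepted answer describes, where a static NAT entry for the server still maps to a public address that is no longer valid after an ISP change. The sample config, its public addresses (documentation ranges) and the helper names `unwrap`, `static_nat_entries` and `stale_static_nat` are all constructed for illustration; it also rejoins a lone `extendable` keyword that paste-wrapping has pushed onto its own line.

```python
import re

# Constructed sample in IOS running-config style. Public addresses are
# documentation ranges (RFC 5737), not values from the thread.
SAMPLE_CONFIG = """\
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static tcp 10.57.9.250 25 198.51.100.10 25 route-map SDM_RMAP_4

extendable
ip nat inside source static tcp 10.57.9.250 80 203.0.113.20 80 extendable
ip nat inside source static 10.57.9.110 198.51.100.11
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^ip nat inside source static(?: (?P<proto>tcp|udp))?"
    rf" (?P<local>{IP})(?: (?P<lport>\d+))?"
    rf" (?P<global>{IP})(?: (?P<gport>\d+))?(?P<rest>.*)$"
)


def unwrap(text):
    """Drop blank lines and rejoin a lone 'extendable' that paste-wrapping split off."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "extendable" and lines:
            lines[-1] += " extendable"
        else:
            lines.append(line)
    return lines


def static_nat_entries(text):
    """Parse every 'ip nat inside source static' statement into a dict."""
    matches = (STATIC_RE.match(line) for line in unwrap(text))
    return [m.groupdict() for m in matches if m]


def stale_static_nat(text, current_public_ips):
    """Static NAT entries whose global address is not a currently valid public IP."""
    return [e for e in static_nat_entries(text)
            if e["global"] not in current_public_ips]


if __name__ == "__main__":
    # Assumption: after the ISP change, 203.0.113.20 is the only valid public IP.
    for e in stale_static_nat(SAMPLE_CONFIG, {"203.0.113.20"}):
        port = f"{e['proto']}/{e['lport']}" if e["lport"] else "all traffic"
        print(f"stale: {e['local']} ({port}) -> {e['global']}")
```

Run it against a sanitized copy of the running-config with the set of addresses the ISP currently assigns; each entry it reports is a candidate for the static NAT the answer suggests removing or correcting.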
 

Author Comment

by:SCCHIS
ID: 16855322
NIC is set properly, flushdns didn't help.
Can ping the gateway and anything else internal to the network. Not sure how to set up syslog (on the router, right?).
Only thing changed in the NATing was the old public IP to the new, and it was all working before. Same with the forwarders: just added the new ones, took out the old ones. In TCP/IP Properties, primary DNS is our own DNS server IP.

Config below  (hope I got everything out)

!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip ips notify SDEE
no ip domain lookup
ip name-server 10.57.9.250
ip name-server xx.xx.x.xx
ip name-server xx.xx.x.xx
!
!
!
!
username xxxxxx password xxxxxxxxx
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxx address xx.xx.x.xx no-xauth
crypto isakmp key xxxxxxxxxxxxxx address xx.xx.x.xx no-xauth
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group scch
 key xxxxxxxxxxx
 dns 10.57.9.250
 pool ippool
 acl 108
!
crypto isakmp client configuration group meditech
 key xxxxxxxxxxxx
 dns 10.57.9.250
 pool newpool
 acl 109
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set site esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map SDM_CMAP_1 xxxxxx ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 set peer xx.xx.x.xx
 set transform-set site
 match address 120
crypto map clientmap 2 ipsec-isakmp
 set peer xx.xx.x.xx
 set transform-set ESP-3DES-SHA
 match address 140
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0/1
 description $FW_INSIDE$$ETH-LAN$
 ip address 10.57.4.1 255.255.240.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip policy route-map static
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
ip local pool ippool 192.168.1.1 192.168.1.10
ip local pool newpool 192.168.2.1 192.168.2.10
ip classless
ip route 10.57.16.0 255.255.255.0 10.57.7.20
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static tcp 10.57.9.250 25 xx.xx.x.xx 25 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 10.57.9.250 80 xx.xx.x.xx 80 extendable
ip nat inside source static tcp 10.57.9.110 81 xx.xx.x.xx 81 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 10.57.9.110 443 xx.xx.x.xx 443 route-map SDM_RMAP_3 extendable
!
ip access-list extended sdm_fastethernet0/0_in
 remark SDM_ACL Category=1
 remark SMTP
 permit tcp any eq smtp host 10.57.9.250 eq smtp
ip access-list extended sdm_fastethernet0/1_out
 remark SDM_ACL Category=1
 permit icmp any any
!
logging xx.xx.x.xx
access-list 1 permit 10.57.9.3
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit xx.xx.x.xx
access-list 1 permit 192.168.1.12
access-list 1 permit xx.xx.x.xx
access-list 56 permit 10.57.9.250
access-list 100 permit tcp any host 10.57.9.110 eq www
access-list 100 permit tcp any host 10.57.9.250 eq smtp
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.10
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.9
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.8
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.7
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.6
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.5
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.4
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.3
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.2
access-list 101 deny   ip host 10.57.9.110 host 192.168.1.1
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.10
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.9
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.8
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.7
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.6
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.5
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.4
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.3
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.2
access-list 101 deny   ip host 10.57.9.110 host 192.168.2.1
access-list 101 permit ip host 10.57.9.110 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 remark smtp
access-list 102 permit tcp any host 10.57.9.3 eq smtp
access-list 102 permit udp host 6xx.xx.x.xx eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit ip host xx.xx.x.xx any
access-list 102 permit ip host 10.57.9.3 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 10.57.0.0 0.0.15.255 any
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip xx.xxx.xx.0 0.0.15.255 xx.xx.255.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.10
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.9
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.8
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.7
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.6
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.5
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.4
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.3
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.2
access-list 104 deny   ip host 10.57.9.250 host 192.168.1.1
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.10
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.9
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.8
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.7
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.6
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.5
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.4
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.3
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.2
access-list 104 deny   ip host 10.57.9.250 host 192.168.2.1
access-list 104 permit ip host 10.57.9.250 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.10
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.9
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.8
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.7
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.6
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.5
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.4
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.3
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.2
access-list 105 deny   ip host 10.57.9.110 host 192.168.1.1
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.10
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.9
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.8
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.7
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.6
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.5
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.4
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.3
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.2
access-list 105 deny   ip host 10.57.9.110 host 192.168.2.1
access-list 105 permit ip host 10.57.9.110 any
access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.10
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.9
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.8
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.7
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.6
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.5
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.4
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.3
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.2
access-list 106 deny   ip host 10.57.9.250 host 192.168.1.1
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.10
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.9
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.8
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.7
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.6
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.5
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.4
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.3
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.2
access-list 106 deny   ip host 10.57.9.250 host 192.168.2.1
access-list 106 permit ip host 10.57.9.250 any
access-list 108 permit ip 10.57.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 109 permit ip host 10.57.4.51 192.168.2.0 0.0.0.255
access-list 111 deny   tcp host 10.57.9.250 eq smtp any
access-list 111 deny   tcp host 10.57.9.250 eq www any
access-list 111 deny   ip host 10.57.9.110 any
access-list 111 deny   ip host 10.57.4.51 192.168.2.0 0.0.0.255
access-list 111 deny   ip 10.57.9.0 0.0.0.255 172.17.17.0 0.0.0.255
access-list 111 deny   ip 10.57.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 111 deny   ip host 10.57.4.51 host xx.xx.x.xx
access-list 111 deny   ip host 10.57.4.51 host xx.xx.x.xx
access-list 111 deny   ip host 10.57.4.51 host xx.xx.x.xx
access-list 111 permit ip 10.57.0.0 0.0.15.255 any
access-list 111 permit ip 10.57.16.0 0.0.0.255 any
access-list 120 permit ip 10.57.9.0 0.0.0.255 xx.xx.xxx.0 0.0.0.255
access-list 121 permit ip 10.57.9.0 0.0.0.255 xx.xx.xxx.0 0.0.0.255
access-list 131 remark SDM_ACL Category=17
access-list 131 remark IPSec Rule
access-list 131 permit ip xx.xx.xxx.0 0.0.0.255 xx.xxx.xx.0 0.0.15.255
access-list 131 permit udp any host 10.57.4.1 eq non500-isakmp
access-list 131 permit udp any host 10.57.4.1 eq isakmp
access-list 131 permit esp any host 10.57.4.1
access-list 131 permit ahp any host 10.57.4.1
access-list 131 permit udp host 10.57.9.250 eq domain any
access-list 131 deny   udp any any eq tftp
access-list 131 deny   udp any any eq ntp
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   tcp any any eq 137
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 138
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   udp any any eq 445
access-list 131 deny   tcp any any eq 593
access-list 131 deny   udp any any range 995 999
access-list 131 deny   tcp any any eq 1034
access-list 131 deny   tcp any any eq 1434
access-list 131 deny   tcp any any eq 1604
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 1604
access-list 131 deny   tcp any any range 3127 3198
access-list 131 deny   udp any any range 3127 3198
access-list 131 deny   tcp any any eq 4444
access-list 131 deny   tcp any any eq 5554
access-list 131 deny   tcp any any eq 9996
access-list 131 permit ip any any
access-list 140 permit ip host 10.57.4.51 host xx.xx.x.xx
access-list 140 permit ip host 10.57.4.51 host xx.xx.x.xx
access-list 140 permit ip host 10.57.4.51 host xx.xx.x.xx
route-map static permit 10
 match ip address 121
 set interface Loopback1
!
route-map SDM_RMAP_4 permit 1  
 match ip address 106
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map SDM_RMAP_3 permit 1
 match ip address 105
!
route-map nonat permit 10
 match ip address 111
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password vtpadmin1
 transport input all
 transport output all
!
no process cpu extended
no process cpu autoprofile hog
end
0
 
LVL 5

Expert Comment

by:Computerguy107
ID: 16858692
I am not going to read that much
0
 

Author Comment

by:SCCHIS
ID: 16860892
Ummm.... OK, I'm not really sure why someone would post to say they're not going to read a post, but OK :)
Seriously though, I actually posted the config because two other members who were trying to help asked to see it.

Later.
0
 

Author Comment

by:SCCHIS
ID: 16861323
Points to livedrive777, you got it exactly right.

Thanks a Lot !

(and to everyone else also)
0
