Why won't web pages load thru DMZ, but load thru internal network using Cisco 2801?

Experts,

Having problems with getting our DMZ to connect to the web.

The details:
-Small corporate office using a single Cisco 2801 managed by an ISP vendor, both for our internal private network and DMZ setup.
-Internal network is connected to FE 0/0, DMZ to FE 0/1.
-Internal works perfect, yet the DMZ will not allow web pages to connect
-DMZ has never worked, was in the process of being implemented but never finished when I arrived at this company
-Verified FTP server by placing it on internal side and pages load and FTP works. Also connected a different computer with same result
-Tested by connecting directly to FE 0/1 no switch is connected
-Tried both static IP and DHCP
-DHCP will resolve IP, subnet, gateway, DNS. All which are confirmed by ISP as being valid
-Can ping web addresses using IP only, will not ping domain names
-Web pages will not load if using IP web address in place of FQDN
-Using a Barracuda firewall appliance, but have since had device turned off for testing
-DNS is provided by our external ISP vendor
-Internal network uses an internal DNS which has always worked

This is what I received back from our ISP/Cisco vendor. The IPs are valid but are crossed out.

permit IP host 176.x.x.x any
 permit tcp host 10.112.x.x eq smtp any eq smtp
 permit tcp host 10.112.x.x eq smtp any eq smtp
 permit tcp host 10.112.x.x eq smtp any eq smtp
 deny   tcp any eq smtp any eq smtp                                           BLOCKS SMTP outbound
 remark Auto generated by SDM for NTP (123) x.x.x.x
 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
 permit ip any any

Basically anything out except SMTP at this point.

What I'm mainly looking for are some descriptive troubleshooting ideas that can confirm where the problem might be, as our ISP seems to be dropping the ball.

Thanks for your efforts!
markhaynes Asked:
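
The ACL quoted in the question, evaluated first-match, as an added example (not from the original post or from the ISP vendor). The addresses are constructed stand-ins for the masked values, and the parser handles only the `any`/`host` and `eq` forms that appear in that ACL. It shows that an entry with `eq smtp` on both the source and the destination side matches only when both ports are 25, so a connection from an ephemeral source port to port 25 falls through to `permit ip any any`.

```python
# Added example: first-match evaluation of the Cisco-style extended ACL quoted above.
# All addresses are constructed stand-ins for the masked x.x.x.x values.
PORTS = {"smtp": 25, "ntp": 123}
ACL = """\
permit ip host 192.0.2.10 any
permit tcp host 10.112.0.5 eq smtp any eq smtp
deny tcp any eq smtp any eq smtp
remark Auto generated by SDM for NTP (123)
permit udp host 10.112.0.1 eq ntp host 198.51.100.7 eq ntp
permit ip any any
"""

def _endpoint(tok):
    """Consume '<any | host ADDR> [eq PORT]' from the front of the token list."""
    addr = None if tok.pop(0) == "any" else tok.pop(0)
    port = None
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        port = PORTS[name] if name in PORTS else int(name)
    return addr, port

def parse(text):
    """Turn ACL text into (action, protocol, source, destination) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok.pop(0), tok.pop(0).lower()
        rules.append((action, proto, _endpoint(tok), _endpoint(tok)))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, index) of the first matching entry, or the implicit deny."""
    for i, (action, rproto, (sa, sp), (da, dp)) in enumerate(rules):
        if rproto not in ("ip", proto):
            continue
        if sa not in (None, src) or da not in (None, dst):
            continue
        if sp not in (None, sport) or dp not in (None, dport):
            continue
        return action, i
    return "deny", None
RULES = parse(ACL)
DMZ_HOST, MAIL_RELAY = "172.16.0.20", "203.0.113.25"  # constructed
if __name__ == "__main__":
    print(evaluate(RULES, "tcp", DMZ_HOST, 50000, MAIL_RELAY, 25))  # ephemeral source port
    print(evaluate(RULES, "tcp", DMZ_HOST, 25, MAIL_RELAY, 25))     # both ports 25
```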
 
Andres Perales Commented:
Gave viable answers to his solution, he went out and did them and then tried to close.
 
Andres Perales Commented:
So machines that are in your DMZ can not get to the internet?
Are they getting their IP from DHCP or Static IP addresses?
Do they have correct DNS ip addresses in their network properties?
 
 
markhaynes (Author) Commented:
Well so far there is only a single computer direct-connected to the DMZ on port FE 0/1 of the Cisco 2801 router. This would seem to be the most simplistic configuration to get things up and running. No variation of computer connected will access the internet.

I've tried using both DHCP and static addressing, but same result. When using DHCP, it resolves to the correct IP settings across the board as it does with using a static IP.  So the network properties are correct.
 
Andres Perales Commented:
To include getting the correct DNS server IP address for your TCP/IP settings?
I am also assuming that you are doing NAT on your 2801 router; has a NAT pool or PAT translation been given to the DMZ network, and is that allowed out?
 
markhaynes (Author) Commented:
Yes, both primary and alternate DNS have been verified and are consistently configured correctly and will ping.
As far as your question, NAT is used. Details about its configuration are the types of things I need to ask our ISP/Cisco vendor, to make certain these particulars are verified.
I'll ask them about NAT pool and PAT translation being given to the DMZ and allowed.

This problem has been lingering for months, and I need to fire these types of questions to them in order to inject a list to narrow down the probable issues
 
Andres Perales Commented:
Sounds like a plan...
Besides access rules, you have to have NAT rules for these things to work.
Good luck
 
markhaynes (Author) Commented:
Ok, all fixed.
Went through the SDM and added an ACL at the very top to allow IP to the address it is mapped to; it has a 1:1 map for 172.x.x.x to the public IP.

It's working now!