Solved

Why won't web pages load through the DMZ, but do load through the internal network, using a Cisco 2801?

Posted on 2008-10-16
408 Views
Last Modified: 2013-12-25
Experts,

Having problems with getting our DMZ to connect to the web.

The details:
-Small corporate office using a single Cisco 2801 managed by an ISP vendor, both for our internal private network and DMZ setup.
-Internal network is connected to FE 0/0, DMZ to FE 0/1.
-Internal works perfectly, yet the DMZ will not let web pages load
-DMZ has never worked; it was in the process of being implemented but never finished when I arrived at this company
-Verified the FTP server by placing it on the internal side: pages load and FTP works. Also connected a different computer, with the same result
-Tested by connecting directly to FE 0/1 no switch is connected
-Tried both static IP and DHCP
-DHCP will resolve IP, subnet, gateway, DNS. All which are confirmed by ISP as being valid
-Can ping web addresses using IP only, will not ping domain names
-Web pages will not load if using IP web address in place of FQDN
-Using a Barracuda firewall appliance, but have since had the device turned off for testing
-DNS is provided by our external ISP vendor
-Internal network uses an internal DNS which has always worked

This is what I received back from our ISP/Cisco vendor. The IPs are valid but are crossed out

permit ip host 176.x.x.x any
permit tcp host 10.112.x.x eq smtp any eq smtp
permit tcp host 10.112.x.x eq smtp any eq smtp
permit tcp host 10.112.x.x eq smtp any eq smtp
deny   tcp any eq smtp any eq smtp                  <- BLOCKS SMTP outbound
remark Auto generated by SDM for NTP (123) x.x.x.x
permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
permit ip any any

Basically anything out except SMTP at this point.

What I'm mainly looking for are some descriptive troubleshooting ideas that can confirm where the problem might be, as our ISP seems to be dropping the ball.

Thanks for your efforts!
Question by:markhaynes
10 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22735194
So machines that are in your DMZ can not get to the internet?
Are they getting their IP from DHCP or Static IP addresses?
Do they have the correct DNS IP addresses in their network properties?
 

Author Comment

by:markhaynes
ID: 22735287
Well, so far there is only a single computer direct-connected to the DMZ on port FE 0/1 of the Cisco 2801 router. This would seem to be the simplest configuration to get things up and running. No variation of computer connected will access the internet.

I've tried using both DHCP and static addressing, but same result. When using DHCP, it resolves to the correct IP settings across the board as it does with using a static IP.  So the network properties are correct.
LVL 17

Expert Comment

by:Andres Perales
ID: 22735373
To include getting the correct DNS server IP address in your TCP/IP settings?
I am also assuming that you are doing NAT on your 2801 router; has a NAT pool or PAT translation been given to the DMZ network and allowed out?

Author Comment

by:markhaynes
ID: 22735476
Yes, both primary and alternate DNS have been verified, are consistently configured correctly, and will ping.
As far as your question, NAT is used. Details about its configuration are the types of things I need to ask our ISP/Cisco vendor, to make certain these particulars are verified.
I'll ask them about a NAT pool and PAT translation being given to the DMZ and allowed.

This problem has been lingering for months, and I need to fire these types of questions to them in order to inject a list to narrow down the probable issues
LVL 17

Expert Comment

by:Andres Perales
ID: 22735487
Sounds like a plan...
besides access rules, you have to have NAT rules for these things to work.
Good luck

Author Comment

by:markhaynes
ID: 22735911
Ok, all fixed.
Went through the SDM and added an ACL entry at the very top to allow IP to the address it is mapped to; it has a 1:1 map for 172.x.x.x to the public IP.

It's working now!
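Editor's note: the fix in the comment above (a 1:1 static NAT for the DMZ host plus an ACL entry for it) and the earlier point that access rules alone are not enough come together in the IOS configuration below. It is an added example, not the vendor's real 2801 config; every address and the uplink interface name are assumed placeholders (RFC 1918 and RFC 5737 ranges, Serial0/0/0 for the ISP link, which the thread never names). Two details worth checking against the vendor's ACL: first, on IOS an ACL applied inbound on an inside interface is evaluated before NAT and sees private (inside local) addresses, while one applied outbound on the outside interface is evaluated after NAT and must reference the public (inside global) addresses, so the "allow IP to the mapped address" line has to use whichever address form the ACL's placement sees. Second, the posted `deny tcp any eq smtp any eq smtp` only matches packets whose source and destination ports are both 25; a mail client sends from an ephemeral source port, so its traffic never matches that line and falls through to `permit ip any any`. The example matches on destination port only.

```cisco
! Added example config, not the vendor's 2801 configuration. Assumed placeholders:
!   10.112.0.0/24  = internal LAN          172.16.10.0/24  = DMZ
!   172.16.10.10   = DMZ FTP host          198.51.100.10   = its public (1:1) address
!   198.51.100.0/30 = ISP link             198.51.100.100  = ISP NTP server
!   10.112.0.25    = internal mail relay   Serial0/0/0     = uplink (name assumed)
!
! 1. NAT needs to know which interfaces are inside and which is outside.
interface FastEthernet0/0
 description Internal LAN
 ip address 10.112.0.1 255.255.255.0
 ip nat inside
 ip access-group EGRESS in
!
interface FastEthernet0/1
 description DMZ (one host, directly attached, no switch)
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip access-group EGRESS in
!
interface Serial0/0/0
 description ISP uplink (interface name is an assumption)
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group INGRESS in
!
! 2. NAT rules. Without a translation covering 172.16.10.0/24 the DMZ host's
!    packets leave with an RFC 1918 source and no reply ever returns, no matter
!    what the ACL permits. The LAN shares the uplink address (PAT); the DMZ host
!    gets the static 1:1 mapping the fix describes.
ip nat inside source list NAT-PAT interface Serial0/0/0 overload
ip nat inside source static 172.16.10.10 198.51.100.10
!
ip access-list standard NAT-PAT
 remark only the internal LAN is eligible for PAT
 permit 10.112.0.0 0.0.0.255
!
! 3. Egress policy, applied inbound on both inside interfaces, so it is checked
!    before NAT and matches private addresses. Entries are evaluated top-down,
!    first match wins: the DMZ host hits line 1 and never reaches the SMTP deny.
ip access-list extended EGRESS
 remark DMZ host may originate anything (it is the 1:1 mapped host)
 permit ip host 172.16.10.10 any
 remark only the mail relay may send SMTP; match on destination port only,
 remark because clients use ephemeral source ports
 permit tcp host 10.112.0.25 any eq smtp
 deny   tcp any any eq smtp
 remark NTP to the ISP time source
 permit udp any host 198.51.100.100 eq ntp
 permit ip any any
!
! 4. Ingress policy on the uplink, checked before NAT reverses the translation,
!    so it matches the public address. The static 1:1 mapping would otherwise
!    expose every listening port on the DMZ host.
ip access-list extended INGRESS
 remark published service on the DMZ host: FTP control channel only
 permit tcp any host 198.51.100.10 eq ftp
 remark stateless approximations of return traffic for sessions opened from
 remark inside; CBAC ("ip inspect") on the uplink is the proper stateful way
 permit tcp any any established
 permit udp any eq domain any
 permit udp host 198.51.100.100 eq ntp any
 permit icmp any any echo-reply
 deny   ip any any log
```

To confirm where traffic is being dropped, the checks a practitioner would run on the 2801 are `show ip nat translations` (is the 172.16.10.10 to 198.51.100.10 entry present while the DMZ host is sending?), `show access-lists` (per-entry hit counters tell you which line is matching), `show ip interface FastEthernet0/1` (which ACLs are actually applied, and in which direction), and `debug ip nat` on a quiet router. Passive-mode FTP data connections use additional ports that the INGRESS list above does not open; `ip inspect` for FTP, or an explicit passive port range on the server and in the ACL, is needed for that.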
LVL 17

Expert Comment

by:Andres Perales
ID: 22740768
Gave viable answers to his solution; he went out and did them and then tried to close.
LVL 17

Accepted Solution

by:
Andres Perales earned 500 total points
ID: 22740769
Gave viable answers to his solution; he went out and did them and then tried to close.
