Solved

Why won't web pages load through the DMZ, when they load through the internal network, using a Cisco 2801?

Posted on 2008-10-16
402 Views
Last Modified: 2013-12-25
Experts,

Having problems with getting our DMZ to connect to the web.

The details:
-Small corporate office using a single Cisco 2801 managed by an ISP vendor, for both our internal private network and the DMZ
-Internal network is connected to FE 0/0, DMZ to FE 0/1
-Internal works perfectly, yet the DMZ will not load web pages
-DMZ has never worked; it was in the process of being implemented but never finished when I arrived at this company
-Verified the FTP server by placing it on the internal side: pages load and FTP works. Also connected a different computer, with the same result
-Tested by connecting directly to FE 0/1; no switch is connected
-Tried both static IP and DHCP
-DHCP resolves IP, subnet, gateway and DNS, all of which are confirmed by the ISP as valid
-Can ping web addresses using IP only; will not ping domain names
-Web pages will not load when using an IP address in place of the FQDN
-Using a Barracuda firewall appliance, but have since had the device turned off for testing
-DNS is provided by our external ISP vendor
-Internal network uses an internal DNS which has always worked

This is what I received back from our ISP/Cisco vendor. The IPs are valid but are crossed out

 permit ip host 176.x.x.x any
 permit tcp host 10.112.x.x eq smtp any eq smtp
 permit tcp host 10.112.x.x eq smtp any eq smtp
 permit tcp host 10.112.x.x eq smtp any eq smtp
 deny   tcp any eq smtp any eq smtp          <-- BLOCKS SMTP outbound
 remark Auto generated by SDM for NTP (123) x.x.x.x
 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
 permit ip any any

Basically anything out except SMTP at this point.

What I'm mainly looking for are some descriptive troubleshooting ideas that can confirm where the problem might be, as our ISP seems to be dropping the ball.

Thanks for your efforts!
Question by:markhaynes
10 Comments
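The poster asks for a way to confirm where the break is. The four observations already in the question (ping by IP works, names do not resolve, a page does not load even by IP) form a pattern that points at one layer, and the script below is an added example that turns that pattern into a verdict. It is not code from the thread, the poster or the ISP; the probe targets at the bottom are assumptions, and the probes use only the host's normal ping tool, resolver and TCP stack.

```python
"""Layered reachability probe for a host behind a router or firewall.

Added example; it is not code from the original thread or from the ISP. It
runs the four checks the poster describes (ping an IP, resolve a name,
TCP-connect to port 80 by IP and by name) and maps the pass/fail pattern
onto the layer or device most likely dropping the traffic. The default
probe targets at the bottom are assumptions; replace them with your own.
"""
import socket
import subprocess
import sys
from typing import Dict, Tuple


def ping(ip: str, timeout_s: int = 5) -> bool:
    """ICMP echo via the OS ping tool, so no raw-socket privilege is needed."""
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    try:
        proc = subprocess.run(
            ["ping", count_flag, "1", ip],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout_s,
        )
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def resolve(name: str) -> bool:
    """Name lookup through this host's configured resolver (normally UDP/53)."""
    try:
        socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
        return True
    except socket.gaierror:
        return False


def tcp_connect(target: str, port: int = 80, timeout_s: int = 3) -> bool:
    """Completes the TCP handshake only; no HTTP request is sent."""
    try:
        with socket.create_connection((target, port), timeout=timeout_s):
            return True
    except OSError:  # includes gaierror when target is an unresolvable name
        return False


def diagnose(icmp_ip: bool, dns: bool, tcp_ip: bool, tcp_name: bool) -> str:
    """Map the four probe results to a short verdict code (see EXPLANATIONS)."""
    if tcp_ip and tcp_name:
        return "ok" if icmp_ip else "ok_icmp_filtered"
    if tcp_ip:                      # by IP works, by name does not
        return "dns_answer_wrong" if dns else "dns_blocked"
    if dns:                         # UDP/53 works, TCP/80 does not
        return "tcp80_filtered"
    if icmp_ip:                     # only ICMP gets through: the thread's pattern
        return "router_filter"
    return "no_l3_path"             # nothing at all comes back


EXPLANATIONS = {
    "ok": "Full connectivity.",
    "ok_icmp_filtered": "Web works; only ICMP is being dropped somewhere.",
    "dns_blocked": "TCP/80 by IP works but names do not resolve: the resolver "
                   "address is wrong or UDP/53 to it is filtered.",
    "dns_answer_wrong": "Names resolve, but the address they resolve to is not "
                        "reachable: check for an internal/split DNS answering "
                        "with private addresses, or a wrong resolver.",
    "no_l3_path": "No reply even to ICMP by IP: check the host's address, mask "
                  "and gateway, the router's default route, and that a NAT "
                  "translation exists for this host (show ip nat translations).",
    "tcp80_filtered": "DNS works but TCP/80 does not: an ACL or inspection rule "
                      "on the router is dropping the host's TCP traffic.",
    "router_filter": "ICMP by IP passes, so the host, gateway and NAT path exist, "
                     "but UDP/53 and TCP/80 are dropped: look for a missing "
                     "permit for this host's address in the router's ACL "
                     "(show access-lists shows which entry is matching).",
}


def run(ip: str, name: str) -> Tuple[Dict[str, bool], str]:
    """Execute the probes against a live target and return (results, verdict)."""
    results = {
        "icmp_ip": ping(ip),
        "dns": resolve(name),
        "tcp_ip": tcp_connect(ip),
        "tcp_name": tcp_connect(name),
    }
    return results, diagnose(**results)


if __name__ == "__main__":
    # Assumed defaults; pass an IP and a hostname on the command line instead.
    target_ip = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.10"
    target_name = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    probe_results, verdict = run(target_ip, target_name)
    for probe, passed in probe_results.items():
        print(f"{probe:9s} {'PASS' if passed else 'FAIL'}")
    print(f"verdict: {verdict}\n{EXPLANATIONS[verdict]}")
```

Run it from the DMZ host against a public web server's IP and name. The combination reported in the question (ICMP by IP passes, everything else fails) yields `router_filter`: a private host with no NAT entry would get no ICMP replies at all, so a working ping by IP means routing and translation exist for that host and the remaining suspect is a filter that permits ICMP but not TCP/UDP, which is where the thread's fix ended up.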
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22735194
So machines that are in your DMZ cannot get to the internet?
Are they getting their IP from DHCP or static IP addresses?
Do they have the correct DNS IP addresses in their network properties?
 

Author Comment

by:markhaynes
ID: 22735287
Well, so far there is only a single computer direct-connected to the DMZ on port FE 0/1 of the Cisco 2801 router. This would seem to be the simplest configuration to get things up and running. No variation of computer connected will access the internet.

I've tried using both DHCP and static addressing, with the same result. When using DHCP, it resolves to the correct IP settings across the board, as it does when using a static IP. So the network properties are correct.
LVL 17

Expert Comment

by:Andres Perales
ID: 22735373
Including getting the correct DNS server IP address in your TCP/IP settings?
I am also assuming that you are doing NAT on your 2801 router. Has a NAT pool or PAT translation been given to the DMZ network, and is that allowed out?

Author Comment

by:markhaynes
ID: 22735476
Yes, both primary and alternate DNS have been verified, are consistently configured correctly, and will ping.
As far as your question, NAT is used. Details about its configuration are the types of things I need to ask our ISP/Cisco vendor, to make certain these particulars are verified.
I'll ask them about nat pool and pat translation being given to the DMZ and allowed

This problem has been lingering for months, and I need to fire these types of questions to them in order to inject a list to narrow down the probable issues
LVL 17

Expert Comment

by:Andres Perales
ID: 22735487
Sounds like a plan...
besides access rules, you have to have NAT rules for these things to work.
Good luck

Author Comment

by:markhaynes
ID: 22735911
Ok, all fixed.
Went through the SDM and added an ACL entry at the very top to allow IP to the address it is mapped to; it has a 1:1 map for 172.x.x.x to the public IP.

It's working now!
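The fix the poster describes, a 1:1 static translation for the DMZ host plus a permit for that host at the top of the access list, as an added IOS configuration example. This is not the poster's or the ISP's configuration: interface names and every address are assumptions (DMZ host 172.16.2.10 on FastEthernet0/1 mapped to the public address 203.0.113.10, internal LAN 10.112.0.0/24 on FastEthernet0/0, ISP uplink on FastEthernet0/1/0), and the access list is assumed to be applied inbound on the DMZ interface, where it sees the host's private (pre-NAT) source address.

```cisco
! Added example, not the poster's or the ISP's running config.
! All addresses and interface names below are assumed.
!
interface FastEthernet0/0
 description Internal LAN
 ip address 10.112.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description DMZ
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
interface FastEthernet0/1/0
 description ISP uplink
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! 1:1 static translation for the DMZ host. Without "ip nat inside" on the
! DMZ interface this line never fires and the host leaves with its private
! source address, so nothing comes back.
ip nat inside source static 172.16.2.10 203.0.113.10
!
! Inbound filter on the DMZ interface. Entries are matched top-down and the
! first match wins, which is why the permit for the mapped host goes first.
ip access-list extended DMZ-IN
 permit ip host 172.16.2.10 any
 deny   tcp any any eq smtp
 permit ip any any
!
! Checks from privileged exec while the DMZ host browses:
!   show ip nat translations                 - expect 203.0.113.10 <-> 172.16.2.10
!   show access-lists DMZ-IN                 - match counters show which entry wins
!   show ip interface FastEthernet0/1 | include access list
!   debug ip nat                             - one line per new translation
```

Two things a practitioner would verify against the vendor's list above. First, `show access-lists` prints a match counter per entry; if the DMZ host's traffic is incrementing a `deny` or never reaching a `permit`, the ordering is wrong regardless of what the SDM view suggests. Second, an entry of the form `deny tcp any eq smtp any eq smtp` matches only packets whose source port is also 25; an outbound mail client uses an ephemeral source port, so `deny tcp any any eq smtp` is the form that actually blocks outbound SMTP.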
LVL 17

Expert Comment

by:Andres Perales
ID: 22740768
Gave viable answers to his solution; he went out and did them and then tried to close.
LVL 17

Accepted Solution

by:
Andres Perales earned 500 total points
ID: 22740769
Gave viable answers to his solution; he went out and did them and then tried to close.
