Solved

Why won't web pages load through the DMZ, but do load through the internal network, using a Cisco 2801?

Posted on 2008-10-16
10
409 Views
Last Modified: 2013-12-25
Experts,

Having problems with getting our DMZ to connect to the web.

The details:
-Small corporate office using a single Cisco 2801 managed by an ISP vendor, both for our internal private network and DMZ setup.
-Internal network is connected to FE 0/0, DMZ to FE 0/1.
-Internal works perfectly, yet the DMZ will not allow web pages to connect.
-DMZ has never worked; it was in the process of being implemented but never finished when I arrived at this company.
-Verified the FTP server by placing it on the internal side: pages load and FTP works. Also connected a different computer with the same result.
-Tested by connecting directly to FE 0/1; no switch is connected.
-Tried both static IP and DHCP.
-DHCP will resolve IP, subnet, gateway, DNS, all of which are confirmed by the ISP as being valid.
-Can ping web addresses using IP only; will not ping domain names.
-Web pages will not load if using the IP address in place of the FQDN.
-Using a Barracuda firewall appliance, but have since had the device turned off for testing.
-DNS is provided by our external ISP vendor.
-Internal network uses an internal DNS which has always worked.

This is what I received back from our ISP/Cisco vendor. The IPs are valid but are crossed out

 permit ip host 176.x.x.x any
 permit tcp host 10.112.x.x eq smtp any eq smtp
 permit tcp host 10.112.x.x eq smtp any eq smtp
 permit tcp host 10.112.x.x eq smtp any eq smtp
 deny   tcp any eq smtp any eq smtp               BLOCKS SMTP outbound
 remark Auto generated by SDM for NTP (123) x.x.x.x
 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
 permit ip any any

Basically anything out except SMTP at this point.

What I'm mainly looking for are some descriptive troubleshooting ideas that can confirm where the problem might be, as our ISP seems to be dropping the ball.

Thanks for your efforts!
Question by:markhaynes
10 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22735194
So machines that are in your DMZ can not get to the internet?
Are they getting their IP from DHCP or Static IP addresses?
Do they have correct DNS ip addresses in their network properties?
 
0
 

Author Comment

by:markhaynes
ID: 22735287
Well, so far there is only a single computer direct-connected to the DMZ on port FE 0/1 of the Cisco 2801 router. This would seem to be the most simplistic configuration to get things up and running. No variation of computer connected will access the internet.

I've tried using both DHCP and static addressing, but with the same result. When using DHCP, it resolves to the correct IP settings across the board, as it does when using a static IP. So the network properties are correct.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22735373
To include getting the correct DNS server IP address for your TCP/IP settings?
I am also assuming that you are doing NAT on your 2801 router; has a NAT pool or PAT translation been given to the DMZ network and that allowed out?
0
 

Author Comment

by:markhaynes
ID: 22735476
Yes, both primary and alternate DNS have been verified and are consistently configured correctly and will ping.
As far as your question, NAT is used. Details about its configuration are the types of things I need to ask our ISP/Cisco vendor, to make certain these particulars are verified.
I'll ask them about the NAT pool and PAT translation being given to the DMZ and allowed.

This problem has been lingering for months, and I need to fire these types of questions at them in order to inject a list to narrow down the probable issues.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22735487
Sounds like a plan...
Besides access rules, you have to have NAT rules for these things to work.
Good luck.
0
 

Author Comment

by:markhaynes
ID: 22735911
Ok, all fixed.
Went through the SDM and added an ACL at the very top to allow IP to the address it is mapped to; it has a 1:1 map for 172.x.x.x to the public IP.

It's working now!
0
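As an added illustration (not the vendor's or the asker's actual configuration) of how the pieces discussed in this thread fit together on an IOS router: a 1:1 static NAT for the DMZ host, plus a permit for that host's pre-NAT private address at the top of the DMZ interface ACL. FE 0/0 and FE 0/1 are the interface roles from the question; the uplink interface name, all addresses and the ACL name are placeholders.

```cisco
! Added example, not the vendor's actual config. Placeholders: 10.112.0.0/24
! (LAN), 172.16.1.0/24 (DMZ), 203.0.113.0/24 (public). FE0/0 and FE0/1 are
! the roles given in the question; the uplink interface name is assumed.
interface FastEthernet0/0
 description Internal LAN
 ip address 10.112.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description DMZ (single host, no switch)
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-OUT in
!
interface Serial0/0/0
 description ISP uplink (assumed interface name)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! 1:1 (static) NAT: DMZ host 172.16.1.10 appears on the Internet as
! 203.0.113.10 in both directions. Without some translation covering the
! DMZ, its packets leave with a private source address and no reply ever
! comes back, which an interface ACL on its own cannot fix.
ip nat inside source static 172.16.1.10 203.0.113.10
!
! The ACL on the DMZ interface is evaluated on the way IN from the DMZ,
! i.e. before NAT, so it must name the private (pre-NAT) address, not the
! public one. First match wins, so the host-specific permit goes at the top.
ip access-list extended DMZ-OUT
 remark DMZ host, pre-NAT address, matched before the SMTP deny below
 permit ip host 172.16.1.10 any
 remark Block outbound mail from anything else in the DMZ. Match the
 remark destination port only: client source ports are ephemeral, so a
 remark rule that also requires "eq smtp" on the source side rarely matches.
 deny   tcp any any eq smtp
 permit ip any any
!
! Checks from the router:
!   show ip nat translations          - the DMZ host's entry must appear
!   show ip access-lists DMZ-OUT      - per-line match counters move as the
!                                       host sends traffic; zero hits on the
!                                       permit with hits on a deny is the clue
!   show ip interface FastEthernet0/1 - confirms the ACL is applied inbound
```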
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22740768
Gave viable answers to his solution; he went out and did them and then tried to close.
0
 
LVL 17

Accepted Solution

by:
Andres Perales earned 500 total points
ID: 22740769
Gave viable answers to his solution; he went out and did them and then tried to close.
0
