Solved

Unable to access servers on DMZ after switching to Comcast internet using Cisco 2600 router

Posted on 2010-01-10
Last Modified: 2012-05-08
We have one remote office tied to HQ with a T1. We recently installed Comcast cable at the remote site to provide it with its own internet connection; all internet traffic goes to a proxy server and out to the internet, and the proxy setting in IE is configured not to use the proxy for any internal IPs. Both locations have a Cisco 2600 router. Once I configured the router for the new Comcast connection, we lost connection to the website and our intranet server, which are on a DMZ at headquarters. Please see the configuration below and let me know how I can resolve this issue.

version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router1

!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain-lookup

interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no keepalive
 speed 100
 full-duplex
!
interface Serial0/0
 description Point-to-Point
 bandwidth 1544
 ip address 192.168.254.x 255.255.255.252

interface FastEthernet0/1
 description internet connection
 ip address 173.161.y.n 255.255.255.252
 ip nat outside
 no ip mroute-cache
 no keepalive
 speed 100
 full-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.254.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip nat inside source list ToNAT interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 173.161.y.n2
no ip http server
ip pim bidir-enable
!
!
! 192.168.2.10 is the proxy server
ip access-list extended ToNAT
 permit ip host 192.168.2.10 any
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
priority-list 1 protocol ip normal tcp 1494
priority-list 1 default high
dialer-list 1 protocol ip permit
route-map naci-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
!
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password 7 0826404F0A100005455F5552
 logging synchronous
 login
 
!
no scheduler allocate
end
Question by:Shando1971

30 Comments
 

Expert Comment

by:surbabu140977
ID: 26280747
I think you have lost connection to HQ because right now all traffic from the LAN is getting NATted and going to the internet. There must be an exception in an ACL applied to NAT stating that traffic originating from LAN x.x.x.x and destined for HQ y.y.y.y should not be NATted. Then it will work.

Ideally, the default gateway for every PC should be 192.168.2.1, with the browser pointing to the proxy. Then filtering out the traffic by putting in a NONAT ACL should solve the issue.

The gist is: tell the router what to NAT and what not to. Right now, your router sees no exception and is NATting all traffic (as per your config).

Expert Comment

by:GuruChiu
ID: 26281118
With EIGRP you should be fine to access HQ from that site. I think you only have problems to/from servers in the DMZ, which typically do not participate in EIGRP and have complicated NAT and routing.

Pls provide more info on DMZ servers:

What subnet(s) is your DMZ.
Does DMZ have right to access internal servers?
Which IP address your remote site is using to access DMZ servers - public IP or internal IP?


Author Comment

by:Shando1971
ID: 26281224
We only lost access to the DMZ at the HQ. The DMZ subnet is 192.168.0.0; we access the intranet and the website using HTTP, and our DNS resolves the addresses to the internal IPs.
Please provide the config for the no-NAT ACL.

Expert Comment

by:GuruChiu
ID: 26281775
Pls post the output of
show ip route

as well as traceroute to one of the DMZ server

Author Comment

by:Shando1971
ID: 26290022
IP route:
Gateway of last resort is 173.161.y.n2 to network 0.0.0.0

D    192.168.8.0/24 [90/2684416] via 192.168.254.x, 00:24:00, Serial0/0
     173.161.0.0/30 is subnetted, 1 subnets
C       173.161.y.n1 is directly connected, FastEthernet0/1
D    192.168.6.0/24 [90/2172416] via 192.168.254.x, 00:24:00, Serial0/0
     192.168.254.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.254.24/30 [90/2681856] via 192.168.254.x, 00:24:00, Serial0/0
D       192.168.254.0/24 is a summary, 00:24:00, Null0
C       192.168.254.12/30 is directly connected, Serial0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 173.161.y.n2

Traceroute to DMZ:
ROUTER1#traceroute 192.168.0.2

Type escape sequence to abort.
Tracing the route to 192.168.0.2

  1 173.161.y.n2  0 msec 0 msec 4 msec
  2  *  *  *
  3 68.85.77.t1 12 msec 12 msec 8 msec
  4 68.85.34.t2 8 msec 12 msec 12 msec
  5 68.85.159.t3 8 msec 8 msec 12 msec
  6 68.85.158.t4 12 msec 8 msec 12 msec
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

Accepted Solution

by:
GuruChiu earned 2000 total points
ID: 26290083
You do not have a route to your DMZ. It looks like EIGRP does not advertise that route. Create a static route:

ip route 192.168.0.0 255.255.0.0 Serial0/0

Author Comment

by:Shando1971
ID: 26290158
How about letting the BlackBerry server out? It stopped forwarding messages to handhelds.

Expert Comment

by:GuruChiu
ID: 26290807
Where is the BlackBerry server? Does it go out to the internet directly or through the proxy server?

Author Comment

by:Shando1971
ID: 26296773
It goes out directly to the internet; it is at the remote site.

Author Comment

by:Shando1971
ID: 26300208
I would like to add that OWA (HTTPS) that comes through the HQ to the Exchange server at the remote site stopped working as well.
LVL 13

Expert Comment

by:GuruChiu
ID: 26300300
What is the IPA of your BES and what is the MDS listening port?

Where is your OWA server? Which subnet it is on?

Author Comment

by:Shando1971
ID: 26300420
The IP is 192.168.2.40, and it should use port 3101 out.
Can I just create an access list:
ip access-list extended BESOUT
 permit tcp host 192.168.2.40 any eq 3101
and then attach it to FastEthernet0/1 out?

OWA is on the .6 subnet.

Expert Comment

by:GuruChiu
ID: 26301047
3101 is the general BES listening port. There may be other ports needed: see the General tab of the MDS Properties window (right-click BES and select Mobile Data Service Properties). Typically it uses ports like 8100, 8300 or 8080.

Author Comment

by:Shando1971
ID: 26304484
It is 8080 for the web server listen port and 8443 for the web server SSL listen port.
We don't use the MDS service at the moment. I applied the ACL I suggested above for port 3101 (that was the only ACL we had on the firewall before the changes for Comcast), but it still didn't work.

Assisted Solution

by:GuruChiu
GuruChiu earned 2000 total points
ID: 26307916
If you are only using 3101, you should use these commands:

ip nat inside source list ToNAT interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.40 3101 interface FastEthernet0/1 3101
!
ip access-list extended ToNAT
 permit ip host 192.168.2.10 any
 permit ip host 192.168.2.40 any
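As an added example (not code from the thread or from Cisco), here is a small Python model of the three mechanisms discussed in this answer and the comments before it: the `ip nat inside source list ... overload` rule gated by the ToNAT access-list, the `ip nat inside source static tcp` entry for port 3101, and the asker's BESOUT interface ACL. It shows why applying BESOUT outbound on Fa0/1 could not help on its own: an interface ACL only permits or drops, it never rewrites the source address, so the BES session still left the router with 192.168.2.40 as its source. The outside address, the RIM-side peer and the proxy's destination are placeholders; IOS's habit of keeping the original source port when it is free is modelled by leaving the port alone.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

OUTSIDE_IP = "173.161.0.2"   # placeholder for the router's real 173.161.y.n address
ANY = ip_network("0.0.0.0/0")


def host(ip: str) -> IPv4Network:
    """IOS 'host a.b.c.d' is a.b.c.d/32."""
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000
    dport: int = 80


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # 'eq <port>' on the destination, if present

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return ip_address(p.src) in self.src and ip_address(p.dst) in self.dst


def acl_permits(acl: List[AclEntry], p: Packet) -> bool:
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    for e in acl:
        if e.matches(p):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class StaticPat:
    """'ip nat inside source static tcp <in_ip> <in_port> interface <outside> <out_port>'"""
    inside_ip: str
    inside_port: int
    outside_port: int
    proto: str = "tcp"


def nat_out(p: Packet, nat_acl: List[AclEntry], statics: List[StaticPat]) -> Packet:
    """Source translation for an inside->outside packet: static entries are
    consulted first, then the dynamic 'list <acl> interface <if> overload' rule.
    IOS keeps the original source port when it is free, so it is left alone.
    A packet matching neither rule is forwarded untranslated."""
    for s in statics:
        if (s.proto, s.inside_ip, s.inside_port) == (p.proto, p.src, p.sport):
            return replace(p, src=OUTSIDE_IP, sport=s.outside_port)
    if acl_permits(nat_acl, p):
        return replace(p, src=OUTSIDE_IP)
    return p


def inbound_target(statics: List[StaticPat], dport: int) -> Optional[Tuple[str, int]]:
    """Where an internet-originated SYN to <OUTSIDE_IP>:dport is delivered."""
    for s in statics:
        if s.outside_port == dport:
            return s.inside_ip, s.inside_port
    return None


# The thread's original list: only the proxy is translated.
TONAT_BEFORE = [AclEntry("permit", "ip", host("192.168.2.10"), ANY)]
# GuruChiu's fix: add the BES host, plus the static entry for port 3101.
TONAT_AFTER = TONAT_BEFORE + [AclEntry("permit", "ip", host("192.168.2.40"), ANY)]
STATIC_AFTER = [StaticPat("192.168.2.40", 3101, 3101)]
# The asker's BESOUT list applied 'out' on Fa0/1: it filters, it never translates.
BESOUT = [AclEntry("permit", "tcp", host("192.168.2.40"), ANY, dport=3101)]

RIM_PEER = "198.51.100.7"   # constructed stand-in for the BlackBerry SRP host


def bes_egress(nat_acl: List[AclEntry], statics: List[StaticPat]) -> Tuple[bool, str]:
    """BES opening its outbound SRP session (ephemeral source port, dst 3101).
    Returns (permitted by BESOUT, source address seen on the wire)."""
    pkt = Packet("192.168.2.40", RIM_PEER, sport=51000, dport=3101)
    return acl_permits(BESOUT, pkt), nat_out(pkt, nat_acl, statics).src


def proxy_egress(nat_acl: List[AclEntry]) -> str:
    """The proxy's web traffic, translated under both the old and the new list."""
    pkt = Packet("192.168.2.10", "198.51.100.80", sport=52000, dport=80)
    return nat_out(pkt, nat_acl, []).src


if __name__ == "__main__":
    print("proxy before:", proxy_egress(TONAT_BEFORE))
    print("BES before  :", bes_egress(TONAT_BEFORE, []))        # permitted, private source leaks
    print("BES after   :", bes_egress(TONAT_AFTER, STATIC_AFTER))
    print("inbound 3101:", inbound_target(STATIC_AFTER, 3101))
```

Note that the static entry is what makes an internet-originated connection to port 3101 reach the BES host; the BES-initiated session with an ephemeral source port is handled by the added ToNAT entry, which is why both lines were needed.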

Author Comment

by:Shando1971
ID: 26307933
I'll try that. How about OWA?

Expert Comment

by:GuruChiu
ID: 26307971
Pls do a ping to the OWA host name and post the result. The most likely problems are:

The DNS resolution is wrong and you get the public IP for OWA.

The routing is wrong.

The NAT is wrong or missing.

Author Comment

by:Shando1971
ID: 26308385
I'm talking about connecting to OWA from outside the network, but the connection goes to the HQ's firewall > main Exchange server at HQ > Exchange server at the remote site. When we try to connect we get the "Internet Explorer cannot display the web page" message in IE.

Expert Comment

by:GuruChiu
ID: 26311351
So you want your remote site to access OWA using the public IP address? Pls make sure the DNS is correct.
Pls do a ping to the OWA host name and post the result.

Author Comment

by:Shando1971
ID: 26320095
When I ping the Exchange server at the remote site from HQ using the server name (host name), I get a reply with the correct IP address.

Whoever wants to get their email using OWA from home, for example, uses https://mail.ourdomainname.com:444/exchange.
Our firewall usually has the static NATing configured, and it then forwards the traffic to the remote site.

Expert Comment

by:GuruChiu
ID: 26320436
I am confused. I was under the impression that your Exchange server and OWA are at HQ, and your remote office (192.168.2.x) only has a BES server.

Is this correct or I have misunderstood?

Author Comment

by:Shando1971
ID: 26320678
You misunderstood; I stated that we have one Exchange server at HQ and one at the remote site.

Author Comment

by:Shando1971
ID: 26338615
The issue with OWA is still unresolved; once I put the old settings back on the router, it works fine.

Author Comment

by:Shando1971
ID: 26356465
All requirements for this question are answered and everything works great. The only thing left is to get OWA to work; OWA works internally only.

Expert Comment

by:GuruChiu
ID: 26357690
Let me try to understand again. You have one Exchange server in HQ and another one at the remote site. There is an OWA server in the HQ DMZ, and users access OWA through the internet.
HQ is linked to the remote site through a T1, and there is a proxy server at the remote site which is the only device allowed to go to the internet through Comcast at the remote site.

Pls confirm the above description is correct.

I also have these questions:
It seems that you imply there is a second OWA server at the remote site. If this is true, do this OWA and the Exchange server at the remote site belong to the same domain as HQ?
How does this OWA at the remote site connect to the internet, directly or through the proxy server?

Author Comment

by:Shando1971
ID: 26362379
The main Exchange server is at HQ in the .6 network (not in a DMZ), and the second Exchange server is in the remote office in the .2 network. All OWA traffic for both servers comes through the FW in the HQ with static NATing; the FW forwards any https://mail.ourdomainname.com:444/exchange to the Exchange server in the remote office, and any https://mail.ourdomainname.com/exchange to the Exchange server in the HQ.
Users access OWA from outside the network using the above links. HQ and the remote site are linked via T1, and there are proxy servers at both locations; they are the only devices allowed out through Comcast, and each site has its own Comcast connection. BES is installed on the remote site's Exchange, and you already allowed it to access the internet bypassing the proxy at the remote site.
We can connect to OWA at the remote site internally with no problems. It just seems that after we did the router modifications, the forwarded OWA connection from the FW to the Exchange at the remote site is not allowed to come back the same route.

Assisted Solution

by:GuruChiu
GuruChiu earned 2000 total points
ID: 26367476
Now I see what you are trying to do. It is not a common way to do it, which I will explain below, but it shows me why this is not working.

Your router at your remote office has a default route:
S*   0.0.0.0/0 [1/0] via 173.161.y.n2
which goes to Comcast.
At the same time, external users going to https://mail.ourdomainname.com:444/exchange will go to your main office internet connection, which forwards the request through the T1 to your remote office. Once your remote office receives the request and sends the response back, it will route through the remote office's Comcast connection and NAT to a Comcast address. The user who originally submitted the request gets a response back from a different IP address and ignores it.

To fix it, I suggest you use policy-based routing, e.g.
interface FastEthernet0/0
 ip policy route-map RM-RemoteExchange
access-list 111 permit ip YourRemoteExchange 0.0.0.0 any
route-map RM-RemoteExchange permit 10
 match ip address 111
 set interface Serial0/0

Anyway, the way you do it is not common; usually I would use one of these methods:

Method 1:
Both Exchange servers use one OWA to serve all OWA requests. It can be one of the two Exchange servers, but I actually prefer to use a third server on the DMZ to have another level of security.

Method 2:
If you really want to have two Exchange servers each running their own OWA, I would prefer the remote office Exchange server to use Comcast to go to the internet instead of going through the main office.
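Added example, not from the thread or from Cisco: a Python model of the two forwarding decisions this thread turned on. First, the longest-prefix-match lookup that explains the traceroute posted above (no entry covered 192.168.0.2, so the 0.0.0.0/0 default sent it to Comcast) and why the accepted static route `ip route 192.168.0.0 255.255.0.0 Serial0/0` reaches the DMZ without hijacking the connected 192.168.2.0/24 (a /24 wins over a /16). Second, the `ip policy route-map` override on FastEthernet0/0 that sends the remote Exchange server's replies back over the T1 regardless of destination, which is what the routing table alone never does for a TCP response. Routes are represented by exit interface only; the remote Exchange address and the home user's address are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    exit_if: str   # outgoing interface; the next hops from 'show ip route' are not needed here
    source: str    # route source code as IOS prints it: C, D, S, S*


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule every IOS forwarding decision starts from."""
    a = ip_address(dst)
    best = None
    for r in table:
        if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


# The remote-office table as posted, keyed by exit interface.
BEFORE = [
    Route(ip_network("192.168.8.0/24"), "Serial0/0", "D"),
    Route(ip_network("192.168.6.0/24"), "Serial0/0", "D"),
    Route(ip_network("192.168.254.24/30"), "Serial0/0", "D"),
    Route(ip_network("192.168.254.0/24"), "Null0", "D"),        # EIGRP auto-summary
    Route(ip_network("192.168.254.12/30"), "Serial0/0", "C"),
    Route(ip_network("192.168.2.0/24"), "FastEthernet0/0", "C"),
    Route(ip_network("0.0.0.0/0"), "FastEthernet0/1", "S*"),     # default toward Comcast
]
# The accepted fix: ip route 192.168.0.0 255.255.0.0 Serial0/0
AFTER = BEFORE + [Route(ip_network("192.168.0.0/16"), "Serial0/0", "S")]


@dataclass(frozen=True)
class PolicyRoute:
    """One 'route-map ... permit' sequence: 'match ip address <acl>' on the
    source, 'set interface <if>', applied with 'ip policy route-map' on ingress."""
    ingress: str
    src: IPv4Network
    set_interface: str


REMOTE_EXCHANGE = "192.168.2.25"   # hypothetical stand-in for 'YourRemoteExchange'
PBR = [PolicyRoute("FastEthernet0/0", ip_network(f"{REMOTE_EXCHANGE}/32"), "Serial0/0")]


def forward(table: List[Route], policies: List[PolicyRoute],
            src: str, dst: str, ingress: str) -> str:
    """IOS order of operations: a policy route-map on the ingress interface is
    evaluated first; only if no sequence matches does the routing table decide."""
    for p in policies:
        if p.ingress == ingress and ip_address(src) in p.src:
            return p.set_interface
    route = lookup(table, dst)
    assert route is not None, "no default route and no match"
    return route.exit_if


def demo() -> Dict[str, str]:
    home_user = "203.0.113.10"   # constructed public address of an OWA user
    lan = "FastEthernet0/0"
    return {
        # why the traceroute went to Comcast: nothing covered 192.168.0.2 except 0/0
        "dmz_before": forward(BEFORE, [], "192.168.2.50", "192.168.0.2", lan),
        "dmz_after": forward(AFTER, [], "192.168.2.50", "192.168.0.2", lan),
        # the /16 static does not steal the connected /24
        "lan_from_hq": forward(AFTER, [], "192.168.0.2", "192.168.2.50", "Serial0/0"),
        # the OWA reply: request arrived over the T1, reply follows the default...
        "owa_reply_no_pbr": forward(AFTER, [], REMOTE_EXCHANGE, home_user, lan),
        # ...unless PBR pins the Exchange host's traffic to Serial0/0
        "owa_reply_pbr": forward(AFTER, PBR, REMOTE_EXCHANGE, home_user, lan),
        # the proxy is untouched by the policy and still uses Comcast
        "proxy_with_pbr": forward(AFTER, PBR, "192.168.2.10", "198.51.100.80", lan),
    }


if __name__ == "__main__":
    for name, exit_if in demo().items():
        print(f"{name:18} -> {exit_if}")
```

Two consequences worth keeping in mind with this fix: access-list 111 matches every packet the Exchange host sends, so any internet traffic of its own also rides the T1 to HQ, and the /16 static route forwards every otherwise-unknown 192.168.x.x destination toward HQ instead of dropping it.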

Author Comment

by:Shando1971
ID: 26371589
GuruChiu:
You are great, everything worked like a charm.
But I want to understand: why didn't the forwarded OWA request from the HQ go back the same way? Isn't this a TCP connection, and shouldn't it come out the same way it came in?

Expert Comment

by:GuruChiu
ID: 26377718
No, it is determined by the routing table, unless something else (e.g. policy-based routing) overrides it.

Author Closing Comment

by:Shando1971
ID: 31675341
I'll post another question about the AD replication issue between the remote site and HQ; I think it is related to this.