
Unable to access servers on DMZ after switching to Comcast internet using Cisco 2600 router

We have one remote office tied to the HQ with a T1. We recently installed Comcast cable at the remote site to provide it with its own internet connection; all internet traffic goes to a proxy server and out to the internet, and the proxy setting in IE is configured not to use the proxy for any internal IPs. Both locations have a Cisco 2600 router. Once I configured the router for the new Comcast connection, we lost connection to the website and our intranet server, which are on a DMZ at the headquarters. Please see the configuration below and let me know how I can resolve this issue.

version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router1

!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain-lookup

interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no keepalive
 speed 100
 full-duplex
!
interface Serial0/0
 description Point-to-Point
 bandwidth 1544
 ip address 192.168.254.x 255.255.255.252

interface FastEthernet0/1
 description internet connection
 ip address 173.161.y.n 255.255.255.252
 ip nat outside
 no ip mroute-cache
 no keepalive
 speed 100
 full-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.254.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip nat inside source list ToNAT interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 173.161.y.n2
no ip http server
ip pim bidir-enable
!
!
ip access-list extended ToNAT
 permit ip host 192.168.2.10 (this is the proxy server's IP) any
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
priority-list 1 protocol ip normal tcp 1494
priority-list 1 default high
dialer-list 1 protocol ip permit
route-map naci-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
!
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password 7 0826404F0A100005455F5552
 logging synchronous
 login
 
 login
!
no scheduler allocate
end
Asked by Shando1971

surbabu140977 Commented:
I think you have lost connection to HQ because right now all traffic from the LAN is getting NATed and going to the internet. There must be an exception in an ACL, applied to NAT, stating that traffic originating from LAN x.x.x.x and destined for HQ y.y.y.y should not be NATed. Then it will work.

Ideally, the default gateway for every PC should be 192.168.2.1 with the browser pointing to the proxy. Then filtering out the traffic by putting in a NONAT ACL should solve the issue.

The gist is, tell the router what to NAT and what not to. Right now, your router sees no exception and is NATing all traffic (as per your config).

GuruChiu Commented:
With EIGRP you should be fine to access HQ from that site. I think you only have problems to/from servers in the DMZ, which typically do not participate in EIGRP and have complicated NAT and routing.

Pls provide more info on DMZ servers:

What subnet(s) is your DMZ on?
Does the DMZ have rights to access internal servers?
Which IP address is your remote site using to access DMZ servers, public IP or internal IP?


Shando1971 (Author) Commented:
We only lost access to the DMZ at the HQ. The DMZ subnet is 192.168.0.0; we access the intranet and the website using HTTP, and our DNS is resolving the addresses to the internal IPs.
Please provide the config for the no-NAT ACL.

GuruChiu Commented:
Pls post the output of
show ip route

as well as a traceroute to one of the DMZ servers

Shando1971 (Author) Commented:
IP route:
Gateway of last resort is 173.161.y.n2 to network 0.0.0.0

D    192.168.8.0/24 [90/2684416] via 192.168.254.x, 00:24:00, Serial0/0
     173.161.0.0/30 is subnetted, 1 subnets
C       173.161.y.n1 is directly connected, FastEthernet0/1
D    192.168.6.0/24 [90/2172416] via 192.168.254.x, 00:24:00, Serial0/0
     192.168.254.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.254.24/30 [90/2681856] via 192.168.254.x, 00:24:00, Serial0/0
D       192.168.254.0/24 is a summary, 00:24:00, Null0
C       192.168.254.12/30 is directly connected, Serial0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 173.161.y.n2

Traceroute to DMZ:
ROUTER1#traceroute 192.168.0.2

Type escape sequence to abort.
Tracing the route to 192.168.0.2

  1 173.161.y.n2  0 msec 0 msec 4 msec
  2  *  *  *
  3 68.85.77.t1 12 msec 12 msec 8 msec
  4 68.85.34.t2 8 msec 12 msec 12 msec
  5 68.85.159.t3 8 msec 8 msec 12 msec
  6 68.85.158.t4 12 msec 8 msec 12 msec
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

GuruChiu Commented:
You do not have a route to your DMZ. It looks like EIGRP does not advertise that route. Create a static route:

ip route 192.168.0.0 255.255.0.0 Serial0/0

Shando1971 (Author) Commented:
How about letting the BlackBerry server out? It stopped forwarding messages to handhelds.

GuruChiu Commented:
Where is the BlackBerry server? Does it go out to the internet directly or through the proxy server?

Shando1971 (Author) Commented:
It goes out directly to the internet, it is at the remote site.

Shando1971 (Author) Commented:
I would like to add that OWA (HTTPS) that is coming through the HQ to the Exchange server at the remote site stopped working as well.

GuruChiu Commented:
What is the IPA of your BES and what is the MDS listening port?

Where is your OWA server? Which subnet is it on?

Shando1971 (Author) Commented:
IPA is: 192.168.2.40 and it should use port 3101 out.
Can I just create an access list:
ip access-list extended BESOUT
 permit tcp host 192.168.2.40 any eq 3101
then attach it to the fasteth0/1 out?

OWA is on subnet 6.0.

GuruChiu Commented:
3101 is the general BES listening port. There may be other ports needed: see the General tab of the MDS Properties window (right-click BES and select Mobile Data Service Properties). Typically it uses ports like 8100, 8300 or 8080.

Shando1971 (Author) Commented:
It is 8080 for the web server listen port and 8443 for the web server SSL listen port.
We don't use the MDS service at the moment. I applied the ACL I suggested above on port 3101 (that was the only ACL we had on the firewall before the changes for Comcast), but it still didn't work.

GuruChiu Commented:
If you are only using 3101, you should use these commands:

ip nat inside source list ToNAT interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.40 3101 interface FastEthernet0/1 3101
!
ip access-list extended ToNAT
 permit ip host 192.168.2.10 any
 permit ip host 192.168.2.40 any

Shando1971 (Author) Commented:
I'll try that. How about OWA?

GuruChiu Commented:
Pls do a ping to the OWA host name and post the result. The most likely problems are:

The DNS resolution is wrong and you get the public IP for OWA.

The routing is wrong.

The NAT is wrong or missing.

Shando1971 (Author) Commented:
I'm talking about connecting to OWA from outside the network, but the connection goes to the HQ's firewall > main Exchange server at HQ > Exchange server at the remote site. When we try to connect we get the "Internet Explorer cannot display the web page" message in IE.

GuruChiu Commented:
So you want your remote site to access OWA using a public IP address? Pls make sure the DNS is correct.
Pls do a ping to the OWA host name and post the result.

Shando1971 (Author) Commented:
When I ping the Exchange server at the remote site from the HQ using the server name (host name), I get a reply with the correct IP address.

Whoever wants to get their emails using OWA from home, for example, uses https://mail.ourdomainname.com:444/exchange, and usually our firewall has the static NATing configured; it then forwards the traffic to the remote site.

GuruChiu Commented:
I am confused. I was under the impression that your Exchange server and OWA are at HQ, and your remote office (192.168.2.x) only has a BES server.

Is this correct, or have I misunderstood?

Shando1971 (Author) Commented:
You misunderstood; I stated that we have one Exchange at HQ and one at the remote site.

Shando1971 (Author) Commented:
This issue with OWA is still unresolved; once I put the old settings on the router, it works fine.

Shando1971 (Author) Commented:
All requirements for this question are answered and everything works great; the only thing left is to get OWA to work. OWA works internally only.

GuruChiu Commented:
Let me try to understand again. You have one Exchange server at HQ and another one at the remote site. There is an OWA server in the HQ DMZ, and users access OWA through the internet.
HQ is linked to the remote site through a T1, and there is a proxy server at the remote site which is the only device allowed to go to the internet through Comcast at the remote site.

Pls confirm the above description is correct.

I also have these questions:
It seems that you imply there is a 2nd OWA server at the remote site. If this is true, do this OWA and the Exchange server at the remote site belong to the same domain as HQ?
How does this OWA at the remote site connect to the internet, directly or through the proxy server?

Shando1971 (Author) Commented:
Main Exchange server at HQ in the .6 network (not in a DMZ), 2nd Exchange server in the remote office in the .2 network. All OWA traffic for both servers comes through the FW at the HQ with static NATing; the FW forwards any https://mail.ourdomainname.com:444/exchange request to the Exchange server in the remote office, and any https://mail.ourdomainname.com/exchange request to the Exchange server at the HQ.
Users access OWA from outside the network using the above links. HQ and remote site are linked via T1, and there are proxy servers at both locations; they are the only devices allowed out through Comcast, and each site has its own Comcast connection. BES is installed on the remote site's Exchange, and you already allowed it to access the Internet bypassing the proxy at the remote site.
We can connect to OWA at the remote site internally with no problems. It just seems that after we did the router modifications, the forwarded OWA connection from the FW to the Exchange at the remote site is not allowed to come back the same route.

GuruChiu Commented:
Now I see what you are trying to do. It is not a common way to do it, which I will explain below, but it shows me why this is not working.

Your router at your remote office has a default route:
S*   0.0.0.0/0 [1/0] via 173.161.y.n2
which goes to Comcast.
At the same time, external users going to https://mail.ourdomainname.com:444/exchange will go to your main office internet connection, which forwards the request through the T1 to your remote office. Once your remote office receives the request and sends the response back, it will route through the remote office's Comcast connection and NAT to a Comcast address. The user who originally submitted the request gets a response back from a different IP address and ignores it.

To fix it, I would suggest you use policy-based routing, e.g.
interface FastEthernet0/0
 ip policy route-map RM-RemoteExchange
access-list 111 permit ip YourRemoteExchange 0.0.0.0 any
route-map RM-RemoteExchange permit 10
 match ip address 111
 set interface Serial0/0

Anyway, the way you do it is not common; usually I would use one of these methods:

Method 1:
Both Exchange servers use one OWA to serve all OWA requests. While it can be one of the two Exchange servers, I actually prefer to use a 3rd server on the DMZ to have another level of security.

Method 2:
If you really want to have two Exchange servers each running their own OWA, I would prefer the remote office Exchange server to use Comcast to go to the internet instead of going through the main office.
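To make the forwarding decision behind the static-route fix and the policy route-map concrete, here is an added Python model (not code from the thread or from Cisco) of the remote router's egress choice: longest-prefix match over a routing table constructed from the "show ip route" output above, with the policy route-map consulted first. It assumes the remote Exchange server is 192.168.2.40 (the address the thread gives for BES, which runs on that Exchange) and uses a constructed external client address.

```python
import ipaddress

# Constructed routing table for the remote-office router, modelled on the
# "show ip route" output in the thread (interfaces only, Null0 summary omitted).
ROUTES = [
    ("192.168.8.0/24", "Serial0/0"),
    ("192.168.6.0/24", "Serial0/0"),
    ("192.168.254.24/30", "Serial0/0"),
    ("192.168.254.12/30", "Serial0/0"),
    ("192.168.2.0/24", "FastEthernet0/0"),
    ("0.0.0.0/0", "FastEthernet0/1"),   # S* default route toward Comcast
]
# The static route suggested for the HQ DMZ (ip route 192.168.0.0 255.255.0.0 Serial0/0).
STATIC_DMZ = ("192.168.0.0/16", "Serial0/0")
# Policy route-map RM-RemoteExchange: assumed remote Exchange address 192.168.2.40,
# matched by source and sent out Serial0/0 regardless of the routing table.
PBR_REMOTE_EXCHANGE = [("192.168.2.40/32", "Serial0/0")]


def lookup(dst, routes):
    """Longest-prefix match: return the egress interface for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress(src, dst, routes, policy=()):
    """Forwarding decision: a PBR source match on the inbound interface wins;
    otherwise the routing table decides."""
    s = ipaddress.ip_address(src)
    for src_net, iface in policy:
        if s in ipaddress.ip_network(src_net):
            return iface
    return lookup(dst, routes)


def owa_return_path(client, routes, policy=()):
    """OWA requests arrive over the T1 (Serial0/0); report the interface the
    Exchange server's reply leaves on and whether that is the same path."""
    out = egress("192.168.2.40", client, routes, policy)
    return out, out == "Serial0/0"


if __name__ == "__main__":
    print("DMZ host, no static route: ", lookup("192.168.0.2", ROUTES))
    print("DMZ host, with static route:", lookup("192.168.0.2", ROUTES + [STATIC_DMZ]))
    # 203.0.113.10 is a constructed external OWA user (documentation range).
    print("OWA reply, no PBR:  ", owa_return_path("203.0.113.10", ROUTES))
    print("OWA reply, with PBR:", owa_return_path("203.0.113.10", ROUTES, PBR_REMOTE_EXCHANGE))
```

Without the static route the DMZ lookup falls through to the Comcast default, which is exactly what the traceroute showed; without the route-map the OWA reply does the same and returns from a different source address than the request went to.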
 
Shando1971 (Author) Commented:
GuruChiu:
You are great, everything worked like a charm.
But I want to understand why the forwarded OWA request from the HQ didn't go back the same way. Isn't this a TCP connection, and shouldn't it come out the same way it came in?

GuruChiu Commented:
No, it is determined by the routing table, unless something else (e.g. policy-based routing) overrides it.

Shando1971 (Author) Commented:
I'll post another question about an AD replication issue between the remote site and the HQ; I think it is related to this.