Solved

CentOS 5.4 VM on esx 4 can not access http. Need your help desperately

Posted on 2010-08-27
Last Modified: 2013-11-08
Hi Expert,

I have just installed CentOS 5.4 on a VM which is behind an F5 load balancer and a Cisco ASA 5520 firewall.
I entered an ACL to allow the VM to access www and https.

But I cannot run yum on it for some reason. I can use nslookup to resolve DNS. When I do a traceroute it doesn't go past the first hop.

I need your help desperately since I need web access on the VM and I have allowed

I have also disabled iptables

Not sure what else might. Please help.

mshaikh22
Question by:mshaikh22
13 Comments
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 249 total points
ID: 33547315
Are you wanting to access a http server running on the vm? Or are you wanting to open a browser on the vm and access the internet?
0
 

Author Comment

by:mshaikh22
ID: 33547387
Both, but I am trying to run yum and it is not working.

0
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 249 total points
ID: 33547422
You say it is behind F5 LTM? The default setup for F5 has you pointing the default gateway to the F5 (unless you have set up SNATs on the F5) - that sometimes really messes with the load balanced server's ability to do anything else.

If that is the case try either changing the default gateway to whatever the normal default gateway is on your network segment until you have completed your yum updates, or add the routes needed for yum to go through your regular gateway.

Let me know if this is applicable
0
 

Author Comment

by:mshaikh22
ID: 33548464
Thank you, bgoering for your help

The VM is behind the F5 and I have given it the F5 gateway. Other Windows machines are running fine except for this one. When I am adding a Windows machine, all I have to do is give the server the default gateway set in the F5 and SNAT the IP.

But in this instance, I cannot ping www.google.com or browse using curl or use yum updates.

I have another CentOS box set up by the guy who was there previously; I am not sure what he did to make that machine work.

I ran route and have the same route displayed as the working one.
iptables is stopped.
I have entered the following on the Cisco ASA to open it up:

access-list dmz-web_in extended permit tcp ip 192.168.30.32 eq www
access-list dmz-web_in extended permit tcp ip 192.168.30.32 eq https

even though there is a firewall entry to allow dmz-web to see www and https.

I have given it the same name servers as the working CentOS one in /etc/resolv.conf.

Not sure what else to do to make this work. Another thing: the iptables firewall keeps turning on after I log in through ssh.

I have typed service iptables save. But it keeps the firewall off for some time and then it turns on.


There is something I am missing but I don't know what. What can I check in the working one to see if this one can work?

0
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 249 total points
ID: 33549137
So if I understand, the default gateway is pointing to a router or the firewall, and not the F5. To keep the firewall off it would be a command something like:

chkconfig iptables off
service iptables stop

Check in the firewall to make sure you have a NAT entry [static (dmz,outside)] statement that covers the IP of your new server.

Good Luck
0
 

Author Comment

by:mshaikh22
ID: 33549354
I do have that in the firewall.
0
 

Author Comment

by:mshaikh22
ID: 33549392
Anything I can check on Linux to make http work?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33549399
This is puzzling. Can you post a network diagram showing the ASA, F5, working and non-working hosts, and a sanitized (first three octets of public IP addresses masked, passwords masked) ASA configuration?

Also the output of ifconfig -a and of route for the working and non-working hosts.
Thanks
0
 
LVL 4

Assisted Solution

by:kareejb
kareejb earned 251 total points
ID: 33550814
Traceroute to the internet likely isn't going to work past the first hop because your Cisco ASA firewall is likely blocking ICMP. You need to add rules like the following to your ACLs to allow outbound ping and traceroute.

access-list internal-out permit icmp <Centos_IP> any echo-reply
access-list internal-out permit icmp <Centos_IP> any time-exceeded
access-list internal-out permit icmp <Centos_IP> any unreachable

Replace <Centos_IP> with the IP of your server (or its static NAT IP on the F5). If you want all your servers to be able to ping the internet, replace <Centos_IP> with any.

As far as web access goes, try doing a DNS query on your CentOS box to verify that you can successfully do DNS lookups (you should have the 'dig' or 'nslookup' utilities installed on your CentOS box). If the IPs you have plugged into /etc/resolv.conf on your server aren't on your local network (i.e. ISP DNS servers), then there are likely ACLs in your Cisco ASA appliance that permit the DNS traffic on a host or subnet basis (TCP/UDP port 53). If you don't see anything that allows this particular host to query DNS then that would definitely break yum and pings to any DNS name (like www.google.com vs 74.125.95.106). If the DNS servers are internal and you are unsuccessful doing DNS queries against those servers, then you may need to add a static route on the CentOS box to get to those servers if they are on another subnet.

If none of this helps please post a sanitized config of your ASA appliance and a basic network diagram like bgoering suggested. It would help immensely in solving your problem.

0
 

Author Comment

by:mshaikh22
ID: 33551429
Thank you kareejb. I am getting somewhere with this. Now I switched the VLAN to the inside layer and turned on DHCP, and now the internet is working.
You are right, it needs some rules in the firewall to make it work. I thought that to run yum you only had to have www and https open.

Can you give me some commands to check the static routes set on the Linux box?
And some rules to put on the Cisco ASA to allow the CentOS box to reach yum.

Thank you, Sirs.

0
 
LVL 4

Accepted Solution

by:kareejb
kareejb earned 251 total points
ID: 33553204
To get out to yum you need working routing, DNS, and http/https allowed. A basic ACL to allow all machines to talk those protocols should look like the one below. This doesn't include anything to provide a proper NAT setup. This isn't the most secure setup but should get you working. The ASA series firewalls support
access-list internal-out permit icmp any any echo-reply
access-list internal-out permit icmp any any time-exceeded
access-list internal-out permit icmp any any unreachable

access-list internal-out permit tcp any <DNS1 Server IP> eq domain
access-list internal-out permit udp any <DNS1 Server IP> eq domain
access-list internal-out permit tcp any <DNS2 Server IP> eq domain
access-list internal-out permit udp any <DNS2 Server IP> eq domain

As far as the Linux side goes, 'route -n' will print the kernel routing table. If you need a static route to your DNS servers you should edit /etc/sysconfig/network-scripts/route-<interface> to add a static route for a particular interface (ref: http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html).
0
 
LVL 4

Assisted Solution

by:kareejb
kareejb earned 251 total points
ID: 33553209
Whoops, forgot two ACL lines. Just add them to the end of the ones above.
access-list internal-out permit tcp any any eq www
access-list internal-out permit tcp any any eq https
0
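Added example, not code from the thread: a small Python checker that parses a sanitized set of ASA-style ACL lines such as kareejb's accepted solution and follow-up, and reports which of the flows yum needs (DNS on tcp/udp 53, tcp 80 and 443, plus the ICMP replies that ping and traceroute rely on) the list does not permit for a given host. The ACL name, the DNS server 10.0.0.53 and the representative internet address are constructed; the sample deliberately keeps a 'udp ... eq https' entry so the checker has something to catch.

```python
import ipaddress
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}
# Constructed sample (not a real config) after the thread's rules, incl. a 'udp ... eq https' slip.
SAMPLE_ACL = """\
access-list internal-out permit icmp any any echo-reply
access-list internal-out permit icmp any any time-exceeded
access-list internal-out permit icmp any any unreachable
access-list internal-out permit tcp any host 10.0.0.53 eq domain
access-list internal-out permit udp any host 10.0.0.53 eq domain
access-list internal-out permit tcp any any eq www
access-list internal-out permit udp any any eq https
"""
def _addr(tok, i):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at tok[i]
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text):  # -> [(acl_name, action, proto, src_net, dst_net, qualifier)]
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        i = 3 if tok[2] == "extended" else 2   # the 'extended' keyword is optional
        action, proto = tok[i], tok[i + 1]
        src, i = _addr(tok, i + 2)
        dst, i = _addr(tok, i)
        rest, qual = tok[i:], None
        if proto == "icmp" and rest:
            qual = rest[0]                        # ICMP type name, e.g. echo-reply
        elif rest[:1] == ["eq"]:
            qual = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((tok[1], action, proto, src, dst, qual))
    return entries

def permits(entries, name, proto, src_ip, dst_ip, qual=None):
    """First matching ACE decides; no match is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, action, p, src, dst, q in entries:
        if n == name and p in (proto, "ip") and s in src and d in dst and q in (None, qual):
            return action == "permit"
    return False

def missing_for_yum(entries, name, host, dns_servers, probe="74.125.95.106"):
    """Flows yum/ping need that the ACL denies for host; probe stands in for any internet IP."""
    need = [(p, dns, 53) for dns in dns_servers for p in ("udp", "tcp")]
    need += [("tcp", probe, 80), ("tcp", probe, 443)]
    need += [("icmp", probe, t) for t in ("echo-reply", "time-exceeded", "unreachable")]
    return [f"{p}/{q} to {dst}" for p, dst, q in need if not permits(entries, name, p, host, dst, q)]
```

Run `missing_for_yum(parse_acl(SAMPLE_ACL), "internal-out", "192.168.30.32", ["10.0.0.53"])` to see the https entry reported as a gap; the matcher is first-match-wins with an implicit deny, as on the ASA.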
 

Author Comment

by:mshaikh22
ID: 33560647
Thank you very much kareejb and bgoering for all of your help. Both VMs are working now and can access the web. I used those rules specified by kareejb and typed setup and enabled some services, and httpd was one of them. It is working now.
Thanks a lot for all of your help.
0
