  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 602

CentOS 5.4 VM on ESX 4 cannot access http. Need your help desperately

Hi Expert,

I have just installed CentOS 5.4 on a VM which is behind an F5 load balancer and a Cisco ASA 5520 firewall.
I entered an ACL to allow the VM to access www and https.

But I can't run yum on it for some reason. I can use nslookup to resolve DNS. When I do a traceroute it doesn't go past the first hop.

I need your help desperately since I need web access on the VM and I have allowed

I have also disabled iptables.

Not sure what else might. Please help.

mshaikh22
 
bgoering Commented:
Are you wanting to access a http server running on the vm? Or are you wanting to open a browser on the vm and access the internet?
0
 
mshaikh22 (Author) Commented:
Both, but I am trying to run yum and it is not working.
0
 
bgoering Commented:
You say it is behind F5 LTM? The default setup for F5 has you pointing the default gateway to the F5 (unless you have set up SNATs on the F5); that sometimes really messes with the load-balanced server's ability to do anything else.

If that is the case, try either changing the default gateway to whatever the normal default gateway is on your network segment until you have completed your yum updates, or add the routes needed for yum to go through your regular gateway.

Let me know if this is applicable.
0
 
mshaikh22 (Author) Commented:
Thank you, bgoering, for your help.

The VM is behind the F5 and I have given it the F5 gateway. Other Windows machines are running fine except for this one. When I am adding a Windows machine, all I have to do is give the server the default gateway set in the F5 and SNAT the IP.

But in this instance, I cannot ping www.google.com or browse using curl or use yum updates.

I have another CentOS setup by the guy who was there previously; I am not sure what he did to make that machine work.

I ran route and have the same route displayed as the working one.
iptables is stopped.
I have entered the following on the Cisco ASA to open:

access-list dmz-web_in extended permit tcp ip 192.168.30.32 eq www
access-list dmz-web_in extended permit tcp ip 192.168.30.32 eq https

even though there is a firewall entry to allow dmz-web to see www and https.

I have given it the same name servers as the working CentOS one in /etc/resolv.conf.

Not sure what else to do to make this work. Another thing: the iptables firewall keeps turning on after I log in through ssh.

I have typed service iptables save. But it keeps the firewall off for some time and then it turns on.

There is something I am missing but don't know what. What can I check in the working one to see if this one can work?

0
 
bgoering Commented:
So if I understand, the default gateway is pointing to a router or the firewall, and not the F5. To keep the firewall off it would be a command something like:

chkconfig iptables off
service iptables stop

Check in the firewall to make sure you have a NAT entry [static (dmz, outside)] statement that covers the IP of your new server.

Good luck.
0
 
mshaikh22 (Author) Commented:
I do have that in the firewall.
0
 
mshaikh22 (Author) Commented:
Anything I can check on Linux to make http work?
0
 
bgoering Commented:
This is puzzling. Can you post a network diagram showing the ASA, F5, working and non-working hosts, and a sanitized (first three octets of public IP addresses masked, passwords masked) ASA configuration?

Also the output of ifconfig -a and of route for the working and non-working hosts.
Thanks.
0
 
kareejb Commented:
Traceroute to the internet likely isn't going to work past the first hop because your Cisco ASA firewall is likely blocking ICMP. You need to add rules like the following to your ACLs to allow outbound ping and traceroute.

access-list internal-out permit icmp <Centos_IP> any echo-reply
access-list internal-out permit icmp <Centos_IP> any time-exceeded
access-list internal-out permit icmp <Centos_IP> any unreachable

Replace <Centos_IP> with the IP of your server (or its static NAT IP on the F5). If you want all your servers to be able to ping the internet, replace <Centos_IP> with any.

As far as web access goes, try doing a DNS query on your CentOS box to verify that you can successfully do DNS lookups (you should have the 'dig' or 'nslookup' utilities installed on your CentOS box). If the IPs you have plugged into /etc/resolv.conf on your server aren't on your local network (i.e. ISP DNS servers), then there are likely ACLs in your Cisco ASA appliance that permit the DNS traffic on a host or subnet basis (TCP/UDP port 53). If you don't see anything that allows this particular host to query DNS, then that would definitely break yum and pings to any DNS name (like www.google.com vs 74.125.95.106). If the DNS servers are internal and you are unsuccessful doing DNS queries against those servers, then you may need to add a static route on the CentOS box to get to those servers if they are on another subnet.

If none of this helps, please post a sanitized config of your ASA appliance and a basic network diagram like bgoering suggested. It would help immensely in solving your problem.

0
 
mshaikh22 (Author) Commented:
Thank you kareejb. I am getting somewhere with this. Now I switched the VLAN to the inside layer and turned on DHCP, and now the internet is working.
You are right, it needs some rules in the firewall to make it work. I thought that to run yum you only have to have www and https open.

Can you give me some commands to check the static routes set on the Linux box,
and some rules to put on the Cisco ASA to allow the CentOS box to see yum?

Thank you, Sirs.

0
 
kareejb Commented:
To get out to yum you need working routing, DNS, and http/https allowed. A basic ACL to allow all machines to talk those protocols should look like below. This doesn't include anything to provide a proper NAT setup. This isn't the most secure setup but should get you working. The ASA series firewalls support
access-list internal-out permit icmp any any echo-reply
access-list internal-out permit icmp any any time-exceeded
access-list internal-out permit icmp any any unreachable

access-list internal-out permit tcp any <DNS1 Server IP> eq domain
access-list internal-out permit udp any <DNS1 Server IP> eq domain
access-list internal-out permit tcp any <DNS2 Server IP> eq domain
access-list internal-out permit udp any <DNS2 Server IP> eq domain

As far as the Linux side, 'route -n' will print the kernel routing table. If you need a static route to your DNS servers, you should edit /etc/sysconfig/network-scripts/route-<interface> to add a static route for a particular interface (ref: http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html).
0
 
kareejb Commented:
Whoops, forgot two ACL lines. Just add them to the end of the ones above.
access-list internal-out permit tcp any any eq www
access-list internal-out permit tcp any any eq https
0
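The two answers above describe the outbound layers a yum client needs (a default route, DNS on port 53, then TCP 80/443, with ICMP replies for ping and traceroute) and the ACL lines for them. The script below is an added example, not code from the thread or from either poster: it checks those layers in order from the CentOS box and generates the same ASA access-list scoped to one source host rather than `any`. The gateway 192.168.30.1, the resolver 192.168.30.53 and the sample route table are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: kareejb's outbound checks (routing, DNS,
# then http/https) as a script run on the CentOS box, plus a generator for the
# ASA access-list scoped to one source host instead of "any". The gateway
# 192.168.30.1 and resolver 192.168.30.53 used below are constructed values.

# Print the default gateway from 'route -n' output on stdin; exit 1 if none.
default_gateway() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Emit the ASA lines a yum client needs: ICMP replies (ping/traceroute), DNS on
# udp and tcp 53 to each resolver given, and tcp 80/443 outbound.
# Usage: egress_acl <acl-name> <source-host-ip> <dns-ip> [<dns-ip>...]
egress_acl() {
    acl=$1; src=$2; shift 2
    for t in echo-reply time-exceeded unreachable; do
        echo "access-list $acl extended permit icmp host $src any $t"
    done
    for dns in "$@"; do
        echo "access-list $acl extended permit udp host $src host $dns eq domain"
        echo "access-list $acl extended permit tcp host $src host $dns eq domain"
    done
    echo "access-list $acl extended permit tcp host $src any eq www"
    echo "access-list $acl extended permit tcp host $src any eq https"
}

# Live layered check on the box itself; stops at the first failing layer so the
# return code names it: routing (1), DNS (2) or tcp 443 (3). Argument: a repo
# hostname to test against (caller-supplied; none is assumed here).
check_egress() {
    repo=$1
    gw=$(route -n | default_gateway) || { echo "no default route"; return 1; }
    echo "default gateway: $gw"
    ip=$(dig +short "$repo" | head -n 1)
    [ -n "$ip" ] || { echo "DNS failed: check /etc/resolv.conf and port 53 ACL"; return 2; }
    echo "$repo resolves to $ip"
    curl -sS -m 10 -o /dev/null "https://$repo/" || { echo "tcp 443 blocked"; return 3; }
    echo "egress OK"
}

# Constructed sample 'route -n' table for the 192.168.30.0/24 segment in the thread.
SAMPLE_ROUTE='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
0.0.0.0         192.168.30.1    0.0.0.0         UG    0      0   0   eth0'

printf '%s\n' "$SAMPLE_ROUTE" | default_gateway
egress_acl internal-out 192.168.30.32 192.168.30.53
```

Run `check_egress <repo-hostname>` on the box itself; the return code tells you which layer to look at on the ASA or in the host's routing before touching the ACL.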
 
mshaikh22 (Author) Commented:
Thank you very much kareejb and bgoering for all of your help. Both VMs are working now and can access the web. I used those rules specified by kareejb and typed setup and enabled some services, and httpd was one of them. It is working now.
Thanks a lot for all of your help.
0
Question has a verified solution.