Solved

CentOS 5.4 VM on esx 4 can not access http. Need your help desperately

Posted on 2010-08-27
13
567 Views
Last Modified: 2013-11-08
Hi Expert,

I have just installed CentOS 5.4 on a VM which is behind an F5 load balancer and a Cisco ASA 5520 firewall.
I entered an ACL to allow the VM to access www and https.

But I cannot run yum on it for some reason. I can use nslookup to resolve DNS. When I do a traceroute it doesn't go past the first hop.

I need your help desperately since I need web access on the VM and I have allowed

I have also disabled iptables

Not sure what else it might be. Please help.

mshaikh22
Question by:mshaikh22
13 Comments
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 249 total points
ID: 33547315
Are you wanting to access a http server running on the vm? Or are you wanting to open a browser on the vm and access the internet?
 

Author Comment

by:mshaikh22
ID: 33547387
Both, but I'm trying to run yum and it is not working.
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 249 total points
ID: 33547422
You say it is behind an F5 LTM? The default setup for F5 has you pointing the default gateway to the F5 (unless you have set up SNATs on the F5) - that sometimes really messes with the load balanced server's ability to do anything else.

If that is the case try either changing the default gateway to whatever the normal default gateway is on your network segment until you have completed your yum updates, or add the routes needed for yum to go through your regular gateway.

Let me know if this is applicable.
 

Author Comment

by:mshaikh22
ID: 33548464
Thank you, bgoering for your help

The VM is behind the F5 and I have given it the F5 gateway. Other Windows machines are running fine except for this one. When I am adding a Windows machine, all I have to do is give the server the default gateway set in the F5 and SNAT the IP.

But in this instance, I cannot ping www.google.com or browse using curl or use yum updates.

I have another CentOS set up by the guy who was there previously; I am not sure what he did to make that machine work.

I ran route and have the same route displayed as the working one.
iptables is stopped
I have entered the following on the cisco asa to open

access-list dmz-web_in extended permit tcp ip 192.168.30.32 eq www
access-list dmz-web_in extended permit tcp ip 192.168.30.32 eq https

even though there is a firewall entry to allow dmz-web to see www and https.

I have given it the same name servers as the working CentOS one in /etc/resolv.conf

Not sure what else to do to make this work. Another thing: the iptables firewall keeps turning on after I log in through ssh.

I have typed service iptables save. But it keeps the firewall off for some time and then it turns on.


There is something I am missing but I don't know what. What can I check in the working one to see if this one can work?

 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 249 total points
ID: 33549137
So if I understand, the default gateway is pointing to a router or the firewall, and not the F5. To keep the firewall off it would be a command something like:

chkconfig iptables off
service iptables stop

Check in the firewall to make sure you have a NAT entry [static (dmz, outside)] statement that covers the IP of your new server.

Good Luck
 

Author Comment

by:mshaikh22
ID: 33549354
I do have that in the firewall.
 

Author Comment

by:mshaikh22
ID: 33549392
Anything I can check on Linux to make http work?
 
LVL 28

Expert Comment

by:bgoering
ID: 33549399
This is puzzling. Can you post a network diagram showing the ASA, F5, working and non-working hosts, and a sanitized (first three octets of public IP addresses masked, passwords masked) ASA configuration.

Also the output of ifconfig -a and of route for the working and non-working hosts.
Thanks
 
LVL 4

Assisted Solution

by:kareejb
kareejb earned 251 total points
ID: 33550814
Traceroute to the internet likely isn't going to work past the first hop because your Cisco ASA firewall is likely blocking ICMP. You need to add rules like the following to your ACLs to allow outbound ping and traceroute.

access-list internal-out permit icmp <Centos_IP> any echo-reply
access-list internal-out permit icmp <Centos_IP> any time-exceeded
access-list internal-out permit icmp <Centos_IP> any unreachable

Replace <Centos_IP> with the IP of your server (or its static NAT IP on the F5). If you want all your servers to be able to ping the internet, replace <Centos_IP> with any.

As far as web access goes, try doing a DNS query on your CentOS box to verify that you can successfully do DNS lookups (you should have the 'dig' or 'nslookup' utilities installed on your CentOS box). If the IPs you have plugged into /etc/resolv.conf on your server aren't on your local network (i.e. ISP DNS servers), then there are likely ACLs in your Cisco ASA appliance that permit the DNS traffic on a host or subnet basis (TCP/UDP port 53). If you don't see anything that allows this particular host to query DNS then that would definitely break yum and pings to any DNS name (like www.google.com vs 74.125.95.106). If the DNS servers are internal and you are unsuccessful doing DNS queries against those servers then you may need to add a static route on the CentOS box to get to those servers if they are on another subnet.

If none of this helps please post a sanitized config of your ASA appliance and a basic network diagram like bgoering suggested. It would help immensely in solving your problem.

 

Author Comment

by:mshaikh22
ID: 33551429
Thank you kareejb. I am getting somewhere with this. Now I switched the VLAN to the inside layer and turned on DHCP, and now the internet is working.
You are right, it needs some rules in the firewall to make it work. I thought to run yum you only have to have www and https open.

Can you give me some commands to check the static routes set on the Linux box,
and some rules to put on the Cisco ASA to allow the CentOS box to see yum.

Thank you, Sirs.

 
LVL 4

Accepted Solution

by:
kareejb earned 251 total points
ID: 33553204
To get out to yum you need working routing, DNS, and http/https allowed. A basic ACL to allow all machines to talk those protocols should look like the one below. This doesn't include anything to provide a proper NAT setup. This isn't the most secure setup but should get you working. The ASA series firewalls support
access-list internal-out permit icmp any any echo-reply
access-list internal-out permit icmp any any time-exceeded
access-list internal-out permit icmp any any unreachable

access-list internal-out permit tcp any <DNS1 Server IP> eq domain
access-list internal-out permit udp any <DNS1 Server IP> eq domain
access-list internal-out permit tcp any <DNS2 Server IP> eq domain
access-list internal-out permit udp any <DNS2 Server IP> eq domain

As far as the Linux side, 'route -n' will print the kernel routing table. If you need a static route to your DNS servers you should edit /etc/sysconfig/network-scripts/route-<interface> to add a static route for a particular interface (ref: http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html)
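A worked check for the routing half of this answer and of kareejb's earlier one: the script below is an added example, not code from the thread. It parses a `route -n` style table with the same longest-prefix rule the kernel uses and reports which gateway a destination (a DNS server, a yum mirror) would actually take. The table is constructed to resemble the 192.168.30.0/24 segment discussed above; the gateway addresses and the DNS server address 10.10.10.53 are placeholders. If a DNS server comes back as "default" while the default gateway is the F5, that is exactly the case where a static route through the regular gateway is worth adding.

```shell
#!/bin/sh
# Added example (not from the thread): longest-prefix lookup over the table
# that `route -n` prints, to see which gateway a destination would use.
# Constructed sample table; gateway addresses are placeholders.
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.10.0      192.168.30.1    255.255.255.0   UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.30.254  0.0.0.0         UG    0      0        0 eth0'

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Number of one bits in a netmask (the prefix length).
mask_len() {
    m=$(ip_to_int "$1")
    n=0
    while [ "$m" -ne 0 ]; do
        n=$((n + (m & 1)))
        m=$((m >> 1))
    done
    echo "$n"
}

# Print "network gateway iface" of the most specific route in table $1
# that matches destination $2 (the same rule the kernel applies).
route_lookup() {
    dest=$(ip_to_int "$2")
    best_len=-1
    best=''
    while read -r net gw mask flags metric ref use iface; do
        case $net in *[!0-9.]*|'') continue ;; esac   # skip header lines
        n=$(ip_to_int "$net")
        m=$(ip_to_int "$mask")
        if [ $((dest & m)) -eq $((n & m)) ]; then
            len=$(mask_len "$mask")
            if [ "$len" -gt "$best_len" ]; then
                best_len=$len
                best="$net $gw $iface"
            fi
        fi
    done <<EOF
$1
EOF
    echo "$best"
}

# "default" if $2 would ride the default route, "specific" otherwise.
# With the default gateway pointed at the F5 (as in the thread), "default"
# for a DNS server or yum mirror means a static route via the real gateway
# is the thing to add.
route_kind() {
    set -- $(route_lookup "$1" "$2")
    if [ "$1" = "0.0.0.0" ]; then echo default; else echo specific; fi
}

# 10.10.10.53 is a placeholder DNS server; 74.125.95.106 is the address
# kareejb used above as an example of an external host.
for ip in 192.168.30.40 10.10.10.53 74.125.95.106; do
    printf '%-15s -> %s (%s route)\n' "$ip" \
        "$(route_lookup "$ROUTE_TABLE" "$ip")" "$(route_kind "$ROUTE_TABLE" "$ip")"
done
```

To run it against a real box, replace the ROUTE_TABLE literal with `ROUTE_TABLE=$(route -n)` and pass the addresses from /etc/resolv.conf to route_kind.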
 
LVL 4

Assisted Solution

by:kareejb
kareejb earned 251 total points
ID: 33553209
Whoops, forgot two ACL lines. Just add them to the end of the ones above:
access-list internal-out permit tcp any any eq www
access-list internal-out permit tcp any any eq https
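Two slips are easy to make when typing rules like the ones above: a udp rule for a TCP-only service (www or https), and a DNS server that is allowed on only one of tcp/53 and udp/53. The script below is an added example, not code from the thread, that lints a set of ASA-style access-list lines for exactly those two problems before they are pasted into the firewall. The rule set is constructed; 10.10.10.53 and 10.10.10.54 are placeholder DNS server addresses.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check ASA-style ACL lines for
# a UDP rule on a TCP-only port and for DNS servers missing one of tcp/udp 53.
# Constructed rule set; the DNS server addresses are placeholders.
ACL_RULES='access-list internal-out permit icmp any any echo-reply
access-list internal-out permit tcp any 10.10.10.53 eq domain
access-list internal-out permit udp any 10.10.10.53 eq domain
access-list internal-out permit tcp any 10.10.10.54 eq domain
access-list internal-out permit tcp any any eq www
access-list internal-out permit udp any any eq https'

# Reads the rules in $1, prints one WARN line per problem on stderr and the
# number of problems found on stdout.
acl_lint() {
    warnings=0
    dns=' '            # space-delimited "proto:dst" pairs seen for port 53
    while read -r kw name action proto src dst op port; do
        if [ "$kw" != "access-list" ] || [ "$op" != "eq" ]; then
            continue   # blank lines, comments, ICMP rules (no port clause)
        fi
        case "$proto:$port" in
            udp:www|udp:https)
                echo "WARN ($name): $proto rule for $port, but HTTP/HTTPS are TCP-only" >&2
                warnings=$((warnings + 1)) ;;
        esac
        if [ "$port" = "domain" ]; then
            dns="$dns$proto:$dst "
        fi
    done <<EOF
$1
EOF
    # DNS needs both udp/53 and tcp/53 (large answers fall back to TCP).
    for entry in $dns; do
        case $entry in
            tcp:*) other="udp:${entry#tcp:}" ;;
            udp:*) other="tcp:${entry#udp:}" ;;
        esac
        case "$dns" in
            *" $other "*) ;;
            *)
                echo "WARN: $entry allowed for DNS but no matching $other rule" >&2
                warnings=$((warnings + 1)) ;;
        esac
    done
    echo "$warnings"
}

printf 'problems found: %s\n' "$(acl_lint "$ACL_RULES")"
```

On the constructed rule set it reports two problems: the udp https line, and 10.10.10.54 being reachable only over tcp/53.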
 

Author Comment

by:mshaikh22
ID: 33560647
Thank you very much kareejb and bgoering for all of your help. Both VMs are working now and can access the web. I used the rules specified by kareejb, typed setup and enabled some services, and httpd was one of them. It is working now.
Thanks a lot for all of your help.