Solved

CentOS 5.4 VM on esx 4 can not access http. Need your help desperately

Posted on 2010-08-27
Medium Priority
584 Views
Last Modified: 2013-11-08
Hi Expert,

I have just installed CentOS 5.4 on a VM which is behind an F5 load balancer and a Cisco ASA 5520 firewall.
I entered an ACL to allow the VM to access www and https.

But I cannot run yum on it for some reason. I can use nslookup to resolve DNS. When I do a traceroute it doesn't go past the first hop.

I need your help desperately since I need web access on the VM and I have allowed

I have also disabled iptables.

Not sure what else might. Please help.

mshaikh22
0
Question by:mshaikh22
13 Comments
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 996 total points
ID: 33547315
Are you wanting to access a http server running on the vm? Or are you wanting to open a browser on the vm and access the internet?
0
 

Author Comment

by:mshaikh22
ID: 33547387
Both, but I am trying to run yum and it is not working.

0
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 996 total points
ID: 33547422
You say it is behind an F5 LTM? The default setup for F5 has you pointing the default gateway at the F5 (unless you have set up SNATs on the F5), and that sometimes really messes with the load-balanced server's ability to do anything else.

If that is the case, try either changing the default gateway to whatever the normal default gateway is on your network segment until you have completed your yum updates, or add the routes needed for yum to go through your regular gateway.

Let me know if this is applicable
0
 

Author Comment

by:mshaikh22
ID: 33548464
Thank you, bgoering for your help

The VM is behind the F5 and I have given it the F5 gateway. Other Windows machines are running fine except for this one. When I am adding a Windows machine, all I have to do is give the server the default gateway set in the F5 and SNAT the IP.

But in this instance, I cannot ping www.google.com, browse using curl, or use yum updates.

I have another CentOS setup by the guy who was here previously; I am not sure what he did to make that machine work.

I ran route and have the same routes displayed as the working one.
iptables is stopped.
I have entered the following on the Cisco ASA to open it:

access-list dmz-web_in extended permit tcp host 192.168.30.32 any eq www
access-list dmz-web_in extended permit tcp host 192.168.30.32 any eq https

even though there is a firewall entry to allow dmz-web to see www and https.

I have given it the same name servers as the working CentOS one in /etc/resolv.conf.

Not sure what else to do to make this work. Another thing: the iptables firewall keeps turning on after I log in through SSH.

I have typed service iptables save, but it keeps the firewall off for some time and then it turns on.


There is something I am missing but I don't know what. What can I check on the working one to see if this one can work?

0
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 996 total points
ID: 33549137
So if I understand, the default gateway is pointing to a router or the firewall, and not the F5. To keep the firewall off, it would be a command something like:

chkconfig iptables off
service iptables stop

Check in the firewall to make sure you have a NAT entry [static (dmz, outside)] statement that covers the IP of your new server.

Good Luck
0
 

Author Comment

by:mshaikh22
ID: 33549354
i do have that in the firewall.
0
 

Author Comment

by:mshaikh22
ID: 33549392
Anything I can check on Linux to make http work?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33549399
This is puzzling. Can you post a network diagram showing the ASA, F5, working and non-working hosts, and a sanitized (first three octets of public IP addresses masked, passwords masked) ASA configuration.

Also the output of ifconfig -a and of route for the working and non-working hosts.
Thanks
0
 
LVL 4

Assisted Solution

by:kareejb
kareejb earned 1004 total points
ID: 33550814
Traceroute to the internet likely isn't going to work past the first hop because your Cisco ASA firewall is likely blocking ICMP. You need to add rules like the following to your ACLs to allow outbound ping and traceroute.

access-list internal-out permit icmp <Centos_IP> any echo-reply
access-list internal-out permit icmp <Centos_IP> any time-exceeded
access-list internal-out permit icmp <Centos_IP> any unreachable

Replace <Centos_IP> with the IP of your server (or its static NAT IP on the F5). If you want all your servers to be able to ping the internet, replace <Centos_IP> with any.

As far as web access goes, try doing a DNS query on your CentOS box to verify whether you can successfully do DNS lookups (you should have the 'dig' or 'nslookup' utilities installed on your CentOS box). If the IPs you have plugged into /etc/resolv.conf on your server aren't on your local network (i.e. ISP DNS servers), then there are likely ACLs in your Cisco ASA appliance that permit the DNS traffic on a host or subnet basis (TCP/UDP port 53). If you don't see anything that allows this particular host to query DNS then that would definitely break yum and pings to any DNS name (like www.google.com vs 74.125.95.106). If the DNS servers are internal and you are unsuccessful doing DNS queries against those servers then you may need to add a static route on the CentOS box to get to those servers if they are on another subnet.

If none of this helps please post a sanitized config of your ASA appliance and a basic network diagram like bgoering suggested. It would help immensely in solving your problem.

0
 

Author Comment

by:mshaikh22
ID: 33551429
Thank you kareejb. I am getting somewhere with this. Now I switched the VLAN to the inside layer and turned on DHCP, and now the internet is working.
You are right, it needs some rules in the firewall to make it work. I thought that to run yum you only have to have www and https open.

Can you give me a command to check the static routes set on the Linux box?
Also some rules to put on the Cisco ASA to allow the CentOS box to see yum.

Thank you, Sirs.

0
 
LVL 4

Accepted Solution

by:kareejb
kareejb earned 1004 total points
ID: 33553204
To get out to yum you need working routing, DNS, and http/https allowed. A basic ACL to allow all machines to talk those protocols should look like the one below. This doesn't include anything to provide a proper NAT setup. This isn't the most secure setup but should get you working. The ASA series firewalls support
access-list internal-out permit icmp any any echo-reply
access-list internal-out permit icmp any any time-exceeded
access-list internal-out permit icmp any any unreachable

access-list internal-out permit tcp any <DNS1 Server IP> eq domain
access-list internal-out permit udp any <DNS1 Server IP> eq domain
access-list internal-out permit tcp any <DNS2 Server IP> eq domain
access-list internal-out permit udp any <DNS2 Server IP> eq domain

As far as the Linux side goes, 'route -n' will print the kernel routing table. If you need a static route to your DNS servers you should edit /etc/sysconfig/network-scripts/route-<interface> to add a static route for a particular interface (ref: http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html)
0
 
LVL 4

Assisted Solution

by:kareejb
kareejb earned 1004 total points
ID: 33553209
Whoops, forgot two ACL lines. Just add them to the end of the ones above:
access-list internal-out permit tcp any any eq www
access-list internal-out permit tcp any any eq https
0
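The Linux-side checks from bgoering's iptables note (chkconfig vs. service iptables save) and kareejb's accepted answer (route -n, the route-<interface> file, DNS reachability, then http), pulled together as an added example; this script is not part of the thread or of any of the posters' work. The local subnet 192.168.30.0/24, the gateway 192.168.30.1, the mirror host name and every sample command output below are constructed for the example; the live part assumes the CentOS 5 route, chkconfig, host and curl commands are present.

```shell
#!/bin/sh
# Added example, not from the thread: layered triage of the CentOS side of the
# problem. Parsers read command output from stdin so they can be exercised on
# the constructed samples at the bottom; `--live <host>` runs them on the box.

# Default gateway from `route -n` output: the 0.0.0.0 destination with the G flag.
default_gateway() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Runlevels at which a service is enabled, from `chkconfig --list <service>`.
# `service iptables save` only stores the rule set; if 3 and 5 show up here the
# service is still enabled and comes back at boot. `chkconfig iptables off` fixes that.
enabled_runlevels() {
    awk '{ out = ""
           for (i = 2; i <= NF; i++) if ($i ~ /:on$/) { split($i, a, ":"); out = out (out == "" ? "" : " ") a[1] }
           print out }'
}

# Nameserver addresses from /etc/resolv.conf content.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Dotted quad to a 32-bit integer, using only shell arithmetic.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when ip lies inside network/netmask (all dotted quads).
ip_in_subnet() {
    local ipn netn maskn
    ipn=$(ip_to_int "$1"); netn=$(ip_to_int "$2"); maskn=$(ip_to_int "$3")
    [ $(( ipn & maskn )) -eq $(( netn & maskn )) ]
}

# One static route in the CentOS 5 route-<interface> format:
# route_file_entry <network> <netmask> <gateway> [index]
route_file_entry() {
    local idx=${4:-0}
    printf 'ADDRESS%s=%s\nNETMASK%s=%s\nGATEWAY%s=%s\n' "$idx" "$1" "$idx" "$2" "$idx" "$3"
}

# For each nameserver (resolv.conf on stdin) that is not on the local subnet, emit
# a host route via the given gateway, the fix the accepted answer describes.
dns_static_routes() {
    local net=$1 mask=$2 gw=$3 idx=0 ns
    for ns in $(nameservers); do
        if ! ip_in_subnet "$ns" "$net" "$mask"; then
            route_file_entry "$ns" 255.255.255.255 "$gw" "$idx"
            idx=$((idx + 1))
        fi
    done
}

# Live checks, in the order a failure should be read: route, local firewall,
# DNS, then tcp/80 to a mirror. Assumes route, chkconfig, host and curl exist.
live_triage() {
    local mirror=${1:-mirror.centos.org}   # assumed mirror host, not from the thread
    echo "default gateway: $(route -n | default_gateway)"
    echo "iptables enabled at runlevels: $(chkconfig --list iptables 2>/dev/null | enabled_runlevels)"
    echo "nameservers: $(nameservers < /etc/resolv.conf | tr '\n' ' ')"
    if host "$mirror" >/dev/null 2>&1; then
        echo "DNS: $mirror resolves"
    else
        echo "DNS: $mirror does not resolve (check udp/tcp 53 on the ASA and routes to the nameservers)"
    fi
    if curl -sI --connect-timeout 5 "http://$mirror/" >/dev/null 2>&1; then
        echo "HTTP: tcp/80 to $mirror works"
    else
        echo "HTTP: tcp/80 to $mirror failed (check the ASA ACL/NAT and the default gateway)"
    fi
}

# Constructed samples (not real output from the poster's machine).
ROUTE_SAMPLE=$(cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.30.1    0.0.0.0         UG    0      0        0 eth0
EOF
)
CHKCONFIG_SAMPLE='iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off'
RESOLV_SAMPLE=$(printf 'search example.com\nnameserver 192.168.30.5\nnameserver 10.1.1.53\n')

case ${1:-} in
    --live) live_triage "$2" ;;
    *)
        echo "gateway in sample: $(printf '%s\n' "$ROUTE_SAMPLE" | default_gateway)"
        echo "iptables enabled at runlevels: $(printf '%s\n' "$CHKCONFIG_SAMPLE" | enabled_runlevels)"
        echo "route-eth0 lines for off-subnet nameservers:"
        printf '%s\n' "$RESOLV_SAMPLE" | dns_static_routes 192.168.30.0 255.255.255.0 192.168.30.1
        ;;
esac
```

Run without arguments to see the parsers work on the constructed samples; run as `sh triage.sh --live mirror.centos.org` on the VM itself to walk the real stack in the same order the thread did. The order matters: a missing default route or an iptables service that is still enabled at runlevels 3 and 5 explains a failed curl on its own, so those are printed before the DNS and HTTP results.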
 

Author Comment

by:mshaikh22
ID: 33560647
Thank you very much kareejb and bgoering for all of your help. Both VMs are working now and can access the web. I used those rules specified by kareejb and typed setup and enabled some services, and httpd was one of them. It's working now.
Thanks a lot for all of your help.
0
