Loopback/Spanning Tree

This very smart network guy at my work and I were talking about this: I'm using our company's wireless network, and trying to access our company site, specifically a link within our company webpage. The link won't work. But on our ethernet it will work. He says that it is impossible to "come back in the way you go out" due to loopback. Impossible?

I know a little about Spanning tree protocol. Is this what he's referring to? And is there really no way around that?
dlewis61Asked:

Ken BooneNetwork ConsultantCommented:
So loopback and spanning-tree are two different things.  I'm guessing that your company's website is on a DMZ segment off of a firewall.  The rules in the firewall are set up so the internal network can talk to it but the same rules are not set up for the wireless segment.  That is just a guess.
0
dlewis61Author Commented:
Ok. So if the rules were set up, would we be able to go out and come in on the same port via wireless?
0
Ken BooneNetwork ConsultantCommented:
There are a lot of assumptions here... but if you can reach it from your internal ethernet network, there is no technical reason you can't form an internal wireless network.
0
Bryant SchaperCommented:
By port, are you referring to an IP port, i.e. HTTP 80?

Then no, or at least by design: you communicate to a known port but they talk back on a dynamic session port.
0
dlewis61Author Commented:
You mean no, it's not possible? This guy said "you can't go out the same way you go in"...
0
Bryant SchaperCommented:
It is not possible, but again, are we talking about a protocol port (port 80, 8080, 443...)? While your computer may communicate out on port 80 to a website, it does not receive back on port 80; it is dynamic and they negotiate a new port. This allows multiple connections to an IP address, the same reason you can run many TCP/UDP applications at the same time, i.e. open multiple sessions to a website at the same time.

Or are you referring to a physical network port, gigabitethernet0/1 on a router for example?
0
Ken BooneNetwork ConsultantCommented:
What I am saying is that if you can reach your web server from the internal network you should be able to reach it from the internal wireless segment as well.  It might be that the firewall needs some additional configuration but it should be able to work.
0
Ken BooneNetwork ConsultantCommented:
My guess is that his network guy is talking about the physical network port on the firewall.
0
Bryant SchaperCommented:
Then it should be possible but more challenging; it depends on network design. You would normally have internal routers before the DMZ and an external router to the internet.
0
AkinsdNetwork AdministratorCommented:
What you have is an intranet. Most likely sharepoint.

Unless you associate a public address via NAT to the web server on port 80 or 443, you will not be able to access it outside the network.

I believe you're confusing the loop prevention mechanism in spanning tree with NAT loopback (reflective NAT).

See the link below
http://serverfault.com/questions/355993/how-to-implement-nat-loopback-reflection

Without appropriate static NAT in place, you will only have access to your intranet (intra = internal). Static NAT or an assigned public address is what makes websites available over the internet (inter = external).
0
dlewis61Author Commented:
Here's what I'm saying: let's say that I work for the widget store. We have both wireless and cabled/ethernet. We have a website. It's out on the web. I'm inside my store connecting to our wireless, and I want to go to our website. When I go to my website, I get "website will not load". Our network guy said I would never be able to get on our website from within our store on our wireless, because you can't "come in the same way you go out" on our wireless. I thought he meant because of the loop prevention of the spanning tree protocol. "Never" seems to be incorrect, so my question: is it correct that I would never be able to bring up my store's website on our wireless on our domain?
0
Sandeep GuptaConsultantCommented:
Point to remember:

If you are running wireless network, spanning tree must be disabled.

I think your spanning tree is enabled and that's why you are facing this problem. Just disable it and try.
0
Ken BooneNetwork ConsultantCommented:
dlewis61 - there are a lot of unknowns here first of all. But I will say again that if your internal wired ethernet can hit the website, then an internal wireless network would be able to as well. It may be that your network guy doesn't know how to do it.

We could be more specific if you gave more details, i.e. a network topology map, type of firewall, is the wireless network on the inside of the firewall or is it on a different leg of the firewall? Is the website hosted somewhere else, or do you guys host your own website and it is attached to the firewall on a DMZ? Is your wireless a corporate wireless network or is it simply an internet-access-only type of wireless network that might be isolated off your firewall?

So you see we don't have a lot of information here. I think your network guy is wrong and in all cases it should work. It may be that he does not know how to make it work or something is connected in a non-standard way that is preventing this. Without the details above we can't give any more specifics than this.
0
Ken BooneNetwork ConsultantCommented:
BTW...Spanning tree most likely has nothing to do with your problem...
0
AkinsdNetwork AdministratorCommented:
Thanks for clarifying and please erase the thought of spanning tree with this issue.
From your explanation, this is 100% a DNS configuration issue.

If you are unable to access the site internally, that means there is no zone setup for your website on your DNS server.

Go on your DNS server and configure a forward lookup zone with the private IP (local IP) for your site.
e.g. the public IP for www.google.com is 74.125.239.115. Their private IP could be 172.16.1.200 or 192.168.1.200 or whatever IP scheme they use internally.
You can get to the webpage whether you type the URL or the IP. Typing the IP bypasses the DNS query and goes straight to the server. With a URL, DNS queries the URL and returns the IP address to the computer, then the computer connects using the IP.

In your case, your DNS is returning the public IP address of your website. Your DNS needs to be configured to return the private IP address to internal users.

Find the private IP address of your site and type that in your browser instead - your site should come up, which will confirm your DNS server needs to be modified.

Take note of Private IP and Public IP
0
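An added illustration (not code from any of the posters) of the split-horizon DNS setup Akinsd describes, plus the "note the private and public IP" check from his last step: the zone name, client addresses and internal network ranges are assumed; 74.125.239.115 and 172.16.1.200 are the example addresses used in the answer above.

```python
# Split-horizon ("two view") DNS resolution modelled in Python so the symptom
# from the thread can be reproduced offline. All zone data, client addresses
# and network ranges below are constructed sample values.
import ipaddress

# Address ranges assumed to be "inside" (wired and wireless client networks).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# One A record per view: internal clients get the private address, everyone
# else gets the public address that the firewall's static NAT maps to the server.
ZONE = {
    "www.widgetstore.example": {"internal": "172.16.1.200",
                                "external": "74.125.239.115"},
}


def is_internal(client_ip: str) -> bool:
    """True when the querying client sits on one of the inside networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str, split_horizon: bool = True) -> str:
    """Return the A record a client receives for `name`.

    With split_horizon=False the resolver behaves like the misconfigured server
    in the thread: every client, wireless ones included, gets the public address.
    """
    views = ZONE[name]
    if split_horizon and is_internal(client_ip):
        return views["internal"]
    return views["external"]


def diagnose(client_ip: str, answer: str) -> str:
    """Classify the address an inside client got back, as the thread suggests."""
    if not is_internal(client_ip):
        return "external client: public answer expected"
    if ipaddress.ip_address(answer).is_private:
        return "ok: internal client received private address " + answer
    return ("symptom: internal client received public address " + answer +
            "; either add an internal DNS view or hairpin (NAT loopback) on the firewall")


if __name__ == "__main__":
    wifi = "192.168.50.23"  # constructed wireless client address
    site = "www.widgetstore.example"
    print(diagnose(wifi, resolve(site, wifi, split_horizon=False)))  # the failing case
    print(diagnose(wifi, resolve(site, wifi)))                       # after the DNS fix
```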
Ken BooneNetwork ConsultantCommented:
Whoa whoa whoa... we don't know it's 100% DNS. There are too many unknowns to make that 100%: it is possible, but there are many, many reasons why this might not be working.

When you say "In your case, your DNS is returning the public ip address to your website. Your DNS needs to be configured to return the private IP address to internal users."

-- you need to remember this is working from the internal WIRED network.
0
Bryant SchaperCommented:
I would agree; it is network config. I have seen the same come up with VPN portals: they are outside-accessible only, and if the DNS internally resolves the IP, it still fails. You have to make special considerations in the firewall's config to allow access.
0