What is the default-gateway set to on the client that you can ping from the router and on the web server that you can't ping from the router ?

Jon

telnet 10.5.4.81 80 /source-interface fa0/0

Trying 10.5.4.81, 80 ...

% Connection timed out; remote host not responding

The default gateway on all internal computers is the switch between the router and the ISA server. The ISA server connects to the gateway switch. It's ip is 10.5.4.1 if that is relevant.

The gateway error i posted earlier is not from the internal network. That error comes from an external computer, generated by their firewall.

The basic issue seems to be you can ping your desktop from the router but not the web server. If you do not have basic connectivity from the router to the web server then NAT, port forwarding, telnet etc. are really just red herrings.

You first need to work out why you do not have basic connectivity from the router to the web server.

Can you ping the web server from the switch between the router and ISA server ?

Jon

Hi

in an earlier post i said i've setup a new webserver, on my desktop. I can ping the new webserver (my desktop) from any interface. I can telnet to it from the internal fa0/1 interface but i can't telnet to it from the external fa0/0 interface. I have a rule in my ISA server that allows the trafic but it still doesn't work.

Basicaly, i must make telnet 10.5.4.81 80 /source-interface fa0/0 work and i think my problem will be over. Since i can ping 10.5.4.81 from fa0/0 but i can't telnet from fa0/0, i think my requests are geting droped.

Is there anyway you can temporarily bypass the ISA server to test.

Well, to 'bypass' the ISA server i added a rule that basicaly allows all outside trafic to any inside destination; so i've cut ISA out of the picture. No results tho. Still can't telnet even tho i can ping.

I meant physically bypass it. Sometimes simply adding a rule to a device does not always have the intended effect and as you can connect from a client in the same subnet i thought it might be a valid test.

Can i just check the topology -

the client and web server have a default-gateway on the switch so the switch is a L3 switch yes ?

The switch then has a default-route pointing to the LAN interface of the router ?

How does traffic actually get sent through the ISA server - is the ISA server in effect between the switch and router in terms of traffic path  or do you redirect traffic to ISA server ?  It's not clear what part the ISA server plays in forwarding traffic between the router and the client/webserver.

Jon

Can't physically bypass it. Removing the ISA server would result in no internet access.

Yes, the switch is a L3 switch. It has multiple vlans and it's a core switch. It routes all trafic to fa0/1 and some trafic to the DHCP server.

The router connects to port 1 in SW1; port 1 is in vlan 200. The ISA server connects to port 3 in SW1; port 3 is also in vlan 200. Vlan 200 is the to-nat vlan. Trafic comes from router to SW1 port 1, exists on SW1 port 3 to the ISA server, enters on external_network_card, gets processed, exists the server on internal_network_card, enters SW1 on vlan3 port22 (vlan3 is the servers vlan).

Okay, in previous post you said the default-gateway for all internal computers was the switch. You say in this post that the ISA server has an interface on vlan 3 which is the server vlan.

You also setup a client in vlan 3 to test with. So how does traffic go through the ISA server. If the default-gateway for the web server is vlan 3 L3 interface on the switch then it would then just be routed to the router.

Where i am confused is that if the switch is routing how do you force traffic through the ISA server. If the ISA server is acting as proxy outbound then that would take care of outbound internet requests from clients. B ut for inbound requests how do you ensure traffic is simply not routed by the L3 switch ?

Is the ISA server acting as a proxy server ?

Jon

Actualy no, i haven't setup a client in vlan3 to test with. The client is in Vlan4, the client vlan. The ISA server is connected to 2 interfaces, one in vlan200 (to-nat vlan) and one in vlan3 (the servers vlan).  The default gateway for all clients is vlan4 10.5.4.1 on SW1. All outbound trafic goes through ISA but i'm unsure how inbound trafic goes through ISA if it does at all.

I haven't setup this topology, i'm just trying to make heads or tails out of it and fix some problems.

Can you post "sh ip route" from your router ?

Jon

Couple of other things to check -

1) you mentioned something about bittorrent on your router. Can you turn that off while testing

2) do you know if the router is forwarding the packet on or not ? If we still don't know that we can use an acl on the LAN interface of the router eg.

access-list 101 permit tcp any host eq 80

access-list 101 permit ip any any

int fa0/1

ip access-group 101 out

when you then try to telnet from fa0/0 it should at least show us if you get any hits on the first line in acl 101

Jon

I turned it off, no change.

I don't know if the router is forwarding the packet or not.

After adding ACL 101 like you said, i got no hits on: "permit tcp any host 10.5.4.81 eq www" but i got hits on: "permit ip any any"

carpovalexandru123 wrote:
I turned it off, no change. 
I don't know if the router is forwarding the packet or not.
After adding ACL 101 like you said, i got no hits on: "permit tcp any host 10.5.4.81 eq www" but i got hits on: "permit ip any any"

Did you try connecting from client on internet ie. not the outside router interface ?

If not, can you try as this would tell us if the router was actually forwarding the packet on. If it wasn't we could then at least narrow the issue down to the router.

You will see lots of hits on the permit ip any any line. That line is there simply to  make sure we don't break anything ie. stop access.

Jon