We have what I think is a fairly typical 3-homed FW/DMZ setup.
If I can attempt some crude ASCII art:
Code:
            Internet
                |
            GroupTel
                |
             Our SW1
                |
             Our FW
                |
             Our SW2
                |
        ----------------
        |              |
       LAN            DMZ
        |              |
    desktops    public servers
Let's say for a moment that I have two servers in the DMZ (host1, host2) that are essentially the same hardware, OS, services running on them, etc.
From the internet (like, from home), I can telnet host1:80 no problem, but I cannot telnet host2:80. The FW rule that passes *.80 to host1 is precisely the same as the one for host2 (I made a copy and changed the IP address). I've tried reloading and even a hard restart of the FW.
I've broken out tcpdump and host1 sees tonnes of traffic. host2 practically none (ICMP and NTP stuff, but that's about it).
I've also looked at tcpdump on the FW itself, and I can't see any traffic that is destined for host2 (I do see it for host1).
If I then disconnect host2 from SW2, and put it right up on SW1 (beside the firewall, not behind it)... then the internet can now suddenly see host2.
Does this smell like a problem with the 'upstream provider', or might it still be something I need to do to either the FW or SW1? (And what might that be?) I can't get past the fact that tcpdump on the FW saw no traffic destined for host2; it makes me think it's an upstream problem.
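As an added example (not part of the original post, and not from any vendor's tooling), here is a small POSIX sh triage helper for exactly this symptom. The point it makes: a capture on the FW's outside interface filtered on host2's IP alone cannot distinguish "the upstream never sends toward us" from "the upstream is trying, but nobody on the outside segment answers ARP for host2's address". The second case is worth ruling out before blaming the provider, because when host2 sat directly on SW1 it answered ARP for its own public address itself; behind the FW, something on that segment (normally the FW, via proxy ARP or a NAT alias bound to its outside interface) has to answer instead, or the GroupTel router never hands the packets to the FW's MAC and the FW's tcpdump shows nothing. All addresses (documentation ranges), the gateway, the interface name `eth0` and the capture text are assumptions constructed for the example; the post gives none of them.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helper for: host1 reachable,
# host2 not, FW outside capture shows no IP traffic for host2, host2 works when
# plugged straight into SW1. Assumes host2's public IP lives on the same subnet
# as the upstream gateway (a flat public segment in front of the FW).
# Every address, the gateway, the interface and the capture text are assumed.

HOST1_IP="203.0.113.10"   # assumed public IP of host1
HOST2_IP="203.0.113.11"   # assumed public IP of host2
GW_IP="203.0.113.1"       # assumed upstream (GroupTel) gateway on the outside segment
OUT_IF="eth0"             # assumed outside interface of the FW

# Constructed sample of `tcpdump -lni $OUT_IF` output on the FW's outside interface.
# It encodes the symptom: a SYN/SYN-ACK pair for host1, but for host2 only ARP
# requests from the gateway and no reply to them from anyone on the segment.
SAMPLE_CAPTURE='12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.80 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
12:00:03.000001 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46'

# IP packets in capture text $1 whose destination is $2. tcpdump -n prints the
# destination as "> a.b.c.d.port", so a fixed-string match on "> IP." is enough;
# ARP lines contain no ">" and never match. "|| true" keeps a zero count from
# turning into a failing exit status under `set -e`.
count_ip_to_host() {
    printf '%s\n' "$1" | grep -Fc " > $2." || true
}

# ARP requests asking for $2 ("who-has IP tell ...") in capture text $1.
count_arp_requests_for() {
    printf '%s\n' "$1" | grep -Fc "who-has $2 " || true
}

# ARP replies answering for $2 ("Reply IP is-at MAC") in capture text $1.
count_arp_replies_for() {
    printf '%s\n' "$1" | grep -Fc "Reply $2 is-at" || true
}

# Classify what the outside capture $1 says about address $2. Echoes one token:
#   ip-traffic-arrives   packets for $2 do reach the FW: look at FW rules/NAT, not upstream
#   arp-unanswered       the gateway asks for $2 on the wire and nobody answers: the FW
#                        (proxy ARP / NAT alias on $OUT_IF) is not claiming the address
#   arp-answered-no-ip   something answers ARP for $2 yet no IP packets for it reach this
#                        capture point: check which MAC answered (a stale entry, or host2
#                        itself if still on SW1)
#   nothing-on-wire      not even ARP for $2: the upstream is not sending toward this segment
diagnose() {
    dg_capture="$1"; dg_ip="$2"
    dg_ipcnt=$(count_ip_to_host "$dg_capture" "$dg_ip")
    dg_req=$(count_arp_requests_for "$dg_capture" "$dg_ip")
    dg_rep=$(count_arp_replies_for "$dg_capture" "$dg_ip")
    if [ "$dg_ipcnt" -gt 0 ]; then
        echo "ip-traffic-arrives"
    elif [ "$dg_req" -gt 0 ] && [ "$dg_rep" -eq 0 ]; then
        echo "arp-unanswered"
    elif [ "$dg_req" -gt 0 ]; then
        echo "arp-answered-no-ip"
    else
        echo "nothing-on-wire"
    fi
}

# Run against the constructed sample. On the real FW, feed it a live capture instead:
#   tcpdump -lni "$OUT_IF" "arp or host $HOST2_IP"
# and, while a connection attempt is in flight, compare with the gateway's view of the
# address by checking the FW's own table:  ip neigh show dev "$OUT_IF"   (or: arp -an)
printf 'host1 (%s): %s\n' "$HOST1_IP" "$(diagnose "$SAMPLE_CAPTURE" "$HOST1_IP")"
printf 'host2 (%s): %s\n' "$HOST2_IP" "$(diagnose "$SAMPLE_CAPTURE" "$HOST2_IP")"
```

On the sample the verdict for host2 is `arp-unanswered`, which would point at the FW's outside interface rather than the provider; a live capture that shows `nothing-on-wire` for host2 while the same filter on host1 shows `ip-traffic-arrives` is the evidence that actually supports the upstream theory. The ARP filter is the important addition: a capture filtered with only `host 203.0.113.11` drops the ARP frames and the two cases look identical.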