Urgent Help Needed: Can't ping or access website on a server behind a router unless second NIC is disabled
I apologize for the extremely long post, but I'm posting this wherever I can to get help. None of our IT staff in the district can figure it out, and our ISP can't figure it out. If you could take 5 minutes to read this, any help would be greatly appreciated and I seriously thank you for your time in advance.
I've got a really odd and annoying issue that has just sprung up over the last few days. On the network, I've got a number of servers behind a Cisco router that is provided by our ISP and has a full class C external subnet assigned to it. I'm only using about 6 external addresses out of the more than 200 available. We have one main large network for the building that our users use, and that has a computer acting as a firewall. So the main internal network only uses 1 external IP address. The servers are all inside this corporate network with local IP addresses. I have several other devices in the building that require a dedicated external IP, and one of the servers has 2 NICs: one NIC is internal [with a static internal IP address of course], and the other is an external NIC with a static external IP address assigned to it. This is a critical server that is hosting a website application to the public. So my setup is that the internal port on the Cisco router plugs into a switch, and any device [including the external NIC on the mentioned server, and the main internal network for example] requiring an external IP address plugs into this. External IPs need to be assigned, as the Cisco router doesn't assign them.
Stuck with me so far? Awesome, thank you! Now, this setup has worked great for around 4 years with absolutely no issues. Heck, we've even received a new router from our ISP [managed by the government, I don't have control over this unit] and things still continue to work. Here's where things get sketchy. I recently replaced a bunch of switches on our internal network on our patch panel/rack, and on this rack happens to be the router and external switch. The external switch was an unmanaged 8 port switch, so I ended up replacing that with a rack mount 24 port switch to keep things clean. When I fired everything back up, our internal network came up and had internet. The devices around the building that required an external IP and were patched directly into the external switch all came up, and are accessible from outside of the network. The only problem is with that one server with both an internal and external NIC. The website/services on that server hosted through the external NIC are unavailable from outside the router. Now, keep in mind that to me, the only thing that was changed between that external NIC and the Cisco router was the switch. That's it. Even from inside of our main network, I can go to my desktop computer on the internal company network, pull up an internet browser, visit the publicly accessible [or so it should be] website, and it comes up. I watch the lights on the network equipment and follow the trace, and my computer is going to our gateway/firewall, out the external port to the switch, and straight through the switch into the external NIC on the server to pull the site. Perfect. But I can't view the website from outside of the router.
I talked to someone from the ISP's support about it, and they were connected to the router and could ping inside to the server, but could not ping the server from outside the router. Gotta be a router issue on their side, right? Wait. It gets weirder. After a couple hours of trying to figure out what was happening, I decided to try something. I brought down the Windows firewall on the affected server for both the LAN and external NICs, leaving the machine wide open as there is no hardware firewall between it and the switch>router, and I connected to the machine via RDC from the internal network, but typed in the external NIC's IP on the server to connect to [again, going out the firewall of our internal network, and through the switch to the server, never exiting the router], and of course, since the firewall was off, I was successful in connecting via RDC. But I then disabled the internal LAN adapter from my external IP session. My second RDC session that I had connected to using the main internal network adapter [the one I usually manage the server from at my desk] immediately cut out. Good so far. Lo and behold, after disabling the LAN connection, the support representative could access the website from outside the router via the external NIC, and ping the server. I re-enabled the LAN connection on that server, and he couldn't access the website anymore.
Thank you very much for reading this far, I really really appreciate your time. If you can offer any help as to why this is happening, that would be greatly appreciated, as I need to get this server up FAST. I don't want a band-aid fix, I need this server online the way it was. No changes were ever made over the last few days on the server, and everything was plugged in again properly after the switches were swapped out, and the support rep even removed all ACLs and firewall rules on the router to allow a 100% unrestricted straight pass-through, and with the LAN connection on that affected server enabled, the external IP didn't serve the website outside the router. Keep in mind, when I accessed the website from inside our company network, even by specifying the external IP address in the web address bar to specify to only go via external [making sure I wasn't just using an internal path, despite that not even being available because of IIS configuration], it worked. The website came up. But it would not serve outside of the router if the LAN port was enabled.
Definitely one of the most confusing issues I've ever run into, and the support people at Tier 1, Tier 2, and Tier 3 network operations support for the ISP were completely stumped. If you need any more information or clarification on anything I've described, please let me know.
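One check a practitioner would run on a dual-homed Windows server showing this symptom, added here as example diagnostics and not part of the original post: it tests whether replies to Internet clients are leaving through the internal NIC (two default gateways, asymmetric return path) rather than the external one. It assumes Windows Server 2012 or later with the NetTCPIP cmdlets; the adapter aliases, probe address and remediation routes are placeholders.

```powershell
# Added diagnostic, not from the original post. Assumes a dual-homed Windows
# server (2012 or later, NetTCPIP cmdlets) and tests one common cause of
# "reachable only when the LAN NIC is disabled": two default gateways, with
# replies to Internet clients leaving through the internal NIC.
# Placeholders: adapter aliases and the probe address; replace with real values.

$ExternalNic = 'External'        # NIC patched into the switch behind the ISP router
$InternalNic = 'Internal'        # NIC on the company LAN
$ProbeHost   = '198.51.100.10'   # any Internet address (documentation range, placeholder)

# 1. How many default routes does the server have, and which NIC wins?
$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric, InterfaceMetric
$defaults | Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize
if (@($defaults).Count -gt 1) {
    Write-Warning 'More than one default gateway: replies to unknown networks use the lowest metric.'
}

# 2. Interface metrics. With automatic metric enabled, Windows derives them from
#    link speed, so a faster replacement switch can silently change the winner.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in $ExternalNic, $InternalNic } |
    Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric -AutoSize

# 3. Which NIC would carry a reply to an Internet client right now?
#    Find-NetRoute returns a NetIPAddress (source) and a NetRoute; keep the route.
$route = Find-NetRoute -RemoteIPAddress $ProbeHost | Where-Object { $_.DestinationPrefix }
if ($route.InterfaceAlias -ne $ExternalNic) {
    Write-Warning "Replies to $ProbeHost would leave via '$($route.InterfaceAlias)' (next hop $($route.NextHop)), not '$ExternalNic'."
} else {
    "Replies to $ProbeHost leave via '$ExternalNic' as expected."
}

# Remediation if the warning fires (run only after confirming the addresses):
# give the external NIC the only default gateway and reach internal subnets
# through explicit routes instead. Values below are placeholders.
# Remove-NetRoute -InterfaceAlias $InternalNic -DestinationPrefix '0.0.0.0/0' -Confirm:$false
# New-NetRoute -InterfaceAlias $InternalNic -DestinationPrefix '10.0.0.0/8' -NextHop '10.0.0.1'
```

If step 3 reports the internal NIC, the external request reaches the server but its reply is routed to the internal firewall, which explains why it works from inside the building and fails from outside.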