Internet routing problem

u.naranjo
Level 1

Hi,

I have the following scenario and have not been able to determine the cause for this to happen:

1. Have a PIX 515 protecting various inside networks

2. Have a 3662 with multiple T1's which connects the remote offices to the main site

3. Have a filtering server which is basically filtering PORN sites

4. The remote offices have 1600 routers

The issue is that for some reason the remote offices cannot get to some web sites, and if I try to ping from one of the remote routers to that specific site, it does not respond. Again, they can access most of the sites on the net, but some others they cannot. I'm using EIGRP and the main 3662 is redistributing the default route to the remotes.

Any insights would be appreciated.

Thanks,

4 Replies

ekhoo
Level 1

Where do you put your 3662 router? Inside the firewall or outside the firewall? If the 3662 router is outside the firewall, you need to create a conduit or ACL on your PIX to allow incoming ICMP traffic to reach your internal network.

Check your filtering server log & policy.

Richard Burts
Hall of Fame

I think there are several possible scenarios which might explain this situation.

If the 3662 is advertising a default route to the remote site and the remote site can get to some web sites on the Internet, then you can believe that the default route is working and packets (HTTP or ping) are getting out.

When some sites work and some do not, I would look first at devices which are designed to selectively allow access (the PIX and/or the filtering server) and see if there is any way that they could be denying traffic to/from these sites.

Another possibility is that the sites which do not work may not have a route back to you. Your data may get to them but they are not able to send responses to you. Depending on what your address space is and how it is advertised they may not see your address space.

One thing I would recommend is to try a traceroute (perhaps an extended traceroute specifying a source address in the address space of your users) and see how far the traffic gets and where it stops.

Another alternative would be to use some of the looking glass sites that are available and verify what they see about your address space.

HTH

Rick

Hi and thanks for your reply.

I thought I resolved this when I issued the IP CLASSLESS command on the remotes, since after putting in this command, the sites that they could not get to before were visible again. Today I got a call from an office and they said they could not get to www.hotmail.com, so I'm looking into that problem right now. I'll look in more detail at the content filtering server, but I'm sure we're not denying web mail; I triple checked this.

Thanks,
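Why `ip classless` can change which destinations a remote router reaches through its default route, shown as an added example that is not part of the thread: a Python model of classful versus classless route lookup. The routing table, interface names and addresses are constructed for illustration and are not taken from the poster's network.

```python
import ipaddress

def classful_network(addr):
    """Return the major (classful) network that contains addr."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    elif first_octet < 224:
        prefix = 24      # class C
    else:
        raise ValueError("class D/E addresses have no classful network")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def lookup(routes, dest, classless):
    """Return the next hop for dest, or None if the packet is dropped."""
    ip = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    specific = [(n, hop) for n, hop in nets if n.prefixlen > 0 and ip in n]
    if specific:
        # Longest-prefix match among non-default routes.
        return max(specific, key=lambda r: r[0].prefixlen)[1]
    if not classless:
        # Classful lookup: if any subnet of the destination's major network
        # is in the table but none matches, drop instead of using the default.
        major = classful_network(dest)
        if any(n.prefixlen > 0 and n.subnet_of(major) for n, _ in nets):
            return None
    return next((hop for n, hop in nets if n.prefixlen == 0), None)

# Constructed routing table for a hypothetical remote-office router.
ROUTES = [
    ("172.16.10.0/24", "Ethernet0"),       # local LAN
    ("172.16.1.0/24", "Serial0"),          # main-site subnet learned via EIGRP
    ("0.0.0.0/0", "Serial0 (default)"),    # default route from the main router
]

if __name__ == "__main__":
    for dest in ("198.51.100.7", "172.16.1.9", "172.16.200.5"):
        for classless in (False, True):
            mode = "ip classless" if classless else "no ip classless"
            print(f"{dest:14} {mode:16} -> {lookup(ROUTES, dest, classless)}")
```

Only the destination that falls inside a major network the router already holds subnets of behaves differently between the two modes; everything else follows the default route either way.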

Not applicable

Hi, u.naranjo

I have a similar case to yours. I think you can help me.

I have set up a LAN in the Remote office with a different segment, connecting an IP-VPN data line between the Remote office and the HK Office.

Remote Office

192.168.3.0

192.168.3.196 (Cisco Router for IP-VPN)

Hong Kong Office

192.168.1.0

192.168.1.196 (Cisco Router for IP-VPN)

192.168.1.254 (PIX 515 Firewall) going out to Internet.

It would be much appreciated if you can help with this.

Kevin
