09-16-2002 08:52 AM - edited 03-02-2019 01:24 AM
The problem comes in accessing certain web servers. I cannot access http://dotster.com or even ping it at 64.85.73.21; http://hotmail.com and http://geminiairsystems.com are also inaccessible. I have a remote system that I connected to and there is no problem with those hosts. Internal DNS resolves the address by hitting external servers with no problem; it picks up the correct IP address for the ping. When I ping the above addresses it says "Reply from 209.76.153.162: Destination host unreachable" (this is the ethernet address of the router). I included the config screens of the pix and the 1721 below to help. Once we fix this I would really appreciate it if you could point out any commands that I do not need in the config of either the pix or the 1721.
Thanks a million.
---- 1721 Router config ----
PacBellRouter#show run
Building configuration...
Current configuration : 709 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PacBellRouter
!
enable secret 5 XXXXXXXXXXX.
!
ip subnet-zero
ip domain-list 206.13.28.12
ip domain-list 206.13.31.12
!
modemcap entry line
!
!
!
interface FastEthernet0
description TO LOCAL LAN
ip address 209.76.153.162 255.255.255.240
speed auto
!
interface Serial0
description PB CKT 40HCGS991156_OO1PT
ip address 64.160.180.38 255.255.255.240
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
!
no ip classless
ip route 0.0.0.0 0.0.0.0 64.160.180.37
no ip http server
!
!
!
line con 0
line aux 0
exec-timeout 0 0
line vty 0 4
no login
!
end
PacBellRouter#
---- PIX 515 config -----
pixfirewall# show config
: Saved
:
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.76.153.163 255.255.255.240
ip address inside 192.168.100.1 255.255.255.0
arp timeout 14400
global (outside) 1 209.76.153.164 netmask 255.255.255.240
global (outside) 1 209.76.153.165-209.76.153.166
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.76.153.167 192.168.100.11 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.168 192.168.100.12 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.169 192.168.100.13 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.170 192.168.100.14 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.171 192.168.100.15 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.172 192.168.100.16 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.173 192.168.100.17 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.174 192.168.100.18 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 209.76.153.167 eq smtp any
conduit permit tcp host 209.76.153.167 eq www any
conduit permit tcp host 209.76.153.167 eq 5900 any
conduit permit tcp host 209.76.153.170 eq www any
conduit permit tcp host 209.76.153.170 eq ftp any
conduit permit tcp host 209.76.153.171 eq www any
conduit permit tcp host 209.76.153.168 eq 5900 any
conduit permit tcp host 209.76.153.170 eq 3389 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.76.153.162 0
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXX
pixfirewall#
09-16-2002 04:26 PM
Can your users access any web sites? Can they ping your router? Can your router ping the sites your clients can't? Can the PIX?
Do clear xlate, then ping or access a web site that fails and then do a show xlate and sh conn to see that the PIX is translating the traffic. What does this show?
If traffic is not too heavy, debug ip packet (first turn off fast switching) on the router to see traffic going through the router.
I would remove the following 2 lines:
ip domain-list 206.13.28.12
ip domain-list 206.13.31.12
Change your community string from the default public on the pix.
Reverse the order of the global statements (not a big difference but still).
Add service password encryption on the router.
09-17-2002 10:16 AM
The router had a bad command of "no ip classless".
This did not allow certain subnets to be accessible and was changed to "ip classless".
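Added example, not from the thread or either poster: a small Python model of the IOS forwarding decision using the 1721's own routes. It shows why 64.85.73.21 is dropped under "no ip classless" (the Serial0 subnet makes 64.0.0.0/8 a major network the router knows a subnet of, so the default route is not consulted for other addresses in it) but forwarded once "ip classless" is set. The next-hop labels and the sample destination 198.51.100.5 are constructed.

```python
import ipaddress

# Routing table reconstructed from the 1721 config in the thread:
# two connected /28 subnets plus the static default route.
ROUTES = [
    (ipaddress.ip_network("209.76.153.160/28"), "connected FastEthernet0"),
    (ipaddress.ip_network("64.160.180.32/28"), "connected Serial0"),
    (ipaddress.ip_network("0.0.0.0/0"), "via 64.160.180.37"),
]


def classful_network(addr):
    """Return the classful major network (A=/8, B=/16, C=/24) containing addr."""
    first = int(addr) >> 24
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    else:
        plen = 24
    return ipaddress.ip_network((int(addr), plen), strict=False)


def lookup(dst, routes=ROUTES, ip_classless=True):
    """Longest-prefix match, honouring IOS classful behaviour when ip_classless is False.

    With 'no ip classless', a destination inside a major network for which the
    router knows at least one subnet must match one of those subnets; the default
    route is not used for it, so the packet is dropped (returns None).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    if not ip_classless and best[0].prefixlen == 0:
        major = classful_network(dst)
        # Only the default route matched: under classful rules, refuse it when
        # any known non-default route is a subnet of the destination's major net.
        if any(net.prefixlen > 0 and net.subnet_of(major) for net, _ in routes):
            return None
    return best[1]


if __name__ == "__main__":
    for flag in (False, True):
        print("ip classless" if flag else "no ip classless",
              "-> 64.85.73.21:", lookup("64.85.73.21", ip_classless=flag))
```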