05-15-2006 11:11 AM - edited 03-03-2019 03:13 AM
My router sits on the outside of my firewall. I can ping externally from my router (2640 cisco). From an internal box, I can ping my firewall. I can ping the router, both internal facing and external port. But I cannot successfully ping to the outside. I assume since it goes through my firewall to the router, that it is not a firewall problem; it has to be the router that is stopping it. 0/0 is set up to the outside line address. 0/1 is set up to be the router address that the firewall knows. And 1/0 is for my internal network (although I don't think that is necessary, I was just trying anything I could to get this working). If anyone can help, please, I would appreciate it!
05-15-2006 11:26 AM
Since you mention that you can ping both inside and outside interfaces of your router from a host on the inside of the firewall I will assume that you have the correct routes entered in your external router. One thing I will be interested in knowing is at what point are you doing NAT ... Is it at the firewall?
From the information you have provided so far my first suspicion will be that your provider is not routing traffic back to you properly or you are not NATTING to your assigned address space correctly. By the way any access-lists on the router?
05-15-2006 11:30 AM
There is no natting on the router, or access-lists. I rebuilt it from scratch, and have it very basic. Just the interfaces are given. The natting is set up in the firewall. But I thought that it must be right in the firewall or it wouldn't get to the router. I am very new to all of this, so I could be wrong.
05-15-2006 07:03 PM
Will it be possible for you to share your configs; both firewall and router?
To answer your questions setting a loopback has nothing to do with successful routing. Loopbacks serve various purposes but in this particular case there is no requirement for one. On which interface are you seeing the collisions? If your firewall can only operate in half-duplex mode then collisions are expected but if the firewall is capable of operating in full duplex mode it might not be a bad idea to manually set the speed / duplex settings. Collisions do not and should not happen in full duplex mode.
05-15-2006 12:14 PM
I did see no loopback set, and there are 52 collisions. Is that my problem?
05-15-2006 01:19 PM
Will you submit your router/firewall config to further troubleshoot? Omit any private info such as public IPs, etc. Thx
05-16-2006 10:31 AM
Here is the router config:
Current configuration : 1007 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
enable secret xxx
enable password notused
!
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip cef
ip domain name lookup
!
!
!
interface FastEthernet0/0
ip address 209.213.XXX.XXX 255.255.XXX.XXX
no ip route-cache
speed auto
half-duplex
!
interface FastEthernet0/1
ip address 209.213.XXX.XXX 255.255.XXX.XXX
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
ip default-gateway 209.213.XXX.XXX
(This is the address of my providers router- not sure if this is correct, I was told that
was needed for path resolution, my books say it should be the IP of my router though)
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password notused
login
!
!
end
The firewall has a static route to a default gateway, which is what I made the fastethernet0/1 interface
Thank you again for helping.
05-16-2006 07:25 PM
You have ip routing turned off on the router. Enable routing by issuing the command:
ip routing
Once IP routing is turned on you do not need the ip default-gateway command so you can safely remove it by:
no ip default-gateway 209.213.x.x
Your ip route 0.0.0.0 0.0.0.0 statement is pointing to FastEthernet 1/0; however, Fa1/0 is administratively shut down. In your present case the ip route statement is not being used as ip routing has been turned off, but once you turn it on you will have to modify this command to:
ip route 0.0.0.0 0.0.0.0
Additionally you do not have any routes pointing to the network on the inside of the PIX. Add a routing statement like:
ip route
If the PIX is doing NAT then the
If you have the PIX configured properly then making these changes should get you going.
05-17-2006 08:13 AM
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
- pointing to wrong interface (should point to external int) or IP of SP (service provider)
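Added example, not part of the thread or of any Cisco tooling: a small Python check that flags the faults the replies above identify in the posted config (routing disabled, a static route that is therefore ignored, and a route pointing at a shut-down interface). The function names and finding labels are hypothetical, and the parser assumes each interface stanza ends at a `!` line as in the posted output.

```python
import re

# Constructed sample: routing-relevant lines of the posted config, addresses masked as on the page.
SAMPLE_CONFIG = """\
no ip routing
!
interface FastEthernet0/0
 ip address 209.213.XXX.XXX 255.255.XXX.XXX
!
interface FastEthernet0/1
 ip address 209.213.XXX.XXX 255.255.XXX.XXX
!
interface FastEthernet1/0
 no ip address
 shutdown
!
ip default-gateway 209.213.XXX.XXX
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; a stanza ends at '!' (assumed layout)."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def routing_findings(config):
    """Hypothetical checker: flag the routing faults discussed in the replies."""
    lines = [raw.strip() for raw in config.splitlines()]
    interfaces = parse_interfaces(config)
    routing_off = "no ip routing" in lines
    findings = ["ip-routing-disabled"] if routing_off else []
    for line in lines:
        # ip default-gateway is only consulted while IP routing is disabled.
        if line.startswith("ip default-gateway ") and not routing_off:
            findings.append("default-gateway-unused")
        route = re.match(r"ip route\s+\S+\s+\S+\s+(\S+)", line)
        if not route:
            continue
        if routing_off:
            findings.append("static-route-ignored")
        if "shutdown" in interfaces.get(route.group(1), []):
            findings.append("route-via-shutdown-interface:" + route.group(1))
    return findings

if __name__ == "__main__":
    for finding in routing_findings(SAMPLE_CONFIG):
        print(finding)
```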