412 Views, 0 Helpful, 2 Replies

Am I right to believe there could be a firewall stopping my route?

m.belloni (Level 1)

My equipment is a Cisco 2610 running IOS c2600-i-mz.122-10b.

I configured the following static route:

ip route 172.16.104.0 255.255.254.0 172.16.32.2

Ethernet 0/0 address is 172.16.32.1/20

I can ping the gateway 172.16.32.2 and the router is applying the static route:

xxx#sh ip route 172.16.104.0
Routing entry for 172.16.104.0/23
  Known via "static", distance 1, metric 0
  Redistributing via ospf 99
  Advertised by ospf 99 subnets route-map static_ospf_ge
  Routing Descriptor Blocks:
  * 172.16.32.2
      Route metric is 0, traffic share count is 1

However a trace to the remote host 172.16.104.12 always fails:

Tracing the route to 172.16.104.12
  1 * * *
  2 * * *

No ACL seems to be blocking my trace on my router:

xxx#sh ip access-lists
Standard IP access list 25
    permit 192.168.0.0, wildcard bits 0.0.255.255
    permit 204.231.97.0, wildcard bits 0.0.0.255
Standard IP access list static_to_ospf_ge
    permit 172.16.48.0, wildcard bits 0.0.1.255 (1 match) check=74
    permit 172.16.50.0, wildcard bits 0.0.1.255 (1 match) check=73
    permit 172.16.104.0, wildcard bits 0.0.1.255 (3 matches) check=70
    permit 172.16.88.0, wildcard bits 0.0.3.255 (10 matches) check=60
Extended IP access list 101
    deny ospf any any
    permit ip any any (48 matches)

I asked the customer to check whether this gateway 172.16.32.2, which should be a router, has implemented some ACLs that are stopping my trace, or whether there could be a firewall somewhere. Am I right in your opinion?

2 Replies

thisisshanky (Level 11)

Can you ping 172.16.104.12? Probably the router 172.16.104.12 does not know how to get back to you, or the routers in between 172.16.104.12 and your router do not know about the source address of the ping or traceroute packets.

If the above works, then it's quite possible ICMP is being blocked somewhere in between. Try different protocols such as telnet and see if communication works.

The output of sh ip access-list is just not enough to troubleshoot, as it does not show where each ACL is applied. So I would suggest you paste the sh run output, masking confidential info such as passwords and public IPs.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
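The reply's two points (a defined ACL tells you nothing until you know where it is applied, and the target or an intermediate router may simply lack a return route) can be checked offline against the pasted output. The following is an added example, not code from the thread or from Cisco: it parses the `show ip access-lists` output exactly as posted, evaluates a packet against each ACL with Cisco wildcard semantics (first match wins, implicit deny), reads `ip access-group` lines out of a `show run` fragment to see which ACLs actually filter which interface and direction, and checks that the static route's next hop sits on the connected /20. The `show run` interface stanzas are assumed, because the original post never shows them, which is exactly the reply's complaint; the ACL text is copied from the post. One caveat the code comments on: traffic the router itself originates (its own ping, trace or telnet) is not subject to the router's outbound ACLs, so what matters locally is the inbound ACL on the interface the replies come back through. Whether the far side has a route back is not something this script can see.

```python
"""Offline ACL / static-route sanity check for the 'show' output in the thread.
Added example, not part of the original post. Interface stanzas in SHOW_RUN are
hypothetical; the ACL text is the one posted."""
import ipaddress
import re

# ACLs as printed by 'show ip access-lists' in the post (constructed copy).
SHOW_IP_ACCESS_LISTS = """\
Standard IP access list 25
    permit 192.168.0.0, wildcard bits 0.0.255.255
    permit 204.231.97.0, wildcard bits 0.0.0.255
Standard IP access list static_to_ospf_ge
    permit 172.16.48.0, wildcard bits 0.0.1.255 (1 match) check=74
    permit 172.16.50.0, wildcard bits 0.0.1.255 (1 match) check=73
    permit 172.16.104.0, wildcard bits 0.0.1.255 (3 matches) check=70
    permit 172.16.88.0, wildcard bits 0.0.3.255 (10 matches) check=60
Extended IP access list 101
    deny ospf any any
    permit ip any any (48 matches)
"""

# Hypothetical 'show run' fragment: the thread does not show where the ACLs are
# applied, so these 'ip access-group' lines are an assumption for illustration.
SHOW_RUN = """\
interface Ethernet0/0
 ip address 172.16.32.1 255.255.240.0
 ip access-group 101 in
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 ip access-group 25 in
!
ip route 172.16.104.0 255.255.254.0 172.16.32.2
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
IFACE = re.compile(r"^interface (\S+)$")
GROUP = re.compile(r"^ip access-group (\S+) (in|out)$")
DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")


def _wild_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]: 'any', 'host X',
    'X, wildcard bits W' (standard ACL display) or 'X W' (extended display).
    Returns ((base, wildcard) or None meaning any, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    base = tok.rstrip(",")
    if i + 3 < len(tokens) and tokens[i + 1] == "wildcard" and tokens[i + 2] == "bits":
        return (base, tokens[i + 3]), i + 4
    if i + 1 < len(tokens) and DOTTED.fullmatch(tokens[i + 1]):
        return (base, tokens[i + 1]), i + 2
    return (base, "0.0.0.0"), i + 1          # bare host entry


def parse_access_lists(text):
    """{name: {'type': 'standard'|'extended', 'entries': [(action, proto, src, dst)]}}"""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HEADER.match(line)
        if m:
            current = {"type": m.group(1).lower(), "entries": []}
            acls[m.group(2)] = current
            continue
        if current is None or not line.startswith(("permit", "deny")):
            continue
        tokens = line.split()
        if current["type"] == "standard":            # standard ACLs match source only
            src, _ = _parse_addr(tokens, 1)
            current["entries"].append((tokens[0], "ip", src, None))
        else:
            src, i = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, i)
            current["entries"].append((tokens[0], tokens[1], src, dst))
    return acls


def _addr_ok(spec, addr):
    return spec is None or _wild_match(addr, spec[0], spec[1])


def acl_verdict(acl, src, dst, proto):
    """First matching entry wins; an ACL that matches nothing denies implicitly."""
    for action, p, s, d in acl["entries"]:
        if (p == "ip" or p == proto) and _addr_ok(s, src) and (
                acl["type"] == "standard" or _addr_ok(d, dst)):
            return action
    return "deny"


def parse_access_groups(run_text):
    """(interface, direction) -> ACL name, from 'ip access-group' lines in stanzas."""
    applied, iface = {}, None
    for raw in run_text.splitlines():
        line = raw.strip()
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
        elif line == "!":
            iface = None
        else:
            g = GROUP.match(line)
            if g and iface:
                applied[(iface, g.group(2))] = g.group(1)
    return applied


def interface_verdicts(acls, applied, src, dst, proto):
    """Verdict of every applied ACL for one packet. Note: packets the router itself
    sends bypass its own 'out' ACLs, so for a local ping/trace only the 'in' ACL on
    the interface the replies return through matters."""
    return {k: acl_verdict(acls[n], src, dst, proto) for k, n in applied.items() if n in acls}


def next_hop_on_connected(next_hop, interface_cidr):
    """Static next hop must be reachable; simplest case is a directly connected subnet."""
    return ipaddress.IPv4Address(next_hop) in ipaddress.IPv4Interface(interface_cidr).network


def route_covers(dst, prefix, mask):
    return ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(f"{prefix}/{mask}")


if __name__ == "__main__":
    acls = parse_access_lists(SHOW_IP_ACCESS_LISTS)
    applied = parse_access_groups(SHOW_RUN)
    print("next hop on Ethernet0/0:", next_hop_on_connected("172.16.32.2", "172.16.32.1/20"))
    print("static covers target:", route_covers("172.16.104.12", "172.16.104.0", "255.255.254.0"))
    # Echo replies from the target arrive inbound on Ethernet0/0, filtered by ACL 101.
    print(interface_verdicts(acls, applied, "172.16.104.12", "172.16.32.1", "icmp"))
    print("ACLs defined but applied to no interface:", sorted(set(acls) - set(applied.values())))
```

With the assumed stanzas, `static_to_ospf_ge` shows up as defined but applied to no interface: it is the match list of the redistribution route-map, not a packet filter, and ACL 101 permits everything except OSPF, so nothing on this router explains the timeouts. That leaves the return path, which only the customer's side can answer.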

I tried with telnet but it failed too:

xxx#telnet 172.16.104.12
Trying 172.16.104.12 ...
*Mar 6 17:11:22 UTC: Telnet66: 1 1 251 1
*Mar 6 17:11:22 UTC: TCP66: Telnet sent WILL ECHO (1)
*Mar 6 17:11:22 UTC: Telnet66: 2 2 251 3
*Mar 6 17:11:22 UTC: TCP66: Telnet sent WILL SUPPRESS-GA (3)
*Mar 6 17:11:22 UTC: Telnet66: 80000 80000 253 24
*Mar 6 17:11:22 UTC: TCP66: Telnet sent DO TTY-TYPE (24)
*Mar 6 17:11:22 UTC: Telnet66: 10000000 10000000 253 31
*Mar 6 17:11:22 UTC: TCP66: Telnet sent DO WINDOW-SIZE (31)
% Connection timed out; remote host not responding

I'm attaching my router config.
