7807 Views, 4 Helpful, 11 Replies

Destination Host Unreachable

MikeTomasko
Level 4

I know I've got a whacked out config, but there has to be a way to make everything work! My problem is computers on the 172.16.0.0 subnet cannot reach the internet. My requests either time out or I get destination host unreachable back from the router. I have a VPN tunnel setup between my lab router and my PIX at home going through the cable internet. 172.16.0.0 is my router subnet and 172.16.1.0 is my PIX home subnet. Here's my config:

interface FastEthernet0/0.1
description Voice Network
encapsulation dot1Q 210
ip address 172.16.0.2 255.255.255.0
ip nat inside
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/0.2
description Data Network
encapsulation dot1Q 2
ip address 192.168.1.1 255.255.255.0
ip nat inside
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/1
description Cable Internet
ip address dhcp
ip nat outside
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
crypto map nolan
!
ip nat pool branch rrr.rrr.rrr.rrr rrr.rrr.rrr.rrr netmask 255.255.255.240
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool branch overload
ip nat inside source static tcp 172.16.0.16 5900 rrr.rrr.rrr.rrr 5900 route-map VNCCCM extendable
ip nat inside source static tcp 172.16.0.17 5959 rrr.rrr.rrr.rrr 5959 route-map VNCUNITY extendable
no ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 172.16.1.0 255.255.255.0 ppp.ppp.ppp.ppp
!
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www
access-list 120 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 130 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.0.255 any
access-list 140 deny ip host 172.16.0.16 172.16.1.0 0.0.0.255
access-list 140 permit ip host 172.16.0.16 any
access-list 141 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255
access-list 141 permit ip host 172.16.0.17 any
access-list 2223 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 2223 permit tcp 172.16.0.0 0.0.255.255 any eq 22
access-list 2223 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 2223 permit tcp 172.16.0.0 0.0.255.255 any eq telnet
access-list 2223 permit tcp any eq 22 any eq 22
no cdp run
!
route-map VNCUNITY permit 10
match ip address 141
!
route-map VNCCCM permit 10
match ip address 140
!
route-map nonat permit 10
match ip address 130

Thanks!

11 Replies

jackyoung
Level 6

Just a very simple question. Did you configure the correct default gateway at your PC? Can you provide the traceroute result? Do you have the proper route at your PIX for the return traffic?

Hope this helps.

I tried 172.16.0.2 and 192.168.1.1 for default gateways and neither works. I have computers on the 192 network and they work fine. So it has to be some kind of access-list problem.

The traces just show 172.16.0.2 for the first hop, then the rest either time out or I get Destination Host Unreachable for the 2nd hop and it stops there.

I did not find the access-list applied to any interface, so it should have no effect on the router.

According to the config, if there is access to the Internet, the traffic should pass to Fa0/1. Therefore, the next hop after 172.16.0.2 should be the DHCP address.

Can you try to ping each hop one by one to verify where the packet stops? I suspect the ISP may not have your subnet.

Moreover, where is the PIX located? On the same segment as Fa0/0.1? If yes, they are in different subnets, and I believe the packet cannot reach the PIX either.

Hope this helps.

Sorry for my typo. I believe the PIX should be located on the same user LAN segment.

Try to simplify the NAT rule and set it for the Internet only, then test again.

Moreover, the NAT pool is set for the PIX connection and not the Internet connection. The traffic to the Internet may not be NATed.

Hope this helps.

Richard Burts
Hall of Fame

Mike

There are several things in your config that I do not understand. Perhaps if we can clarify some of them we might get closer to answering your problem.

I note that the static route for the remote subnet is: ip route 172.16.1.0 255.255.255.0 ppp.ppp.ppp.ppp. What and where is ppp.ppp.ppp.ppp?

I am trying to understand the various flavors of address translation that you are doing. The first one seems to be the one that includes 192.168.0.0:

ip nat inside source list 101 interface FastEthernet0/1 overload

And access list 101 is:

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www

so clearly it gets any traffic from 192.168.1.0, but the second line is pretty odd. It is very unlikely that the source port will be 80 and the destination port also be 80, so I doubt that this line gets any matches.

Then the next one is this:

ip nat inside source route-map nonat pool branch overload

The route map excludes 172.16.0.0 going to 172.16.1.0 and then permits 172.16.0.0 to anywhere else. But it does not permit 192.168.1.0 so I am not sure how this relates to your processing.

Also I note that there is a crypto map on your public interface. This may have some impact on what is happening. Can you post details of the crypto configuration?

HTH

Rick

Thanks for the quick reply and sorry for any confusion. I forgot to state that ppp.ppp.ppp.ppp stands for my PIX's IP address from my ISP and rrr.rrr.rrr.rrr stands for the router's IP from my ISP. Obviously I removed the actual IPs for security reasons.

As of right now, I'm not worried about the 192.168.1.0 subnet using the VPN (172.16.1.0 subnet). That's why that IP range isn't currently permitted.

The access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www was my shot at fixing no Internet on the 172.16.0.0 subnet. Obviously it's wrong! I was trying to allow the 172.16.0.0 subnet limited access to the Internet.

I hope I answered your questions and you can help! Thanks!!

172.16.0.0 subnet = Lab Voice Server Network

172.16.0.0 subnet = Home PIX subnet

192.168.1.0 subnet = Lab Data Network

Mike

If there are aspects of this that I misunderstand please help me to understand it correctly. I think I understand that the main problem that you are trying to solve is that some of your PCs do not have access to Internet. If you use private addressing inside and have problems accessing Internet I have found that the most common problem is a problem with address translation. Especially when you say that the 192.168.1.0 PCs do successfully access the Internet but 172.16.0.0 PCs do not I believe that it is very likely that the problem is misconfigured NAT. I would suggest that you re-write the line in access list 101 to permit ip 172.16.0.0 0.0.0.255 any and see if the PCs do have Internet access. If they do then you can experiment with re-writing the rule to restrict their access in whatever way is appropriate, but you will know that Internet access does work.

HTH

Rick

Try and replace this:

access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www

with this:

access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any

However, if you are really set on not allowing anything but web surfing for the 172.16.0.0/24 network, you might want to try this one:

access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit udp 172.16.0.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any eq www

You won't be able to trace though.
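To make Rick's point about the "eq www any eq www" line and the replacement suggested above concrete, here is an added example (not code from the thread or from Cisco) that parses the two versions of access-list 101 and evaluates them the way IOS matches an extended ACL: wildcard masks, first match wins, implicit deny at the end. A packet from an inside host that matches nothing in the NAT access-list is forwarded untranslated with its private source address, so no reply ever comes back, which is what the 172.16.0.0 hosts were seeing. The destination addresses 198.51.100.x and the ephemeral source ports in the test are constructed sample values; the parser only understands the any / host / address-wildcard and eq PORT forms that appear in this thread.

```python
import ipaddress
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}  # IOS port keywords

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(toks):
    # 'any' | 'host A' | 'A WILDCARD'  ->  ((base, wildcard), remaining tokens)
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (_ip(toks[1]), 0), toks[2:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]

def _parse_port(toks):
    # optional 'eq PORT' (number or keyword)  ->  (port or None, remaining tokens)
    if toks and toks[0] == "eq":
        return (int(toks[1]) if toks[1].isdigit() else PORT_NAMES[toks[1]]), toks[2:]
    return None, toks

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        src, rest = _parse_addr(toks[4:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, _ = _parse_port(rest)
        entries.append((toks[2] == "permit", toks[3], src, sport, dst, dport))
    return entries

def acl_permits(entries, proto, src, sport, dst, dport):
    """First match wins; an IOS extended ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for permit, p, (sb, sw), sp, (db, dw), dp in entries:
        # a 1 bit in the wildcard mask means "don't care", so OR it into both sides
        if (p in ("ip", proto) and (s | sw) == (sb | sw) and (d | dw) == (db | dw)
                and sp in (None, sport) and dp in (None, dport)):
            return permit
    return False

# The two versions of access-list 101 from this thread.
ORIGINAL = parse_acl("""access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www""")
SUGGESTED = parse_acl("""access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit udp 172.16.0.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any eq www""")
```

A browser's source port is ephemeral, so the original line matches only the odd case of port 80 talking to port 80, while the suggested list permits web and DNS from 172.16.0.0/24 but still drops ICMP, which is why traceroute does not work with it.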

Making progress!

access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www made other things stop working like telnet from the other end of the VPN. The 2nd suggestion worked great! I guess I was on the right track before, but I didn't add port 53 to the access list.

I still have one more issue yet, but it's not that important...at least not that I found yet.

If I use DNS servers 207.255.0.130 and 207.255.0.130, I get DNS errors and can't surf the net, but they work for me at home. My home and work WAN IPs are also on the 207 subnet. Any ideas? You think my web traffic is going over the VPN instead of straight out to the internet? What ports would I have to open up to allow trace routes? Thanks!

Last thing first:

access-list 101 permit icmp 172.16.0.0 0.0.0.255 any traceroute

I hope it works, but try it out. You may need to experiment a bit, or just settle with permitting all ICMP from 172.16.0.0/24.

And concerning the DNS, try 4.2.2.2 as your DNS server instead. I don't know if you use the same ISP at home as you do on the "whacked out" router.

But if 4.2.2.2 works we know what the problem is.

Found my problem with not being able to reach the 207.x.x.x DNS servers. no ip classless was in my config. Removed that line now EVERYTHING is working! Thanks!
