
Not able to ping to this IP

Hi, 

Please see the attached diagram. This is the setup.

From the PC VLAN (VLAN 200), I am able to ping other servers on VLAN 300 except these servers: 172.19.100.101 & 172.19.100.102.

I don't know why I can't ping these 2 servers. I suspect it is because of this firewall, but I don't know about the configuration.

Please help me to verify.

Below is the config of the PIX.

======================

klccPix# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password fgDKmzUvSvGTzykR encrypted
passwd fgDKmzUvSvGTzykR encrypted
hostname klccPix
domain-name IST.COM
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.19.100.23 Linux_File_Srv
name 172.19.0.0 IsetanKLCC_LAN
name 203.127.255.65 NECSAP_Admin
name 172.19.100.11 Database_Srv
name 172.29.0.0 isetanKLCC_LAN2
name 203.127.251.181 NECSAP_DB
name 203.127.251.254 NECSG
name 175.145.155.50 necare
name 202.46.125.251 OU_Mgmt

access-list inside_access_in permit tcp host Linux_File_Srv any
access-list inside_access_in permit tcp host Linux_File_Srv any eq domain
access-list inside_access_in permit udp host Linux_File_Srv any eq domain
access-list inside_access_in permit icmp host Linux_File_Srv any
access-list inside_access_in permit icmp host Database_Srv any echo-reply
access-list inside_access_in permit tcp host Database_Srv any object-group DB_access
access-list inside_access_in permit tcp any any object-group Email_Services
access-list inside_access_in permit tcp any any eq domain
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any any object-group Linux_Services
access-list inside_access_in permit tcp host 172.19.100.64 any
access-list outside_access_in permit tcp host NECSAP_Admin host 203.115.205.28 object-group Linux_Services
access-list outside_access_in permit tcp any host 203.115.205.28 eq https
access-list outside_access_in permit tcp any host 203.115.205.28 object-group ssh_defined
access-list outside_access_in permit icmp host NECSG host 203.115.205.29 log
access-list outside_access_in permit tcp host NECSG host 203.115.205.29 object-group DB_access log
access-list outside_access_in permit icmp host 60.49.155.154 host 203.115.205.29 log
access-list outside_access_in permit tcp host 60.49.155.154 host 203.115.205.29 object-group DB_access log
access-list outside_access_in permit tcp object-group NEC_ASIA host 203.115.205.28 object-group ssh_defined
access-list outside_access_in permit ip 172.19.100.96 255.255.255.240 interface inside
access-list outside_access_in permit tcp any host 203.115.205.30 object-group RDP
access-list outside_access_in permit tcp any host 203.115.205.26 object-group RDP
access-list outside_access_in permit tcp any host 172.19.100.20 eq https
access-list inside_outbound_nat0_acl permit ip any 172.19.100.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any host 172.59.1.1
access-list outside_cryptomap_dyn_20 permit ip any 172.19.100.96 255.255.255.240
no pager
logging on
logging timestamp
logging trap warnings
logging facility 22
logging device-id string pixfirewall
logging host inside Linux_File_Srv
icmp permit host necare outside
icmp permit host 219.92.227.57 outside
icmp permit IsetanKLCC_LAN 255.255.0.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 203.115.205.27 255.255.255.248
ip address inside 172.19.100.20 255.0.0.0
no ip address intf2
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool klccippool 172.19.100.96-172.19.100.99

arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.115.205.28 Linux_File_Srv netmask 255.255.255.255 0 0
static (inside,outside) 203.115.205.29 Database_Srv netmask 255.255.255.255 0 0
static (inside,outside) 203.115.205.30 172.19.100.17 netmask 255.255.255.255 0 0
static (inside,outside) 203.115.205.26 172.19.100.64 netmask 255.255.255.255 0 0
static (inside,outside) 172.19.100.20 172.19.100.20 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.115.205.25 1
route inside 172.19.100.64 255.255.255.255 172.19.100.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.19.100.64 255.255.255.255 inside

klccPix#

Hi,

Can you put your switch configuration here?

Ok then,

Attached is the switch configuration.

FYI, after the switch (172.9.100.8) there is another switch cascade.

It seems there's no problem on your switch. As you are using Router-on-Stick for inter-VLAN routing, the problem might have occurred on the 2811 router (as shinepothen said).

It helps if I can see your 2811 Isetan configuration.

Something else: do you not have full connectivity with the servers, or does just ping not work?

Rgrds

From the PC Vlan, there is no connectivity to the Server (101 & 102)

To other servers it is OK.

Attached is the router config

I checked both your switch and router. All of your ACLs, trunks and sub-interfaces look fine, or at least I could not find a faulty point.

Consider that running debug on ACLs and a couple of show commands will be helpful.

Check the firewall rules on your servers.

Keep us informed.

Houtan

That's what I thought also... the config of the router and switch is just fine.

The server firewall is fine also, as other servers from 172.19.100.x are able to ping and connect to 172.19.100.101 & 102.

That's why I suspect the firewall config might have to do with it... but I'm not really sure if it is correct or not.

Hi guys,

I really couldn't figure out why I can't ping this specific IP address.

Is there any configuration at the router that prevents it?

 

Do those servers have the correct gateway configured?

Martin

Yes. Only this specific host can't be pinged and accessed from VLAN 200.

Hey,

Check if you have something on the server which is blocking things.

Try to turn off your antivirus.

Turn off any proxy setting if you have any.

Turn off Windows Firewall.

Check all possibilities from the server end to see if anything is blocking.

Hey,

Can you please tell us what the role of the server is?

Hi, it would not be the antivirus, proxy or Windows Firewall, because from VLAN 300 (PC, server) I am able to ping this specific host.

It is only from VLAN 200 that it can't be pinged.

It is just a staging server, normal.

Thanks for providing the information.

Now what I can suggest is:

Try to remove the current IP address from the server and try assigning a different IP from the same subnet.

Put the server's IP address on some other machine or test machine and see if the communication is still working or not.

Because we see the configuration is correct, and then what is it that is stopping the communication from this host?

 

I can try that, but it is a live environment server; I'll need to find time for downtime...

If it is not the router and not the switch, it could be the PIX that prevents the ping.
