Can't Ping Certain Networks

Unanswered Question
Oct 4th, 2007

I'm having a problem:

If my IP address is 192.168.1.113

Default Gateway 192.168.1.250

I can't ping 192.168.102.250

If my IP address is then changed to 192.168.0.137

Default gateway 192.168.0.254

I can ping 192.168.102.250

Anybody have any suggestions what this could be?

pmccubbin Thu, 10/04/2007 - 11:55

Hi Jonathan,

Please provide us with more information. This is too much for the forum to give you an accurate answer.

What are you trying to accomplish?

What devices are you trying to ping?

Are there any ACLs which are blocking ICMP?

What models of devices and what are their IOS versions?

We are here to help, but only if given enough information.

Hope this helps.

Thanks,

Paul

readymixed1 Mon, 10/08/2007 - 10:54

Ok

If my computer's IP address is 192.168.1.137 and I try to ping a remote site that has an IP address of 192.168.102.X, I can't ping anything on that network.

If I change my IP address to 192.168.0.137 and try to ping it, it works.

I thought maybe it was something in the config of the PIX 506, so I took another config from a different remote site that I can ping using either IP address. I changed the IP addresses to make the PIX operate on the 192.168.102.0 network. ... Still can't ping.

Therefore I know it's not the config on the PIX 506.

What else could it be?

What should I be looking for?

I'm a recent grad, so I need all the help I can get.

pmccubbin Mon, 10/08/2007 - 11:23

Hi Jonathan,

1. Sounds like a Layer 3 issue. Check the default gateway on the segment in question and make sure your PC is configured correctly.

2. Here is what I tell college grads:

Draw the situation in Visio or on a piece of paper. Include all Access Control Lists (ACLs) on your network, interface IP addresses, and default gateways. Put as much detail into the drawing as you can; no detail is too small.

Post your PIX config to this forum and let us be the judge if there isn't some issue. Remove all password information.

Hope this helps. Let us know what you find out.

Paul

readymixed1 Fri, 10/12/2007 - 05:52

OK, I did a ping plotter with my PC set to 192.168.1.137. Here are the results:

It gets to the corp. router but doesn't go any farther. So it can't see the PIX at the remote site (192.168.102.250).

If I ping plot the public IP address of the modem at the remote site, it will get to the modem.

So I don't know if the problem is in the config of the PIX (it shouldn't be; I took a config from another site that worked) or something with the firewall or switch here in corp. that won't allow any IP on the 192.168.1.0 network to access the 192.168.102.0 network.

Below is the config:

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XX encrypted

passwd XX encrypted

hostname XX

domain-name XX

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 5

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging buffered warnings

logging trap warnings

logging device-id hostname

logging host inside 192.168.0.31

no logging message 305005

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.102.250 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.102.97 255.255.255.255 0 0

nat (inside) 1 192.168.102.98 255.255.255.255 0 0

nat (inside) 1 192.168.102.99 255.255.255.255 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

snmp-server host inside 192.168.0.137

snmp-server host inside 192.168.0.22

no snmp-server location

snmp-server contact XX

snmp-server community XX

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set des56bit esp-des esp-sha-hmac

crypto map usalocal 10 ipsec-isakmp

crypto map usalocal 10 match address us_HQ

crypto map usalocal 10 set peer XX.XX.XX.XX

crypto map usalocal 10 set peer XX.XX.XX.XX

crypto map usalocal 10 set transform-set des56bit

crypto map usalocal interface outside

isakmp enable outside

isakmp key XX address XX.XX.XX.XX netmask 255.255.255.255

isakmp key XX address XX.XX.XX.XX netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh XX.XX.XX.XX 255.255.255.224 outside

ssh XX.XX.XX.XX 255.255.255.248 outside

ssh XX.XX.XX.XX 255.255.255.248 outside

ssh XX.XX.XX.XX 255.255.255.255 outside

ssh XX.XX.XX.XX 255.255.255.240 outside

ssh XX.XX.XX.XX 255.255.255.240 outside

ssh timeout 5

management-access inside

console timeout 0

vpdn group adsl request dialout pppoe

vpdn group adsl localname XX

vpdn group adsl ppp authentication pap

vpdn username XX password XX

readymixed1 Fri, 10/12/2007 - 05:58

Ran out of space:

When I ping plot from 192.168.1.137 to 192.168.102.250, the last device it gets to is 192.168.0.253.

192.168.0.253 is my VPN Concentrator, so I don't know if something within my VPN Concentrator is set wrong or what. I don't know anything about the VPN Concentrator.

readymixed1 Thu, 10/25/2007 - 04:26

Can someone please help? What could the problem be? Is it something with our router at corp?

The remote site can access corp, and all of corp can access remote site except for the 192.168.1.0 network.

Richard Burts Thu, 10/25/2007 - 08:37

Jonathan

Can devices in the 192.168.1.0 network get to other networks? Is it a problem getting to just 192.168.102.0 or are there problems getting to other networks?

HTH

Rick

readymixed1 Thu, 10/25/2007 - 12:16

Yes, devices in the 192.168.1.0 network can get to other networks. The problem just seems to be going from the 192.168.102.0 network.

Although sometimes the antivirus server and spyware server which is on the 192.168.1.0 network can't find clients on the 192.168.0.0 network but sometimes it can. Or it will see one client on the 192.168.0.0 network but not another client.

Richard Burts Thu, 10/25/2007 - 12:46

Jonathan

I have looked through the config a bit more. I would expect that it needs an access list to permit devices outside to access resources inside. It looks like the access list access-list us_HQ would do that. But I do not see the access list applied anywhere. Is it applied and somehow that did not get reflected in the config that you posted? Or is it really un-assigned as the config shows?

HTH

Rick

readymixed1 Fri, 10/26/2007 - 04:58

It's in the config:

access-list us_HQ permit ip 192.168.120.0 255.255.255.0 192.168.1.0 255.255.255.0

Here's the strange thing (which I stated above earlier). The above config has been copied from another remote site that the 192.168.1.0 network can ping. I just changed the IP addresses to match the other remote site.

So basically the above config is from site #1, but the IPs have been changed to work in site #2.

So why can the 192.168.1.0 network ping site #1 but not site #2 when it's the same config, just different private IPs?

Richard Burts Fri, 10/26/2007 - 08:34

Jonathan

I now see that the access list us_HQ is used in the crypto map. Used like this it should allow the traffic to go through. So is there some difference between site #1 and site #2?

HTH

Rick
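
The point made in the posts above, that us_HQ is the crypto map's match ACL and nonat is the NAT exemption ACL, can be checked mechanically for any flow. The following is an added example, not part of the original thread or any poster's code; it parses only the `access-list ... permit ip` form seen in the posted config, and the function names are made up for this example.

```python
import ipaddress

# Constructed input: the ACL, NAT-exemption and crypto-map lines copied from
# the full PIX config posted earlier in this thread.
PIX_CONFIG = """\
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map usalocal 10 match address us_HQ
"""

def parse(config):
    """Return (acls, roles): ACL name -> [(src_net, dst_net)], role -> ACL name."""
    acls, roles = {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"] and len(w) == 8:
            src = ipaddress.ip_network(f"{w[4]}/{w[5]}")
            dst = ipaddress.ip_network(f"{w[6]}/{w[7]}")
            acls.setdefault(w[1], []).append((src, dst))
        elif w[:4] == ["nat", "(inside)", "0", "access-list"]:
            roles["nat_exempt"] = w[4]          # traffic that bypasses NAT
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            roles["crypto"] = w[6]              # traffic selected for the tunnel
    return acls, roles

def covered(acls, name, local_ip, remote_ip):
    """True if the flow local_ip -> remote_ip matches a permit entry of the ACL."""
    l, r = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    return any(l in s and r in d for s, d in acls.get(name, []))

def check_flow(config, local_ip, remote_ip):
    """Evaluate a flow as the PIX sees it (source = host on its inside network)."""
    acls, roles = parse(config)
    return {
        "crypto": covered(acls, roles.get("crypto"), local_ip, remote_ip),
        "nat_exempt": covered(acls, roles.get("nat_exempt"), local_ip, remote_ip),
    }

if __name__ == "__main__":
    for hq_host in ("192.168.0.137", "192.168.1.137"):
        print(hq_host, check_flow(PIX_CONFIG, "192.168.102.250", hq_host))
```

With the lines as they appear in the full posted config, both HQ subnets come back covered by both ACLs. Fed the single us_HQ line as it is typed in the 10/26 post (third octet 120), the same check returns False for the 192.168.1.0 flow while 192.168.0.0 still passes, so the comparison is best made against the running config rather than a retyped copy.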

readymixed1 Fri, 11/02/2007 - 11:52

Nope, there is no difference between site #1 and site #2. Site #1 is a repair shop using a BellSouth DSL modem to a Cisco PIX. Site #2 is about 100 yards away and is a Quality Control shop using a BellSouth DSL modem to a Cisco PIX. So in that regard they are the exact same thing. The only difference is the private IP address and the username and password for the DSL modem.

That's what's so confusing: from my office across town I can ping site #1 and site #2 using the 192.168.0.0 network. But if I switch to the 192.168.1.0 network I cannot ping site #2, but I can ping site #1.

The configs for both PIXes are the same except, like I said before, the private IPs and the username and password for the modem.
