10-04-2007 11:37 AM - edited 03-09-2019 06:57 PM
I'm having a problem:
If my IP address is 192.168.1.113
Default Gateway 192.168.1.250
I can't ping 192.168.102.250
If my IP address is then changed to 192.168.0.137
Default gateway 192.168.0.254
I can ping 192.168.102.250
Anybody have any suggestions what this could be?
10-04-2007 11:55 AM
Hi Jonathan,
Please provide us with more information. This is too much for the forum to give you an accurate answer.
What are you trying to accomplish?
What devices are you trying to ping?
Are there any ACLs which are blocking ICMP?
What models of devices and what are their IOS versions?
We are here to help, but only if given enough information.
Hope this helps.
Thanks,
Paul
10-08-2007 10:54 AM
Ok
If my computer's IP address is 192.168.1.137 and I try to ping a remote site that has an IP address of 192.168.102.X, I can't ping anything on that network.
If I change my IP address to 192.168.0.137 and try to ping it, it works.
I thought maybe it was something in the config of the PIX 506, so I took another config from a different remote site that I can ping using either IP address. I changed the IP addresses to make the PIX operate on the 192.168.102.0 network. Still can't ping.
Therefore I know it's not the config on the PIX 506.
What else could it be?
What should I be looking for?
I'm a recent grad, so I need all the help I can get.
10-08-2007 11:23 AM
Hi Jonathan,
1. Sounds like a Layer 3 issue. Check the default gateway on the segment in question and make sure your PC is configured correctly.
2. Here is what I tell college grads:
Draw the situation in Visio or on a piece of paper. Include all Access Control Lists (ACLs) on your network, interface IP addresses, and default gateways. Put as much detail into the drawing as you can; no detail is too small.
Post your PIX config to this forum and let us be the judge if there isn't some issue. Remove all password information.
Hope this helps. Let us know what you find out.
Paul
10-12-2007 05:52 AM
OK, I did a ping plotter trace with my PC set to 192.168.1.137. Here are the results:
It gets to the corp. router but doesn't go any farther. So it can't see the PIX at the remote site (192.168.102.250).
If I ping plot the public IP address of the modem at the remote site, it will get to the modem.
So I don't know if the problem is in the config of the PIX (it shouldn't be; I took a config from another site that worked) or something with the firewall or switch here in corp. that won't allow any IP on the 192.168.1.0 network to access the 192.168.102.0 network.
Below is the config:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XX encrypted
passwd XX encrypted
hostname XX
domain-name XX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 5
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging device-id hostname
logging host inside 192.168.0.31
no logging message 305005
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.102.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.102.97 255.255.255.255 0 0
nat (inside) 1 192.168.102.98 255.255.255.255 0 0
nat (inside) 1 192.168.102.99 255.255.255.255 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.0.137
snmp-server host inside 192.168.0.22
no snmp-server location
snmp-server contact XX
snmp-server community XX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set des56bit esp-des esp-sha-hmac
crypto map usalocal 10 ipsec-isakmp
crypto map usalocal 10 match address us_HQ
crypto map usalocal 10 set peer XX.XX.XX.XX
crypto map usalocal 10 set peer XX.XX.XX.XX
crypto map usalocal 10 set transform-set des56bit
crypto map usalocal interface outside
isakmp enable outside
isakmp key XX address XX.XX.XX.XX netmask 255.255.255.255
isakmp key XX address XX.XX.XX.XX netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh XX.XX.XX.XX 255.255.255.224 outside
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh XX.XX.XX.XX 255.255.255.255 outside
ssh XX.XX.XX.XX 255.255.255.240 outside
ssh XX.XX.XX.XX 255.255.255.240 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group adsl request dialout pppoe
vpdn group adsl localname XX
vpdn group adsl ppp authentication pap
vpdn username XX password XX
10-12-2007 05:58 AM
Ran out of space:
When I ping plotter from 192.168.1.137 to 192.168.102.250, the last device it gets to is 192.168.0.253.
192.168.0.253 is my VPN Concentrator. So I don't know if it's something within my VPN Concentrator set wrong or what. I don't know anything about the VPN Concentrator.
10-25-2007 04:26 AM
Can someone please help? What could the problem be? Is it something with our router at corp?
The remote site can access corp, and all of corp can access remote site except for the 192.168.1.0 network.
10-25-2007 08:37 AM
Jonathan
Can devices in the 192.168.1.0 network get to other networks? Is it a problem getting to just 192.168.102.0 or are there problems getting to other networks?
HTH
Rick
10-25-2007 12:16 PM
Yes, devices in the 192.168.1.0 network can get to other networks. The problem just seems to be going from the 192.168.102.0 network.
Although sometimes the antivirus server and spyware server, which are on the 192.168.1.0 network, can't find clients on the 192.168.0.0 network, sometimes they can. Or they will see one client on the 192.168.0.0 network but not another client.
10-25-2007 12:46 PM
Jonathan
I have looked through the config a bit more. I would expect that it needs an access list to permit devices outside to access resources inside. It looks like the access list access-list us_HQ would do that. But I do not see the access list applied anywhere. Is it applied and somehow that did not get reflected in the config that you posted? Or is it really un-assigned as the config shows?
HTH
Rick
10-26-2007 04:58 AM
It's in the config:
access-list us_HQ permit ip 192.168.120.0 255.255.255.0 192.168.1.0 255.255.255.0
Here's the strange thing (which I stated earlier above). The above config has been copied from another remote site that the 192.168.1.0 network can ping. I just changed the IP addresses to match the other remote site.
So basically the above config is from site #1, but the IPs have been changed to work in site #2.
So why can the 192.168.1.0 network ping site #1 but not site #2 when it's the same config, just different private IPs?
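The thread turns on whether the PIX's nonat ACL and the crypto map's "match address" ACL actually cover the pair of networks being tested, since a PIX only encrypts (and exempts from NAT) traffic that matches those lists, and a subnet that is mistyped in one ACE silently drops that one source/destination pair out of the tunnel while every other pair keeps working. The script below is an added example, not something from the thread or from Cisco; it is a small checker that parses PIX 6.x style access-list, nat 0 and crypto map lines and reports, for a given remote-inside address and HQ address, whether each list permits the pair. The two embedded configs are constructed excerpts: the first uses the us_HQ lines as they appear in the originally posted config, the second uses the us_HQ line exactly as quoted in the post above (192.168.120.0 rather than 192.168.102.0). The addresses 192.168.102.250, 192.168.1.137 and 192.168.0.137 are the ones the thread tests with.

```python
import ipaddress
import re

# Constructed excerpt: ACL, nat 0 and crypto map lines from the config as first posted.
SITE1_CONFIG = """
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map usalocal 10 match address us_HQ
"""

# Constructed variant: identical except that the us_HQ entry for the 192.168.1.0
# network is written with 192.168.120.0 as the local subnet, as quoted in the thread.
SITE2_CONFIG = """
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.120.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map usalocal 10 match address us_HQ
"""

# PIX 6.x extended ACE of the form:
#   access-list NAME permit|deny ip SRC SRCMASK DST DSTMASK
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_acls(config):
    """Return {acl_name: [(action, src_network, dst_network), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((action, src_net, dst_net))
    return acls


def acl_permits(acl, src_ip, dst_ip):
    """First-match evaluation: True only if the first ACE covering src->dst is a permit."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def referenced_acl(config, pattern):
    """Pull the ACL name out of a 'nat (inside) 0 ...' or 'crypto map ... match address ...' line."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None


def check_vpn_path(config, remote_inside_ip, hq_ip):
    """Evaluate the pair from the PIX's own viewpoint (inside source -> HQ destination),
    which is the direction both the nonat list and the crypto ACL are written in."""
    acls = parse_acls(config)
    nonat_name = referenced_acl(config, r"^nat \(inside\) 0 access-list (\S+)")
    crypto_name = referenced_acl(config, r"^crypto map \S+ \d+ match address (\S+)")
    return {
        "nonat": acl_permits(acls.get(nonat_name, []), remote_inside_ip, hq_ip),
        "crypto": acl_permits(acls.get(crypto_name, []), remote_inside_ip, hq_ip),
    }


if __name__ == "__main__":
    for label, cfg in (("site #1", SITE1_CONFIG), ("site #2 as quoted", SITE2_CONFIG)):
        for hq in ("192.168.1.137", "192.168.0.137"):
            result = check_vpn_path(cfg, "192.168.102.250", hq)
            print(f"{label}: 192.168.102.250 -> {hq}: {result}")
```

Run as-is, the check passes for every pair against the first config, and for site #2 it passes for the 192.168.0.0 host but reports the crypto ACL not matching for the 192.168.1.0 host, which is the same asymmetry the thread describes. A mismatch on this list has to be checked on both ends of the tunnel: the VPN Concentrator at 192.168.0.253 needs the mirror-image network list for the same pair, and a trace that dies at the concentrator is consistent with either side lacking the entry. The script only reads the lines the thread shows; it does not model interface ACLs, the sysopt connection permit-ipsec behaviour, or ACEs with host/any keywords.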
10-26-2007 08:34 AM
Jonathan
I now see that the access list us_HQ is used in the crypto map. Used like this it should allow the traffic to go through. So is there some difference between site #1 and site #2?
HTH
Rick
11-02-2007 11:52 AM
Nope, there is no difference between site #1 and site #2. Site #1 is a repair shop using a BellSouth DSL modem to a Cisco PIX. Site #2 is about 100 yards away and is a Quality Control shop using a BellSouth DSL modem to a Cisco PIX. So in that regard they are the exact same thing. The only difference is the private IP address and the username and password for the DSL modem.
That's what's so confusing: from my office across town I can ping site #1 and site #2 using the 192.168.0.0 network. But if I switch to the 192.168.1.0 network I cannot ping site #2, but I can ping site #1.
The configs for both PIXes are the same except, like I said before, the private IPs and the username and password for the modem.