PIX 515 to 1721 Router, some HTTP not reaching the host

The problem comes in accessing certain web servers. I cannot access http://dotster.com or even ping it at 64.85.73.21; http://hotmail.com and http://geminiairsystems.com are also inaccessible. I have a remote system that I connected to, and there is no problem with those hosts. Internal DNS resolves the address by hitting external servers with no problem; it picks up the correct IP address for the ping. When I ping the above addresses it says "Reply from 209.76.153.162: Destination host unreachable" (this is the Ethernet address of the router). I included the config screens of the PIX and the 1721 below to help. Once we fix this, I would really appreciate it if you could point out any commands that I do not need in the config of either the PIX or the 1721.

Thanks a million.

---- 1721 Router config ----

PacBellRouter#show run
Building configuration...

Current configuration : 709 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PacBellRouter
!
enable secret 5 XXXXXXXXXXX.
!
ip subnet-zero
ip domain-list 206.13.28.12
ip domain-list 206.13.31.12
!
modemcap entry line
!
!
!
interface FastEthernet0
 description TO LOCAL LAN
 ip address 209.76.153.162 255.255.255.240
 speed auto
!
interface Serial0
 description PB CKT 40HCGS991156_OO1PT
 ip address 64.160.180.38 255.255.255.240
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
no ip classless
ip route 0.0.0.0 0.0.0.0 64.160.180.37
no ip http server
!
!
!
line con 0
line aux 0
 exec-timeout 0 0
line vty 0 4
 no login
!
end

PacBellRouter#

---- PIX 515 config -----

pixfirewall# show config
: Saved
:
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.76.153.163 255.255.255.240
ip address inside 192.168.100.1 255.255.255.0
arp timeout 14400
global (outside) 1 209.76.153.164 netmask 255.255.255.240
global (outside) 1 209.76.153.165-209.76.153.166
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.76.153.167 192.168.100.11 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.168 192.168.100.12 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.169 192.168.100.13 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.170 192.168.100.14 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.171 192.168.100.15 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.172 192.168.100.16 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.173 192.168.100.17 netmask 255.255.255.255 0 0
static (inside,outside) 209.76.153.174 192.168.100.18 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 209.76.153.167 eq smtp any
conduit permit tcp host 209.76.153.167 eq www any
conduit permit tcp host 209.76.153.167 eq 5900 any
conduit permit tcp host 209.76.153.170 eq www any
conduit permit tcp host 209.76.153.170 eq ftp any
conduit permit tcp host 209.76.153.171 eq www any
conduit permit tcp host 209.76.153.168 eq 5900 any
conduit permit tcp host 209.76.153.170 eq 3389 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.76.153.162 0
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXX
pixfirewall#

Accepted Solution

Re: PIX 515 to 1721 Router, some HTTP not reaching the host

Can your users access any web sites? Can they ping your router? Can your router ping the sites your clients can't? Can the PIX?

Do a clear xlate, then ping or access a web site that fails, and then do a show xlate and sh conn to see whether the PIX is translating the traffic. What does this show?

If traffic is not too heavy, run debug ip packet on the router (first turn off fast switching) to see traffic going through the router.

I would remove the following 2 lines:

ip domain-list 206.13.28.12
ip domain-list 206.13.31.12

Change your community string from the default "public" on the PIX.

Reverse the order of the global statements (not a big difference, but still).

Add service password-encryption on the router.

2 REPLIES

New Member

Re: PIX 515 to 1721 Router, some HTTP not reaching the host

The router had a bad command of "no ip classless".

This did not allow certain subnets to be accessible, and it was changed to "ip classless".
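As an added illustration of this fix (this is not code from the thread; it models the 1721's routing table rather than reading it), here is a small Python simulation of IOS route lookup with and without ip classless. The routing table is constructed from the router config posted above: the two connected /28 subnets and the static default via 64.160.180.37. The comparison destination 198.51.100.10 is a made-up address from the documentation range, not one from the thread. With no ip classless, the Serial0 subnet 64.160.180.32/28 puts a piece of the classful major network 64.0.0.0/8 into the table, so any other 64.x.x.x destination (such as the dotster.com address 64.85.73.21 from the original post) is looked up only within that major network; no subnet matches, the default route is not consulted, and the router answers with host unreachable. Destinations in other major networks still fall through to the default route, which is why most sites worked. The simulation generalises the one case in the reply to any destination and any table.

```python
import ipaddress

# Constructed routing table modelled on the 1721 config posted in this thread:
# two connected /28 subnets plus the static default route via 64.160.180.37.
ROUTES = [
    (ipaddress.ip_network("209.76.153.160/28"), "connected FastEthernet0"),
    (ipaddress.ip_network("64.160.180.32/28"), "connected Serial0"),
    (ipaddress.ip_network("0.0.0.0/0"), "64.160.180.37"),
]


def classful_major_network(addr):
    """Return the class A/B/C major network that contains addr."""
    addr = ipaddress.ip_address(addr)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefixlen = 8       # class A
    elif first_octet < 192:
        prefixlen = 16      # class B
    else:
        prefixlen = 24      # class C
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def lookup(destination, ip_classless, routes=ROUTES):
    """Return the next hop for destination, or None when the router would
    drop the packet (ICMP destination host unreachable).

    ip_classless=True models 'ip classless': plain longest-prefix match,
    falling back to the default route.
    ip_classless=False models 'no ip classless': when the table already
    contains a subnet of the destination's classful major network, only
    routes inside that major network are considered, and the default route
    is not used for the rest of that major network.
    """
    dest = ipaddress.ip_address(destination)
    candidates = [(net, hop) for net, hop in routes if dest in net]
    if not ip_classless:
        major = classful_major_network(dest)
        major_known = any(net.prefixlen > 0 and net.subnet_of(major)
                          for net, _ in routes)
        if major_known:
            # The default route (0.0.0.0/0) is never a subnet of the major
            # network, so it drops out of the candidate list here.
            candidates = [(net, hop) for net, hop in candidates
                          if net.subnet_of(major)]
    if not candidates:
        return None
    best_net, best_hop = max(candidates, key=lambda r: r[0].prefixlen)
    return best_hop


def compare(destination):
    """Next hop under both modes, as (no_ip_classless, ip_classless)."""
    return lookup(destination, False), lookup(destination, True)


if __name__ == "__main__":
    # 64.85.73.21 is the dotster.com address from the original post;
    # 198.51.100.10 is a constructed address in a different major network;
    # 64.160.180.37 is the PacBell next hop on the connected Serial0 subnet.
    for dst in ("64.85.73.21", "198.51.100.10", "64.160.180.37"):
        classful, classless = compare(dst)
        print(f"{dst:>15}  no ip classless -> "
              f"{classful or 'DROP (host unreachable)'}   "
              f"ip classless -> {classless}")
```

Running it shows 64.85.73.21 dropped under no ip classless and forwarded to 64.160.180.37 under ip classless, while 198.51.100.10 reaches the default route in both modes. Seen from the inside, the drop is exactly the "Reply from 209.76.153.162: Destination host unreachable" the original post reports, since the router's LAN address is what sources the ICMP error.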
