Ports working fine but tracert shows loops and cannot ping

I cannot ping our public IPs even though they work. In other words, our web server is serving web pages OK even though I cannot ping its public address.

These addresses are changed from the real ones so you will not be able to "see" the site or run port scans.  I have from multiple locations outside and the sites and scans do work.

ISP router           57.57.57.101

Our Router (S0)   57.57.57.102

WWW server       63.63.63.130

There is no ICMP blocking on the router or web server. I think that this tracert shows an odd result as well. I have never seen this. Notice how most of the entries bounce between the ISP's router and ours without reaching address 63.63.63.130.

Here's the tracert result:

C:\Documents and Settings\Administrator>tracert 63.63.63.130

Tracing route to 63.63.63.130  over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    16 ms    22 ms    30 ms  10.33.160.1
  3    14 ms    11 ms    11 ms  24.30.161.110
  4    14 ms     9 ms    10 ms  66.75.161.190
  5    16 ms    13 ms    14 ms  66.75.161.17
  6    29 ms    15 ms    15 ms  66.75.161.26
  7    23 ms    23 ms    24 ms  66.185.143.5
  8    14 ms    16 ms    23 ms  151.164.248.61
  9    16 ms    15 ms    12 ms  151.164.41.30
 10    21 ms    13 ms    13 ms  151.164.40.89
 11    29 ms    15 ms    18 ms  151.164.241.213
 12    17 ms    15 ms    15 ms  151.164.191.30
 13    24 ms    32 ms    23 ms  57.57.57.102
 14    19 ms    19 ms    20 ms  57.57.57.101
 15    26 ms    27 ms    25 ms  57.57.57.102
 16    23 ms    23 ms    32 ms  57.57.57.101
 17    48 ms    38 ms    30 ms  57.57.57.102
 18    31 ms    42 ms    31 ms  57.57.57.101
 19    50 ms    36 ms    37 ms  57.57.57.102
 20    36 ms    36 ms    50 ms  57.57.57.101
 21    40 ms    43 ms    52 ms  57.57.57.102
 22    40 ms    46 ms    55 ms  57.57.57.101
 23    53 ms    51 ms    70 ms  57.57.57.102
 24    43 ms    44 ms    42 ms  57.57.57.101
 25    50 ms    52 ms    61 ms  57.57.57.102
 26    51 ms    49 ms    50 ms  57.57.57.101
 27    66 ms    58 ms    61 ms  57.57.57.102
 28    57 ms    56 ms    55 ms  57.57.57.101
 29    77 ms    62 ms    72 ms  57.57.57.102
 30    61 ms    60 ms    67 ms  57.57.57.101

Here's the config:
clock timezone PST -8
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
interface FastEthernet0/0
 description Inside Lan Connection
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 description SBC WAN
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address 57.57.57.102 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 15 IETF
!
ip nat inside source list 100 interface Serial0/0.1 overload
ip nat inside source static tcp 192.168.1.201 80 63.63.63.130 80 extendable

ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

line con 0
 exec-timeout 0 0
 password 7 15435C5B526061023A3630261C0A
 transport input none
 speed 19200
line aux 0
 password 7 040A5C51596B06681B1C00131D06
line vty 0 4
 password 7 101F5E4E535D582D1E012F2F2B25
 login
!
end

Let me know if you want more info. There is no  routing protocol used on this config. I submitted the config to an SBC engineer who said the config looked fine.  Thanks for the continued help.

Note: Tracert is being done from my home machine outside of the network.  There are no PTR or A records registered yet for this site.  The tracert above was done using the IP and not the FQDN.  If I take a port scanner and point it at 63.63.63.130 I can see port 80 is open.

Does anyone know what might be causing this and how to correct it?

Thanks in advance!
zenportafino Asked:

cagri Commented:
Hi Zenportafino,

As I've written under the same question under some other topic, it is all about your NAT definition, overloading and static definition translating only port 80 (web).

Regards,
0
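The behaviour described in the answer above can be reproduced with a simplified model of the first router's forwarding decision. This is an added example, not code from the thread; it uses the addresses as posted and assumes the ISP routes 63.63.63.130 back toward 57.57.57.102.

```python
import ipaddress

# Constructed model of the first router in the thread (addresses as posted).
CONNECTED = {
    "FastEthernet0/0": [ipaddress.ip_network("192.168.1.0/24"),
                        ipaddress.ip_network("10.0.0.0/24")],
    "Serial0/0.1": [ipaddress.ip_network("57.57.57.100/30")],
}
# ip nat inside source static tcp 192.168.1.201 80 63.63.63.130 80 extendable
STATIC_NAT = {("tcp", "63.63.63.130", 80): ("192.168.1.201", 80)}
OUR_WAN, ISP_WAN = "57.57.57.102", "57.57.57.101"


def customer_router(proto, dst, dport=None):
    """Return (egress interface, destination after outside-to-inside NAT)."""
    # Only an exact protocol/address/port match is translated.
    dst, dport = STATIC_NAT.get((proto, dst, dport), (dst, dport))
    addr = ipaddress.ip_address(dst)
    for ifname, nets in CONNECTED.items():
        if any(addr in net for net in nets):
            return ifname, dst
    # ip route 0.0.0.0 0.0.0.0 Serial0/0.1
    return "Serial0/0.1", dst


def trace(proto, dst, dport=None, ttl=8):
    """List the routers a packet visits once the ISP hands it to our router."""
    hops = []
    while ttl > 0:
        hops.append(OUR_WAN)
        ttl -= 1
        ifname, new_dst = customer_router(proto, dst, dport)
        if ifname != "Serial0/0.1":
            hops.append(new_dst)  # translated and delivered to the inside host
            return hops
        if ttl == 0:
            break
        # Assumption: the ISP has a route for dst pointing back at our router.
        hops.append(ISP_WAN)
        ttl -= 1
    return hops


if __name__ == "__main__":
    print("tcp/80:", trace("tcp", "63.63.63.130", 80))
    print("icmp:  ", trace("icmp", "63.63.63.130"))
```

TCP port 80 matches the static entry and is delivered inside, while ICMP to the same address matches nothing, follows the default route back out Serial0/0.1, and alternates between the two WAN addresses until the TTL runs out, as in the posted tracert.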

AutoSponge Commented:
Yeah, ICMP does not use a port and therefore will not pass to your webserver based on that access list, you'd have to add a permit ICMP any any before the implicit deny all.
0
AutoSponge Commented:
I mean, you'd have to stop forwarding just port 80 and restrict ports with an ACL to 80 and ICMP.  (hope that's clearer than what I said before).
0
zenportafino (Author) Commented:
cagri, I will award points in the previous question and will also award points in this question since my question has changed.

I totally understand now what you are saying about ICMP and only letting port 80 through. It makes sense. Here's the question for this post:

Why does ping and tracert work for my other router below?  

The setup below is for a DIFFERENT frame relay line where my block of public IPs is ASSIGNED to an interface, so it is different than the router above. The router above has a WAN address with the public IP block NOT ASSIGNED to any interface.

It's not the end of the world if I cannot ping or tracert, though I would like the ability to for troubleshooting and, more importantly, I would like to learn how these configs really work. Thanks again, and here's the config that ICMP will pass through.


Router1#sh run
Building configuration...

Current configuration : 3492 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
enable password 7 00270B3C560C580218336E6F
!
!
!
!
!
clock timezone PST -8
ip subnet-zero
no ip finger
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 description To UUNET (u34106)
 bandwidth 1536
 no ip address
 ip access-group 100 in
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address 63.63.63.129 255.255.255.128
 ip access-group 100 in
 ip nat outside
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 11 interface Serial0/0.1 overload
ip nat inside source static tcp 192.168.1.7 110 63.63.63.250 110 extendable
ip nat inside source static tcp 192.168.1.7 25 63.63.63.250 25 extendable
ip nat inside source static tcp 10.0.0.2 80 63.63.63.129 80 extendable
ip nat inside source static tcp 192.168.1.13 80 63.63.63.200 80 extendable
ip nat inside source static tcp 192.168.1.16 80 63.63.63.201 80 extendable
ip nat inside source static tcp 192.168.1.16 443 63.63.63.201 443 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip http access-class 11
!
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
snmp-server community d8129a912d RW
snmp-server community public RO
snmp-server enable traps snmp
!
line con 0
 password 7 020707080A520A76154B5C
 login
 transport preferred none
 transport input none
line aux 0
 password 7 045A08550E754919501C50
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0
 exec-timeout 30 0
 password 7 045A08550E754919501C50
 login
 transport preferred none
line vty 1
 exec-timeout 30 0
 password 7 070E221A4F5A1C5746175E
 login
 transport preferred none
line vty 2 4
 exec-timeout 30 0
 password 7 020707080A520A76154B5C
 login
 transport preferred none
!
end


0
AutoSponge Commented:
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any

You're allowing anything through that interface on the second example.  You're not doing so on the previous one.
0
zenportafino (Author) Commented:
I tried applying that access-list again and am still not getting ICMP through. Can I have more than one access-list with 100-199 used?

clock timezone PST -8
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
interface FastEthernet0/0
 description Inside Lan Connection
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 description SBC WAN
 bandwidth 1536
 no ip address
 ip access-group 102 in
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address 57.57.57.102 255.255.255.252
 ip access-group 102 in
 ip nat outside
 frame-relay interface-dlci 15 IETF
!
ip nat inside source list 100 interface Serial0/0.1 overload
ip nat inside source static tcp 192.168.1.201 80 63.63.63.130 80 extendable

ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any any

line con 0
 exec-timeout 0 0
 password 7 15435C5B526061023A3630261C0A
 transport input none
 speed 19200
line aux 0
 password 7 040A5C51596B06681B1C00131D06
line vty 0 4
 password 7 101F5E4E535D582D1E012F2F2B25
 login
!
end
0
AutoSponge Commented:
I think I see it now.  In one you have an access-class that doesn't specify packet type, so both IP and ICMP pass.  The other specifies IP so ICMP falls into the implicit deny.  Adding a permit icmp any any on the end should do it.
0