Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 204
  • Last Modified:

Can not ping one address.

Hello,

Other than this one address the router appears to work just perfect. I just can't seem to ping the address below. The device in front of this 3640, a pix can ping the address just fine so it has to be on this device or the pix. But why this one address and none others that I know about?

Can you help me correct the problem?

Thanks.
Kent


Can not ping 64.60.258.50!

Current configuration : 1441 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname AFE
!
boot system flash 122-24a.bin
logging buffered 4096 informational
enable secret
!
ip subnet-zero
!
!
ip name-server 198.6.1.2
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.0.0
 duplex auto
 speed auto
!
interface Ethernet1/0
 description Internal Network
 ip address 192.168.10.1 255.255.255.0
 half-duplex
!
interface Ethernet1/1
 description Office Ethernet
 ip address 192.168.20.1 255.255.255.0
 no keepalive
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 172.16.0.0 255.255.0.0 FastEthernet0/0
ip route 172.16.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.4.0 255.255.255.0 192.168.20.2
ip route 192.168.5.0 255.255.255.0 192.168.20.2
ip route 192.168.10.0 255.255.255.0 Ethernet1/0
ip route 192.168.20.0 255.255.255.0 Ethernet1/1
no ip http server
!
!
snmp-server engineID local 00000009020000B064C3A651
snmp-server community  RO
snmp-server enable traps tty
snmp-server enable traps envmon
snmp-server enable traps frame-relay
!
dial-peer cor custom
!
!
!
!
line con 0
 password
 login
line aux 0
 password
 login
line vty 0 4
 password
 login
!
end

AFE#ping 64.60.248.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.60.248.50, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
0
KentDRuddick
Asked:
KentDRuddick
  • 4
  • 3
1 Solution
 
kfullartonCommented:
I assume this address is on the outside of the pix.  Can you ping any other addresses?
0
 
KentDRuddickAuthor Commented:
This address is on the outside of the PIX. This is the only address that I know of that I can not ping. I can reach the address from the pix but not this 3640. The route statements are very straight forward on the pix. I can not figure out why just this one address can not be pinged on this device. Other than this address I have no other issues with this device, everything works fine. I'm stumped.
0
 
kfullartonCommented:
Can you post the pix config?  Sounds like the issue is there.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
KentDRuddickAuthor Commented:
I skewed the addresses of the servers for security.

Thanks for your help with this.


interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname AFE
domain-name
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.10.200 kin
name 172.16.5.250 SMTPGW
name 172.16.5.200 exchange
name 172.16.5.45 insidesharepoint
name 192.168.10.10 tsgateway
name 206.169.17.xx nt01out
name 206.169.17.x kout
name 206.169.17.xx webout
name 206.169.17.x webmail
name 206.169.17.x outsidesharepoint
name 206.169.17.xx tsgatewayout
name 172.16.10.201 jin
name 206.169.17.x jout
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 206.80.25.242 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 206.169.17.xx-206.169.17.xxx
global (outside) 1 206.169.17.xxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) kout kin netmask 255.255.255.255 0 0
static (inside,outside) nt01out SMTPGW netmask 255.255.255.255 0 0
static (inside,outside) webmail exchange netmask 255.255.255.255 0 0
static (inside,outside) outsidesharepoint insidesharepoint netmask 255.255.255.2
55 0 0
static (inside,outside) jout jin netmask 255.255.255.255 0 0
static (inside,outside) tsgatewayout 172.16.5.204 netmask 255.255.255.255 0 0
conduit permit tcp host kout eq 5500 any
conduit permit tcp host nt01out eq smtp any
conduit permit tcp host webmail eq https any
conduit permit tcp host outsidesharepoint eq www any
conduit permit tcp host tsgatewayout eq 62889 any
conduit permit tcp host jout eq 5500 any
conduit permit tcp host tsgatewayout eq 62888 any
conduit permit udp host webmail eq ntp host 204.123.2.72
route outside 0.0.0.0 0.0.0.0 206.80.25.241 1
route inside 172.16.0.0 255.255.0.0 192.168.1.2 1
route inside 172.16.1.0 255.255.255.0 192.168.1.2 1
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
0
 
kfullartonCommented:
I don't see any issues there.  Can you ping 206.80.25.241 from the pix and from the 3640?
0
 
KentDRuddickAuthor Commented:
I can ping that address from the pix but not the 3640. I find that really strange.
0
 
kfullartonCommented:
Well, you don't have anything specifically allowing the icmp packet to come back in.  I'm kind of a hack when it comes to the pix, but try adding a line like...

permit icmp any any

or

add an acl that allow icmp inbound and apply it to the outside interface.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now