lizardqueen007
asked on
Help with traceroute or tracert or tracetcp behind PIX 506 and 2524 Cisco router
Hi I currently have another question open, but I thought I post this one by itself.
I am behind a 2524 router and a pix 506. I will post whatever you desire if you tell me the command i.e, show running-config or whatever. The issue is not physical layer since I am able to surf the web from the server and it is currently serving a web page and receiving email which are succesfully deliverd to the LAN.
Here's the PIX:
cms_pix(config)# show configure
: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
hostname firewall506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol http 81
no fixup protocol smtp 25
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 99.99.99.99 255.255.255.224
ip address inside 10.200.20.1 255.255.255.0
arp timeout 14400
global (outside) 1 99.99.99.99
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.99.99.99 10.200.20.1 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 99.99.99.99 eq smtp any
conduit permit tcp host 99.99.99.99 eq www any
conduit permit tcp host 99.99.99.99 eq 4899 any
conduit permit tcp host 10.200.20.1eq smtp any
conduit permit icmp host 99.99.99.99 any unreachable
conduit permit icmp host 99.99.99.99 any time-exceeded
conduit permit icmp host 99.99.99.99 any echo-reply
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet 10.200.20.5 255.255.255.255 inside
telnet 10.200.20.2 255.255.255.255 inside
telnet timeout 15
terminal width 80
Cryptochecksum:10698a39652
HERE IS THE 2524:
router2524>en
Password:
router2524#show running-config
Building configuration...
Current configuration:
!
version 11.0
service udp-small-servers
service tcp-small-servers
!
hostname cms3095
!
enable secret 5 xxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxx
!
!
interface Ethernet0
ip address 99.99.99.99 255.255.255.224
!
interface Serial0
ip address 99.99.99.98 255.255.255.252
!
interface Serial1
no ip address
shutdown
!
ip name-server 205.244.9.65
ip name-server 205.244.6.65
ip route 0.0.0.0 0.0.0.0 99.99.99.99
!
line con 0
line aux 0
transport input all
line vty 0 4
password 299792458lds
login
!
end
Thank you
I am behind a 2524 router and a pix 506. I will post whatever you desire if you tell me the command i.e, show running-config or whatever. The issue is not physical layer since I am able to surf the web from the server and it is currently serving a web page and receiving email which are succesfully deliverd to the LAN.
Here's the PIX:
cms_pix(config)# show configure
: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
hostname firewall506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol http 81
no fixup protocol smtp 25
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 99.99.99.99 255.255.255.224
ip address inside 10.200.20.1 255.255.255.0
arp timeout 14400
global (outside) 1 99.99.99.99
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.99.99.99 10.200.20.1 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 99.99.99.99 eq smtp any
conduit permit tcp host 99.99.99.99 eq www any
conduit permit tcp host 99.99.99.99 eq 4899 any
conduit permit tcp host 10.200.20.1eq smtp any
conduit permit icmp host 99.99.99.99 any unreachable
conduit permit icmp host 99.99.99.99 any time-exceeded
conduit permit icmp host 99.99.99.99 any echo-reply
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet 10.200.20.5 255.255.255.255 inside
telnet 10.200.20.2 255.255.255.255 inside
telnet timeout 15
terminal width 80
Cryptochecksum:10698a39652
HERE IS THE 2524:
router2524>en
Password:
router2524#show running-config
Building configuration...
Current configuration:
!
version 11.0
service udp-small-servers
service tcp-small-servers
!
hostname cms3095
!
enable secret 5 xxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxx
!
!
interface Ethernet0
ip address 99.99.99.99 255.255.255.224
!
interface Serial0
ip address 99.99.99.98 255.255.255.252
!
interface Serial1
no ip address
shutdown
!
ip name-server 205.244.9.65
ip name-server 205.244.6.65
ip route 0.0.0.0 0.0.0.0 99.99.99.99
!
line con 0
line aux 0
transport input all
line vty 0 4
password 299792458lds
login
!
end
Thank you
I'm not sure if I missed it, but what exactly do u want?
ASKER
Sorry-I want to enable tracert so that I can diagnose a network problem. I was advised to use tracert from the mail server which I have given static IP 10.200.20.1 for this example.
static (inside,outside) 99.99.99.99 10.200.20.1 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.99 10.200.20.1 netmask 255.255.255.255 0 0
Didn't the "trace x.x.x.x" command work on the cisco router?
ASKER
maybe someone could answer this so I don't need to request refund.
the last commands i entered were:
conduit permit icmp host 99.99.99.99 any unreachable
conduit permit icmp host 99.99.99.99 any time-exceeded
conduit permit icmp host 99.99.99.99 any echo-reply
Is it possible that they were not working until I sent the write mem command?
the last commands i entered were:
conduit permit icmp host 99.99.99.99 any unreachable
conduit permit icmp host 99.99.99.99 any time-exceeded
conduit permit icmp host 99.99.99.99 any echo-reply
Is it possible that they were not working until I sent the write mem command?
So you want to run the command tracert from your mail server? What kind of mail server is it? Is it running on Windows or Linux, etc? To run the trace route from a Windows system, simply open a command prompt and type tracert x.x.x.x where x.x.x.x is the host IP you want to trace to.
Telnet into your router and run the tracert there or firewall whatever host has access to both sides of your network.
Sounds like you are having a problem with one of your firewall policies. I would first make sure that on the same subnet you can ping the desired host, make sure there is no software firewall running on the host.
Telnet into your router and run the tracert there or firewall whatever host has access to both sides of your network.
Sounds like you are having a problem with one of your firewall policies. I would first make sure that on the same subnet you can ping the desired host, make sure there is no software firewall running on the host.
ASKER
I fixed the problem with the following PIX commands:
conduit permit tcp host 10.110.10.20 eq smtp any
conduit permit icmp host 63.145.241.36 any unreachable
conduit permit icmp host 63.145.241.36 any time-exceeded
conduit permit icmp host 63.145.241.36 any echo-reply
Thank you
conduit permit tcp host 10.110.10.20 eq smtp any
conduit permit icmp host 63.145.241.36 any unreachable
conduit permit icmp host 63.145.241.36 any time-exceeded
conduit permit icmp host 63.145.241.36 any echo-reply
Thank you
ASKER
I'm sorry that I was unclear yami_rider, I had been working on this problem for about 24 hours straight and my mind is nearly gone. What I wanted to do was run tracert from the windows mail server through the firewall for diagnostic reasons. I had posted sooooooooo much information in other questions that I lost track of what had been revealed in this new question. Anyway, I was able to solve the problem through other questions posted here and some research at Cisco.
Here's what I found:
http://www.cisco.com/warp/public/110/pixtrace.html
and I issued the following comands to solve the problem:
conduit permit icmp host 99.99.99.99 any unreachable
conduit permit icmp host 99.99.99.99 any time-exceeded
conduit permit icmp host 99.99.99.99 any echo-reply
what was confusing is that they did not immediately work, but maybe I did not clear xlate or write mem or something that I do not know.
Thanks again everyone at experts-exchange you guys are great.
Here's what I found:
http://www.cisco.com/warp/public/110/pixtrace.html
and I issued the following comands to solve the problem:
conduit permit icmp host 99.99.99.99 any unreachable
conduit permit icmp host 99.99.99.99 any time-exceeded
conduit permit icmp host 99.99.99.99 any echo-reply
what was confusing is that they did not immediately work, but maybe I did not clear xlate or write mem or something that I do not know.
Thanks again everyone at experts-exchange you guys are great.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.