rreddell asked:

Cannot access a public IP from inside our Firewall (Pix 506e)

We have a remote time clock that has a public IP address. I can ping the IP address when I am inside the firewall using the ping command (PIX 506e), but I cannot ping/access the IP from inside the network.

I can access everything else, just not this block of IPs: 209.113.xxx.xxx

Since I can ping the IP from the firewall, it seems like the firewall is blocking it for some reason.

Thanks for your help
rsivanandan:

From where are you not able to ping? Both statements above say that you cannot ping from inside.

Is this IP static NATed on the PIX?

Cheers,
Rajesh
rreddell (asker):
When I am on the server inside the network it will not work. When I log into the PIX, it works.


I still don't follow you, so is this your network:

Time Stuff----------PIX----------Server

Where are the inside interface and outside interface? Can you modify the above diagram?

Cheers,
Rajesh
We have a time clock that is off site; its public IP is 209.113.xxx.xxx.

At the office, our internal network is 192.168.1.xxx.

When I am using a computer that is located on the internal network, for example 192.168.1.101, it will not ping, nor will it connect to the time clock.

When I log onto our PIX firewall, from the ping command inside the PIX box I am able to ping 209.113.xxx.xxx.

When I'm at home I can ping and connect just fine also.
Okay, so you want to allow ICMP to it? Or the NTP service itself? You need to put those in your access-list applied on the inside interface.

Post your sanitized PIX configuration and I will show you how to add the ACL.

Cheers,
Rajesh
I just want to be able to access it. We have another time clock with a public IP of 64.61.xxx.xxx and it works fine!

I can also ping everything else: web sites, etc.

Why would it just be the 209.113.xxx.xxx IP?
Thanks for your quick responses, BTW.
Can you post your router configuration? Perhaps there is something in it which is stopping it from happening.
You are probably not able to access it for the following reason:

1. There is an access-list applied on the PIX firewall's inside interface;

2. This access-list does not allow traffic to the 209.113.xxx.xxx IP.

To find out, you need to post the PIX config; if you prefer not to, then you could add the entries so that it allows the connection.

Cheers,
Rajesh
I was the one that installed the PIX (granted, I don't know much about them), but it was new and I never put that kind of access-list in.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****
passwd *****
hostname tgc-pix1
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.94.0.0 Yahoo
access-list outside_access_in permit tcp any host 72.248.113.211
access-list outside_access_in permit tcp any host 72.248.113.212
access-list outside_access_in permit tcp any host 72.248.113.214
access-list outside_access_in permit icmp any host 72.248.113.212 echo
access-list outside_access_in permit icmp any host 72.248.113.211 echo
access-list outside_access_in permit icmp any host 72.248.113.214 echo
access-list outside_access_in permit tcp any host 72.248.113.213
access-list outside_access_in permit icmp any host 72.248.113.213 echo
access-list outside_access_in permit tcp any host 72.248.113.215
access-list outside_access_in permit icmp any host 72.248.113.215 echo
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.248.113.210 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.189 255.255.255.255 inside
pdm location 192.168.1.198 255.255.255.255 inside
pdm location Yahoo 255.255.0.0 outside
pdm location 192.168.1.18 255.255.255.255 inside
pdm location 192.168.1.60 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 72.248.113.212 192.168.1.189 netmask 255.255.255.255 0 0
static (inside,outside) 72.248.113.214 192.168.1.198 netmask 255.255.255.255 0 0
static (inside,outside) 72.248.113.211 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 72.248.113.213 192.168.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 72.248.113.215 192.168.1.60 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.248.113.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.254 inside
dhcpd dns 216.41.101.15 204.17.65.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:08bc528bd911c48882770356f5ffcd43
: end
[OK]


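Rajesh's suggested cause (an access-list applied on the inside interface that does not cover the 209.113 block) and the posted configuration can be checked against each other mechanically. The script below is an added example written for this thread, not code from either participant or from Cisco: it parses the PIX 6.3 `nameif`, `access-list` and `access-group` lines, applies the PIX rule that an interface with no inbound ACL passes traffic from a higher security level to a lower one, and otherwise walks the ACL top-down with the implicit deny at the end. The `POSTED_CONFIG` excerpt is taken from the config above; `HYPOTHETICAL_INSIDE_ACL` and the ACL name `inside_access_in` are invented to show what a blocking inside ACL would look like, and 198.51.100.7 / 64.61.0.10 are constructed addresses. Port and ICMP-type qualifiers are reported but not matched, and NAT/static translation is not modelled.

```python
"""Model how a PIX 6.3 decides whether to pass a packet, and run the posted
configuration through it. Added example, not code from the thread."""
import ipaddress
import re

# Lines from the configuration posted in the thread that drive the decision.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit tcp any host 72.248.113.211
access-list outside_access_in permit tcp any host 72.248.113.212
access-list outside_access_in permit icmp any host 72.248.113.212 echo
access-group outside_access_in in interface outside
"""

# Hypothetical lines (NOT in the posted config) showing the kind of inside
# ACL Rajesh had in mind: one that blocks the 209.113.0.0/16 block.
HYPOTHETICAL_INSIDE_ACL = """\
access-list inside_access_in deny ip any 209.113.0.0 255.255.0.0
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect security levels, ACL entries and which ACL is bound to which interface."""
    cfg = {"security": {}, "acls": {}, "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            cfg["security"][m.group(1)] = int(m.group(2))
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            src, rest = _addr(rest.split())
            dst, rest = _addr(rest)
            cfg["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst,
                 "qualifier": " ".join(rest)})  # port / icmp type: reported, not matched
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)
    return cfg


def evaluate(cfg, in_if, out_if, proto, src_ip, dst_ip):
    """Return (permitted, reason) for a packet entering in_if and leaving via out_if."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = cfg["groups"].get(in_if)
    if acl is None:
        # No inbound ACL on that interface: the security levels decide.
        if cfg["security"][in_if] > cfg["security"][out_if]:
            return True, f"no ACL on {in_if}: higher-to-lower security is allowed by default"
        return False, f"no ACL on {in_if}: lower-to-higher security is denied by default"
    for i, e in enumerate(cfg["acls"].get(acl, []), start=1):
        if e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]:
            hit = f"{acl} line {i}: {e['action']} {e['proto']} {e['src']} -> {e['dst']} {e['qualifier']}"
            return e["action"] == "permit", hit.rstrip()
    return False, f"{acl}: no entry matched, implicit deny"


if __name__ == "__main__":
    posted = parse_config(POSTED_CONFIG)
    blocked = parse_config(POSTED_CONFIG + HYPOTHETICAL_INSIDE_ACL)
    # 209.113.251.203 is the clock address shown in the tracert later in the thread.
    for label, cfg in (("posted config", posted), ("with hypothetical inside ACL", blocked)):
        ok, why = evaluate(cfg, "inside", "outside", "icmp", "192.168.1.101", "209.113.251.203")
        print(f"{label}: inside -> clock {'PERMIT' if ok else 'DENY'} ({why})")
    ok, why = evaluate(posted, "outside", "inside", "icmp", "198.51.100.7", "72.248.113.211")
    print(f"posted config: outside -> 72.248.113.211 icmp {'PERMIT' if ok else 'DENY'} ({why})")
```

Run against the posted config, the inside-to-clock flow comes back permitted because nothing is bound to the inside interface, which is the same conclusion Rajesh reaches further down; only the hypothetical ACL produces a deny. The outside-to-inside checks show the posted ACL doing exactly what it says: TCP to the static hosts is permitted, ICMP echo only to the hosts listed, anything else falls to the implicit deny.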
ASKER CERTIFIED SOLUTION
skaap2k
When I'm inside the PIX itself I can ping the time clock. So I couldn't see that being a reason?

When I do a tracert from the internal network, it times out at the first hop; it doesn't even get a chance to get past the PIX.

grrrrrrrrrr



The fact that you're able to ping it from the PIX and from your home proves that there is nothing blocking on the other end.

On the machine from where you are trying to ping, what is the default gateway? Is it for sure 192.168.1.1 (PIX inside address)?

If yes, how does the tracert look? I mean, does it get to the firewall at least? Can you post the output of tracert?

Cheers,
Rajesh
This is from the internal network. Again, I'm not a real deep network guy, but I just cannot see what this could be. The gateway is 192.168.1.1.

Tracing route to host203.209.113.251.conversent.net [209.113.251.203]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
 
That's really weird. I tried pinging but it didn't work, so obviously it is being blocked somewhere, but that isn't the problem. When you trace route, you should at least be able to see the gateway IP address first.

Did you try from another machine? That would eliminate a TCP/IP stack problem with the office machine.

Cheers,
Rajesh
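The tracert above answers Rajesh's question only once it is compared with a trace that does work from the same LAN. The script below is an added example for this thread (not code posted by either participant): it parses Windows tracert output, finds the first hop that answered, and reports where a failing trace diverges from a working one. `FAILING_TRACE` is the output posted above; `WORKING_TRACE` is constructed to show what a successful trace through this PIX would look like, with its hop 1 being 72.248.113.209 (the next hop of the `route outside` line in the posted config, since a PIX does not decrement the TTL of transit packets and so does not appear as a hop itself) and the addresses beyond it (203.0.113.1, 64.61.0.10) invented for illustration.

```python
"""Parse Windows tracert output and locate where a failing path diverges from
a working one. Added example for this thread, not part of the original posts."""
import re

# Tracert output as posted in the thread (failing path to the 209.113 clock).
FAILING_TRACE = """\
Tracing route to host203.209.113.251.conversent.net [209.113.251.203]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""

# Constructed example of a working trace from the same LAN. The PIX itself is
# invisible (it does not decrement TTL), so hop 1 is the upstream router from
# the posted "route outside" line; later hops are invented for illustration.
WORKING_TRACE = """\
Tracing route to 64.61.0.10
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  72.248.113.209
  2    12 ms    11 ms    12 ms  203.0.113.1
  3    25 ms    24 ms    25 ms  64.61.0.10

Trace complete.
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_AT_END = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def parse_tracert(text):
    """Return an ordered list of (hop_number, responder_ip_or_None)."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header, blank or "Trace complete." line
        hop, rest = int(m.group(1)), m.group(2)
        ip = None if "Request timed out" in rest else IP_AT_END.search(rest)
        hops.append((hop, ip.group(1) if ip else None))
    return hops


def first_responding_hop(hops):
    """(hop_number, ip) of the first router that answered, or None if nothing did."""
    return next(((h, ip) for h, ip in hops if ip), None)


def divergence(working, failing):
    """First hop where the two traces show different responders, as
    (hop_number, working_ip, failing_ip); None if they agree throughout."""
    for (hw, ipw), (_, ipf) in zip(working, failing):
        if ipw != ipf:
            return hw, ipw, ipf
    return None


def diagnose(working_text, failing_text):
    working, failing = parse_tracert(working_text), parse_tracert(failing_text)
    first, div = first_responding_hop(failing), divergence(working, failing)
    if first is None:
        verdict = ("no hop answered at all: probes are lost before or at the first "
                   f"router that answers in the working trace, hop {div[0]} ({div[1]})")
    elif div is None:
        verdict = "failing trace matches the working path for every hop it shows"
    else:
        verdict = (f"path is shared up to hop {div[0] - 1}; it diverges at hop "
                   f"{div[0]} (working {div[1]}, failing {div[2]})")
    return {"first_responding_hop": first,
            "diverges_at": div[0] if div else None,
            "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(WORKING_TRACE, FAILING_TRACE)["verdict"])
```

For the posted output the result is "no hop answered at all", diverging at hop 1: the probes toward 209.113.251.203 never draw a reply even from the router that answers first on a working path, which is why the thread moves on to isolating the LAN and then the upstream router rather than to the PIX access-lists.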
Just a thought, but I need to confirm first with you.

Can you do the ping/tracert from a machine which is *NOT* one of the following IPs:

192.168.1.189
192.168.1.198
192.168.1.4
192.168.1.18
192.168.1.60

Cheers,
Rajesh
Tried it from a regular workstation; same results, ping and tracert.

Try to ping it now. Early this morning our data provider had issues.

One thing I will try this evening is to eliminate everything else and just plug my laptop into the PIX and try to ping it then.
I'm able to ping now, though I'm having a couple of timeout issues as well. But yeah, it would be good to try.

Cheers,
Rajesh
Sorry for the delay; been out of the office.

OK. Was able to try and just go from my laptop into the firewall, bypassing everything else.

NO DICE.

So it seems like the firewall is blocking the IP somehow?

Could I make a rule that routes everything internally for that IP to the outside?
Hmmm, actually no need; there is nothing on the firewall that blocks it. I just tried to ping it again from my machine and it doesn't work. So is there something that keeps changing on the site where this server is present?

Cheers,
Rajesh
Been a long time since I started this, but hey, better than never, right!?

There is nothing that changes on the site. I'm able to ping it from my home right now and from inside the router, but still not from inside the network.

I've also put in a whole new domain, but even with the new servers, no dice.

But playing around a little, I found another IP that will not allow me to ping it, and this site has the same setup as the 209.113 site, but it allows me to ping it from inside the Cisco router. Its IP is 67.158.118.11.

What I mean by the same setup: they have integrated T1s, voice and data on the same T. Might give the telecom a call.

Sorry for the absence on this...  

Ry
No issues, let me know what happens from the telecom end.

Cheers,
Rajesh
Called ONECom; they also said it has to be the router, since I'm able to ping everything from inside the router.

I'm at a loss here. The only thing I know to do now is to take everything else off the network and just plug a laptop into the switch with the PIX; maybe something is screwing with it on the network??
When you get time, try that, just a laptop directly on the PIX, and see. It is weird.

Cheers,
Rajesh
They replaced the router; everything is working now.

Thanks for all your help and quick responses; you helped me eliminate what it could be down to what it was.

Again.. thanks!

Ry