Avatar of Bosaloski
BosaloskiFlag for United States of America

asked on 

Unable to Ping Internet from server

I have a network with a SBS 2003 server and 5 clients.  I am using Bellsouth DSL as my Internet connection with a Cisco pix firewall between the DSL modem and my LAN.  The clients can ping and browse the LAN and Internet without any problems, but my server is the machine with the problem.  This problem started sometime late last month, but the server has been working fine for a year or so up until then.  The server can ping local machines, but it cannot ping or browse any websites on the Internet.  I know that there is a problem with my server only because my clients work just fine getting to the Internet.  I thought it might be a DNS issue, but because I can't even ping websites and the fact that my clients are using the server as a DNS server and can get to the Internet then it is not a DNS issue.  I have tried to run a recursive query from my DNS server and of course it failed.  I feel something may be blocking the ping requests from my server, so I checked the firewall on my server.  I am using Trend Micro's Client/Server Messaging firewall.  Windows firewall is turned off and the service is stopped.  I have stopped the Trend firewall service, but I get the same result when trying to ping the Internet.  I found out that the WWW Publishing service was not started and so I started it, but I still cannot ping to the Internet.  I can remote into my server, so i know there is not a problem with the network card.

I am at a loss as to what to check now.  Any suggestions or advice would be greatly appreciated.  Thanks for any help you can give.

Avatar of undefined
Last Comment
Avatar of cdbeste

maybe there is a rule on the Cisco blocking
your server IP
Avatar of evan021702
Flag of United States of America image

Your server may have come with Internet and Security Acceleration  (ISA) Server installed since it is SBS.  Check to see if that is installed.  If so you will either need to uninstall it or add rules to allow ping to/from external addresses.
Avatar of Bosaloski
Flag of United States of America image


The Cisco is not blocking the server.  The clients can browse the Internet.  Also, I have looked at the configuration adn it is good.  Also, there have been no changes on the pix since last month.

I apologize for not telling you which SBS I have.  It is actually SBS 2003 standard.  There is no ISA firewall installed on the server.  Thanks for your ideas.
Avatar of bkepford
Flag of United States of America image

Can you post an ipconfig /all for both your PCs and your server?
Your hunch seems right about the DNS. If you are running Active directory your server needs to use itself as the DNS server and then in the DNS server properties there is a forwarder tab you need to put the providers DNS servers there.
Avatar of evan021702
Flag of United States of America image

You can also test the DNS.  Open a command prompt and type nslookup . Do a lookup for a known website such as google.com or yahoo.com.  If you get a timeout error, try pinging an external site by the ip address and not the DNS name. Here is google.com's open external address: .  
Also what type of DSL modem was supplied.  I have had issues with the 2wire modems with built in firewalls.
Avatar of Don S.
Don S.
Flag of United States of America image

Is the default gateway address on your server correct?  (pointing at the Cisco firewall?)
Avatar of Bosaloski
Flag of United States of America image


The nslookup failed when using Google's IP address.  Nslookup said "DNS request timed-out" and "Request to servername.domainname.local timed-out".  

The default gateway is set to the Cisco Pix firewall.

The ipconfig /all for the server is:
DHCP Enabled? No
IP address:
Subnet mask:
Default Gateway:
DNS Servers:

The client machines ipconfig /all is:
DHCP Enable? Yes
IP address:
Subnet Mask:
Default Gateway:
DNS Servers:
WINS Server:

If the client machines ue only the local server as the DNS server, then they cannot surf the internet, but can still ping websites.  When the server uses only the Bellsouth DNS servers it still cannot surf the Internet, nor can it ping websites by name or IP address.

The DSL modem is a Netopia from Bellsouth, but it is not the culprit.  If it was then no one could get to the Internet even with the Bellsouth DNS servers.  Also, no changes have been made to the DSL modem since it was installed.
Avatar of Bosaloski
Flag of United States of America image


Right now, the server only has the Bellsouth DNS servers in its IP properties.  I tried pinging the Bellsouth DNS server and got  1 reply.  I tried it again and got 3 replies.  I tried it a few more times and got no replies (all "Request timed out").
Avatar of evan021702
Flag of United States of America image

Just to rule out the PIX, I would take a laptop and plug it directly into the DSL modem.  Assuming you have a dynamic IP from Bellsouth, just wait for it to connect when you plug in the ethernet card and do some testing from there (ping, nslookup, etc.).  If everything works from there, make sure you have fixup protocol dns in your PIX.  Then try nslookup from your server/workstations again.  nslookup should default to your address, but you can also test the secondary DNS by typing server or server .  
Would you mind posting your PIX config?
Avatar of Bosaloski
Flag of United States of America image


Hooked up my laptop directly to the DSL modem.  Could get to the Internet, ping passed, and nslookup passed.  I did the same thing with my laptop and the Cisco PIx.  The laptop got an intermal IP address form the DHCP server (the SBS server).  All of the test passed.  fixup protocol dns maximum-length 512 command is in the pix configuration.  

Ping and nslookup still fail on server only.  I have been running a ping -t command to Bellsouth's DNS server and about 15% of the pings actually get replies.  The others get Request timed out.  When I do get a reply it comes in groups.  I usually get about 12 - 15 replies in a row and then it goes back to Request timed out.  

Here is my pix configuration:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 5KdS6c1u9S3qp4.F encrypted
passwd 5KdS6c1u9S3qp4.F encrypted
hostname HTFfirewall
domain-name Hi-TekFlooring.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound permit icmp any any
access-list inbound permit tcp any host public IP address eq https
access-list inbound permit tcp any host public IP address eq smtp
access-list inside_outbound_nat0_acl permit ip any

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside public IP address
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL
pdm location inside
pdm location inside
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) public IP address netmask 0 0
access-group inbound in interface outside
route outside public IP address 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
snmp-server host inside
snmp-server location Hi-Tek Flooring
snmp-server contact KMK Technologies 843.965.5658
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VDPN-GROUP accept dialin pptp
vpdn group PPTP-VDPN-GROUP ppp authentication mschap
vpdn group PPTP-VDPN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VDPN-GROUP client configuration address local VPN_POOL
vpdn group PPTP-VDPN-GROUP client configuration dns
vpdn group PPTP-VDPN-GROUP client configuration wins
vpdn group PPTP-VDPN-GROUP pptp echo 60
vpdn group PPTP-VDPN-GROUP client authentication local
vpdn username mhaidary password *********
vpdn username KMKAdmin password *********
vpdn username bookkeeper password *********
vpdn username mansour2 password *********
vpdn enable outside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end

I have reviewed the pix configuration and can find nothing wrong with it.

Thanks for your help.
Avatar of evan021702
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Bosaloski
Flag of United States of America image


The problem is not with the Cisco pix.  I have done some more testing, such as using another cable in another port on the switch, using a USB network card, and using a different IP address.  My results were that the different cable and switch port made no difference.  I still could not ping or browse the Internet.  When I used another network card, I could ping and browse the Internet as long as I used another IP address than  When I used another IP address on the server's network card other than the existing one (, I could consistently ping the web and browse the web.  However, my DHCP server went down and I could not access my Trend Micro Security Dashboard because it is tied to the server's previous IP address.  Even though I could go online, my recursive test in my DNS server would fail.  I have reset the IP address to on the server's network card and now the recursive test in the DNS server says Pass, my DHCP server is back online, I can access my Security Dashboard, but I cannot ping the Internet nor browse it.  The ping to the Internet will get a response about 15% of the time.

There is a problem with the IP address of, but I am unsure why only that 1 IP address is having a problem.  If anyone has heard of this kind of problem or has a solution, please let me know.  Right now, I am perplexed.  Thanks again.
Avatar of evan021702
Flag of United States of America image

You may have a winsock issue or problem with registry keys associated with networking that networking component.  Please review this article from Microsoft and then try running netdiag /test:winsock after you have installed netdiag.  If any portion of the test fails, then the winsock registry entry is corrupt.
However if you have to remove the corrupt winsock you will have to reinstall TCP/IP protocol on the network adapter.  
Avatar of Bosaloski
Flag of United States of America image


Thanks for the sugestion.  I was starting to wonder if it could be a winsock issue.  I ran the netdiag test and all of the test passed.  I will haveto keep researching the problem.  Thanks.
Avatar of evan021702
Flag of United States of America image

Have you checked the local routing table on the Server to be sure there are not bad entries (open command > type route print)?
Have you had any windows updates install around the time that this all started occuring? I have seen plenty of times a KB hose up things.  
Avatar of Bosaloski
Flag of United States of America image



I thought it might be an update.  I have seen where an update stopped all emails from coming in on one SBS server I setup.  While I was eating lunch, I thought about how it was just that was affected, so I decided to look at everything that might mention the IP address of  The DSL modem did not have any mention of that I P address.  I remembered that you mentioned about the static statement in my Cisco PIX, so I went over my configuration again.  This time I decided to try your suggestion about removing the existing static comment and adding the 2 new static comments.  Once I did that, saved the new config, and rebooted the PIX all of the pings to Bellsouth's DNS server started working.  I would have sworn that the PIX was not the problem.  Good thing I'm not a betting man.

Will the new static statement let the PIX know where to send email  to the server (  Thanks for all of your help.  I really appreciate it.
Avatar of evan021702
Flag of United States of America image

Yes your email should still work. However feel free to test just to be sure.
 Even cisco shows your PIX configuration as correct, however I have always just done it this way so that I am sure that nothing unintentional is statically mapped to my servers. Only the ports you specify will be mapped for each static statement input.
Glad tt worked!!!

Small Business Server (SBS) is a line of server operating systems targeted at small businesses by bundling the operating system with a number of other Microsoft products that would normally need to be purchased or licensed separately. The most notable inclusions are Exchange, SQL Server, SharePoint and ISA/TMG (Microsoft's firewall and proxy server).

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo