Solved

PIX Routing blocks http

Posted on 2009-04-14
42
1,150 Views
Last Modified: 2013-11-22
We are having a strange problem that is only affecting the company owners home network.  I will try to be as descriptive as possible.  Our office has a single T1 coming in from our ISP from there it goes into our PIX 515e.  After the PIX is a Cisco 3750 switch.  The owner has a single fractional T1 running to his house, this is a point-to-point from the office only.  On the house end there is a cisco 1750 router and on the office end we are using a cisco 2821.  Now the owner just a got a new DirectTV system and needs to use the supplied wireless bridge to connect to his network, this is working with no issues.  The problem comes in when internet is involved.  We use a barracuda webfilter setup in proxy mode.  the owner's pc at home cannot browse the web without the proxy being entered into the settings.  Any other PC like mine in the office can bypass the proxy using the PIX as the default gate way.  I have looked at all of hte rules i can think of that may be blocking http traffic from his house to the office and so far have had no luck.  For security reasons we have icmp disabled making it hard to trouble shoot since i am never able to ping google.com for testing no matter how i am connected to the network.  I am not sure whether to take this up with cisco or with Barracuda to have the resolution.  I think it something in our cisco stack that causing the troubles but am unable to find the root cause.  I have checked all of the IP routes and everything looks fine.  As i mention i can use the web on my computer at my desk without having any of the proxy settings in place.
0
Comment
Question by:StrifeJester
  • 23
  • 19
42 Comments
 
LVL 2

Expert Comment

by:Deoji
ID: 24142261
If you set your computer to use the proxy rather than ByPass it do you have internet access?
If you loginto the Barracuda Filter and go to "Block/Accept" then Browse Test. Access an allowed page... Can your Barracuda access the internet?
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24143107
The barracuda is working for me in the office, i can also browse the web if i bypass the barracuda.  the owner is only able to browse if he uses the barracuda.  his subnet is 192.168.2.0 mine is 192.168.3.0 i cannot find anything in the pix that is allowing or dissallowing these ipranges.
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24147297
You may need to setup a static route in the barracuda for 192.168.2.0/24. So it knows which Gateway to use for that address.

That is under the "Basic" tab then "IP Configuration"
Towards the bottom of the page.

Try that and see if it helps.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24147605
Already did that, 192.168.0.0 255.255.0.0 routes to the core switch.  I even tried it with each individual subnet we use. I don't think this is the barracuda causing the problems though.  The reason i don't believe it is the barracuda is that it is not required to use the internet.  I can bring a brand new computer in that has not been joined to the domain and put it on the network and have full internet access.  Once the machine is joined to the domain it gets the proxy/webfilter settings.  I tried the packet tracer in the pix but it is pretty much worthless if you ask me.  It may be the switch or the router because all traces stop with the switch as the last known hop, this may be because we are completely blocking ICMP though since my workstation which as internet access stops at the same place.
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24148178
Is your Core Switch preforming any routing?
If so, assuming it is a Cisco and you do a Show IP Routes does it know where to route 192.168.2.0/24?

If that address isn't listed as a route and that network isn't on the other side of the Core Switch's default gateway then the switch needs a Static Route for that address.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24148224
eigrp and other routing is working because as mentioned the owner can use the proxy from home which means the packets still ahve to get back, he can log into the domain and he can use outlook.  There is no IP route statement, i assume because he can authenticate to the domain and browse folders on the files servers and use outlook that it is not needed.
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24148394
He can use the proxy from home?
I thought you said he doesn't get internet access?

Are you then meaning that you wish to have him be able to get Internet access without using the proxy from home?
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24148488
Here are two traces, one from my machine and one from the owners.  The ip i am tracing to are opendns.org servers.  You can see i am getting one hop further and getting a response from the .17 address this is the ISP router, i don't believe I have access to make changes to it.  what i find strange is that in the trace it is that our pix is not one of the hops.

First is from my workstation
C:\Documents and Settings\admin>tracert 208.68.222.222

Tracing route to 208.68.222.222 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.3.254
  2     1 ms    <1 ms    <1 ms  XXX.XXX.XXX.17 <- External IP
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Now from the 192.168.2.1 Router at the owner's home
DAN-1750-WAN#trace 208.67.222.222

Type escape sequence to abort.
Tracing the route to 208.67.222.222

  1 10.0.1.1 16 msec 12 msec 12 msec
  2 192.168.21.254 12 msec 16 msec 12 msec
  3  *  *  *
  4  *  *  *

What the heck and one from the core switch
MFLD-3750-1#trace 208.67.222.222

Type escape sequence to abort.
Tracing the route to resolver1.opendns.com (208.67.222.222)

  1 66.84.184.17 0 msec 9 msec 0 msec
  2  *  *  *
  3  *  *  *

So there are the three traces you can see my workstation and the core switch route the same but the router at the owners home does not.  I believe the problem lies somewhere in the PIX, Switch, or possibly the ISP router which is also a PIX.  I am leaning more into the switch and think i am just missing something small, like the IP route.  The router at the owners house routes all traffic to the interface o nthe other side of the T1 naturally.  then that router has only 2 ip route lines, one for a client application and then route 0 to the core switch.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24148535
he has a new directv receiver with a linksys wga600n network bridge, the directv receiver doesn't have options for proxy addresses.  the problem is that he is unable to access the internet unless he uses the proxy. so i need him to be able to access the internet similar to how i do from work.  I can change my setting to use or not use the proxy whenever i want, i need this freedom for him as well.  since both his wii and directv receiver do not allow for setting a proxy.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24148597
I turned on ICMP on the PIX to find the next hop is the .17 address which is a router in our building we have a block of IPs from .17-.32  Is it possible that there is a rule in the .17 router that is also a PIX that controls what ips have access to the outside?
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24148643
What is device 192.168.21.254?
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24148666
the vlan address for the switch same as 192.168.3.254
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24148683
Yes, Check your NAT access list in that .17 router.
I am thinking his network doesn't have access to the NAT address Pool.

0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24148867
OK i will try that it is going to be tough since the documentation here is completely outdated and i have no idea how to get into that box or what its internal Ip address is.  I will get back to you once i figure that all out.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24149043
Here is the running config from the .17 device I am not seeing anything here that would be blocking the address but i am not 100% sure what i am looking at.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MFLD-PIX-NLGHT
domain-name XXXXXXXXXXX
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 h225 500-65535
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Inbound permit ip any host 192.168.4.2
access-list Inbound permit ip any host 192.168.4.3
access-list Inbound permit ip any host 192.168.4.4
access-list Inbound permit icmp any any
access-list Inbound permit ip any any
access-list capin permit ip any any
access-list ToNetwork permit ip any 172.31.254.0 255.255.255.0
access-list FromNorlight permit ip any any
access-list capout permit ip any any
pager lines 24
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.4.1 255.255.255.0
ip address inside 192.168.100.201 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.4.3 192.168.100.9 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.4.4 192.168.100.10 netmask 255.255.255.255 0 0
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.4.254 1
route inside 172.31.254.0 255.255.255.0 192.168.100.254 1
route inside 192.1.2.0 255.255.255.0 192.168.100.254 1
route inside 192.168.0.0 255.255.0.0 192.168.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
http 172.31.0.0 255.255.0.0 inside
http 192.1.2.0 255.255.255.0 inside
snmp-server host inside 192.1.2.6 poll
snmp-server host inside 192.168.20.12 poll
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXXX
no snmp-server enable traps
floodguard enable
telnet 192.1.2.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.31.254.0 255.255.255.0 inside
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24149363
What device does the NAT translation right before a packet goes to the internet?
That isn't this router is it?

Do you have some sort of DMZ setup?
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24149688
This router looks like it is preforming NAT only for a couple of servers for in a DMZ....
If that is the case it looks to me like everything else would pass through to some router that is perhaps in the .100 network that might actually be doing the NAT for internet access.

If so, what is the config of that router?
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24151146
That would be the other PIX .18 on our network.  Yes there is a DMZ, all of this was done before i took this job and as mentioned there is no documentation as to what routes where really.
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24151158
Can you show the config of the PIX .18?
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24151160
The .100 is only used internally for our Cisco VOIP that is a seperate router with three bonded T1 in a IMA loop for long distance back to our carrier.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24151167
yeah let me pull the .18 and clean it up and i will post it, is there anything specific you are looking for in it, its about 4 pages otherwise because of our VPN tunnels and crypto maps
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 2

Expert Comment

by:Deoji
ID: 24151193
Take out the VPN stuff...
That should make it shorter.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24151285
ok i took out some of the crypto and things like that to slim it down let me know if i accidentally cut something out that you might have needed but this i would think should be enough.  As a note i did add this route before i posted this

route inside 192.168.2.0 255.255.255.0 192.168.50.3 1 Naybe it was getting traffic out but it was never coming back from the pix, the switches were doing everything through egirp

: Saved
:
PIX Version 7.2(2)
!
hostname mfld-firewall
names
name 192.1.2.100 XXXXXXX
name 192.1.2.2 XXXXXXX
name 66.84.184.20 XXXXXXXXXXX
name 66.84.184.21 XXXXXXXXXXXX
name 66.84.184.22 XXXXXXXXXXXXX
name 66.84.184.23 XXXXXXXXXXXXXXX
name 66.84.184.24 XXXXXXXXXXXXXXXX
name 192.168.20.10 utility
name 192.168.254.13 support-cbo-DMZ
name 192.168.254.11 support-aca-DMZ
name 192.168.254.12 support-hbs-DMZ
name 192.168.254.14 facsweb-client-DMZ
name 192.168.254.15 facsweb-debtor-DMZ
name 66.84.184.19 XXXXXXXXXXXX
!
interface Ethernet0
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0.256
 vlan 256
 nameif outside
 security-level 0
 ip address 66.84.184.18 255.255.255.240 standby 66.84.184.30
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0 standby 192.168.50.10
 ospf cost 10
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 10
 ip address 192.168.254.1 255.255.255.0 standby 192.168.254.254
 ospf cost 10
!
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server alliancedc
 domain-name alliance.local
object-group network JRRemote
 network-object 192.168.113.0 255.255.255.192
 network-object 192.168.113.64 255.255.255.192
object-group network RemoteFull
 network-object 192.1.2.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 192.168.20.0 255.255.255.0
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark support.alliance-collections.com
access-list FromInternet extended permit tcp any host support-aca-outside eq https
access-list FromInternet extended permit tcp any host support-aca-outside eq www
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark support.healthcarebusinessservices.com
access-list FromInternet extended permit tcp any host support-hbs-outside eq https
access-list FromInternet extended permit tcp any host support-hbs-outside eq www
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark support.centralbizoffice.com
access-list FromInternet extended permit tcp any host support-cbo-outside eq www
access-list FromInternet extended permit tcp any host support-cbo-outside eq https
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark FACSWeb Client
access-list FromInternet extended permit tcp any host facsweb-client-outside eq www
access-list FromInternet extended permit tcp any host facsweb-client-outside eq https
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark FACSWeb Debtor
access-list FromInternet extended permit tcp any host facsweb-debtor-outside eq www
access-list FromInternet extended permit tcp any host facsweb-debtor-outside eq https
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark Unfiltered SMTP Access for domains other
access-list FromInternet remark than alliance-collections.com AND
access-list FromInternet remark centralbizoffice.com
access-list FromInternet extended permit tcp any host 66.84.184.26 eq smtp
access-list FromInternet extended permit tcp any host exchange eq https
access-list FromInternet extended permit tcp any host exchange eq smtp
access-list FromInternet extended permit icmp any any
access-list SplitPermit remark -----------------------------------------------
access-list SplitPermit remark NAT0 Access List (NoNat) For VPN Tunnels
access-list SplitPermit remark -----------------------------------------------
access-list SplitPermit remark Aspirus VPN Traffic
access-list SplitPermitDMZ extended permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list SplitPermitDMZ extended permit ip 192.168.254.0 255.255.255.0 172.31.254.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.203 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip 192.168.254.0 255.255.255.0 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.201 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.202 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.204 172.31.252.0 255.255.255.0
access-list FromDMZ extended permit ip 192.168.254.0 255.255.255.0 172.31.254.0 255.255.255.0
access-list FromDMZ extended permit ip 192.168.254.0 255.255.255.0 any
access-list FromDMZ extended permit icmp any any
access-list FromDMZ extended permit ip host 192.168.254.202 172.31.252.0 255.255.255.0
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq pop3
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq smtp
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq ldap
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq domain
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.199 eq 1972
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.199 eq 1973
access-list SplitVPNClient standard permit 192.1.2.0 255.255.255.0
access-list SplitVPNClient standard permit 172.28.239.0 255.255.255.0
access-list SplitVPNClient standard permit 10.194.254.0 255.255.255.0
access-list SplitVPNClient standard permit 172.28.36.0 255.255.255.0
access-list SplitVPNClient standard permit 172.21.0.0 255.255.0.0
access-list SplitVPNClient standard permit 192.168.0.0 255.255.0.0
access-list SplitVPNClient standard permit 66.84.236.0 255.255.255.0
access-list SplitVPNClient standard permit 66.84.237.0 255.255.255.0
access-list SplitVPNClient standard permit 192.168.20.0 255.255.255.0
access-list SplitVPNClient standard permit 192.1.5.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.203 172.31.252.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.201 172.31.252.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.202 172.31.252.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.204 172.31.252.0 255.255.255.0
access-list FromInternal extended deny ip any 192.168.254.0 255.255.255.0
access-list FromInternal extended permit ip any any
access-list FromVoIP extended permit ip 66.84.236.0 255.255.255.0 host 192.168.4.2
access-list FromVoIP extended permit ip 66.84.237.0 255.255.255.0 host 192.168.4.3
access-list FromVoIP extended permit icmp any any
access-list FromVoIP extended permit ip any any
access-list capin extended permit ip any 192.168.100.0 255.255.255.0
access-list capin extended permit ip any 192.168.101.0 255.255.255.0
access-list capin extended permit ip 192.168.100.0 255.255.255.0 any
access-list capin extended permit ip 192.168.101.0 255.255.255.0 any
access-list capout extended permit ip any host 192.168.4.2
access-list capout extended permit ip any host 192.168.4.3
access-list capout extended permit ip host 192.168.4.3 any
access-list capout extended permit ip host 192.168.4.2 any
access-list ToInternal remark From Norlight VoIP LD
access-list ToInternal extended permit ip 66.84.236.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.236.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.236.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.237.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.237.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.237.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list ToInternal remark -----------------------------------------------
access-list capinside extended permit ip host 192.168.101.10 any
access-list capinside extended permit ip any host 192.168.101.10
access-list capinside extended permit ip host 192.168.111.100 66.84.236.0 255.255.255.0
access-list capinside extended permit ip host 192.168.111.100 66.84.237.0 255.255.255.0
access-list capinside extended permit ip 66.84.236.0 255.255.255.0 host 192.168.111.100
access-list capinside extended permit ip 66.84.237.0 255.255.255.0 host 192.168.111.100
access-list capoutside extended permit ip any any
access-list capoutside extended permit ip host 192.168.4.2 any
access-list capoutside extended permit ip any host 192.168.4.2
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging asdm warnings
logging host inside 192.168.20.49
logging host inside 192.168.111.129
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool MFLD 172.31.254.1-172.31.254.254
ip local pool RemoteUser 172.31.253.1-172.31.253.254
ip local pool DMVPN 172.31.252.1-172.31.252.254
failover
no monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list SplitPermit
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list SplitPermitDMZ
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group FromInternet in interface outside
access-group FromInternal in interface inside
access-group ToInternal out interface inside
access-group FromDMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.84.184.17 1
route inside 192.1.2.0 255.255.255.0 192.168.50.3 75
route inside 172.28.0.0 255.255.0.0 192.168.50.3 75
route inside 172.21.0.0 255.255.0.0 192.168.50.3 75
route inside 10.194.0.0 255.255.0.0 192.168.50.3 75
route inside 192.168.111.0 255.255.255.0 192.168.50.3 1
route inside 192.168.112.0 255.255.255.0 192.168.50.3 1
route inside 192.168.20.0 255.255.255.0 192.168.50.3 1
route inside 192.168.101.0 255.255.255.0 192.168.50.3 1
route inside 192.168.100.0 255.255.255.0 192.168.50.3 1
route inside 66.84.237.0 255.255.255.0 192.168.50.3 1
route inside 66.84.236.0 255.255.255.0 192.168.50.3 1
route inside 192.168.4.0 255.255.255.0 192.168.50.3 1
route inside 192.168.2.0 255.255.255.0 192.168.50.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 206.40.119.206 255.255.255.255 outside
http 192.1.2.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
snmp-server host inside 192.1.2.6 poll community NiTtFaGmTcTtAoTc
snmp-server host inside 192.168.111.129 community NiTtFaGmTcTtAoTc
snmp-server host inside aca-utility poll community NiTtFaGmTcTtAoTc
snmp-server host inside 192.168.20.12 poll community NiTtFaGmTcTtAoTc
snmp-server host inside 192.168.20.32 poll community NiTtFaGmTcTtAoTc
no snmp-server location
no snmp-server contact
telnet 192.1.2.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 60
ssh 206.40.119.206 255.255.255.255 outside
ssh 201.194.184.2 255.255.255.255 outside
ssh 69.8.140.0 255.255.255.0 outside
ssh 192.1.2.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 20
ssh version 2
console timeout 0
management-access inside
!
class-map class_h323_h225
 match port tcp range 500 65535
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_2
  inspect ftp
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
!
service-policy global_policy global
ntp server 128.105.39.11 source outside prefer
ntp server 128.105.37.11 source outside
smtp-server 192.1.2.100
prompt hostname context
Cryptochecksum:aabee82595111ff53cbe23f54df06513
: end
asdm image flash:/asdm-522.bin
asdm location 192.1.2.0 255.255.255.0 inside
asdm location 192.168.0.0 255.255.255.0 inside
asdm location 192.168.50.0 255.255.255.0 inside
no asdm history enable

0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24151326
Tracing the route to 4.2.2.2

  1 10.0.1.1 12 msec 12 msec 12 msec
  2 192.168.21.254 12 msec 12 msec 12 msec
  3  *  *  *
  4  *  *  *

still getting this with the new route in place for the 192.168.2.0 traffic on the pix to send it internal so i don't think that was it
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24151427
You might try this in the .18 router...
access-list SplitPermitDMZ extended permit ip 192.168.2.0 255.255.255.0 172.31.252.0 255.255.255.0

if it doesn't make a differance then remove it with the NO command.

I am still looking at your config... That's quite the setup you got there.  :-)
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24151483
Yeah and the remarks are not very well done so it is a real pain to figure out.  I have no idea why there are 172s in there and a few of the other things.  Some of this was brought over when the company moved down the road so there very well could be residual stuff in there too.
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24151530
no luck it still doesn't get to the .17 pix
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24151606
I don't suppose you have some kind of basic visual map of the routers and how they connect together and such?

Even something quickly hand drawn and scanned would help me to better visualize the setup.
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24151792
What is 192.168.100.254?
What is 192.168.50.3?

In you could get me the dump of the config for your switch that is doing the VLAN routing I could better come up with a diagram of your network that would help in the troubleshooting of this problem.

I have already buildt a diagram of router .18 and .17 but I don't yet know how they interconnect....
Also why is .17 called .17??? I can't find anything in it's config relating to an address ending in .17?
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24152576
I masked out external IPs .17 and 18 are the last octet.  50.3 is the vlan address in the 3750 as is the 100.254 here is the vlan section of the switch.

interface Vlan1
 ip address 192.1.2.112 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.1.2.80
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN1
!
interface Vlan5
 description Path to iSCSI SAN
 ip address 192.1.5.254 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN10
!
interface Vlan18
 ip address 172.18.1.1 255.255.255.0
 shutdown
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip pim sparse-dense-mode
 standby 1 ip 192.168.20.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN20
!
interface Vlan21
 ip address 192.168.21.254 255.255.255.0
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN21
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0
 standby 1 ip 192.168.30.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN30
!
interface Vlan50
 ip address 192.168.50.254 255.255.255.0
 standby 1 ip 192.168.50.3
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN50
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
!
interface Vlan99
 ip address 192.168.99.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.99.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN99
!
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.100.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN100
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.101.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN101
!
interface Vlan111
 ip address 192.168.111.254 255.255.255.0
 ip helper-address 192.1.2.100
 standby 1 ip 192.168.111.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN111
!
interface Vlan112
 ip address 192.168.112.254 255.255.255.0
 ip helper-address 192.1.2.116
 ip helper-address 192.1.2.100
 standby 1 ip 192.168.112.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN112
!
interface Vlan113
 ip address 192.168.113.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 shutdown
 standby 1 ip 192.168.113.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN113
!
interface Vlan114
 ip address 192.168.114.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.114.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN114
!
interface Vlan115
 ip address 192.168.115.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.115.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN115
!
interface Vlan150
 ip address 192.168.150.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
!
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 standby 1 ip 192.168.201.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN201
!
interface Vlan253
 ip address 192.168.253.1 255.255.255.0
 shutdown
!
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24152622
we call the .18 mfld-firewall, the .17 is from our provider norlight and named mfld-pix-norlight.  hope this helps

I am working on some visio diagrams as we speak to get the PIX ports all mapped as to where they go on the stack.  Once i have something more hopefully i can get it posted.
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24157123
Can you put the routing information from that Switch up too.


0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24157136
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 10.0.3.0 255.255.255.252 192.168.21.4
ip route 10.1.8.0 255.255.248.0 192.168.20.2
ip route 10.10.0.0 255.255.0.0 192.168.21.6
ip route 10.30.0.0 255.255.0.0 192.168.21.6
ip route 10.100.0.0 255.255.0.0 192.168.20.2
ip route 10.104.60.0 255.255.255.0 192.168.20.2
ip route 10.108.10.0 255.255.255.0 192.168.50.1
ip route 10.130.10.0 255.255.255.0 192.168.50.1
ip route 10.130.100.0 255.255.255.0 192.168.50.1
ip route 10.131.100.0 255.255.255.0 192.168.50.1
ip route 10.138.10.0 255.255.255.0 192.168.50.1
ip route 10.138.100.0 255.255.255.0 192.168.50.1
ip route 10.139.10.0 255.255.255.0 192.168.50.1
ip route 10.139.100.0 255.255.255.0 192.168.50.1
ip route 10.165.10.4 255.255.255.255 192.168.50.1
ip route 10.165.10.5 255.255.255.255 192.168.50.1
ip route 10.165.10.6 255.255.255.255 192.168.50.1
ip route 10.165.10.10 255.255.255.255 192.168.50.1
ip route 10.165.10.11 255.255.255.255 192.168.50.1
ip route 10.165.10.12 255.255.255.255 192.168.50.1
ip route 63.240.14.132 255.255.255.255 192.168.50.1
ip route 66.84.236.0 255.255.255.0 192.168.100.201
ip route 66.84.237.0 255.255.255.0 192.168.100.201
ip route 167.68.25.83 255.255.255.255 192.168.50.1
ip route 172.16.0.0 255.255.0.0 192.168.50.1
ip route 172.18.0.0 255.255.0.0 192.168.50.1
ip route 172.28.239.0 255.255.255.0 192.168.21.5
ip route 172.30.0.0 255.255.0.0 192.168.50.1
ip route 172.31.0.0 255.255.255.0 192.168.50.1
ip route 172.31.248.0 255.255.255.0 192.168.21.7
ip route 172.31.252.0 255.255.255.0 192.168.50.1
ip route 172.31.253.0 255.255.255.0 192.168.50.1
ip route 172.31.254.0 255.255.255.0 192.168.50.1 75
ip route 172.31.254.0 255.255.255.0 192.1.2.248 90
ip route 192.112.251.132 255.255.255.255 192.168.50.1
ip route 192.168.4.0 255.255.255.0 192.168.100.201
ip route 192.168.113.0 255.255.255.0 192.168.50.1
ip route 192.168.170.0 255.255.255.0 192.168.50.1
ip route 192.168.252.0 255.255.255.0 192.168.50.1
ip route 192.168.253.0 255.255.255.0 192.168.20.2
ip route 192.236.18.0 255.255.255.0 192.168.21.7
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24157194
Your core switch doesn't know the route to get to 192.168.2.0/24
Where does the .2 network attach into your network???
On the .18 Router or .17???
If so what should the IP path be from the core switch to the .2 network?
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24157224
Ok... I see it your default route should know how to get there.
What device is 192.168.50.3?
What is it's config?
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24157564
Ok... From the diagram that I have created so far it appears that 192.168.2.0/24 goes through 192.168.50.3 to 192.168.50.1 then out to the internet directly from there.
What is 192.168.50.3??? Is it a router? If so what is it's config?

According to the information I have gathered so far it appears that the traffic comming from 192.168.2.0/24 bound to the internet never goes through the core switch and never goes through the .17 router.

Is your internet attached on the .18 router then?
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24157654
50.3 is the switch, here is a weird one we moved the device to a static ip, 192.168.2.100 and it works fine. The .2 is on the other side of a router comes in through a 2821.  He also has a home security system we are working to get up so he can monitor that from the office or anywhere we are going to try that on 192.168.2.101 and see what happens.  i am still curious as to why when it was 192.168.2.7 it wouldn't go?  Unless it has something to do with the dhcp pool on the 192.168.2.1 router
0
 
LVL 2

Accepted Solution

by:
Deoji earned 500 total points
ID: 24157727
Possibly a conflict with another IP on the network.
Did you try pinging it after the computer was moved?

If 50.3 is the Switch then it should have a route for the 192.168.2.0/24 network but the config you posted doesn't show a route for that unless I am overlooking it.

0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24159355
it doesn't respond to pings after changing it, also the route is not included because of egirp it knows how to get traffic there.  i would add a route for it into the router on this side but so far all other traffic to the subnet works so i wasn't thinking it was a route
0
 
LVL 17

Author Comment

by:StrifeJester
ID: 24159374
when i do trace to the ip 192.168.2.1 it know to send it to the router and then over the multilink connection and i get the response back, that i would like to leave alone if possible since it is working i don't want to affect other traffic
0
 
LVL 17

Author Closing Comment

by:StrifeJester
ID: 31570097
Thanks for all of the help somewhere in the changes it started working so i am going to leave it alone.
0
 
LVL 2

Expert Comment

by:Deoji
ID: 24203941
Sorry... I got pulled away by a problem here at my Job.
Glad to see that you got it all working now.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now