OmarSenussi

SBS 2008 clients have no internet access after router died.. Server can browse email lan access normal

I have a SBS2008 network behind a CISCO PIX 501 with a Zyxel router.. Pretty standard stuff.. The setup has been in use for years on a SBS2003 before this one, which, incidentally, was a clean install with just the data copied over.
Everything was working absolutely beautifully until yesterday when I was remotely linked in and all PCs and server disappeared from my screen on LogMeIn.

After some checking with ISP etc., I found that the router had died. I replaced it with the same make, but different model.. configured exactly the same, plugged it in and all appeared to be OK.. I had internet access (on the server) and email on Exchange was working fine, clients were picking up mail and navigating the server without any problem.. BUT none of the client boxes could browse the internet. (They were all working beforehand!!)

I have looked for errors in the logs and found nothing that might indicate a cause for this behaviour.. Server can ping clients and vice versa..

I am lost! Help please!! NB: I have got forwarders configured in DNS and ipconfig gives the desired result on the clients: DNS points to the server and the default gateway is the PIX

Cris Hanna

So...You have a switch which connects the server, the workstations, and the Cisco PIX? and the PIX then connects to the Zyxel router?
So have you ensured that the inside address of the new Zyxel router (LAN side) is the same as the old one? Is the outside address the same as well?
Have you verified port forwarding?
Rick Johnson

You may have tried this already but...
Go to a client, drop to a command prompt and type:

ipconfig/all

Check the IP, Subnet Mask, Default Gateway
Try pinging the default gateway
(ping x.x.x.x)
Assuming you get a response from the gateway, try a tracert further out, such as your router
tracert y.y.y.y
If that works, try tracert www.google.com
See if DNS works correctly by getting you an IP address
Have you rerun the connect to the Internet wizard? This was necessary after changing routers with SBS 2003, not sure on 2008. You might also try the "fix my Network Wizard". Both are located in the SBS console under networking | connectivity | right hand menu.

Can a client machine access a web site by IP such as Google: 173.194.32.104  This will help to determine if a routing or DNS issue.
OmarSenussi

ASKER

Ok.. thanks for the quick response..

Hi CrisHanna.. re: inside address of router.. Yes I made double sure by checking my PIX config and using the value in there.. also in my notes! The outside is a fixed IP assigned by my ISP.. as my mail is coming in ok and the DNS is configured (at the provider's control panel to direct remote.xyz.co.uk to the IP I'm assuming is attached to my router's internet facing side) I'm assuming the answer is yes... Also RWW and OWA both work fine using the remote.domain_name.com

IPCONFIG /ALL as noted in the body of the question returns all the expected values .. I'm pretty sure  I checked that I could ping the server and PIX from the clients ..  but will try again
I will try the other diagnostic suggestions when I am in the office tomorrow...

RobWill, I don't think I re-ran the connect to the internet as I already had internet access and that is verified in the SBS Console under Network->connectivity ticked and connected.
I did run the fix my network wizard, which is a bit of a pain, because it seems to deem my choice of server ip (192.168.0.50) inappropriate and insists on changing that to 192.168.0.2 for some reason best known only to it!


I will try the rest of the suggestions when I am in the office.. Thanks again
I could be wrong, and Rob will correct me if necessary :-)   Doesn't the Cisco have the ability to have the Public static IP on its outside (WAN) connection?   If so, I'd set it up that way and remove the Zyxel.. just to be sure the new one is ok
Cris the PIX can definitely be assigned a public IP. I too was wondering why the dual NAT configuration.
Or, is the Zyxel a modem and not a router, or possibly a combined unit? If a combined router/modem the better config is to put it in bridge mode, however it would seem the current config is not a problem if the server functions.

As mentioned before, can a client machine access a web site by IP such as Google: 173.194.32.104  This will help to determine if a routing or DNS issue.

Hi again guys!
I was wondering after posting whether using the word router was confusing the issue.. It actually is a DSL router/modem set as a straight through device.. no NAT, no DHCP, no firewall.. just modem.... and the outside IS assigned a public address as is the inside of the Zyxel.. the outside of that is picked up from the ISP.

Having got that out of the way..
1.. cannot get through to Google with IP
2. Yes.. can ping  PIX (Default gateway) and server from the client
3. Tracert will go no further.. cannot get response from outside of pix or inside of router.. let alone any further..

I noticed elsewhere on these threads, someone mentioned removing DNS and re-instating? Any ideas on that?  As it is SBS2K8, which likes everything done via wizards, if I was going to do that.. that is if you guys think it's a good idea! then I'd appreciate some sound methodology ...  I want to be sure I'm not going to screw it up even further!!

Thanks for your input(s) so far..
Omar
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
Hi RobWill

Funny .. I was just about to add a comment.. while I was scratching my head here, I connected a laptop to the system and disconnected the server.. tried with a public address,.. no problem, with an internal address through the pix and I had an issue.. no browsing with a random unused ip.. put the SERVER'S address in and BINGO!!.. So you were right on the money when you said you suspected the pix was blocking any traffic other than the server... I must have had a similar suspicion to do those tests.. Anyway that has narrowed the field down significantly!!
I have recently been changing things to open ports for RWW.. but that then continued to work fine for at least a week.. the screwing around only started after the Zyxel went west.. I suspect a surge or just old age!
re your ip 173.194.32.104 straight in from the server!
I'll have a close look at the pix config!  Any ideas whether it could be a physical malfunction on the PIX?
Cheers.. Omar
Hi Rob or Cris.. anyone??

Any idea how I can output the config of the pix (apart from using a serial cable and hyperterminal!) to a file so I can attach it here?
It can always be a physical malfunction, but the Pix is pretty much a battleship, crude but very dependable. I have never seen one that would fire up that didn't work.....but I have seen lots that were mis-configured.
I am very rusty with Pix's, or maybe never that good.
However from the menu you should be able to get to a command line window and enter "show running-config" then copy and paste.
You can also use hyper terminal to an IP rather than use the serial cable.
"from the menu " = menu in the Pix GUI (PDM)
Thanks Rob.. I found I could right click mark.. highlight the output in the DOS window and copy / paste to a text file! .. so here is the config.. I'd be grateful if anyone can point out any glaring cock ups!
pix-config-nov-10.txt
SOLUTION
This solution is only available to members.
Sorry to come back to this sooo late
Just a thought...did the SBS 2003 have 2 nics and now the SBS 08 has just one?   Were all workstations "proxied" through the SBS 2003 server previously?
I'd probably throw a 40.00 Netgear router in there to replace the PIX and see if everything works...that for sure narrows down the pix config...but I'm not a Cisco guy either
Hi Rob.. that line has been in there forever from the days of SBS 2003.. and never caused any problem.. The rest of the config, as I said, was working up till the time the Zyxel croaked..!
The entries you refer to are probably for Outlook Anywhere and Remote Workplace.. Are you referring to the open ports lines
access-list acl_group permit tcp any host 217.36.14.210 eq 987
access-list acl_group permit tcp any host 217.36.14.210 eq 3389
access-list acl_group permit tcp any host 217.36.14.210 eq pptp
As I mentioned and Cris also pointed out it looks like the clients might be trying to use the SBS as their gateway from old SBS 2003 config.

The lines I was referring to that were not relevant to the question were things like:
access-list acl_group permit tcp any host 217.36.14.220 eq https
access-list acl_group permit tcp any host 217.36.14.210 eq https
access-list acl_group permit tcp any host 217.36.14.210 eq smtp
access-list acl_group permit tcp any host 217.36.14.220 eq smtp
Why are those ports open on two IPs?
Oh.. I see
We used to have two domains xyzdesign and xyzprojects and the mail feed was sent to 220 for the former and 210 for the latter.. The remote.xyzprojects.co.uk is now pointing at 210 .. 220, as you rightly say is a hangover.. but it was there before this issue raised its ugly head.. If you think I should remove them.. it's quite easy.. I'll probably remove them anyway as they are not being used.

Thanks for your continued input
As mentioned those are not relevant to the problem, it just made me wonder what else was on the network.

Could you post the results from  ipconfig /all  from both the server and a problematic workstation while the Pix is in place?
Thanks,
--Rob
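
An added example, not part of any post in the thread: a short Python audit of the inbound permit lines quoted above that groups open ports by public address and lists entries for addresses no longer in use. The function names and the `IN_USE_HOSTS` set are assumptions made for the example (the thread only says 220 is a hangover), and the regex covers just the `permit <proto> any host <ip> eq <port>` form shown on this page.

```python
import re
from collections import defaultdict

# The seven inbound permit lines quoted in the thread (PIX 6.x syntax).
ACL_TEXT = """\
access-list acl_group permit tcp any host 217.36.14.210 eq 987
access-list acl_group permit tcp any host 217.36.14.210 eq 3389
access-list acl_group permit tcp any host 217.36.14.210 eq pptp
access-list acl_group permit tcp any host 217.36.14.220 eq https
access-list acl_group permit tcp any host 217.36.14.210 eq https
access-list acl_group permit tcp any host 217.36.14.210 eq smtp
access-list acl_group permit tcp any host 217.36.14.220 eq smtp
"""

# Assumption for this example: only .210 still fronts a live service.
IN_USE_HOSTS = {"217.36.14.210"}

RULE = re.compile(
    r"^access-list (?P<acl>\S+) permit (?P<proto>\S+) any "
    r"host (?P<host>\d{1,3}(?:\.\d{1,3}){3}) eq (?P<port>\S+)$"
)

def parse_permits(text):
    """Return (rules, unparsed): matched entries and lines that did not match."""
    rules, unparsed = [], []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line:
            continue
        m = RULE.match(line)
        if m:
            rules.append(dict(m.groupdict(), line=line))
        else:
            unparsed.append(line)             # never drop a line silently
    return rules, unparsed

def exposure_by_host(rules):
    """Map each public address to the ports opened to 'any' source."""
    exposed = defaultdict(list)
    for r in rules:
        exposed[r["host"]].append(r["port"])
    return dict(exposed)

def stale_rules(rules, in_use_hosts):
    """Entries that open ports on an address nothing uses any more."""
    return [r for r in rules if r["host"] not in in_use_hosts]

def removal_commands(rules):
    """PIX removes a single ACL entry with 'no' followed by the exact line."""
    return ["no " + r["line"] for r in rules]

if __name__ == "__main__":
    parsed, leftover = parse_permits(ACL_TEXT)
    for host, ports in exposure_by_host(parsed).items():
        print(host, "->", ", ".join(ports))
    for cmd in removal_commands(stale_rules(parsed, IN_USE_HOSTS)):
        print(cmd)
    for line in leftover:
        print("review by hand:", line)
```
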
Sure thing..  I don't think it will reveal anything controversial.. But.. Thanks anyway.  I have now removed those two lines in the PIX config.. It seems to me like it's no longer doing any NAT'ing for some reason ?
Server..
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Omar>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : XYZ-SERVER
   Primary Dns Suffix  . . . . . . . : xyz.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : xyz.local

Ethernet adapter Local Area Connection 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDI
 VBD Client) #2
   Physical Address. . . . . . . . . : 84-2B-2B-49-B5-17
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDI
 VBD Client)
   Physical Address. . . . . . . . . : 84-2B-2B-49-B5-16
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8da:709:ecce:d11c%11(Preferred)
   Link-local IPv6 Address . . . . . : fe80::e4f6:fb8c:26d0:db1d%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 293874475
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-48-0A-75-00-15-17-F6-CD-E

   DNS Servers . . . . . . . . . . . : fe80::8da:709:ecce:d11c%11
                                       192.168.0.50
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Server Adapter
   Physical Address. . . . . . . . . : 00-15-17-F6-CD-EC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{9838FF62-4963-4F03-83A1-9B65D9B7
B6A}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{C8823DA8-8F9E-45D3-8C7D-7EB24659
C0B}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{AA11F583-E616-4290-B709-D6354669
1D9}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

client: Including ping and tracert
C:\Documents and Settings\Triermore>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Triermore>tracert 217.36.14.222

Tracing route to host217-36-14-222.in-addr.btopenworld.com [217.36.14.222]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
       
  *        *        *           Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:\Documents and Settings\Triermore>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : xyz-6
        Primary Dns Suffix  . . . . . . . : xyz.local
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : xyz.local
                                            xyz.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : xyz.local
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit
roller
        Physical Address. . . . . . . . . : 00-12-3F-57-7E-4D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.50
        DNS Servers . . . . . . . . . . . : 192.168.0.50
        Lease Obtained. . . . . . . . . . : 11 November 2010 03:07:09
        Lease Expires . . . . . . . . . . : 19 November 2010 03:07:09


SOLUTION
This solution is only available to members.
Hi Cris.. Exactly ONE .. The one with IP for the server 192.168.0.50
There are 3 NIC's enabled, two are disconnected. You need to disable the other two and run the "Fix my network wizard" as a start. As Cris said only one NIC is supported, even though they are disconnected that is considered active.

I still think you have a Cisco config issue.
The IP config shows
Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Server Adapter
   Physical Address. . . . . . . . . : 00-15-17-F6-CD-EC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDI
 VBD Client) #2
   Physical Address. . . . . . . . . : 84-2B-2B-49-B5-17
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDI
 VBD Client)
   Physical Address. . . . . . . . . : 84-2B-2B-49-B5-16
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8da:709:ecce:d11c%11(Preferred)
   Link-local IPv6 Address . . . . . : fe80::e4f6:fb8c:26d0:db1d%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 293874475
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-48-0A-75-00-15-17-F6-CD-E

   DNS Servers . . . . . . . . . . . : fe80::8da:709:ecce:d11c%11
                                       192.168.0.50
   NetBIOS over Tcpip. . . . . . . . : Enabled

I'll bet this is a Dell?
If this were me, I'd plug the network cable into the Intel adapter, put the same static settings and disable the two "built in" Broadcom NICs in BIOS.   That would uncomplicate a lot

 
 
Try disabling RRAS on the SBS if enabled as well.
Thanks guys

Yes I disabled the other two NICs as you suggested.. but I'll kill off the two built in NICs in BIOS for good measure..  I'll have to wait until the users are finished.. they have enough disruption already!  Have you any idea why the Fix my Network wizard keeps changing my chosen IP? It says it can't find a router and then shows internet connected and everything is ok?!
SOLUTION
This solution is only available to members.
I hope I can be of assistance...  From the face value of looking at the configurations, it looks fine.  That configuration should let you browse the Internet without any problems.  With the Zyxel router going out, there must have been a reason behind it.  That reason could cause problems with the PIX as well.  However, we won't know enough to tell unless we can do a debug inside the PIX and watch how data is being translated.

We can do some explicit configurations to see if it would work and here's a few things you can do:

1. Add ICMP to your ACL.
access-list acl_group permit icmp any any
This will allow pings to return in, though it should allow it to return in if you request it from the inside.  But, now, we are specifying it
2. Create another ACL for outbound
access-list acl_out permit ip any any
3. Assign the ACL to an interface
access-group acl_out in interface inside

Here, we are just forcing the connections because we think the PIX is the issue.  Now that ICMP is allowed (also a part of ip), you should be able to use pings to test where your problem is.

As mentioned, your original configuration looks fine.  When you access something on the outside, the PIX automates an established connection over your fixup allowances.  ICMP is not one of them because it's forcing an ICMP echo response/request.

Now, since you can browse from your server, test this from your workstation.  
1. ping the default gateway
Just to make sure you can hit the PIX... that's all.
2. ping the PIX's default gateway (217.36.14.210)
Let's see if you can get past the PIX at all to your very next hop.  If not, then you have something very wrong with the PIX because that IP address belongs to the network that PIX belongs to.
3.  If you can ping the PIX's gateway, then ping some IP address on the Internet i.e. 209.191.122.70 (Yahoo's).
If you can get here, then your NATs (actually PATs) are correct and there is something else wrong.

Try that first and see where we can go from there.
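
An added example, not part of any post in the thread: the layered test suggested in the replies above (default gateway, the firewall's next hop, an Internet host by IP, then a name), written in Python so the same checks can be run on a client and on the server and compared. The function names and result labels are assumptions; the Internet-by-IP step uses a TCP connection to port 80 instead of ping, because ICMP replies through the PIX depend on the ACL.

```python
import socket
import subprocess
import sys

def ping(host):
    """Send one ICMP echo with the OS ping command; True if it exits 0."""
    flag = "-n" if sys.platform.startswith("win") else "-c"
    try:
        done = subprocess.run(["ping", flag, "1", host], timeout=10,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0

def tcp_open(host, port=80, timeout=3):
    """True if a TCP connection completes (what 'browse by IP' really tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolves(name):
    """True if the configured DNS server returns an address for the name."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def probe(gateway, next_hop, internet_ip, name):
    """Run the four checks from this host and return their results."""
    return {"gateway": ping(gateway), "next_hop": ping(next_hop),
            "web_by_ip": tcp_open(internet_ip), "dns": resolves(name)}

def locate_fault(r):
    """Turn one host's results into the layer where traffic stops."""
    if not r["gateway"]:
        return "lan"                      # cannot reach the inside interface
    if not r["web_by_ip"]:
        # A failed next-hop ping is inconclusive when ICMP is not permitted.
        return "upstream" if r["next_hop"] else "firewall_or_next_hop"
    if not r["dns"]:
        return "dns"                      # routing and NAT work, names do not
    return "ok"

def compare(client, server):
    """Same path, different outcome per source address: check NAT/ACL scope."""
    c, s = locate_fault(client), locate_fault(server)
    if s == "ok" and c in ("firewall_or_next_hop", "upstream"):
        return "per_host_policy"
    return c

if __name__ == "__main__":
    # usage: script.py <gateway> <next-hop> <internet-ip> <hostname>
    results = probe(*sys.argv[1:5])
    print(results, "->", locate_fault(results))
```

Run it once on a client and once on the server with the same four arguments, then pass both result dictionaries to `compare`.
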
Thanks to you all for your invaluable help.. the problem, in the end was quite prosaic...  I had been given some incorrect information regarding setting up the DSL router/modem.. something quite basic!
Anyway some useful pointers by Mike in CISCO area https://www.experts-exchange.com/questions/26608596/CISCO-PIX-501-suspected-of-malfunction.html?anchorAnswerId=34122574#a34122574
helped pinpoint the problem.  Unfortunately, I had lost my original notebook where I kept notes of this config.. so I didn't spot the fault.. sometimes it's staring you in the face.. and you can't see it!!
I'll try and assign the points fairly as everyone has been helpful.. So thanks again.
Solution arrived at through two different threads.. both with excellent advice.. Thanks to all.. Omar
Sorry.. I meant to award Cris some points for his first comment.. which was pretty close to the source of the whole issue.. my mouse must have wandered! .. If a moderator is available, perhaps I can reassign some of the points?
Thanks OmarSenussi. Glad to hear you were able to resolve.
If you would like to reallocate points, to which I have no objection and agree you should, just click on the "request attention" link in the original question area.
Cheers!
--Rob