EKRIN

Why can't I ping anything or tracert anything past my gateway?

I can't ping anything or tracert anything past my router. I have a Dell 6024 Layer 3 router with 10 different VLANs on it, and none of them can get past the VLAN Gateway. 10.10.200.2 is our PIX 515e and 10.10.200.1 is our Cisco VPN Concentrator. I can't seem to get to any of those on a tracert. But I can ping them fine within the network. Also, pinging any outside IP does not work either.


Here are some results:
H:\>tracert 4.2.2.2

Tracing route to vnsc-bak.sys.gtei.net [4.2.2.2]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.23.254
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

H:\>ping google.com

Pinging google.com [74.125.225.19] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 74.125.225.19:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

H:\>ping 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

H:\>ping 10.10.200.2

Pinging 10.10.200.2 with 32 bytes of data:
Reply from 10.10.200.2: bytes=32 time<1ms TTL=254
Reply from 10.10.200.2: bytes=32 time<1ms TTL=254
Reply from 10.10.200.2: bytes=32 time<1ms TTL=254
Reply from 10.10.200.2: bytes=32 time<1ms TTL=254

Ping statistics for 10.10.200.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

H:\>ping 10.10.200.1

Pinging 10.10.200.1 with 32 bytes of data:
Reply from 10.10.200.1: bytes=32 time<1ms TTL=127
Reply from 10.10.200.1: bytes=32 time<1ms TTL=127
Reply from 10.10.200.1: bytes=32 time<1ms TTL=127
Reply from 10.10.200.1: bytes=32 time<1ms TTL=127

Ping statistics for 10.10.200.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
spiderwilk007

On the Dell 6024 you need to make sure your LAN to WAN settings are correct for each VLAN. You might need to specifically allow LAN to WAN services for each VLAN.
Your gateway might forbid ping.
ASKER CERTIFIED SOLUTION
Vinicio Guzman
EKRIN

ASKER

Well thanks, but not really sure how to accomplish that. I have internet access, so I know the WAN is working, but other than that....I know WAN is VLAN4000 and I am on VLAN23 and not sure about much more...:)
EKRIN

ASKER

Firewall is on, but I don't see anything in it that is allowing ICMP Echo requests. But I can ping my firewall from outside the network no problems at all. Do I need a line in my pix like:
access-list 101 permit icmp any any echo-reply

EKRIN

ASKER

I was reading that exact same article when you sent that. :) Not sure if that applies though since the outside can already ping my PIX
In the link provided by vquzman you have two methods to send ping through the firewall: access-lists and inspect. You should use inspects since it adds a more secure method.
In the section "Pings Outbound" it clearly says:
There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to setup a specific rule for each type of echo message.

For example:

    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any unreachable  
    access-list 101 permit icmp any any time-exceeded
    access-group 101 in interface outside
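
Added example, not part of the original thread or the linked Cisco document: a Python model that contrasts the stateless ACL quoted above with a simplified stateful echo tracker, to show what the comment means by inspection being the more secure option. The host address, the packets and the `EchoTracker` class are constructed for illustration; NAT and ICMP error handling are not modelled.

```python
# Added example: the ACL text is quoted from the page; packets are constructed.
ACL_101 = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
"""

def parse_acl(text):
    """Collect the ICMP message names that 'permit icmp any any <name>' lines allow."""
    allowed = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[2:6] == ["permit", "icmp", "any", "any"]:
            allowed.add(f[6])
    return allowed

def acl_permits(allowed, pkt):
    """Stateless: only the ICMP type is checked; anything unlisted hits the implicit deny."""
    return pkt["type"] in allowed

class EchoTracker:
    """Simplified stateful model (not the PIX engine): pass an echo-reply only
    if it answers an echo request that was seen leaving the inside network."""
    def __init__(self):
        self.pending = set()

    def saw_outbound_echo(self, src, dst, ident, seq):
        self.pending.add((src, dst, ident, seq))

    def permits(self, pkt):
        if pkt["type"] != "echo-reply":
            return None  # only echo/echo-reply is modelled here
        key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
        hit = key in self.pending
        self.pending.discard(key)  # each request is answered once
        return hit

HOST = "10.10.23.10"  # constructed inside host on VLAN 23
INBOUND = {           # constructed packets arriving on the outside interface
    "reply to our ping":  {"type": "echo-reply", "src": "4.2.2.2", "dst": HOST, "id": 1, "seq": 1},
    "unsolicited reply":  {"type": "echo-reply", "src": "203.0.113.5", "dst": HOST, "id": 9, "seq": 9},
    "tracert hop answer": {"type": "time-exceeded", "src": "198.51.100.1", "dst": HOST},
    "ping from outside":  {"type": "echo", "src": "203.0.113.5", "dst": HOST, "id": 2, "seq": 1},
}

def compare():
    """Return {label: (acl_verdict, tracker_verdict)} for every constructed packet."""
    allowed, tracker = parse_acl(ACL_101), EchoTracker()
    tracker.saw_outbound_echo(HOST, "4.2.2.2", 1, 1)  # the asker's 'ping 4.2.2.2'
    return {k: (acl_permits(allowed, p), tracker.permits(p)) for k, p in INBOUND.items()}
```

The ACL passes the unsolicited echo-reply because it matches on message type alone, while the tracker passes only the reply that corresponds to a request it saw go out.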

Hello,
    Not sure there is enough information to really answer the question, but maybe I can get you started in the right direction.  Before going into topology questions, are ping and tracert the only issues you are having? For instance, can you browse the internet?  If you can browse or otherwise reach the net, then your likely problem is your ACLs in the PIX.  You would need to allow incoming ICMP "echo-replies" and "time-exceeded" and/or adjust your ICMP inspection policies.
Do the devices you're pinging have a route back to the source of the pings?
Can you do a "show running config" on your Cisco and give us the output?
Also on the Dell.
The--Captain
There are three likely potential causes:

The networking equipment doesn't know how to deliver the packets to the destination (need NAT and/or appropriate route(s)?)

The networking equipment doesn't know how to return replies to the sender (need NAT and/or appropriate route(s)?)

The networking equipment is actively configured to block the packets, or their replies (need to adjust ACLs?)


Start with sniffers on both ends, and go from there.
EKRIN

ASKER

Firewall blocking ping and tracert