Solved

Problem pinging RRAS server from outside the network

Posted on 2016-10-03
11
79 Views
Last Modified: 2016-10-26
RRAS has been working successfully for a few years.  Last week something seems to have changed and we are no longer able to ping the public IP Address that is port forwarded to the Windows 2k3 server IP Address 192.168.100.3

From the 192.168.100.3 server, if we go to http://canyouseeme.org we see our public IP address.  When we check Port 1723 (PPTP port) we get a successful reply which leads us to believe that both the firewall and ISP are not blocking this port.

We are currently using an ASA 5506-X running ASA Version 9.4(1)

access-list outsideif_in extended permit tcp any object obj-192.168.100.3 eq pptp

object network obj-192.168.100.3
 nat (insideif,outsideif) static (Public IP Address)

Open in new window


netstat -an -o |find /i "listening" shows in attahcment.

Does anyone have any suggestions?
netstat.JPG
0
Comment
Question by:morther
  • 4
  • 4
11 Comments
 
LVL 23

Accepted Solution

by:
masnrock earned 500 total points
ID: 41827788
Is ICMP traffic set to be blocked anywhere? If so, there possibly lies your issue. You need to check the ASA and the server. Also, have you tried pinging the server's private IP address from within the network? If this works, then the issue points to the ASA. If this doesn't work, then it points to the server itself.

While you mention that you cannot ping the server, it also sounds like the server has not been down either. Is that correct?
0
 

Author Comment

by:morther
ID: 41828458
Thanks masnrock for the reply.  I am able to ping the internal address of the server.

ICMP is exactly the same on the ASA as it was 4 months ago when I made my last backup.  Below are the ICMP settings.

object-group icmp-type icmpallow
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object source-quench

access-list outsideif_in extended permit icmp any any object-group icmpallow

icmp unreachable rate-limit 1 burst-size 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  inspect icmp

Open in new window


This is really strange that it just stopped working last week.  It seems as though the ISP has change something or blocked something, but they assure me nothing has changed.  Ughhhh!
0
 

Author Comment

by:morther
ID: 41831862
Is there anyone that might have a suggestion of the issue I am having?
0
 
LVL 23

Expert Comment

by:masnrock
ID: 41832407
So the problem is definitely within the ASA. Have you tried clearing out the ICMP configuration, then setting it up again with the same rule?

Another step you can try is to change "outsideif_in" to "outside_in" on line 7.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:morther
ID: 41834134
Thanks Masnrock:  I tried what you suggested, but no luck.  Still unable to ping the from outside the network.  This is really crazy, because this was working and nothing had changed on my side.  No firewall or server changes.
0
 
LVL 23

Expert Comment

by:masnrock
ID: 41834180
Can you pull up any firewall logs that may help? Usually there is going to be something that will indicate what rule denied or rejected it?
0
 

Author Closing Comment

by:morther
ID: 41860383
Hello Masnrock.  You were correct, there was a problem with the ICMP. We ended up adding the last line "icmp-object echo" and that fixed the issue.  Really not sure how this was working before, but happy it is now.

bsesingasa# sho run object-group id icmpallow
object-group icmp-type icmpallow
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object source-quench
 icmp-object echo

Thanks for you great help.  Mike
0
 
LVL 23

Expert Comment

by:masnrock
ID: 41860394
You're quite welcome, and glad you're functioning properly at this point.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now