Mike Orther
asked on
Problem pinging RRAS server from outside the network
RRAS has been working successfully for a few years. Last week something seems to have changed and we are no longer able to ping the public IP Address that is port forwarded to the Windows 2k3 server IP Address 192.168.100.3.
From the 192.168.100.3 server, if we go to http://canyouseeme.org we see our public IP address. When we check Port 1723 (PPTP port) we get a successful reply which leads us to believe that both the firewall and ISP are not blocking this port.
We are currently using an ASA 5506-X running ASA Version 9.4(1)
access-list outsideif_in extended permit tcp any object obj-192.168.100.3 eq pptp
object network obj-192.168.100.3
nat (insideif,outsideif) static (Public IP Address)
netstat -an -o |find /i "listening" shows in attachment.
Does anyone have any suggestions?
netstat.JPG
ASKER
Is there anyone that might have a suggestion of the issue I am having?
So the problem is definitely within the ASA. Have you tried clearing out the ICMP configuration, then setting it up again with the same rule?
Another step you can try is to change "outsideif_in" to "outside_in" on line 7.
ASKER
Thanks Masnrock: I tried what you suggested, but no luck. Still unable to ping from outside the network. This is really crazy, because this was working and nothing had changed on my side. No firewall or server changes.
Can you pull up any firewall logs that may help? Usually there is going to be something that will indicate what rule denied or rejected it?
ASKER
Hello Masnrock. You were correct, there was a problem with the ICMP. We ended up adding the last line "icmp-object echo" and that fixed the issue. Really not sure how this was working before, but happy it is now.
bsesingasa# sho run object-group id icmpallow
object-group icmp-type icmpallow
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object source-quench
icmp-object echo
Thanks for your great help. Mike
You're quite welcome, and glad you're functioning properly at this point.
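As an added example (not part of the thread or anyone's posted configuration): a small Python check that reads `show run object-group` output and reports whether an icmp-type group matches both halves of a ping, echo and echo-reply. It assumes the group is the one the outside ACL's ICMP rule references, which the thread does not show; the function names and the BEFORE sample are constructed here.

```python
import re

# ASA icmp-object keywords seen in the thread, mapped to ICMP type numbers.
ICMP_TYPE = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
             "echo": 8, "traceroute": 30}
GROUP_RE = re.compile(r"^object-group\s+icmp-type\s+(\S+)")
MEMBER_RE = re.compile(r"^icmp-object\s+(\S+)")

def parse_icmp_groups(config):
    """Return {group name: set of ICMP type numbers} from 'show run object-group' text."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        group, member = GROUP_RE.match(line), MEMBER_RE.match(line)
        if group:
            current = groups.setdefault(group.group(1), set())
        elif member and current is not None:
            token = member.group(1)
            if token.isdigit():            # members may be raw type numbers
                current.add(int(token))
            elif token in ICMP_TYPE:
                current.add(ICMP_TYPE[token])
        elif line and raw == raw.lstrip():  # a new top-level command ends the group
            current = None
    return groups

def ping_findings(types):
    """List which halves of a ping exchange the group fails to match."""
    findings = []
    if 8 not in types:
        findings.append("echo (type 8) missing: pings arriving from outside do not match")
    if 0 not in types:
        findings.append("echo-reply (type 0) missing: replies to inside-initiated pings do not match")
    return findings

# Constructed sample: the thread's group without its final line, as described by the asker.
BEFORE = """object-group icmp-type icmpallow
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object source-quench
"""
AFTER = BEFORE + " icmp-object echo\n"   # the group as posted after the fix

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for name, types in parse_icmp_groups(cfg).items():
            print(label, name, sorted(types), ping_findings(types) or "ping types present")
```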
ASKER
ICMP is exactly the same on the ASA as it was 4 months ago when I made my last backup. Below are the ICMP settings.
This is really strange that it just stopped working last week. It seems as though the ISP has changed something or blocked something, but they assure me nothing has changed. Ughhhh!