Access Issue

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.

Access Issue

Post by Guest » Thu Mar 09, 2006 4:40 pm

We are not able to ping the IP 10.2.1.240. Can anyone look into the issue and help us? Here is the scenario described below:

server 192.162.2.X -------> Switch ------> Firewall --------> Router

Now we need to access the IP 10.2.1.240 from the server. From the server the tracert result is given below:

C:>tracert 10.2.1.240
Tracing route to 10.2.1.240 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.99.10 -------------------------------> Router IP
  2     *        *        *     Request timed out.
  3     *     ^C

In the router we have checked the below result:

Router#sh ip route 10.2.1.240
Routing entry for 10.2.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.252.126.1
      Route metric is 0, traffic share count is 1

The following route has been configured on the router:

ip route 10.2.1.0 255.255.255.0 10.252.126.1

Waiting for your help and suggestion.

Guest

Re:Access Issue

Post by Guest » Thu Mar 09, 2006 4:58 pm

Please advise the IP address of each hop. If you can share the config of the firewall and router, that would help.

Guest

Re:Access Issue

Post by Guest » Thu Mar 09, 2006 6:37 pm

Here is the router config for your reference:

Building configuration...
Current configuration : 5060 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 213.42.20.20
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 86.96.194.214 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.98.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description -- Connected TO  LAN -----
 switchport access vlan 100
!
interface FastEthernet0/1/1
 description --- SITE TO SITE L3  LINK----
 switchport access vlan 200
!
interface FastEthernet0/1/2
 description --- *********MARKET WAN LINK -----
 switchport access vlan 126
!
interface FastEthernet0/1/3
 description -- ********MARKET CONNECTION -----
 switchport access vlan 34
 spanning-tree portfast
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
interface Vlan34
 ip address 10.16.34.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Vlan100
 ip address 192.168.99.10 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
!
interface Vlan126
 ip address 10.252.126.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Vlan200
 ip address 192.168.100.26 255.255.255.252
 ip ospf network point-to-point
 ip ospf priority 0
 ip ospf mtu-ignore
!
interface Vlan426
 no ip address
!
router ospf 100
 log-adjacency-changes
 network 192.168.11.224 0.0.0.31 area 0
 network 192.168.100.4 0.0.0.3 area 0
!
router ospf 1
 log-adjacency-changes
 network 192.168.99.10 0.0.0.0 area 0
 network 192.168.100.26 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 86.96.194.209
ip route 10.2.1.0 255.255.255.0 10.252.126.1
ip route 10.50.5.0 255.255.255.0 10.16.34.1
ip route 10.250.126.0 255.255.255.0 192.168.99.9
ip route 150.100.0.0 255.255.0.0 10.16.34.1
ip route 172.168.10.0 255.255.255.0 192.168.98.9
ip route 172.168.10.0 255.255.255.0 192.168.3.34
ip route 192.168.30.0 255.255.255.0 10.16.34.1
ip route 213.42.105.160 255.255.255.224 10.16.34.1 10
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 60
ip nat pool DFM_M 10.16.34.10 10.16.34.10 netmask 255.255.255.0
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list DFM pool DFM_M overload
ip nat inside source static 172.168.10.102 86.96.194.212
ip nat inside source static 172.168.10.8 86.96.194.213
ip nat inside source static 192.168.2.27 86.96.194.217
!
ip access-list extended DFM
 permit ip any 213.42.105.0 0.0.0.255 log
 permit ip any 213.42.105.160 0.0.0.31 log
 permit ip any 192.168.30.0 0.0.0.255 log
 permit ip any 150.100.0.0 0.0.255.255 log
 permit ip any 10.50.5.0 0.0.0.255
!
no logging trap
access-list 100 deny   ip any 213.42.105.0 0.0.0.255 log
access-list 100 deny   ip host 172.168.10.8 any log
access-list 100 deny   ip host 86.96.194.213 any log
access-list 100 deny   ip host 172.168.10.102 any log
access-list 100 deny   ip host 86.96.194.212 any log
access-list 100 permit ip any any
!
line con 0
 logging synchronous
 login
line aux 0
line vty 0 4
 privilege level 15
 password 7 02070D5D18070B2C1D40
 logging synchronous
 login
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Router#sh ip route 10.2.1.240
Routing entry for 10.2.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.252.126.1
      Route metric is 0, traffic share count is 1

Router#ping 10.2.1.240
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.240, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 86.96.194.209 to network 0.0.0.0

O E2 192.168.14.0/24 [110/51] via 192.168.100.25, 01:11:46, Vlan200
     86.0.0.0/28 is subnetted, 1 subnets
C       86.96.194.208 is directly connected, GigabitEthernet0/0
C    192.168.99.0/24 is directly connected, Vlan100
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S       10.2.1.0/24 [1/0] via 10.252.126.1
C       10.252.126.0/30 is directly connected, Vlan126
S       10.250.126.0/24 [1/0] via 192.168.99.9
O E2 192.168.1.0/24 [110/51] via 192.168.100.25, 01:11:46, Vlan200
O    192.168.2.0/24 [110/11] via 192.168.99.9, 01:11:46, Vlan100
     192.168.100.0/30 is subnetted, 2 subnets
C       192.168.100.24 is directly connected, Vlan200
O E2    192.168.100.20 [110/1] via 192.168.100.25, 01:11:46, Vlan200
S*   0.0.0.0/0 [1/0] via 86.96.194.209

If anything else you require.....then let us know...

Guest

Re:Access Issue

Post by Guest » Thu Mar 09, 2006 7:44 pm

Can you advise what device is 10.252.126.1 and 192.168.99.9? As advised earlier, you would need to check each hop to make sure that the traffic passes through each hop successfully. At this point, from the limited information, I won't be able to tell you where it's breaking.

Guest

Re:Access Issue

Post by Guest » Thu Mar 09, 2006 7:52 pm

192.168.99.9 is the firewall IP and 10.252.126.1 is the IP of the market WAN link (though we have limited information regarding the actual scenario); that is the next-hop IP for any traffic from our network to the outside world. One of the VLANs, 126, has been configured on the router on our side with 10.252.126.2. Also, we are not able to ping the IP 10.252.126.1 from the router itself.
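The routing-table half of the hop-by-hop check asked for in this thread, as an added example (not code from any poster): a longest-prefix-match lookup over interface and static-route lines copied from the posted configuration, following each next hop until it lands on a connected subnet. The names `parse` and `resolve` are illustrative, and OSPF-learned routes are left out of the sample.

```python
import ipaddress

# Subset of the router configuration posted in the thread.
CONFIG = """\
interface GigabitEthernet0/0
 ip address 86.96.194.214 255.255.255.240
interface Vlan34
 ip address 10.16.34.5 255.255.255.0
interface Vlan100
 ip address 192.168.99.10 255.255.255.0
interface Vlan126
 ip address 10.252.126.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 86.96.194.209
ip route 10.2.1.0 255.255.255.0 10.252.126.1
ip route 10.250.126.0 255.255.255.0 192.168.99.9
"""

def parse(config):
    """Return (connected, static): [(network, ifname)], [(network, next_hop)]."""
    connected, static, ifname = [], [], None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            ifname = words[1]
        elif words[:2] == ["ip", "address"] and ifname:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            connected.append((net, ifname))
        elif words[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            static.append((net, ipaddress.ip_address(words[4])))
    return connected, static

def resolve(dest, connected, static, depth=0):
    """Longest-prefix match; recurse on static next hops until a connected
    subnet is reached. Returns (next_hops, egress_interface or None)."""
    dest = ipaddress.ip_address(dest)
    cands = [(n, "C", i) for n, i in connected if dest in n]
    cands += [(n, "S", h) for n, h in static if dest in n]
    if not cands or depth > 8:  # no matching route, or a resolution loop
        return [], None
    # Most specific prefix wins; connected beats static on a tie.
    net, kind, target = max(cands, key=lambda c: (c[0].prefixlen, c[1] == "C"))
    if kind == "C":
        return [], target
    hops, iface = resolve(target, connected, static, depth + 1)
    return [str(target)] + hops, iface

if __name__ == "__main__":
    print(resolve("10.2.1.240", *parse(CONFIG)))
```

For 10.2.1.240 the lookup returns next hop 10.252.126.1 on Vlan126, a directly connected /30, so the route itself resolves and the first segment to test is the link to 10.252.126.1.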
