Cannot ping or view web sites with 192. ip addresses

Status
Not open for further replies.

Joefederico

Programmer
Aug 12, 2003
14
US
Our network uses an ip scheme of 192.168.1.x subnet 255.255.255.0. Whenever I attempt to access a web site beginning with 192.x.x.x it times out. I also cannot ping them, either by name or ip address. All other web sites work out fine. The clients are set up to go through the default gateway (Cisco 1720 Router). I know there must be something I need to configure on the router. Below is the config. When I use the tracert 192.x.x.x command the router shows up but then everything else times out.

HOSTNAME#show config
Using 1243 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname HOSTNAME
!
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain-lookup
!
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.252
no ip route-cache
no ip mroute-cache
tunnel source 192.168.x.xxx
tunnel destination 65.119.208.110
!
interface Ethernet0
no ip address
shutdown
half-duplex
!
interface FastEthernet0
ip address 192.168.x.xxx 255.255.255.0
no ip route-cache
no ip mroute-cache
speed auto
!
interface Serial0
ip address 172.16.1.6 255.255.255.252
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.x.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.x.xxx 'this is PIX VPN
ip route 65.119.208.110 255.255.255.255 192.168.x.xxx 'same
no ip http server
ip pim bidir-enable
!
!
!
line con 0
line aux 0
line vty 0 4
login
line vty 5 15
login
!
end

Anyone's help is greatly appreciated!

 
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The above are the RFC 1918 blocks of addresses. If you note the 16 in the prefix, this translates to a subnet mask of 255.255.0.0; yours is 255.255.255.0. I would say adjust your subnet mask according to the RFC 1918 specs. After doing that you should be right as rain.
 
tschouten, regardless of what the third octet in his 192.168.x.x addresses is, he's still within the space allotted by RFC1918.
 
Oops, shouldn't have submitted yet... Joefederico, could you post a sh ip route?
 
Here are the 2 lines I have regarding that. Please note that these lines are in the PIX 506e configuration:

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5

Hope you can help me. Thanks!
 
Oops copied wrong thing. Here's the results:

HOSTNAME#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.1.246 to network 0.0.0.0

65.0.0.0/32 is subnetted, 1 subnets
S 65.119.208.110 [1/0] via 192.168.1.246
172.16.0.0/30 is subnetted, 2 subnets
C 172.16.1.4 is directly connected, Serial0
C 172.16.1.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
O 10.1.0.0 [110/65] via 172.16.1.5, 3d08h, Serial0
C 192.168.1.0/24 is directly connected, FastEthernet0
S* 0.0.0.0/0 [1/0] via 192.168.1.246

Hope you can help.
 
Ok, I think I know what your problem is.

Is 192.168.1.246 your FA0 interface or is it your PIX?

If it's the PIX, then is it on the local segment of FA0?



"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
192.168.1.246 is the internal IP address of the PIX. Don't believe it's on the local segment as it has a direct T1 connection, as does the router. The PIX, besides serving as a firewall, has been set up with a VPN to allow home users to connect. In addition, I believe our remote office somehow connects through here as well as their ip scheme is in an access list in the PIX config.

Hope you can still help this slightly confused person.
 
Bad news...your router only knows about one 192.168.1.X subnet. And that's your FA0 interface. So if your PIX is not hanging off that LAN segment, then you can't get out to any other 192.168.x.x subnet. Simple.

Now, if your PIX is out there in "internetwork" land and your router can't see that subnet, then you have to ask yourself why?

I want to know what's 172.16.1.5? Is this another router in Area 0? Is the PIX in that direction on your network?

I can fix this, but I need you to be more specific about your network. You can't omit IP addresses and expect anyone to be able to help you. Just leave out the passwords. Showing people your private addresses won't hurt anything. Let me know....I'd like to help you get this corrected.
 
Here are the configs for both the router and PIX. Thanks for all your assistance. The 172.16 is not another router. I believe it might be a NAT address when leaving the inside network? Not really sure. Perhaps these configs can tell you more?

1720 Router
HOSTNAME#show config
Using 1205 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
!
hostname HOSTNAME
!
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain-lookup
!
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.252
no ip route-cache
no ip mroute-cache
tunnel source 192.168.1.245
tunnel destination 65.119.208.110
!
interface Ethernet0
no ip address
shutdown
half-duplex
!
interface FastEthernet0
ip address 192.168.1.245 255.255.255.0
no ip route-cache
no ip mroute-cache
speed auto
!
interface Serial0
ip address 172.16.1.6 255.255.255.252
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.246
ip route 65.119.208.110 255.255.255.255 192.168.1.246
no ip http server
ip pim bidir-enable
!
!
!
line con 0
line aux 0
line vty 0 4
login
line vty 5 15
login
!
end

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname myHOSTNAME
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 100 permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
access-list 100 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list 100 permit ip 192.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list 100 permit ip 192.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
access-list 100 permit ip host 192.168.1.245 host 65.119.208.110
access-list 111 permit gre host 192.168.1.245 host 65.119.208.110
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 65.119.209.169 255.255.254.0
ip address inside 192.168.1.246 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.16.39.1-172.16.39.100
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.119.208.218 192.168.1.199 netmask 255.255.255.255 0 0
conduit permit esp any any
conduit permit udp any any eq isakmp
conduit permit gre any any
conduit permit icmp any any echo
conduit permit icmp any any echo-reply
conduit permit icmp any any source-quench
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
conduit permit tcp host 65.119.208.218 eq pop3 any
conduit permit tcp host 65.119.208.218 eq conduit permit tcp host 65.119.208.218 eq smtp any
route outside 0.0.0.0 0.0.0.0 65.119.208.1 1
route inside 10.0.0.0 255.0.0.0 192.168.1.245 1
route inside 172.16.0.0 255.255.0.0 192.168.1.245 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set TSET2 esp-des esp-md5-hmac
crypto dynamic-map VPN 1 set transform-set TSET2
crypto map outside 1 ipsec-isakmp dynamic VPN
crypto map outside 50 ipsec-isakmp
crypto map outside 50 match address 111
crypto map outside 50 set peer 65.119.208.110
crypto map outside 50 set transform-set TSET2
crypto map outside client configuration address initiate
crypto map outside client configuration address respond
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 65.119.208.110 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup outside address-pool VPN
vpngroup outside wins-server 192.168.1.10
vpngroup outside default-domain wlll.com
vpngroup outside split-tunnel 100
vpngroup outside idle-time 1800
vpngroup outside password ********
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
dhcpd dns 205.171.3.65 205.171.20.251
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain domain.com
terminal width 80
Cryptochecksum:4895fff8650cb90d9882ebfc6e98de91
 
 
Ok, your router has interface FastEthernet 0 with IP address of 192.168.1.245/24. Now your PIX inside interface is IP address 192.168.1.245/24. If these two devices are not on the same subnet, you have a really messed up network! I'm betting that they are on the same LAN segment, at least those two interfaces are.

If you're positive that they are not, then you can't have the same subnet on two sides of the same router.

BE VERY SPECIFIC...IS THE PIX AND ROUTER FA0 ON THE SAME PHYSICAL SEGMENT?
 
It sounds as though other traffic works fine for Joefederico... his router and PIX must be communicating if this is true, so they must be on the same segment, correct? His routing table/configuration confirms that 192.168.1.x is only on the one interface, anyway...

Joefederico, just to confirm the situation... your clients are having problems connecting to _public_ 192.x.x.x addresses, correct? We're not talking about other 192.168.x.x subnets on your own network, are we?
 
Yes, they are on the same physical segment; there are no other physical subnets of the 192.168.x.x LAN. Communication within the LAN is perfect. Just can't reach public web sites beginning with 192.x.x.x, neither by name nor IP via ping.
 
This is a PIX problem; you have access-list 100 for tunnel non-translation traffic, nat 0.
 
I agree with CiscoTechswe, this is a PIX issue all the way. And I'm not a PIX person...can't help you there. Sorry.
 
Thanks for all your help. Because of your assistance at least I was able to narrow it down to the PIX. I further defined 2 access lists and voila! VPN is restored and I am able to reach all web sites. It appeared, as I had not further defined the access lists (192.0.0.0 255.0.0.0), the web page request never left the building, preferring, instead, to search within the LAN for the address which it would never find. Thanks again!
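
An added example, not part of the original thread or any poster's code: a Python check for the condition the thread converged on, a `nat (inside) 0 access-list` exemption whose entries match destinations outside RFC 1918 space, such as `192.0.0.0 255.0.0.0`. The sample input is constructed from the PIX lines posted above; the function names are hypothetical, and only `host`, `any` and address/mask operands without port operators are parsed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the ACL and nat lines from the PIX config in this thread.
SAMPLE_CONFIG = """\
access-list 100 permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 100 permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
access-list 100 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list 100 permit ip 192.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list 100 permit ip 192.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
access-list 100 permit ip host 192.168.1.245 host 65.119.208.110
access-list 111 permit gre host 192.168.1.245 host 65.119.208.110
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def take_network(tokens):
    """Consume 'host A', 'any' or 'addr mask' from the front of a token list."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # PIX ACLs take a network mask here, not an IOS-style wildcard mask.
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def is_private(net):
    """True only if the whole network sits inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)

def audit_nat_exemption(config):
    """Return (acl_id, line, dst_network) for each permit entry of an ACL
    referenced by 'nat (...) 0 access-list N' whose destination is not
    wholly inside RFC 1918 space, i.e. traffic to public addresses that
    would leave the firewall untranslated."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    exempt_acls = {t[4] for t in lines
                   if t[0] == "nat" and len(t) >= 5
                   and t[2] == "0" and t[3] == "access-list"}
    findings = []
    for t in lines:
        if t[0] != "access-list" or t[1] not in exempt_acls or t[2] != "permit":
            continue
        _src, rest = take_network(t[4:])   # t[3] is the protocol keyword
        dst, _ = take_network(rest)
        if not is_private(dst):
            findings.append((t[1], " ".join(t), dst))
    return findings
```

On the sample it reports two entries of access-list 100: the `192.0.0.0 255.0.0.0` destination, which covers public 192.x.x.x space, and the host entry toward 65.119.208.110, which is the tunnel peer and needs a deliberate decision rather than a blanket match.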
 
Acckk, just got back from vacation and re-read what I posted! What the hell was I thinking? Sorry all, that was a really bad post. Also glad to see the problem was resolved; IPKONFIG, kittenhammer and all deserve some props. :-D

Again, sorry for the horrid post... must have been asleep at the wheel.
 