Cisco can not ping ISA

sogol

IS-IT--Management
May 7, 2007
20
IR
Hello everyone,
I am in big trouble, I hope you can help me solve this problem.
I have 3 LANs; two of them are connected with two Cisco routers: one with 3660 series and another one with 2600 series. The third LAN is connected with the second one with VPN (site-to-site VPN between two ISA servers).
My problem is with the static routes that I defined. The routers can see each other and each other's LANs, but the 2600 Cisco router cannot see the ISA server even though its ping is open, but ISA can see this router. Does anyone have any idea why I cannot ping the ISA but it can ping me? The 2600 router can see all the IPs in the same LAN as ISA but not ISA.

Any advice would be really appreciated.

Sogol

 
One of two things is occurring, given the information: either the 2600 cannot receive the return echo-replies because of no return route, or the ISA server has some sort of firewall. What message do you see from a computer connected to the 2600? What messages do you get from the 2600 when you try to ping? Try debug ip icmp, sh ip route. Also, try to telnet into the ISA server from the 2600.
Can the other router ping the ISA server? Can anything on the LANs ping the ISA server? If none of these suggestions help, please post a sh ip route and sh run from the 2600.

Burt
 
Thank you Burt for your fast reply.

In fact I can ping everything in the same subnet, but not ISA itself. My problem is ISA can ping the router and the router's subnet; the router can ping all the subnet except the ISA server. Without seeing ISA it is not possible to see the third LAN that has the site-to-site VPN connection with this ISA server.
I cannot telnet to the ISA; it says: the connection failed.
Can Cisco connect to any device via telnet, Burt? Or only Cisco-to-Cisco?
I post the results of sh ip route and sh run here:

Jordan#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

192.168.110.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.110.3/32 [1/0] via 192.168.200.3
S 192.168.110.0/24 [1/0] via 192.168.1.1
C 192.168.144.0/24 is directly connected, FastEthernet0/0
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.200.0/24 [1/0] via 192.168.1.1
S 192.168.200.3/32 [1/0] via 192.168.1.1
10.0.0.0/32 is subnetted, 1 subnets
S 10.10.10.3 is directly connected, FastEthernet0/0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial0/0

S* 0.0.0.0/0 [1/0] via 192.168.1.1
Jordan#


And also sh run results:

Jordan#sh run
Building configuration...

Current configuration : 2707 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Jordan
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8zxj$xqEhorrkwU8HQsyBMvtY7.
enable password 7 0201135104140B2042
!
username delaram password 7 01030716481F0303
clock timezone IR 3 30
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip cef
!
!
!
ip name-server 192.168.200.96
no ftp-server write-enable
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface FastEthernet0/0
ip address 192.168.144.10 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.252
ip nat outside
no cdp enable
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat pool NAT 84.241.57.108 84.241.57.108 netmask 255.255.255.252
ip nat inside source list 1 pool NAT overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.110.0 255.255.255.0 192.168.1.1
ip route 192.168.110.3 255.255.255.255 192.168.200.3
ip route 192.168.200.0 255.255.255.0 192.168.1.1
ip route 192.168.200.3 255.255.255.255 192.168.1.1
no ip http server
!
logging trap debugging
logging 192.168.200.96
access-list 1 permit 192.168.144.32 0.0.0.31
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny udp any any eq 136
access-list 101 deny tcp any any eq 136
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 593
access-list 101 deny udp any any eq 593
access-list 101 deny udp any any eq 445
access-list 101 deny udp any any range 990 1000
access-list 101 deny udp any any eq 8998
access-list 101 deny udp any any eq 4444
access-list 101 deny tcp any any eq 4444
access-list 101 deny tcp any any eq 1434
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any range 3127 3198
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
snmp-server community khiar RO
snmp-server enable traps tty
alias exec ct config term
alias exec sr show run
alias exec ver sh version
!
line con 0
line aux 0
line vty 0 4
!
!
!
end

The IP 192.168.200.3 is the IP of the ISA server.
This router is connected via 192.168.1.0 over a leased line to the 3660 router, which has subnet 192.168.200.0.

Subnet 192.168.110.0 is the subnet of the LAN which is connected to ISA via VPN.

The ACL is not applied to any interface.


Thank you for all of your help and advice.

Sogol
 
Yes, Cisco can telnet to any device. The problem seems to be with the ISA box itself. It seems rules are not added. To view the routing table in the ISA server, go to a command prompt and type
ISA>route print
Beyond that, I cannot tell you how to add rules to get back and forth---I really don't know much about them. Have you tried here?

Burt
 
Also, here's a quote from a forum with someone having the same problem, and the solution...
"ISA by default is locked down.

Make an "Access Rule" to allow Ping from "Anywhere" to "Anywhere" for "All Users" just to get basic ping going from other hosts on the network to ISA.

Of course you can substitute "Anywhere" with any network you choose to define. I've suggested "Anywhere" just to make it easier for you to get up and going.

Access Rules are basically ACLs. Publishing Rules are more akin to port forwarding.

This is ISA at its most basic and I suggest you go to to look up some standard deployment docs."

Hope this helps.

Burt
 
Hello Burt,
Thank you for all of your advice.
Unfortunately it still does not work, but one strange thing is that from the 2600 router I can ping the valid IP of the other NIC of the ISA server but am still not able to ping its IP on subnet 192.168.200.0.

I defined a rule for pinging ISA from anywhere. Still it makes no difference.
Do you think there is something wrong with the NIC of the ISA? If yes, why can everyone ping it except the router and the LAN behind it? Recently I cannot ping the LAN behind the 2600 router from ISA either. :(
One other strange thing is that when I trace the interface (192.168.1.0) (which connects the two routers via leased line) from ISA, it does not go to subnet 192.168.200.0 but goes outside and comes in from the interface of the 3660 router that has a valid IP. I really do not get it; the static route that is defined is 192.168.200.0 255.255.255.0 192.168.1.1, but the trace shows something else. Do you have any idea why?
Still I can ping everything in this subnet (192.168.200.0) from the 2600 router except ISA.

Thank you for your help, I really appreciate it.

Sogol
 
Sogol,

Can your client PCs ping the ISA server?

Also...the ISA server has 2 NICs, correct? One NIC for the internal, one for the external.

You also mentioned that the 2600 can ping the external NIC, correct?
 
Hello Bonafide

Yes, all of my PC clients are able to ping the ISA server except the 2600 and the LAN behind it.

Yes, the ISA has 2 NICs. One has a valid IP for connecting the clients to the Internet and for the VPN connection between this LAN (192.168.200.0) and the other one (192.168.110.0), and the second NIC is on the LAN that has static routes through a 3660 Cisco router to the 2600 router and the LAN behind it. All of the PCs in the LAN that has ISA can ping the 2600 router and the LAN behind it; ISA can ping the 2660 and the LAN behind it now, but the 2600 could not ping the ISA server at all.
The strange thing is that the 2600 router can ping the external NIC's IP, which is a valid IP. Do you have any idea why?
When I trace the route to the interface that connects the two routers with each other (192.168.1.0) from ISA, it does not pass my 3660 router, which is set as the gateway of the internal NIC; surprisingly, it passes the valid IP of the ADSL modem, which is the GW of the external NIC.

I appreciate any help and advice.

Sogol
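
An added example, not part of the thread: a longest-prefix-match model of the 2600's posted routes and NAT rule, showing which source address the ISA server sees for each kind of ping and which NIC its reply would leave by. The router values are copied from the "sh run" above; the ISA-side table (`ISA_ROUTES`) is an assumption built from the trace described in the post above, and all function names are hypothetical.

```python
import ipaddress as ip

# From the 2600's "sh run" on this page: (prefix, next hop, connected interface).
ROUTER_ROUTES = [
    ("192.168.144.0/24", None, "FastEthernet0/0"),
    ("192.168.1.0/30", None, "Serial0/0"),
    ("0.0.0.0/0", "192.168.1.1", None),
    ("192.168.110.0/24", "192.168.1.1", None),
    ("192.168.110.3/32", "192.168.200.3", None),
    ("192.168.200.0/24", "192.168.1.1", None),
    ("192.168.200.3/32", "192.168.1.1", None),
]
IFACE_IP = {"FastEthernet0/0": "192.168.144.10", "Serial0/0": "192.168.1.2"}
NAT_ACL = ip.ip_network("192.168.144.32/27")  # access-list 1 permit 192.168.144.32 0.0.0.31
NAT_POOL, NAT_OUTSIDE = "84.241.57.108", "Serial0/0"

# ASSUMPTION (the ISA "route print" was never posted): the ISA box knows the
# 144 LAN via the 3660 but has no entry for the 192.168.1.0/30 leased line.
ISA_ROUTES = [
    ("192.168.200.0/24", "internal NIC (connected)"),
    ("192.168.144.0/24", "internal NIC via 3660"),
    ("0.0.0.0/0", "external NIC via ADSL modem"),
]

def lpm(table, dst):
    """Longest-prefix match: the most specific entry covering dst wins."""
    addr = ip.ip_address(dst)
    hits = [r for r in table if addr in ip.ip_network(r[0])]
    return max(hits, key=lambda r: ip.ip_network(r[0]).prefixlen)

def egress(dst):
    """Follow recursive static routes until a connected interface is reached."""
    for _ in range(8):  # bounded, so a route loop cannot spin forever
        _, next_hop, iface = lpm(ROUTER_ROUTES, dst)
        if iface:
            return iface
        dst = next_hop
    raise ValueError("routing loop")

def source_seen_by_peer(dst, origin=None):
    """Source IP on the wire; origin=None means the router itself pings."""
    out = egress(dst)
    if origin is None:
        return IFACE_IP[out]  # IOS sources its own pings from the egress interface
    if out == NAT_OUTSIDE and ip.ip_address(origin) in NAT_ACL:
        return NAT_POOL       # overloaded by "ip nat inside source list 1"
    return origin

def isa_reply_path(src):
    return lpm(ISA_ROUTES, src)[1]  # NIC the ISA box would use for its echo-reply
```

Under these assumptions a ping typed on the 2600 arrives from 192.168.1.2 and a host in 192.168.144.32/27 arrives as 84.241.57.108, and in both cases the reply matches only the ISA default route; comparing this against the real `route print` output confirms or rules out the asymmetric return path.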
 
Sogol, I'm trying to wrap my brain around your network's setup. Let me try and give it a shot:

LAN(192.168.144.0) ---> 2600 FastEthernet0/0(192.168.144.10) ---> 2600 Serial 0/0 (192.168.1.2) ---> LEASED LINE ----> 3660 Serial 0/0 (192.168.1.1) ---> 3660 Ethernet 0/0 (192.168.200.X) ---> LAN (192.168.200.X)

The ISA Server is located on your 192.168.200.X network, correct? From this server, there is a VPN connection going to another ISA server:

ISA Server from 200.X Subnet, with Public IP Address ---> ISA Server from 110.X Subnet, with Public IP Address

Is this right?
 
Yes Bonafide, this is exactly right.

The setup is exactly what you've mentioned.

Thank you.

sogol
 
Sogol, I'm probably rehashing again...please bear with me:

1) Can the LAN at 192.168.144.0 ping all the way to the 192.168.200.0 LAN?

2) Can the 192.168.200.0 LAN ping all the way to the 192.168.144.0 LAN?
 
Yes BonaFide

1) LAN 192.168.144.0 can ping LAN 192.168.200.0
2) LAN 192.168.200.0 can ping 192.168.144.0

The only device which causes a problem is ISA.
Router 2600 cannot ping only ISA in the LAN 192.168.200.0, which is strange because I defined an access rule and opened ping from anywhere to anywhere, and ISA can ping the router but the router cannot ping ISA.


Again thank you for your time and patience.

Sogol
 
There seems to be adequate communication throughout your WAN with the exception of the ISA to ISA VPN.

The 2600 cannot ping the ISA box, but the ISA box can ping the 2600.

This question has most likely been answered by your previous reply, but can the ISA box ping serial 0 on the 2600 router?
 
Sorry Sogol, that was an incorrect question on my part. I got your post confused, please disregard the previous post.
 