destination port unreachable

ilpadrino

MIS
Feb 14, 2001
416
US
We are having trouble accessing one web site from our network. There is nothing in our 1600 access list that would prevent any web browsing. There is nothing in the ACL that has anything to do with this site's ip address. We are using NAT on the 1600. When I ping from the serial interface of the 1600, I get replies. However when I ping from the ethernet interface or any internal address, I get a reply from the site's address, "destination port unreachable". Does anyone know what this means?

We have never had any trouble browsing any web site the last 5 years. Is it possible their firewall is preventing our ip range?
 
Destination Port Unreachables are sent when a host attempts to connect to another host on a particular TCP or UDP port that the destination is not listening on. For example, if you have a host that is not running as a Telnet server and you attempt to open a telnet connection to it, it will send an ICMP Destination Port Unreachable back to the initiating host.

Are you using RFC1918 (private) IP addressing internally? What does your NAT configuration look like?

Andy
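Added example, not part of the original posts: a decoder for an ICMP Destination Unreachable message that reports the code and the original packet quoted inside it, so a capture taken on the router's outside interface shows which flow was rejected and with what reason. The sample message and its documentation addresses (192.0.2.10, 198.51.100.20) are constructed.

```python
import socket
import struct

# ICMP type 3 codes (RFC 792 / RFC 1812). Code 3 is what a host sends for a
# UDP port with no listener; a filtering device can also be configured to send it.
CODES = {
    0: "network unreachable", 1: "host unreachable",
    2: "protocol unreachable", 3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message, starting at the ICMP header."""
    if len(icmp) < 8 + 20:
        raise ValueError("truncated ICMP error message")
    if icmp[0] != 3:
        raise ValueError(f"not a destination unreachable (type {icmp[0]})")
    inner = icmp[8:]                     # quoted IPv4 header + first payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed quoted IPv4 header")
    proto = inner[9]
    result = {
        "reason": CODES.get(icmp[1], f"code {icmp[1]}"),
        "protocol": PROTOS.get(proto, str(proto)),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "src_port": None, "dst_port": None,
    }
    # TCP and UDP headers both begin with source port, destination port.
    if proto in (6, 17) and len(inner) >= ihl + 4:
        result["src_port"], result["dst_port"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return result

def sample_message() -> bytes:
    """Constructed sample: code 3 error quoting a TCP segment sent to port 80."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 63, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    tcp8 = struct.pack("!HHI", 40000, 80, 1)   # ports + sequence number
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + tcp8  # checksums left 0 in the sample

if __name__ == "__main__":
    print(parse_unreachable(sample_message()))
```

With NAT overload in the path, `orig_src` in a capture from the outside interface is the translated pool address, not the 192.168.1.x inside host.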
 
OK, but a web site would be port 80. Here is my NAT configuration:

ip nat pool first a.b.c.101 a.b.c.126 netmask 255.255.255.224
ip nat pool second a.b.d.131 a.b.d.254 netmask 255.255.255.128
ip nat inside source list 1 pool first overload
ip nat inside source list 2 pool second overload

Here are the interfaces:
interface Serial0.1 point-to-point
description to Internet
ip address w.x.y.z 255.255.255.252
ip access-group 104 in
no ip directed-broadcast
ip nat outside
no ip route-cache
no cdp enable
frame-relay interface-dlci 63

interface Ethernet1
ip address 192.168.1.93 255.255.255.0
ip access-group 103 in
no ip directed-broadcast
ip nat inside
no ip route-cache
no cdp enable
 
Also, this may not have been clear: the web site I'm trying to browse is not our own, i.e., I'm trying to browse someone else's web site on a different network.

Thanks.
 
I know you said that there's nothing in the ACL that should prevent the reply, but have you tried taking the ACLs off for a second and testing it that way?
 
Yes, I've taken both sets of ACLs off the serial and Ethernet interfaces and we still cannot get to the site.
 
PING uses ICMP, so try this: run a traceroute, which uses UDP on the outbound side and ICMP on the return leg.

Also, you say that pinging from the serial works fine, but not the E0 port? What is your default route? Do you have a 0.0.0.0 0.0.0.0 route in place? Effectively telling the router: if you don't have a route to this address, toss the packet to this router 'cause it knows where to go. The lack of a route would give the same error message that you are describing.

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Sorry, I can't figure out how to do a udp trace. In answer to your default route question, yes the default route is the next hop, which is Sprint's router.
 
What site is it? Is it worth anyone on here having a try and seeing if there is anything 'strange' about the site?

Andy
 
Are you going through any Proxy Servers or anything? Have you tried accessing the IP Address directly (not the hostname)? Can you resolve the hostname?


nslookup luxurypropery.com

Andy
 
Thanks for the responses. Someone at the host for this site did something to fix this. I'm waiting to hear what that was and will post for this thread.

Nothing was changed in my network to fix this problem.
 
The host claims that their firewall's IDS had initiated a block on our ip range. I don't necessarily believe that. This is a pretty insignificant site in comparison to the rest of the companies on the we've never had any issues browsing. Thanks for everyone's comments and suggestions.
 