Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Cannot reach IP that ends with 0

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> General >> Cannot reach IP that ends with 0 Page: [1]
Login
Message << Older Topic   Newer Topic >>
Cannot reach IP that ends with 0 - 12.Dec.2007 10:02:59 AM   
remco.koot

 

Posts: 10
Joined: 26.Sep.2002
From: Netherlands
Status: offline 		Hello all,

Maybe I am missing something.... but I cannot reach an IP address from a dreamhost server.
As soon as I trace or ping to 218.113.254.0 i get no response.
Any other ip address is no problem.
I did check the ISP router, and from there I can ping fine.

What is there to check in my ISA 2004 config so that I can get it working?

If you need more info let me know, thanks in advance.

Remco Koot
Post #: 1
RE: Cannot reach IP that ends with 0 - 12.Dec.2007 1:57:21 PM   
Rotorblade

 

Posts: 1002
Joined: 27.Feb.2007
Status: offline
quote:


As soon as I trace or ping to 218.113.254.0 i get no response.


you should'nt, because it's a invalid IP. (x.x.x.1 - x.x.x.254 are valid!)

RB

(in reply to remco.koot)
Post #: 2
RE: Cannot reach IP that ends with 0 - 12.Dec.2007 4:20:49 PM   
remco.koot

 

Posts: 10
Joined: 26.Sep.2002
From: Netherlands
Status: offline 		Thanks RB.

Well strange, at home (no ISA Server here) I can ping just okay... I must say I made a typo in the post, is should be 208 instead of 218.
So why can I correctly ping at home,  but not behind an ISA server.
And also if those are no valid IP's why is Dreamhost using them to host my website on??

C:\Documents and Settings\Administrator>ping 208.113.254.0
Pingen naar 208.113.254.0 met 32 byte gegevens:
Antwoord van 208.113.254.0: bytes=32 tijd=172 ms TTL=53
Antwoord van 208.113.254.0: bytes=32 tijd=170 ms TTL=53
Antwoord van 208.113.254.0: bytes=32 tijd=176 ms TTL=53
Antwoord van 208.113.254.0: bytes=32 tijd=171 ms TTL=53

Thanks again!

Remco Koot

(in reply to Rotorblade)
Post #: 3
RE: Cannot reach IP that ends with 0 - 12.Dec.2007 7:28:38 PM   
Rotorblade

 

Posts: 1002
Joined: 27.Feb.2007
Status: offline 		Yes, very strange to say the least.  Generally .0 and .255 are reserved IP’s but I guess there are always exceptions to the golden rule!

quote:


Why is Dreamhost using them to host my website on??


A good question to ask them, I would be curious as to their answer

Regards,

RB.


(in reply to remco.koot)
Post #: 4
RE: Cannot reach IP that ends with 0 - 17.Dec.2007 6:15:14 AM   
remco.koot

 

Posts: 10
Joined: 26.Sep.2002
From: Netherlands
Status: offline 		Hi RB,

This is what I got back as an answer on your comment;

The person who told you .0 is invalid must not be very familiar with
networking or they have only worked with /24 networks and not others.
That IP is on a /22 network, IE: 208.113.252.0/22 which means the gateway
address is 208.113.252.1 which serves 4 class-C subnets,
208.113.252.1-208.113.255.255. It is true that if it was 208.113.254.0/24
then it would be an invalid IP as it would be the gateway address but
this is not the case.

So,recap;
From my ISP's router it is possible to ping and trace to 208.113.254.0
That one is connected to my ISAServer box.
Internet and so on is working fine. The only thing is that I cannot reach that IP address from behind the ISAServer as far as I can see.

Anyone else with ISA able to ping this address or any comments on this?

Thanks again!

Remco

(in reply to Rotorblade)
Post #: 5
RE: Cannot reach IP that ends with 0 - 17.Dec.2007 1:24:54 PM   
hrsanchez

 

Posts: 77
Joined: 30.Nov.2007
From: Argentina
Status: offline 		Hi, remco,

Yes, with mask is /22 could be, but all of your devices in the route  should have the same mask ( /22), because of that,  from  your ISP's router it is possible to ping it.  
If your Isa server is not in the same network it is not  possible to ping and trace to 208.113.254.0.
Your ISP must help you.

Hector

(in reply to remco.koot)
Post #: 6
RE: Cannot reach IP that ends with 0 - 17.Dec.2007 4:57:30 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		x.x.x.0 is only valid if the mask is less than /24 bit.  But then that would imply a subnet that is larger than 254 Host (/24) which is not good.  But if it is out on the internet and is not yours,... then it isn't yours and you can't do anything about it anyway.

Only ISA SecureNAT Clients can ping, and only if the Access Rules Allow it.

Ping is ICMP and ICMP can be Nat'ed but not proxyed.  Only TCP or UDP can be proxyed.  So Firewall (winsock) Clients and Web Proxy Clients cannot Ping across the ISA.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to Rotorblade)
Post #: 7
RE: Cannot reach IP that ends with 0 - 18.Dec.2007 9:55:02 AM   
remco.koot

 

Posts: 10
Joined: 26.Sep.2002
From: Netherlands
Status: offline 		Ok guys,

I installed a new clean ISA 2006 box. 2 nics, internal 192.168.1.x. and connected the 2nd to my ISP router.

On the ISA server to test inet connectivity , without ISA server started I can go to www.blycolin.eu , or do a tracert to 208.113.254.0. (Site is hosted on dreamhost with this IP)

Now with 1 access rule accept all protocols outbound on a test client I can go to all inet web sites and can for ex. do a succesful tracert to www.microsoft.com.

I cannot access www.blycolin.eu or do a tracert to 208.113.254.0.

So what I wrong with ISA Server here???
Is any of you with ISA server able to do a succesfull trace to that IP or open the website?

Thanks again....

Remco

(in reply to pwindell)
Post #: 8
RE: Cannot reach IP that ends with 0 - 18.Dec.2007 11:43:19 AM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		What does the monitoring Log say?  Be sure to add Result Codes to the Columns.


_____________________________

Phillip Windell
www.wandtv.com

(in reply to remco.koot)
Post #: 9
RE: Cannot reach IP that ends with 0 - 18.Dec.2007 1:14:25 PM   
hrsanchez

 

Posts: 77
Joined: 30.Nov.2007
From: Argentina
Status: offline 		Hi, remco

In order to help you, I  was testing from my location:
It is not your Isa.
Without Isa server, I have access www.blycolin.eu and  do a tracert to 208.113.254.0, but when I try behind  Isa server, I cannot do it.
But when I try from Isa server itself I can do it.

Hector


(in reply to remco.koot)
Post #: 10
RE: Cannot reach IP that ends with 0 - 18.Dec.2007 2:05:40 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		I can go to the site just fine from behind my ISA.

Tracert is irrelevant because ICMP is not available to Web Proxy or Firewall (Winsock) Clients.  Only SecureNAT Clients can use ICMP and almost none of our machines are SecureNAT Client (on purpose).

Try disabling the Compression Filter


_____________________________

Phillip Windell
www.wandtv.com

(in reply to hrsanchez)
Post #: 11
RE: Cannot reach IP that ends with 0 - 18.Dec.2007 4:16:33 PM   
remco.koot

 

Posts: 10
Joined: 26.Sep.2002
From: Netherlands
Status: offline 		Thanks Hector & Phillip,

Well, i tried monitoring but there is just nothing showing up usable as far as I can see. A lot of other messages when I access another site though.

What I did not test was to use the firewall client.... After I installed the client I was able to reach the website normally. So that is a solution...

But what is wrong or should be configured different when not using a firewall client. Should be possible I think.

Thanks!

Remco

(in reply to pwindell)
Post #: 12
RE: Cannot reach IP that ends with 0 - 18.Dec.2007 5:31:03 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		I will have assume by that,...that you did not previously  have "proxy settings" in the browser either,...and were therefore running all the Clients as SecureNAT Clients,...this is further hinted at by the fact that you used Ping & Tracert and only SecureNAT Clients can do such.

SecureNAT Clients do name resolution on their own before ISA ever gets the request.  Web Proxy and Winsock Proxy (Firewall) Clients allow ISA to do the name resolution for them. This implies you have a screwed up DNS Scheme on your LAN causing inconsistant name resolution between what LAN Hosts do on their own -vs- what the ISA can do itself.

The proper way to do DNS is simple,...but it *must* be done correctly.

1. Every single last machine on the LAN,...even the ISA,...must use the AD/DNS and *only* the AD/DNS.   *Nothing else*

2. The ISP's DNS gets listed in the Forwarders List within the config of the DNS service on your AD/DNS machines.  It should not appear anywhere else.

3. The ISA must have an "anonymous" Access Rule that allows the AD/DNS to make outbound DNS Queries.  No other machine should be allowed to make outbound DNS queries, which will help weed out machines with "rogue" DNS settings. Put this Access Rule at the top of the rule list.

Another thing about SecureNAT Clients is that they to a certain extent do their own routing and they may not handle the "zero" address properly. But this is just a guess on my part as to if this is a factor in the problem. 

Remember it is by the LAN Routing Scheme that a SecureNAT Client even uses the ISA in the first place because it otherwise doesn't know the ISA exists. The packets from the SecureNAT Client only make it to the ISA simply because the ISA is "in the way" and they just sort of "crash into it".

_____________________________

Phillip Windell
www.wandtv.com

(in reply to remco.koot)
Post #: 13
RE: Cannot reach IP that ends with 0 - 19.Dec.2007 10:42:46 AM   
hrsanchez

 

Posts: 77
Joined: 30.Nov.2007
From: Argentina
Status: offline 		Phillip , you are right, after enable the client I was able to reach the website normally.

Hector


(in reply to pwindell)
Post #: 14
RE: Cannot reach IP that ends with 0 - 20.Dec.2007 8:46:48 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		Then you need to look at restructuring your LAN's DNS Scheme according to my description so that SecureNAT Client get the same consistant DNS resolution as the rest.  Plus it is just the "right" way to do it anyway and may solve other problems that you don't even know you have yet.


_____________________________

Phillip Windell
www.wandtv.com

(in reply to hrsanchez)
Post #: 15
RE: Cannot reach IP that ends with 0 - 19.Jul.2008 10:20:05 AM   
dugan_zhang

 

Posts: 1
Joined: 19.Jul.2008
Status: offline 		Hi

I have a similar problem, except it's in reverse.

I have server who's ip address ends with 0 try to connect my ISA server and my ISA server reject the connection.

The source server ip address is 206.190.37.0, it's trying to sent email to one of my internal server, but my ISA server does not allow the connection.

In the ISA server log, it said "Failed connection attempt"

Anyone know how to fix this problem.

(in reply to pwindell)
Post #: 16

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> General >> Cannot reach IP that ends with 0 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts