
Welcome to ISAserver.org


Cannot ping Internal Network

Cannot ping Internal Network - 18.Aug.2009 12:22:33 PM   
Neves

 

Posts: 16
Joined: 18.Aug.2009
Status: offline
Hello,

Here is my Network diagram :


INTERNET
     |
     |
ISP ROUTER ------ PIX ------ ISA SERVER ------ LAN
     |                                                    |
     |                                                    |
VBRA (Vodafone 3G VPN access)----

Our network is on the ISP router DMZ, protected by a PIX and ISA so that we don't depend on the ISP to configure anything.

PIX configuration:

internal
ip:172.16.0.253

ISA configuration:

external
ip: 172.16.0.254
gateway 172.16.0.253

internal:
ip: 192.168.0.254
no gateway

perimeter:
ip: 192.168.100.254
no gateway

PROBLEM

I have created an access rule on ISA to allow ping from External to Internal. I can ping, from the PIX, the ISA internal IP x.x.x.254, but I cannot ping any other computer or server.
I also created a network rule External to Internal ROUTE, but still nothing.
If I try to ping the PIX out ISA external IP from any computer inside the network, no problem.

What am I missing?

Thanks in advance (hope it's not a stupid question)
Post #: 1
RE: Cannot ping Internal Network - 18.Aug.2009 4:35:55 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

How are your Network Rules and your Internal Network definition?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to Neves)
Post #: 2
RE: Cannot ping Internal Network - 18.Aug.2009 6:28:37 PM   
Neves

 

Posts: 16
Joined: 18.Aug.2009
Status: offline
My internal network configuration is 192.168.0.0/24, no gateway, and I have internal DNS configured.

Network rules are the default when choosing the 3-leg perimeter topology; I just added ROUTE External to Internal.

Any ideas?

Are you Portuguese? :) Me too

< Message edited by Neves -- 18.Aug.2009 7:18:53 PM >

(in reply to paulo.oliveira)
Post #: 3
RE: Cannot ping Internal Network - 19.Aug.2009 10:13:02 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

You have to remove the Internal Network from the Internet Access Network Rule, because the default is NAT and I believe it is before the rule you created.

I'm Brazilian.

Regards,
Paulo Oliveira.


(in reply to Neves)
Post #: 4
RE: Cannot ping Internal Network - 19.Aug.2009 10:46:16 AM   
Neves

 

Posts: 16
Joined: 18.Aug.2009
Status: offline
I just figured it out... I replaced Route with NAT in the network rule I initially created, External to Internal (PIX -> ISA Internal Network), and it works... Thanks.

Why doesn't Route work?

(in reply to paulo.oliveira)
Post #: 5
RE: Cannot ping Internal Network - 20.Aug.2009 2:13:04 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
Does your pixy use NAT?
Or else is it the default gateway problem, which can be resolved by static routes...

(in reply to Neves)
Post #: 6
RE: Cannot ping Internal Network - 20.Aug.2009 11:47:05 AM   
Neves

 

Posts: 16
Joined: 18.Aug.2009
Status: offline
Here is my PIX run conf:

names
name 192.168.0.2 mailsrv
name 192.168.0.3 wswebsrv
name 192.168.0.4 filesrv
name 192.168.0.5 wssrv
name 192.168.0.6 bessrv
name 192.168.0.7 erpsrv
name 192.168.0.8 intrasrv
name 192.168.0.10 file2srv
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx. 255.255.255.252
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.0.253 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name
access-list 100 remark Outside INbound traffic filter
access-list 100 extended permit tcp any host 213.30.22.6 eq 32001
access-list 100 extended permit tcp any host 213.30.22.6 eq ftp
access-list 100 extended permit tcp any host 213.30.22.6 eq www
access-list 100 extended permit tcp any host 213.30.22.6 eq smtp
access-list 100 extended permit tcp any host 213.30.22.6 eq pop3
access-list 100 extended permit tcp any host 213.30.22.6 eq https
access-list 100 extended permit udp any host 213.30.22.6 eq 443
access-list 100 extended permit tcp any host 213.30.22.6 eq 65252
pager lines 24
logging enable
logging timestamp
logging trap informational
logging host inside 172.16.0.254
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface 65252 192.168.0.252 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65002 mailsrv 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65003 wswebsrv 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65004 filesrv 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65005 wssrv 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65006 bessrv 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65007 erpsrv 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65008 intrasrv 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65010 file2srv 3389 netmask 255.255.255.255
access-group 100 in interface outside
route inside 192.168.0.0 255.255.255.0 172.16.0.254 1
route outside 0.0.0.0 0.0.0.0 213.30.22.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

(in reply to paulo.oliveira)
Post #: 7
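
Added example, not part of any post in this thread: a small Python parser that answers the two questions raised above (does the PIX use NAT, and are static routes in place) directly from the posted configuration. The four config lines are copied from the post; the function names are illustrative, and only the plain network/mask forms of `nat` and `route` are handled.

```python
import ipaddress

# Lines copied from the PIX configuration posted in this thread.
PIX_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
route inside 192.168.0.0 255.255.255.0 172.16.0.254 1
route outside 0.0.0.0 0.0.0.0 213.30.22.5 1
"""

def parse(config):
    """Collect dynamic NAT rules, global pools and static routes."""
    nats, pools, routes = [], {}, []
    for line in config.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "nat":
            # nat (<ifc>) <id> <network> <mask>
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}")
            nats.append((f[1].strip("()"), f[2], net))
        elif len(f) >= 4 and f[0] == "global":
            # global (<ifc>) <id> <address|interface>
            pools[f[2]] = (f[1].strip("()"), f[3])
        elif len(f) >= 5 and f[0] == "route":
            # route <ifc> <network> <mask> <gateway> [metric]
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}")
            routes.append((net, f[1], f[4]))
    return nats, pools, routes

def translation_for(src, nats, pools):
    """Return (egress ifc, mapped address) if a nat/global pair covers src."""
    ip = ipaddress.ip_address(src)
    for _ifc, nat_id, net in nats:
        if ip in net and nat_id in pools:
            return pools[nat_id]
    return None  # source is not dynamically translated

def next_hop(dst, routes):
    """Longest-prefix match over the static routes; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    _net, ifc, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return ifc, gateway

NATS, POOLS, ROUTES = parse(PIX_CONFIG)
```

Run against the posted lines, this shows that the PIX has a static route back to 192.168.0.0/24 through 172.16.0.254, while `nat (inside) 1` covers 172.16.0.0/24 only, so a 192.168.0.x source address reaching the PIX is routed but not dynamically translated.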
