reason I can't ping out of my Cisco 806?

[xyyz]

I'm still tinkering with my 806 and I've come to a werid problem... when I try pinging or tracerouting www.cisco.com, nothing happens. The router is able to get the IP for cisco.com, but it can't ping it. I'm thinking that something is allowing it to contact the DNS server, but why won't it gimme ping responses?

I don't have any access lists... and my router is like another node under my Linksys router right now.

 

[Kadarin]

Are you able to access the Cisco website through your browser? Can you ping or traceroute other websites? Since you have two routers, do you have the same symptoms from hosts on both of your networks? Try to find out if the problem is local to you first. As of now, I can ping Cisco with no issue.

 

[xyyz]

this problem is only with the cisco router... my other systems on the network are fine... :/

 

[Kadarin]

<< this problem is only with the cisco router... my other systems on the network are fine... :/ >>



Are you trying to ping and traceroute to www.cisco.com from your cisco router itself? And you're saying that other devices on your network are able to ping/traceroute to cisco.com? What is your current network topology?

 

[xyyz]

<<

<< this problem is only with the cisco router... my other systems on the network are fine... :/ >>



Are you trying to ping and traceroute to www.cisco.com from your cisco router itself? And you're saying that other devices on your network are able to ping/traceroute to cisco.com? What is your current network topology? >>



that's exactly right...

the topology is a primative tree topology. all workstations and the Cisco 806 are connected to the Linksys DSL router, which is the gateway.

 

[Garion]

Ahh. You're running into the hidden (but installed on every IOS later than 12.1.x) Cisco DDOS filter. Every Cisco router has a hidden ACL that implicitly denies ICMP packets from it's own IP(s) to *.cisco.com. Any other IP that's routed THROUGH it works fine, but not from the router. This was implemented shortly after the Code Red and Code Red II viruses hit Cisco hard, most of which came from the infected web administration pages on their 6xx series DSL routers. I've heard that most of this development work and enforcement comes from the special Cisco Special Projects Lab (CSPL) in Rosewell, New Mexico. Odd place.

I am, of course, relaying this from a reliable source, lest you think I'm making this up. My friend dates the sister of the guy that works the car of the Junior Cisco SE for the Eagle Hardware account and they sometimes talk tech - This is where I find most of the info that I pass onto you all in this forum. I'm actually just a vacuum salesman who knows how to talk tech. Yes, I'm quite bored tonight, in case you can't tell. And no, I'm not serious. (But you can call me Shirley!)

- G

 

[xyyz]

<< Ahh. You're running into the hidden (but installed on every IOS later than 12.1.x) Cisco DDOS filter. Every Cisco router has a hidden ACL that implicitly denies ICMP packets from it's own IP(s) to *.cisco.com. Any other IP that's routed THROUGH it works fine, but not from the router. This was implemented shortly after the Code Red and Code Red II viruses hit Cisco hard, most of which came from the infected web administration pages on their 6xx series DSL routers. I've heard that most of this development work and enforcement comes from the special Cisco Special Projects Lab (CSPL) in Rosewell, New Mexico. Odd place.

I am, of course, relaying this from a reliable source, lest you think I'm making this up. My friend dates the sister of the guy that works the car of the Junior Cisco SE for the Eagle Hardware account and they sometimes talk tech - This is where I find most of the info that I pass onto you all in this forum. I'm actually just a vacuum salesman who knows how to talk tech. Yes, I'm quite bored tonight, in case you can't tell. And no, I'm not serious. (But you can call me Shirley!)

- G >>




you serious shirley... 'cause eventhough you said you're not serious... it's pretty convincing to me? so if I were to ping or traceroute www.yahoo.com something would come up?

hang on gonna try right now.


hmmm... nope... it's still able to get the ip address for www.yahoo.com but no "!'s" just ".'s"

 

[xyyz]

on a separate note... what exactly is the firewall feature set... what commands.... how do I do stateful packet inspection... actually before that what the hell is stateful packet inspection?

 

[SR]

If they havent change the fw feature set lately and I'm not mistaken it wont get you stateful packet inspection. I think it'll just inspect packets based upon type of service.

 

[Garion]

OK, a real answer. You're probably running NAT through the router, right? An extremely key concept - When you ping out from a Cisco router, it uses the source IP address of the interface closest to the destination.

If you're running NAT through the box, from your "inside" network and ping from the router, it has a source IP of your router's "outside" interface. This probably isn't natted and might not get where you expect it to, depending on your network topology.

- G

 

[xyyz]

<< If they havent change the fw feature set lately and I'm not mistaken it wont get you stateful packet inspection. I think it'll just inspect packets based upon type of service. >>



nopes... stateful packet inspection is included amongst a slew of other things... I dunno how to get it going though.

 

[FFC]

xyyz, you need to look at CBAC or context based access control.

The cisco docs on this are at

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm[/L]


Thisn is the part of IOS that will get you stateful inspection. There is a lot of cisco documentation regarding the firewall feature set on their site which is worth a look.