Packet tracer question

SOUTHwarrior

Okay, so Packet Tracer isn't the greatest for compatibility, but should I be dumbfounded by the simplest of tasks that it can't do, or am I missing something special here? I've got a server set up and the private network running dynamic and static NAT on the router. I can ping the public IP of the server from the internet PC, but when it comes to putting in the IP address on the web page I keep getting a timeout. Keep in mind that it's a static translation and the private network is assigned to the dynamic with overload. The ACL allows port 80 from all public networks to that specific destination to that server. I'm fairly confident that it's Packet Tracer and its lack of compatibility with some things, but if anybody has had any problems with the same thing let me know, because this is driving me crazy.

Corsair C70 | Gigabyte Widnforce R9 280x | AMD FX8320 3.5ghz | Corsair 750m | Gigabyte 990FXA-ud3 | Mushkin 120gb SSD | Seagate Barracuda 1tb | Mushkin 16gb ddr3 1333mhz Ram

By default many http servers only allow local/loopback addresses to connect so here is my thought.

Something wrong with your connection ?

Run the damn cable :)

By default many http servers only allow local/loopback addresses to connect so here is my thought.

I have no idea. I was running OSPF on the local side and I did have a gateway of last resort set up on my company border router, and for my simulated ISP I had a default route set up pointing back to the company. So either way I know it had a way to get back. I did have the HTTP service enabled on the server and I could access it by its local IP of 10.10.10.11 but not its global IP of 173.20.19.1.

This is from Cisco, Right??? 

Yes, Packet Tracer is Cisco.

Sometimes it can be crazy, but wouldn't you need to add a route so it would be able to go from the external IP (port 80) to the internal IP (port 80)? The HTTP server wouldn't allow the external IP, if I'm right?

Sometimes it can be crazy, but wouldn't you need to add a route so it would be able to go from the external IP (port 80) to the internal IP (port 80)? The HTTP server wouldn't allow the external IP, if I'm right?

No..... Different layer of the OSI model. OSPF is layer 3, port numbers are layer 4. When it de-encapsulates is when it looks at what service it's requesting. ACLs check the port number, so that's what you need to allow when trying to block all outside communications with the private part of your business. Your static NAT is just there to say, hey, I'm wanting to access data from this IP. Then it looks through the NAT translations table to see if it has got a match; then if it does, it forwards it to that IP if it passes your ACL first.

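The setup described in the post above, written out as an added example in IOS configuration syntax. It is not the poster's config, which the thread never shows. The addresses 10.10.10.11 and 173.20.19.1 are from the thread; the interface names, the 10.10.10.0/24 inside range, the gateway address and the ACL numbers are assumptions.

```cisco
! Constructed example. Interface names, 10.10.10.0/24, 10.10.10.1 and the
! ACL numbers are assumptions; only 10.10.10.11 and 173.20.19.1 come from the thread.
interface GigabitEthernet0/0
 description Inside (private LAN)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 description Outside (link to simulated ISP)
 ! outside address left out: it is not given in the thread
 ip nat outside
 ip access-group 100 in
!
! Static one-to-one translation for the web server
ip nat inside source static 10.10.10.11 173.20.19.1
!
! Dynamic NAT with overload (PAT) for the rest of the private network
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0/0 overload
!
! Inbound ACL on the outside interface. For outside-to-inside traffic the
! input ACL is checked before the NAT lookup, so the entry has to match the
! global address 173.20.19.1, not the local address 10.10.10.11.
access-list 100 permit tcp any host 173.20.19.1 eq 80
! Optional: allows the ping test from the internet PC mentioned in the thread
access-list 100 permit icmp any host 173.20.19.1 echo
! Return traffic for TCP sessions and pings started from the inside
access-list 100 permit tcp any any established
access-list 100 permit icmp any any echo-reply
! Everything else is dropped by the implicit deny at the end of the list
!
! Checks to run after one HTTP attempt from the outside PC:
!   show ip nat translations   (static entry 173.20.19.1 <-> 10.10.10.11,
!                               plus a tcp entry for port 80 once traffic flows)
!   show access-lists 100      (match counter on the "eq 80" line increments)
!   show ip nat statistics     (hits vs. misses)
```

If the counter on the `eq 80` line stays at zero, the request is not reaching the outside interface or is not addressed to 173.20.19.1; if it increments but no port 80 translation appears, the problem is on the NAT side rather than the ACL.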

No..... Different layer of the OSI model. OSPF is layer 3, port numbers are layer 4. When it de-encapsulates is when it looks at what service it's requesting. ACLs check the port number, so that's what you need to allow when trying to block all outside communications with the private part of your business. Your static NAT is just there to say, hey, I'm wanting to access data from this IP. Then it looks through the NAT translations table to see if it has got a match; then if it does, it forwards it to that IP if it passes your ACL first.

Oh, now I understand. But then it would work, don't you agree?

Oh, now I understand. But then it would work, don't you agree?

That's what I'm confused about. I think it's just a quirk in Packet Tracer, to be honest. Things like MD5 authentication, setting up your GUI interface for routers and crap like that all don't work. Idk about the MD5 now, it's been a while since I've tried it.

One thing: are you able to ping the web server from outside?

You are probably doing something wrong, and it's almost impossible to help you without seeing all the configs. My guess is that you messed up with the access list, since that's a pretty common issue.

I always recommend adding access lists last, after you have made sure everything works as it should.

Do all routers have all the necessary routes in their routing table? That might be an issue as well.

I suggest you change from "realtime" to "simulation" (button in the lower right corner), then try to access the web server, and go step by step (by pressing "capture / forward") to see where the packets get lost.

You are probably doing something wrong, and it's almost impossible to help you without seeing all the configs. My guess is that you messed up with the access list, since that's a pretty common issue.

I always recommend adding access lists last, after you have made sure everything works as it should.

Do all routers have all the necessary routes in their routing table? That might be an issue as well.

I suggest you change from "realtime" to "simulation" (button in the lower right corner), then try to access the web server, and go step by step (by pressing "capture / forward") to see where the packets get lost.

I tried it both with and without the ACL, and same result. And did you read the other post I made? I have gateways of last resort pointing back to the internet router and OSPF on the inside. So even if there wasn't a route in the routing table it has a way of getting there and back. Also I did the simulation mode last night and it shows the HTTP request getting there and back, then it times out.

I can ping the public IP of the server from the internet PC, but when it comes to putting in the IP address on the web page I keep getting a timeout.

Original post snippet

One thing: are you able to ping the web server from outside?

I said that in the original post.

I tried it both with and without the ACL, and same result. And did you read the other post I made? I have gateways of last resort pointing back to the internet router and OSPF on the inside. So even if there wasn't a route in the routing table it has a way of getting there and back. Also I did the simulation mode last night and it shows the HTTP request getting there and back, then it times out.

If the packets go from the host, to the server, and then all the way back to the host, then I am not sure what the problem is. Personally I have never had any issue with the HTTP server in Packet Tracer. Anyway it's pretty much impossible to help you without seeing the configs.

You got a functional website on the server? The packets actually go back all the way to the host?

About my comment on your routing tables, having a gateway of last resort does not mean your routing tables are 100% correct and working. Sure the packet might be able to leave the network but it might not be able to return. Even if it is able to return you might have a routing loop if you got several default routes pointing at each other. If I understand it correctly, you've got your company router with a gateway of last resort pointing at your ISP, and your ISP having a gateway of last resort pointing at the company's router, correct? That's a really bad idea, because any packet with an incorrect IP will bounce back and forth between the two routers for all eternity. It's probably not related to your issue since the packets can go back and forth, but it's not something you want in your config, and it's an example of how your routing tables could have caused issues.

That's what I'm confused about. I think it's just a quirk in Packet Tracer, to be honest. Things like MD5 authentication, setting up your GUI interface for routers and crap like that all don't work. Idk about the MD5 now, it's been a while since I've tried it.

Authentication on routing updates is supported in OSPF but not EIGRP (last time I checked), not sure about RIP or IS-IS. The "key" command that you need for EIGRP authentication simply does not exist. It's the same deal with NTP, the commands simply do not exist. It seems like Cisco simply removes any command that doesn't work in Packet Tracer, instead of implementing them halfassed.

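The mutual default routes discussed in the post above, next to a tighter alternative, as an added example in IOS syntax (not taken from anyone's config in the thread). The public block 173.20.19.0/24 and the link addresses 203.0.113.1 (ISP side) and 203.0.113.2 (company side) are assumptions; only 173.20.19.1 appears in the thread.

```cisco
! Constructed example. 173.20.19.0/24, 203.0.113.1 and 203.0.113.2 are
! assumed values chosen for illustration.

! ---- As described in the thread: each router defaults to the other ----
! Company border router
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Simulated ISP router
ip route 0.0.0.0 0.0.0.0 203.0.113.2
! A packet for a destination that neither router has a specific route for
! matches the default on both sides and is handed back across the link.

! ---- Tighter alternative ----
! Simulated ISP router: send only the company's public block to the company
no ip route 0.0.0.0 0.0.0.0 203.0.113.2
ip route 173.20.19.0 255.255.255.0 203.0.113.2
!
! Company border router: keep the default toward the ISP, and discard
! traffic for unused addresses in its own public block instead of letting
! it follow the default back out. Packets for 173.20.19.1 are translated to
! 10.10.10.11 on the outside interface before the routing lookup, so the
! Null0 route does not affect the static NAT entry.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 173.20.19.0 255.255.255.0 Null0
!
! Check on each router:
!   show ip route              (gateway of last resort and static entries)
!   show ip route 173.20.19.1  (which entry a lookup for the server matches)
```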

If the packets go from the host, to the server, and then all the way back to the host, then I am not sure what the problem is. Personally I have never had any issue with the HTTP server in Packet Tracer. Anyway it's pretty much impossible to help you without seeing the configs.

You got a functional website on the server? The packets actually go back all the way to the host?

About my comment on your routing tables, having a gateway of last resort does not mean your routing tables are 100% correct and working. Sure the packet might be able to leave the network but it might not be able to return. Even if it is able to return you might have a routing loop if you got several default routes pointing at each other. If I understand it correctly, you've got your company router with a gateway of last resort pointing at your ISP, and your ISP having a gateway of last resort pointing at the company's router, correct? That's a really bad idea, because any packet with an incorrect IP will bounce back and forth between the two routers for all eternity. It's probably not related to your issue since the packets can go back and forth, but it's not something you want in your config, and it's an example of how your routing tables could have caused issues.

Authentication on routing updates is supported in OSPF but not EIGRP (last time I checked), not sure about RIP or IS-IS. The "key" command that you need for EIGRP authentication simply does not exist. It's the same deal with NTP, the commands simply do not exist. It seems like Cisco simply removes any command that doesn't work in Packet Tracer, instead of implementing them halfassed.

I'll get you the running configs sometime tomorrow so maybe you can help me.

EIGRP also supports MD5, I think it's on a per-interface basis though. I'll have to agree with you on the RIP and IS-IS, never read or seen anything about them supporting authentication.

EIGRP also supports MD5, I think it's on a per-interface basis though.

It supports it on real equipment, but not in Packet Tracer. The key command does not exist, nor does the ip authentication command exist. I am one version behind so maybe they have added it in the new version. RIPv2 and IS-IS support authentication as well, but not in Packet Tracer. Packet Tracer is pretty limited but from what I've seen all the things that are implemented work flawlessly (but maybe you've found something that doesn't work).

Which version of Packet Tracer do you use?

It supports it on real equipment, but not in Packet Tracer. The key command does not exist, nor does the ip authentication command exist. I am one version behind so maybe they have added it in the new version. RIPv2 and IS-IS support authentication as well, but not in Packet Tracer. Packet Tracer is pretty limited but from what I've seen all the things that are implemented work flawlessly (but maybe you've found something that doesn't work).

Which version of Packet Tracer do you use?

The newest 6.0.1
