Windows 8 Allows Ping from Router, but not other PC

When testing in my lab, I ran into some weird behavior with ping.  I had 2 win8 machines attached to a switch, and that switch attached to a router.  I was unable to ping from one of the PCs to the other one, but found that both the router and switch were able to ping both machines without problem.

Then I added a inbound firewall exception for ICMP on both PCs and was able to then ping PC to PC.  

I understand that the Windows firewall blocks pings by default, but does anyone have any thoughts on why it wouldn't block them from the router or switch.

Hardware I'm using is as follows:
Win 8 HP laptop
Win 8 tower
Cisco 3550 switch
Cisco 2950 switch
Cisco 1721 router
LVL 3
RKnebel512Asked:
Who is Participating?
 
Gerwin Jansen, EE MVETopic Advisor Commented:
Got the files and had a look, only 2 differences I found:
- TTL from the request from the router that is 255 instead of 128 for the others (reply from PC and request/reply to/from PC).
- data from router is 72 bytes, from PC is 32 bytes

Can you post a trace as well between router and PC when the firewall is enabled on the PC? Because that is where the ping is working where you wouldn't expect it, right?
0
 
JohnBusiness Consultant (Owner)Commented:
I use Symantec Endpoint Protection which disables Windows Firewall and I can happily ping my Windows 8.1 laptop from my Windows 7 desktop.

To your comment above, my guess is that Windows Firewall accepts a ping from the device it is connected to but not beyond that.

... Thinkpads_User
0
 
Skyler KincaidNetwork/Systems EngineerCommented:
Where you pinging by name or IP address?
0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

 
RKnebel512Author Commented:
@thinkpads_user: In my topology, I could ping from the router too, which is not directly connected. In fact, I added another switch and another router just to be certain, and the far router (on a different network) could still ping.

@xKincaidx: I'm pinging by up addresses in all instances. I don't have and set up.
0
 
JohnBusiness Consultant (Owner)Commented:
Microsoft secures things by turning them off so you cannot use them. You may wish to use a commercial firewall that does not have these issues.

Based on what you said, I expect that Microsoft Firewall had difficulty interpreting the source ping that would not go through. Either the ping (seems doubtful) or the IP/DNS/Gateway it came from. It may have interpreted the IP as a problem source.

I tried several different machines into my Windows 8.1 machine and it always responded.

So then, either just use the exceptions you implemented in Microsoft Firewall (normal practice) or consider a different Firewall.

.... Thinkpads_User
0
 
Rob WilliamsCommented:
Did you happen to try forcing an IPv4 ping, such as:
Ping. -4  192.168.123.123
Win 8 may default to IPv6.  I am not sure about Win 8 (will check) but all I thought all previous O/S's allowed IPv4 ICMP requests by default.  The router would have used IPv4.
0
 
RKnebel512Author Commented:
@thinkpads_user: The problem is that Windows is not blocking pings from my routers and switches when the firewall is up.  It only blocks the PC pings.

@RobWill: I will try an IPv4 ping later, but I don't think that's the problem.  When I punched a hole in the firewall to let the traffic through, I punched a hole for ICMPv4.  So if that was the issue, it should still be blocking.

I know that the windows firewall is supposed to block pings by default.  My issue is that it isn't blocking any pings from the router and switch.
0
 
JohnBusiness Consultant (Owner)Commented:
I think that is because the router and switch are next to your computer. So the Windows Firewall sees no danger in them.

... Thinkpads_User
0
 
JohnBusiness Consultant (Owner)Commented:
Perhaps it may be helpful (if only for me) to see the PC source as a "live" source (e.g. a source of internet traffic on top of the ping and so possibly dangerous); and the Router sources as a "dead" source (e.g. no traffic, just a ping).

.... Thinkpads_User
0
 
Rob WilliamsCommented:
I am not so I agree with your last comments Thinkpads_User.  It implies the firewall has some sort of 3rd party intelegence  :-)
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
Hi, are both router and switch using a 'ping' command / do you ping manually from those devices? It could be that both these devices use some sort of tcp based ping, so not using ICMP protocol at all. Or do you determine that the W8 can be 'pinged' by looking at DHCP statistics maybe?
0
 
RKnebel512Author Commented:
- I used the ping command in all cases, from the command prompt on the PC and from CLI on the routers and switches.  

- All boxes are using ICMP.  I know this because I ran wireshark packet sniff and they all showed up as ICMP.  When I went through the packets, all the information looked the same, except for the "data" payload.  The Cisco switch and router had a payload of 72 bytes, while the PC had a payload of 32 bytes.  But I don't see why that would make a difference.  I was under the impression that those were just a placeholder to verify that everything is transmitting properly.

I'm not really sure what you mean by the last question, but I'm not using any DHCP.  Everything has a static ip address.
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
>>I'm not really sure what you mean by the last question, but I'm not using any DHCP.  Everything has a static ip address.

Never mind that, knowing that you use ping answers this already. Just to be clear: when disabling all ICMP inbound rules on the W8 machines makes ping from the Cisco equipment work? If that's the case then either the ICMP (blocking) rules are not working on the W8 machines or the ICMP echo packet sent by the Cisco equipment is not ICMP.

Can you post the packet with 72 byte payload sent by the Cisco equipment and the reply packet sent by the W8 machine?
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
Cisco 2950 switches' ping command is sending ICMP packets, but it can support other 'protocol keywords' as well:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_13_ea1/configuration/guide/swtrbl.html#wp1084463

Can you get us a ping command reference from you Cisco switch, maybe "ping -?"?
0
 
RKnebel512Author Commented:
Here is the Ping options on each Cisco Device:


Switch-3550#ping ?
  WORD  Ping destination address or hostname
  ip    IP echo
  tag   Tag encapsulated IP echo
  <cr>


Switch-2950#ping ?
  WORD  Ping destination address or hostname
  ip    IP echo
  tag   Tag encapsulated IP echo
  <cr>


Router-1721#ping ?
  WORD  Ping destination address or hostname
  ip    IP echo
  tag   Tag encapsulated IP echo
  <cr>


In each case I just used the standard "ping 192.168.10.51" command.
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
You can attach a small capture file to your post, I tried importing your text-paste - did not work - I'll remove the 'big' post above ;)
0
 
RKnebel512Author Commented:
Okay, Here it is.  I uploaded both the tacket trace from the router to the PC and the one from  PC to PC.  

The attach file here on experts-exchange wouldn't let me attach a .pcapng wireshark file, so I changed the file extension to .txt.  It will have to be changed back before you can use the file.

Both of these traces are taken when the firewall is down so that I was able to get both request and reply packets.
Ping-From-Router-to-PC.txt
Ping-From-PC-to-PC.txt
0
 
RKnebel512Author Commented:
So I can no longer replicate the problem.  I set up the same topology as I had before, but the computers only exhibit the behavior that thinkpads_user mentioned above, where Windows firewall allows pings that are coming from the same network.  

I can no longer get the far router on a different network to ping the PC when the firewall is up.  

Since I can't replicate the problem anymore, I think I will have to give up on the question.  Thank you everyone for your help.
0
 
JohnBusiness Consultant (Owner)Commented:
@RKnebel512 - Thank you for updating us.   .... Thinkpads_User
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.