Solved

Windows 8 Allows Ping from Router, but not other PC

Posted on 2013-12-08
22
1,073 Views
Last Modified: 2014-01-06
When testing in my lab, I ran into some weird behavior with ping.  I had 2 win8 machines attached to a switch, and that switch attached to a router.  I was unable to ping from one of the PCs to the other one, but found that both the router and switch were able to ping both machines without problem.

Then I added a inbound firewall exception for ICMP on both PCs and was able to then ping PC to PC.  

I understand that the Windows firewall blocks pings by default, but does anyone have any thoughts on why it wouldn't block them from the router or switch.

Hardware I'm using is as follows:
Win 8 HP laptop
Win 8 tower
Cisco 3550 switch
Cisco 2950 switch
Cisco 1721 router
0
Comment
Question by:RKnebel512
  • 6
  • 5
  • 5
  • +2
22 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
Comment Utility
I use Symantec Endpoint Protection which disables Windows Firewall and I can happily ping my Windows 8.1 laptop from my Windows 7 desktop.

To your comment above, my guess is that Windows Firewall accepts a ping from the device it is connected to but not beyond that.

... Thinkpads_User
0
 
LVL 15

Expert Comment

by:Skyler Kincaid
Comment Utility
Where you pinging by name or IP address?
0
 
LVL 3

Author Comment

by:RKnebel512
Comment Utility
@thinkpads_user: In my topology, I could ping from the router too, which is not directly connected. In fact, I added another switch and another router just to be certain, and the far router (on a different network) could still ping.

@xKincaidx: I'm pinging by up addresses in all instances. I don't have and set up.
0
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
Microsoft secures things by turning them off so you cannot use them. You may wish to use a commercial firewall that does not have these issues.

Based on what you said, I expect that Microsoft Firewall had difficulty interpreting the source ping that would not go through. Either the ping (seems doubtful) or the IP/DNS/Gateway it came from. It may have interpreted the IP as a problem source.

I tried several different machines into my Windows 8.1 machine and it always responded.

So then, either just use the exceptions you implemented in Microsoft Firewall (normal practice) or consider a different Firewall.

.... Thinkpads_User
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Did you happen to try forcing an IPv4 ping, such as:
Ping. -4  192.168.123.123
Win 8 may default to IPv6.  I am not sure about Win 8 (will check) but all I thought all previous O/S's allowed IPv4 ICMP requests by default.  The router would have used IPv4.
0
 
LVL 3

Author Comment

by:RKnebel512
Comment Utility
@thinkpads_user: The problem is that Windows is not blocking pings from my routers and switches when the firewall is up.  It only blocks the PC pings.

@RobWill: I will try an IPv4 ping later, but I don't think that's the problem.  When I punched a hole in the firewall to let the traffic through, I punched a hole for ICMPv4.  So if that was the issue, it should still be blocking.

I know that the windows firewall is supposed to block pings by default.  My issue is that it isn't blocking any pings from the router and switch.
0
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
I think that is because the router and switch are next to your computer. So the Windows Firewall sees no danger in them.

... Thinkpads_User
0
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
Perhaps it may be helpful (if only for me) to see the PC source as a "live" source (e.g. a source of internet traffic on top of the ping and so possibly dangerous); and the Router sources as a "dead" source (e.g. no traffic, just a ping).

.... Thinkpads_User
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I am not so I agree with your last comments Thinkpads_User.  It implies the firewall has some sort of 3rd party intelegence  :-)
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 37

Expert Comment

by:Gerwin Jansen
Comment Utility
Hi, are both router and switch using a 'ping' command / do you ping manually from those devices? It could be that both these devices use some sort of tcp based ping, so not using ICMP protocol at all. Or do you determine that the W8 can be 'pinged' by looking at DHCP statistics maybe?
0
 
LVL 3

Author Comment

by:RKnebel512
Comment Utility
- I used the ping command in all cases, from the command prompt on the PC and from CLI on the routers and switches.  

- All boxes are using ICMP.  I know this because I ran wireshark packet sniff and they all showed up as ICMP.  When I went through the packets, all the information looked the same, except for the "data" payload.  The Cisco switch and router had a payload of 72 bytes, while the PC had a payload of 32 bytes.  But I don't see why that would make a difference.  I was under the impression that those were just a placeholder to verify that everything is transmitting properly.

I'm not really sure what you mean by the last question, but I'm not using any DHCP.  Everything has a static ip address.
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
Comment Utility
>>I'm not really sure what you mean by the last question, but I'm not using any DHCP.  Everything has a static ip address.

Never mind that, knowing that you use ping answers this already. Just to be clear: when disabling all ICMP inbound rules on the W8 machines makes ping from the Cisco equipment work? If that's the case then either the ICMP (blocking) rules are not working on the W8 machines or the ICMP echo packet sent by the Cisco equipment is not ICMP.

Can you post the packet with 72 byte payload sent by the Cisco equipment and the reply packet sent by the W8 machine?
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
Comment Utility
Cisco 2950 switches' ping command is sending ICMP packets, but it can support other 'protocol keywords' as well:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_13_ea1/configuration/guide/swtrbl.html#wp1084463

Can you get us a ping command reference from you Cisco switch, maybe "ping -?"?
0
 
LVL 3

Author Comment

by:RKnebel512
Comment Utility
Here is the Ping options on each Cisco Device:


Switch-3550#ping ?
  WORD  Ping destination address or hostname
  ip    IP echo
  tag   Tag encapsulated IP echo
  <cr>


Switch-2950#ping ?
  WORD  Ping destination address or hostname
  ip    IP echo
  tag   Tag encapsulated IP echo
  <cr>


Router-1721#ping ?
  WORD  Ping destination address or hostname
  ip    IP echo
  tag   Tag encapsulated IP echo
  <cr>


In each case I just used the standard "ping 192.168.10.51" command.
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
Comment Utility
You can attach a small capture file to your post, I tried importing your text-paste - did not work - I'll remove the 'big' post above ;)
0
 
LVL 3

Author Comment

by:RKnebel512
Comment Utility
Okay, Here it is.  I uploaded both the tacket trace from the router to the PC and the one from  PC to PC.  

The attach file here on experts-exchange wouldn't let me attach a .pcapng wireshark file, so I changed the file extension to .txt.  It will have to be changed back before you can use the file.

Both of these traces are taken when the firewall is down so that I was able to get both request and reply packets.
Ping-From-Router-to-PC.txt
Ping-From-PC-to-PC.txt
0
 
LVL 37

Accepted Solution

by:
Gerwin Jansen earned 250 total points
Comment Utility
Got the files and had a look, only 2 differences I found:
- TTL from the request from the router that is 255 instead of 128 for the others (reply from PC and request/reply to/from PC).
- data from router is 72 bytes, from PC is 32 bytes

Can you post a trace as well between router and PC when the firewall is enabled on the PC? Because that is where the ping is working where you wouldn't expect it, right?
0
 
LVL 3

Author Comment

by:RKnebel512
Comment Utility
So I can no longer replicate the problem.  I set up the same topology as I had before, but the computers only exhibit the behavior that thinkpads_user mentioned above, where Windows firewall allows pings that are coming from the same network.  

I can no longer get the far router on a different network to ping the PC when the firewall is up.  

Since I can't replicate the problem anymore, I think I will have to give up on the question.  Thank you everyone for your help.
0
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
@RKnebel512 - Thank you for updating us.   .... Thinkpads_User
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now