  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409
  • Last Modified:

Firewall + router setup. Can't ping firewall

Two questions:

1)  Is the attached picture the appropriate way it's supposed to be set up in a production environment?

2)  I can't ping from my PC (192.168.1.81) to my firewall (192.168.0.10).  I do have internet access by doing an "ip route 0.0.0.0 0.0.0.0 192.168.0.10".  Why can't I ping?

I tried to use access control lists, but it didn't seem to work.

Please answer both questions.  Thank you.
Asked by: jkimzlg

2 Solutions
 
Dan CraciunIT ConsultantCommented:
Attached picture?
 
Jan SpringerCommented:
Am I missing something?  I don't see the attachment.
 
jkimzlgAuthor Commented:
My bad... here's the attached pic:
Capture.JPG
 
Jan SpringerCommented:
So, on the firewall do you have a route:

route inside 192.168.0.0 255.255.255.0 192.168.0.3

?

And are your NAT statements allowing 192.168.0.x to NAT?
 
jkimzlgAuthor Commented:
The firewall is NATing the 192.168.0.0/24 network.

I can access the Internet from my PC; I just can't access/ping 192.168.0.10.

If I'm not answering your question, can you be more specific?
 
Jan SpringerCommented:
ICMP by default is off on the firewall.

If you have no inside access list today, add a permit icmp any any and a permit ip any any.
 
jkimzlgAuthor Commented:
From my PC I can ping 192.168.0.3, and from the Cisco 1760 router I can ping 192.168.0.10, so it's not an ICMP issue.
 
Jan SpringerCommented:
What do the firewall logs say?

Or have you tried packet-tracer on the firewall to duplicate the problem?
 
jkimzlgAuthor Commented:
jesper, is this how you would normally see a firewall and a router configured in a production environment?
 
Jan SpringerCommented:
What type of firewall do you have?
 
jkimzlgAuthor Commented:
It's a hardware firewall, a Juniper Netscreen 5GT.
 
Jan SpringerCommented:
When you try to ping the inside interface of the Juniper from your PC, what do the logs on the Juniper show?
 
jkimzlgAuthor Commented:
I think I got it: on my Netscreen 5GT I just added a routing entry for the network 192.168.1.0/24 and it started to work.  jesper, if you could answer my previous question of whether or not this is normally done in a production environment, I'll give you all the points.  Please be as detailed as possible.
 
Jan SpringerCommented:
This is correct.  I had the route statement up above for the incorrect subnet.

You need to route the LAN subnet from the firewall to the router.  From there, the router will know how to handle the packets.
 
jkimzlgAuthor Commented:
Can anyone answer my first question with as much detail as possible?
 
Jan SpringerCommented:
The answer is that the Juniper was not aware of that route (it wasn't being announced, for example, by OSPF between the router and firewall).

So a static route tells the firewall how to reach that subnet.
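The route lookup that Jan describes can be modelled directly. The following is an added example (not code from the thread or from Juniper): a small longest-prefix-match routing table, populated with the addresses given in the thread, that shows where the Netscreen sends its ICMP echo reply to 192.168.1.81 before and after the 192.168.1.0/24 route exists. The upstream gateway 203.0.113.1 is a constructed placeholder, since the thread does not give the firewall's real default next hop.

```python
# Added example, not from the original thread: models the firewall's route
# lookup for its reply to the PC, with and without the static LAN route.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str           # egress interface ("trust" / "untrust")
    gateway: Optional[str]   # next hop, None for a directly connected network


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific matching prefix wins,
        so a /24 beats the 0.0.0.0/0 default route."""
        addr = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)


# Addresses from the thread.  203.0.113.1 is a constructed documentation
# address standing in for the real upstream gateway.
FW_TRUST_IP = "192.168.0.10"
ROUTER_FW_SIDE_IP = "192.168.0.3"
PC_IP = "192.168.1.81"
UPSTREAM_GW = "203.0.113.1"


def firewall_table(with_lan_route: bool) -> RoutingTable:
    """Routing table of the Netscreen as the thread describes it."""
    routes = [
        Route(ipaddress.IPv4Network("192.168.0.0/24"), "trust", None),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "untrust", UPSTREAM_GW),
    ]
    if with_lan_route:
        # The static route the author added: LAN subnet via the 1760 router.
        routes.append(
            Route(ipaddress.IPv4Network("192.168.1.0/24"), "trust", ROUTER_FW_SIDE_IP)
        )
    return RoutingTable(routes)


def echo_reply_next_hop(with_lan_route: bool, pc: str = PC_IP) -> Optional[Tuple[str, Optional[str]]]:
    """(interface, gateway) the firewall uses for its echo reply to `pc`."""
    r = firewall_table(with_lan_route).lookup(pc)
    return None if r is None else (r.interface, r.gateway)


def ping_round_trip_works(with_lan_route: bool, pc: str = PC_IP) -> bool:
    """The request always reaches the firewall (the router default-routes to
    it); the round trip only completes if the reply goes back out the trust
    interface to the router that actually knows 192.168.1.0/24."""
    return echo_reply_next_hop(with_lan_route, pc) == ("trust", ROUTER_FW_SIDE_IP)


if __name__ == "__main__":
    for state in (False, True):
        print(f"LAN route present={state}: reply via {echo_reply_next_hop(state)}, "
              f"ping works={ping_round_trip_works(state)}")
```

Without the route, the only match for 192.168.1.81 is the default route, so the reply is sent toward the untrusted side and never returns to the PC; with the /24 added, longest-prefix match steers it to the 1760. The point worth remembering from a defender's side is that a default route silently absorbs traffic for any internal subnet the firewall has not been told about, so checking the firewall's logs or its packet tracing tool, as Jan suggested, is the quickest way to see the wrong egress interface. On ScreenOS the static route is typically entered as `set route 192.168.1.0/24 interface trust gateway 192.168.0.3`; that syntax is recalled from the ScreenOS CLI and is not quoted from the thread, which does not show the exact command the author used.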
 
jkimzlgAuthor Commented:
Can you please read my first question and not my second?
 
Jan SpringerCommented:
Yes, your hardware configuration is correct.

Outside (untrusted) to the firewall to the inside (trusted).