Solved

Firewall + router setup.  Can't ping firewall

Posted on 2014-01-27
Last Modified: 2014-01-28
Two questions?

1)  Is the attached picture the appropriate way it's supposed to be set up in a production environment?  

2)  I can't ping from my pc (192.168.1.81) to my firewall (192.168.0.10).  I do have internet access by doing a "ip route 0.0.0.0 0.0.0.0 192.168.0.10"  Why can't I ping?

I tried to use access control lists but it didn't seem to work

Please answer both questions.  Thank you.
0
Question by:jkimzlg
18 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
attached picture?
0
 
LVL 28

Expert Comment

by:Jan Springer
am i missing something?  i don't see the attachment.
0
 
LVL 1

Author Comment

by:jkimzlg
my bad... here's the attached pic...
Capture.JPG
0
 
LVL 28

Expert Comment

by:Jan Springer
So, on the firewall do you have a route:

route inside 192.168.0.0 255.255.255.0 192.168.0.3

?

And are your NAT statements allowing 192.168.0.x to NAT?
0
 
LVL 1

Author Comment

by:jkimzlg
the firewall is NATing the 192.168.0.0/24 network.

I can access the Internet from my pc I just can't access/ping 192.168.0.10

if I'm not answering your question can you be more specific.
0
 
LVL 28

Expert Comment

by:Jan Springer
icmp by default is off on the firewall.

if you have no inside access list today, add a permit icmp any any and a permit ip any any.
0
 
LVL 1

Author Comment

by:jkimzlg
from my pc I can ping 192.168.0.3, from the cisco 1760 router I can ping 192.168.0.10, so it's not an icmp issue.
0
 
LVL 28

Expert Comment

by:Jan Springer
what do the firewall logs say?

or have you tried packet-tracer on the firewall to duplicate the problem?
0
 
LVL 1

Author Comment

by:jkimzlg
jesper, is this how you would normally see a firewall and a router configured in a production environment?
0

 
LVL 28

Expert Comment

by:Jan Springer
what type of firewall do you have?
0
 
LVL 1

Author Comment

by:jkimzlg
it's a hardware firewall, Juniper Netscreen 5gt
0
 
LVL 28

Expert Comment

by:Jan Springer
when you try to ping the inside interface of the juniper from your PC, what do the logs on the juniper show?
0
 
LVL 1

Author Comment

by:jkimzlg
I think I got it, on my Netscreen 5gt I just added a routing entry for the network 192.168.1.0/24 and it started to work.  jesper, if you could answer my previous question of whether or not this is normally done on a production environment, I'll give you all the points.  Please be as detailed as possible.
0
 
LVL 28

Expert Comment

by:Jan Springer
this is correct.  i had the route statement up above for the incorrect subnet.

you need to route the LAN subnet from the firewall to the router.  from there, the router will know how to handle the packets.
0
 
LVL 1

Author Comment

by:jkimzlg
can anyone answer my first question with as much detail as possible?
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
the answer is that the juniper was not aware of that route (it wasn't being announced, for example, by OSPF between the router and firewall).

so, a static route tells the firewall how to reach that subnet.
0
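The routing gap described in this answer, as an added example that is not part of the original thread: a longest-prefix-match lookup over a constructed firewall routing table, showing where the echo reply to 192.168.1.81 is sent before and after the static route, plus a check that flags inside subnets with no return route. The interface names `trust`/`untrust`, the default gateway 203.0.113.1, and 192.168.0.3 as the router's firewall-side address are assumptions.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the (prefix, next_hop, interface) row or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)

# Constructed firewall routing table before the fix (assumed values).
FW_BEFORE = [
    ("192.168.0.0/24", None, "trust"),         # connected firewall/router segment
    ("0.0.0.0/0", "203.0.113.1", "untrust"),   # default route (placeholder gateway)
]
# The same table with the static route for the LAN behind the router.
FW_AFTER = FW_BEFORE + [("192.168.1.0/24", "192.168.0.3", "trust")]

def reply_path(table, pc="192.168.1.81"):
    """Describe where the firewall sends a packet addressed to the PC."""
    route = lookup(table, pc)
    if route is None:
        return "dropped: no route"
    prefix, next_hop, interface = route
    return f"{interface} via {next_hop or 'connected'} ({prefix})"

def missing_return_routes(table, inside_subnets, inside_if="trust"):
    """List inside subnets whose traffic would not leave via the inside interface."""
    missing = []
    for subnet in inside_subnets:
        first_host = next(ipaddress.ip_network(subnet).hosts())
        route = lookup(table, str(first_host))
        if route is None or route[2] != inside_if:
            missing.append(subnet)
    return missing

if __name__ == "__main__":
    lans = ["192.168.0.0/24", "192.168.1.0/24"]
    print("before:", reply_path(FW_BEFORE), missing_return_routes(FW_BEFORE, lans))
    print("after: ", reply_path(FW_AFTER), missing_return_routes(FW_AFTER, lans))
```
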
 
LVL 1

Author Comment

by:jkimzlg
can u pls. read my first question and not my second?
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 500 total points
Yes, your hardware configuration is correct.

Outside (untrusted) to the firewall to the inside (trusted).
0
