Improve company productivity with a Business Account.Sign Up

x
?
Solved

Firewall + router setup.  Can't ping firewall

Posted on 2014-01-27
18
Medium Priority
?
413 Views
Last Modified: 2014-01-28
Two questions?

1)  Is the attached picture the appropriate way it's supposed to be setup in a production environment?  

2)  I can't ping from my pc (192.168.1.81) to my firewall (192.168.0.10).  I do have internet access by doing a "ip route 0.0.0.0 0.0.0.0 192.168.0.10"  Why can't I ping?

I tried to use access control lists but it didn't seem to work

Please answer both questions.  Thank you.
0
Comment
Question by:jkimzlg
  • 9
  • 8
18 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39812649
attached picture?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39812650
am i missing something?  i don't see the attachment.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813122
my bad... here's the attached pic...
Capture.JPG
0
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813168
So, on the firewall do you have a route:

route inside 192.168.0.0 255.255.255.0 192.168.0.3

?

And are your NAT statements allowing 192.168.0.x to NAT?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813207
the firewall is NATing the 192.168.0.0/24 network.

I can access the Internet from my pc I just can't access/ping 192.168.0.10

if I'm not answering your question can you be more specific.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813221
icmp by default is off on the firewall.

if you have no inside access list today, add a permit icmp any any and a permit ip any any.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813266
from my pc I can ping 192.168.0.3, from the cisco 1760 router I can ping 192.168.0.10, so it's not an icmp issue.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813288
what do the firewall logs say?

or have you tried packet-tracer on the firewall to duplicate the problem?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813390
jesper, is this how you would normally see a firewall and a router configured in a production environment?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813414
what type of firewall do you have?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813430
it's a hardware firewall, Juniper Netscreen 5gt
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813448
when you try to ping the inside interface of the juniper from your PC, what do the logs on the juniper show?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813489
I think I got it, on my Netscreen 5gt I just added a routing entry for the network 192.168.1.0/24 and it started to work.  jesper, if you could answer my previous question of whether of not this is normally done on a production environment, I'll give you all the points.  Please be as detailed as possible.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813506
this is correct.  i had the route statement up above for the incorrect subnet.

you need to route the LAN subnet from the firewall to the router.  from there, the router will know how to handle the packets.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813857
can anyone answer my first question with as much detail as possible?
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 39814980
the answer is that the juniper was not aware of that route (it wasn't being announced, for example, by OSPF between the router and firewall).

so, a static route, tells the firewall how to reach that subnet.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39815226
can u pls. read my first question and not my second?
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 2000 total points
ID: 39815242
Yes, your hardware configuration is correct.

Outside (untrusted) to the firewall to the inside (trusted).
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
This article is about building a VRF-Aware site to site VPN tunnels in Cisco CSR1000V router with IOS XE. There are two VRF-Aware Policy Based IPsec VPN tunnels configured on CSR1000V router one with NAT and another without NAT.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question