Solved

Firewall + router setup.  Can't ping firewall

Posted on 2014-01-27
18
403 Views
Last Modified: 2014-01-28
Two questions?

1)  Is the attached picture the appropriate way it's supposed to be setup in a production environment?  

2)  I can't ping from my pc (192.168.1.81) to my firewall (192.168.0.10).  I do have internet access by doing a "ip route 0.0.0.0 0.0.0.0 192.168.0.10"  Why can't I ping?

I tried to use access control lists but it didn't seem to work

Please answer both questions.  Thank you.
0
Comment
Question by:jkimzlg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 8
18 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39812649
attached picture?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39812650
am i missing something?  i don't see the attachment.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813122
my bad... here's the attached pic...
Capture.JPG
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 28

Expert Comment

by:Jan Springer
ID: 39813168
So, on the firewall do you have a route:

route inside 192.168.0.0 255.255.255.0 192.168.0.3

?

And are your NAT statements allowing 192.168.0.x to NAT?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813207
the firewall is NATing the 192.168.0.0/24 network.

I can access the Internet from my pc I just can't access/ping 192.168.0.10

if I'm not answering your question can you be more specific.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39813221
icmp by default is off on the firewall.

if you have no inside access list today, add a permit icmp any any and a permit ip any any.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813266
from my pc I can ping 192.168.0.3, from the cisco 1760 router I can ping 192.168.0.10, so it's not an icmp issue.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39813288
what do the firewall logs say?

or have you tried packet-tracer on the firewall to duplicate the problem?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813390
jesper, is this how you would normally see a firewall and a router configured in a production environment?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39813414
what type of firewall do you have?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813430
it's a hardware firewall, Juniper Netscreen 5gt
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39813448
when you try to ping the inside interface of the juniper from your PC, what do the logs on the juniper show?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813489
I think I got it, on my Netscreen 5gt I just added a routing entry for the network 192.168.1.0/24 and it started to work.  jesper, if you could answer my previous question of whether of not this is normally done on a production environment, I'll give you all the points.  Please be as detailed as possible.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39813506
this is correct.  i had the route statement up above for the incorrect subnet.

you need to route the LAN subnet from the firewall to the router.  from there, the router will know how to handle the packets.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813857
can anyone answer my first question with as much detail as possible?
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 39814980
the answer is that the juniper was not aware of that route (it wasn't being announced, for example, by OSPF between the router and firewall).

so, a static route, tells the firewall how to reach that subnet.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39815226
can u pls. read my first question and not my second?
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 500 total points
ID: 39815242
Yes, your hardware configuration is correct.

Outside (untrusted) to the firewall to the inside (trusted).
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ACL deny / Permit 10 55
no PBR recursive or PBR 9 25
Extended ping 6 52
DVR Camera Security System Port Forwading 7 64
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question