Solved

Firewall + router setup.  Can't ping firewall

Posted on 2014-01-27
405 Views
Last Modified: 2014-01-28
Two questions:

1)  Is the attached picture the appropriate way it's supposed to be setup in a production environment?  

2)  I can't ping from my pc (192.168.1.81) to my firewall (192.168.0.10).  I do have Internet access by doing an "ip route 0.0.0.0 0.0.0.0 192.168.0.10".  Why can't I ping?

I tried to use access control lists, but it didn't seem to work.

Please answer both questions.  Thank you.
0
Question by:jkimzlg
18 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39812649
attached picture?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39812650
am i missing something?  i don't see the attachment.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813122
my bad... here's the attached pic...
Capture.JPG
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813168
So, on the firewall do you have a route:

route inside 192.168.0.0 255.255.255.0 192.168.0.3

?

And are your NAT statements allowing 192.168.0.x to NAT?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813207
the firewall is NATing the 192.168.0.0/24 network.

I can access the Internet from my pc I just can't access/ping 192.168.0.10

If I'm not answering your question, can you be more specific?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813221
icmp by default is off on the firewall.

if you have no inside access list today, add a permit icmp any any and a permit ip any any.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813266
from my pc I can ping 192.168.0.3, from the cisco 1760 router I can ping 192.168.0.10, so it's not an icmp issue.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813288
what do the firewall logs say?

or have you tried packet-tracer on the firewall to duplicate the problem?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813390
jesper, is this how you would normally see a firewall and a router configured in a production environment?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813414
what type of firewall do you have?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813430
it's a hardware firewall, Juniper Netscreen 5gt
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813448
when you try to ping the inside interface of the juniper from your PC, what do the logs on the juniper show?
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813489
I think I got it, on my Netscreen 5gt I just added a routing entry for the network 192.168.1.0/24 and it started to work.  jesper, if you could answer my previous question of whether or not this is normally done in a production environment, I'll give you all the points.  Please be as detailed as possible.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813506
this is correct.  i had the route statement up above for the incorrect subnet.

you need to route the LAN subnet from the firewall to the router.  from there, the router will know how to handle the packets.
0
 
LVL 1

Author Comment

by:jkimzlg
ID: 39813857
can anyone answer my first question with as much detail as possible?
0
 
LVL 29

Accepted Solution

by:Jan Springer (earned 500 total points)
ID: 39814980
the answer is that the juniper was not aware of that route (it wasn't being announced, for example, by OSPF between the router and firewall).

So a static route tells the firewall how to reach that subnet.
0
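The failure described in this thread (the PC can reach the router and the router can reach the firewall, yet the PC's ping gets no reply until a static route for 192.168.1.0/24 is added on the NetScreen) is a routing-table problem, and it can be reproduced with a small longest-prefix-match simulation. The following is an added example, not anything posted in the thread and not ScreenOS or IOS code: the addresses (192.168.1.81, 192.168.0.3, 192.168.0.10) and the router's default route come from the question, while the interface names and the ISP next hop are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]  # None means directly connected


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add(self, prefix: str, interface: str, gateway: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, gateway))

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


PC = "192.168.1.81"              # from the thread
ROUTER_OUTSIDE = "192.168.0.3"   # from the thread: the 1760's address facing the firewall
FIREWALL_TRUST = "192.168.0.10"  # from the thread: the NetScreen inside (trust) interface


def build_topology(firewall_has_lan_route: bool) -> Tuple[Fib, Fib]:
    """Build the router and firewall tables. Interface names and the ISP
    next hop are assumptions, not values from the thread."""
    router = Fib("cisco-1760")
    router.add("192.168.1.0/24", "Fa0/1")              # LAN, connected (assumed name)
    router.add("192.168.0.0/24", "Fa0/0")              # link to the firewall, connected
    router.add("0.0.0.0/0", "Fa0/0", FIREWALL_TRUST)   # ip route 0.0.0.0 0.0.0.0 192.168.0.10

    firewall = Fib("netscreen-5gt")
    firewall.add("192.168.0.0/24", "trust")            # connected
    firewall.add("0.0.0.0/0", "untrust", "ISP_GATEWAY_PLACEHOLDER")  # assumed default route
    if firewall_has_lan_route:
        # The fix from the thread: a static route for the LAN subnet via the router.
        firewall.add("192.168.1.0/24", "trust", ROUTER_OUTSIDE)
    return router, firewall


def ping_round_trip(router: Fib, firewall: Fib) -> Tuple[bool, List[str]]:
    """Trace an ICMP echo request from the PC to the firewall and the reply back.
    Returns (reply_reaches_pc, human-readable trace)."""
    trace: List[str] = []

    # Echo request: the PC's default gateway is the router, which has the firewall's subnet connected.
    fwd = router.lookup(FIREWALL_TRUST)
    if fwd is None:
        trace.append(f"{router.name}: no route to {FIREWALL_TRUST}, request dropped")
        return False, trace
    trace.append(f"{router.name}: {FIREWALL_TRUST} via {fwd.interface} "
                 f"({'connected' if fwd.gateway is None else fwd.gateway})")

    # Echo reply: the firewall must have a route back to 192.168.1.0/24.
    rev = firewall.lookup(PC)
    if rev is None:
        trace.append(f"{firewall.name}: no route to {PC}, reply dropped")
        return False, trace
    trace.append(f"{firewall.name}: {PC} via {rev.interface} "
                 f"({'connected' if rev.gateway is None else rev.gateway})")
    if rev.interface != "trust" or rev.gateway != ROUTER_OUTSIDE:
        # Only the default route matched, so the reply goes toward the ISP, not the LAN.
        trace.append(f"{firewall.name}: reply leaves via {rev.interface}, never reaches the LAN")
        return False, trace

    # The router receives the reply and delivers it on its connected LAN interface.
    last = router.lookup(PC)
    ok = last is not None and last.gateway is None
    trace.append(f"{router.name}: {PC} "
                 f"{'delivered on ' + last.interface if ok else 'not deliverable'}")
    return ok, trace


if __name__ == "__main__":
    for has_route in (False, True):
        ok, steps = ping_round_trip(*build_topology(has_route))
        print(f"firewall static route present={has_route}: reply reaches PC={ok}")
        for step in steps:
            print("   ", step)
```

Running it shows the asymmetry behind the thread: the request always reaches the firewall, because the router has 192.168.0.0/24 directly connected, but without the static route the firewall's only match for 192.168.1.81 is its default route, so the reply is sent out the untrust side and is never seen on the LAN. The PC-to-router and router-to-firewall pings in the thread succeed because each of those endpoints sits on a directly connected subnet of the device answering. A useful check when a device stops responding: look up the source address of the unanswered packet in the responding device's routing table before assuming the problem is a filter.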
 
LVL 1

Author Comment

by:jkimzlg
ID: 39815226
Can you please read my first question and not my second?
0
 
LVL 29

Assisted Solution

by:Jan Springer (earned 500 total points)
ID: 39815242
Yes, your hardware configuration is correct.

Outside (untrusted) to the firewall to the inside (trusted).
0
