Adam_Majka
Participant

WAN/LAN ping responding problem

Hi,

I have a CP 4600 r77.30.

I have a server with IP 10.10.10.10/24 and I want to put it on the WAN (create node - NAT - static - WAN IP). Create policy. Now when I ping the server on the LAN (10.10.10.10) it works fine. When I ping it on the WAN it does not respond. After 10-15 sec it starts responding on the WAN IP but does not respond on the LAN IP. If I stop pinging on the WAN, then the LAN IP starts responding after 10-15 sec.

ping LAN responding

ping WAN when lan is responding - not responding

stop pinging LAN, ping WAN, after 10-15 sec WAN starts responding

stop pinging WAN, ping LAN, after 10-15 sec LAN starts responding

Where is the problem?

Sorry for my English.

11 Replies
Danny
Champion

Show us a fw monitor trace of these pings please.

0 Kudos
Jerry
Mentor

As Danny mentioned, that would be the 1st step; the 2nd one, however, would be to understand more about your topology: where are your WAN port and LAN port directly connected (hooked up / plugged into)?

Have you checked your MTU values on your interfaces by any chance?

What about your routes (static?)

Jerry
0 Kudos
Maarten_Sjouw
Champion

Is the NAT IP in the same range as the WAN interface? 

When you type: fw ctl arp, does the NAT IP show up with a MAC address?

From where are you pinging the WAN IP?

Regards, Maarten
0 Kudos
Adam_Majka
Participant

Thanks for the reply.

eth1 : WAN 1 67.59.219.82   255.255.255.248

eth2 : LAN (gateway) 172.12.1.87   255.255.248.0

eth3 : WAN 2 212.169.34.42   255.255.255.248

eth7 : DMZ 10.10.10.1   255.255.255.0

MTU 1500 for all interfaces

I don't need static routes because I don't have any other routers with other addresses in the internal network.

fw ctl arp 


vdsl-67.59.219.87.an.pl (67.59.219.87) at 00-1c-7f-55-ce-cf interface 67.59.219.82
rev-212.169.34.45.an.pl (212.169.34.45) at 00-1c-7f-55-ce-d3 interface 212.169.34.42
(172.12.0.1) at 00-1c-7f-55-ce-d1 interface 172.12.1.87
WAN (67.59.219.83) at 00-1c-7f-55-ce-cf interface 67.59.219.82
vdsl-67.59.219.86.an.pl (67.59.219.86) at 00-1c-7f-55-ce-cf interface 67.59.219.82
rev-212.169.34.44.an.pl (212.169.34.44) at 00-1c-7f-55-ce-d3 interface 212.169.34.42
osticket.domain.local (172.12.1.206) at 00-1c-7f-55-ce-d1 interface 172.12.1.87
rev-212.169.34.43.an.pl (212.169.34.43) at 00-1c-7f-55-ce-d3 interface 212.169.34.42
vdsl-67.59.219.85.an.pl (67.59.219.85) at 00-1c-7f-55-ce-cf interface 67.59.219.82
rev-212.169.34.46.an.pl (212.169.34.46) at 00-1c-7f-55-ce-d3 interface 212.169.34.42
vdsl-67.59.219.84.an.pl (67.59.219.84) at 00-1c-7f-55-ce-cf interface 67.59.219.82

CP> fw monitor -e "accept (dst=10.10.10.10 or dst=67.59.219.85);"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25622
ICMP: type=8 code=0 echo request id=1 seq=5055
[vs_0][fw_0] eth2:I[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25622
ICMP: type=8 code=0 echo request id=1 seq=5055
[vs_0][fw_0] eth7:o[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25622
ICMP: type=8 code=0 echo request id=1 seq=5055
[vs_0][fw_0] eth7:O[60]: 10.10.10.1 -> 10.10.10.10 (ICMP) len=60 id=25622
ICMP: type=8 code=0 echo request id=11777 seq=5055
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25629
ICMP: type=8 code=0 echo request id=1 seq=5056
[vs_0][fw_0] eth2:I[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25629
ICMP: type=8 code=0 echo request id=1 seq=5056
[vs_0][fw_0] eth7:o[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25629
ICMP: type=8 code=0 echo request id=1 seq=5056
[vs_0][fw_0] eth7:O[60]: 10.10.10.1 -> 10.10.10.10 (ICMP) len=60 id=25629
ICMP: type=8 code=0 echo request id=11777 seq=5056
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 67.59.219.85 (ICMP) len=60 id=25637
ICMP: type=8 code=0 echo request id=1 seq=5057
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 67.59.219.85 (ICMP) len=60 id=25661
ICMP: type=8 code=0 echo request id=1 seq=5058
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 67.59.219.85 (ICMP) len=60 id=25722
ICMP: type=8 code=0 echo request id=1 seq=5059
[vs_0][fw_1] eth1:i[60]: 116.31.116.44 -> 67.59.219.85 (TCP) len=60 id=25933
TCP: 51092 -> 22 .S.... seq=ab88c547 ack=00000000
[vs_0][fw_1] eth1:I[60]: 116.31.116.44 -> 10.10.10.10 (TCP) len=60 id=25933
TCP: 51092 -> 22 .S.... seq=ab88c547 ack=00000000
[vs_0][fw_1] eth7:o[60]: 116.31.116.44 -> 10.10.10.10 (TCP) len=60 id=25933
TCP: 51092 -> 22 .S.... seq=ab88c547 ack=00000000
[vs_0][fw_1] eth7:O[60]: 116.31.116.44 -> 10.10.10.10 (TCP) len=60 id=25933
TCP: 51092 -> 22 .S.... seq=ab88c547 ack=00000000
[vs_0][fw_1] eth1:i[52]: 116.31.116.44 -> 67.59.219.85 (TCP) len=52 id=25934
TCP: 51092 -> 22 ....A. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth1:I[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25934
TCP: 51092 -> 22 ....A. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth7:o[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25934
TCP: 51092 -> 22 ....A. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth7:O[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25934
TCP: 51092 -> 22 ....A. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth1:i[67]: 116.31.116.44 -> 67.59.219.85 (TCP) len=67 id=25935
TCP: 51092 -> 22 ...PA. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth1:I[67]: 116.31.116.44 -> 10.10.10.10 (TCP) len=67 id=25935
TCP: 51092 -> 22 ...PA. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth7:o[67]: 116.31.116.44 -> 10.10.10.10 (TCP) len=67 id=25935
TCP: 51092 -> 22 ...PA. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth7:O[67]: 116.31.116.44 -> 10.10.10.10 (TCP) len=67 id=25935
TCP: 51092 -> 22 ...PA. seq=ab88c548 ack=249f57c8
[vs_0][fw_1] eth1:i[52]: 116.31.116.44 -> 67.59.219.85 (TCP) len=52 id=25936
TCP: 51092 -> 22 ....A. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth1:I[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25936
TCP: 51092 -> 22 ....A. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth7:o[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25936
TCP: 51092 -> 22 ....A. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth7:O[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25936
TCP: 51092 -> 22 ....A. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth1:i[700]: 116.31.116.44 -> 67.59.219.85 (TCP) len=700 id=25937
TCP: 51092 -> 22 ...PA. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth1:I[700]: 116.31.116.44 -> 10.10.10.10 (TCP) len=700 id=25937
TCP: 51092 -> 22 ...PA. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth7:o[700]: 116.31.116.44 -> 10.10.10.10 (TCP) len=700 id=25937
TCP: 51092 -> 22 ...PA. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth7:O[700]: 116.31.116.44 -> 10.10.10.10 (TCP) len=700 id=25937
TCP: 51092 -> 22 ...PA. seq=ab88c557 ack=249f57ef
[vs_0][fw_1] eth1:i[52]: 116.31.116.44 -> 67.59.219.85 (TCP) len=52 id=25938
TCP: 51092 -> 22 ....A. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth1:I[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25938
TCP: 51092 -> 22 ....A. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth7:o[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25938
TCP: 51092 -> 22 ....A. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth7:O[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25938
TCP: 51092 -> 22 ....A. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth1:i[324]: 116.31.116.44 -> 67.59.219.85 (TCP) len=324 id=25939
TCP: 51092 -> 22 ...PA. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth1:I[324]: 116.31.116.44 -> 10.10.10.10 (TCP) len=324 id=25939
TCP: 51092 -> 22 ...PA. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth7:o[324]: 116.31.116.44 -> 10.10.10.10 (TCP) len=324 id=25939
TCP: 51092 -> 22 ...PA. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth7:O[324]: 116.31.116.44 -> 10.10.10.10 (TCP) len=324 id=25939
TCP: 51092 -> 22 ...PA. seq=ab88c7df ack=249f5c27
[vs_0][fw_1] eth1:i[52]: 116.31.116.44 -> 67.59.219.85 (TCP) len=52 id=25940
TCP: 51092 -> 22 ....A. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth1:I[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25940
TCP: 51092 -> 22 ....A. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth7:o[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25940
TCP: 51092 -> 22 ....A. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth7:O[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25940
TCP: 51092 -> 22 ....A. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth1:i[68]: 116.31.116.44 -> 67.59.219.85 (TCP) len=68 id=25941
TCP: 51092 -> 22 ...PA. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth1:I[68]: 116.31.116.44 -> 10.10.10.10 (TCP) len=68 id=25941
TCP: 51092 -> 22 ...PA. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth7:o[68]: 116.31.116.44 -> 10.10.10.10 (TCP) len=68 id=25941
TCP: 51092 -> 22 ...PA. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth7:O[68]: 116.31.116.44 -> 10.10.10.10 (TCP) len=68 id=25941
TCP: 51092 -> 22 ...PA. seq=ab88c8ef ack=249f5f77
[vs_0][fw_1] eth1:i[104]: 116.31.116.44 -> 67.59.219.85 (TCP) len=104 id=25942
TCP: 51092 -> 22 ...PA. seq=ab88c8ff ack=249f5f77
[vs_0][fw_1] eth1:I[104]: 116.31.116.44 -> 10.10.10.10 (TCP) len=104 id=25942
TCP: 51092 -> 22 ...PA. seq=ab88c8ff ack=249f5f77
[vs_0][fw_1] eth7:o[104]: 116.31.116.44 -> 10.10.10.10 (TCP) len=104 id=25942
TCP: 51092 -> 22 ...PA. seq=ab88c8ff ack=249f5f77
[vs_0][fw_1] eth7:O[104]: 116.31.116.44 -> 10.10.10.10 (TCP) len=104 id=25942
TCP: 51092 -> 22 ...PA. seq=ab88c8ff ack=249f5f77
[vs_0][fw_1] eth1:i[120]: 116.31.116.44 -> 67.59.219.85 (TCP) len=120 id=25943
TCP: 51092 -> 22 ...PA. seq=ab88c933 ack=249f5fab
[vs_0][fw_1] eth1:I[120]: 116.31.116.44 -> 10.10.10.10 (TCP) len=120 id=25943
TCP: 51092 -> 22 ...PA. seq=ab88c933 ack=249f5fab
[vs_0][fw_1] eth7:o[120]: 116.31.116.44 -> 10.10.10.10 (TCP) len=120 id=25943
TCP: 51092 -> 22 ...PA. seq=ab88c933 ack=249f5fab
[vs_0][fw_1] eth7:O[120]: 116.31.116.44 -> 10.10.10.10 (TCP) len=120 id=25943
TCP: 51092 -> 22 ...PA. seq=ab88c933 ack=249f5fab
[vs_0][fw_1] eth1:i[152]: 116.31.116.44 -> 67.59.219.85 (TCP) len=152 id=25944
TCP: 51092 -> 22 ...PA. seq=ab88c977 ack=249f5fef
[vs_0][fw_1] eth1:I[152]: 116.31.116.44 -> 10.10.10.10 (TCP) len=152 id=25944
TCP: 51092 -> 22 ...PA. seq=ab88c977 ack=249f5fef
[vs_0][fw_1] eth7:o[152]: 116.31.116.44 -> 10.10.10.10 (TCP) len=152 id=25944
TCP: 51092 -> 22 ...PA. seq=ab88c977 ack=249f5fef
[vs_0][fw_1] eth7:O[152]: 116.31.116.44 -> 10.10.10.10 (TCP) len=152 id=25944
TCP: 51092 -> 22 ...PA. seq=ab88c977 ack=249f5fef
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 67.59.219.85 (ICMP) len=60 id=25754
ICMP: type=8 code=0 echo request id=1 seq=5060
[vs_0][fw_1] eth1:i[136]: 116.31.116.44 -> 67.59.219.85 (TCP) len=136 id=25945
TCP: 51092 -> 22 ...PA. seq=ab88c9db ack=249f6033
[vs_0][fw_1] eth1:I[136]: 116.31.116.44 -> 10.10.10.10 (TCP) len=136 id=25945
TCP: 51092 -> 22 ...PA. seq=ab88c9db ack=249f6033
[vs_0][fw_1] eth7:o[136]: 116.31.116.44 -> 10.10.10.10 (TCP) len=136 id=25945
TCP: 51092 -> 22 ...PA. seq=ab88c9db ack=249f6033
[vs_0][fw_1] eth7:O[136]: 116.31.116.44 -> 10.10.10.10 (TCP) len=136 id=25945
TCP: 51092 -> 22 ...PA. seq=ab88c9db ack=249f6033
[vs_0][fw_1] eth1:i[136]: 116.31.116.44 -> 67.59.219.85 (TCP) len=136 id=25946
TCP: 51092 -> 22 ...PA. seq=ab88ca2f ack=249f6077
[vs_0][fw_1] eth1:I[136]: 116.31.116.44 -> 10.10.10.10 (TCP) len=136 id=25946
TCP: 51092 -> 22 ...PA. seq=ab88ca2f ack=249f6077
[vs_0][fw_1] eth7:o[136]: 116.31.116.44 -> 10.10.10.10 (TCP) len=136 id=25946
TCP: 51092 -> 22 ...PA. seq=ab88ca2f ack=249f6077
[vs_0][fw_1] eth7:O[136]: 116.31.116.44 -> 10.10.10.10 (TCP) len=136 id=25946
TCP: 51092 -> 22 ...PA. seq=ab88ca2f ack=249f6077
[vs_0][fw_1] eth1:i[104]: 116.31.116.44 -> 67.59.219.85 (TCP) len=104 id=25947
TCP: 51092 -> 22 ...PA. seq=ab88ca83 ack=249f60bb
[vs_0][fw_1] eth1:I[104]: 116.31.116.44 -> 10.10.10.10 (TCP) len=104 id=25947
TCP: 51092 -> 22 ...PA. seq=ab88ca83 ack=249f60bb
[vs_0][fw_1] eth7:o[104]: 116.31.116.44 -> 10.10.10.10 (TCP) len=104 id=25947
TCP: 51092 -> 22 ...PA. seq=ab88ca83 ack=249f60bb
[vs_0][fw_1] eth7:O[104]: 116.31.116.44 -> 10.10.10.10 (TCP) len=104 id=25947
TCP: 51092 -> 22 ...PA. seq=ab88ca83 ack=249f60bb
[vs_0][fw_1] eth1:i[52]: 116.31.116.44 -> 67.59.219.85 (TCP) len=52 id=25948
TCP: 51092 -> 22 F...A. seq=ab88cab7 ack=249f60bb
[vs_0][fw_1] eth1:I[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25948
TCP: 51092 -> 22 F...A. seq=ab88cab7 ack=249f60bb
[vs_0][fw_1] eth7:o[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25948
TCP: 51092 -> 22 F...A. seq=ab88cab7 ack=249f60bb
[vs_0][fw_1] eth7:O[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25948
TCP: 51092 -> 22 F...A. seq=ab88cab7 ack=249f60bb
[vs_0][fw_1] eth1:i[52]: 116.31.116.44 -> 67.59.219.85 (TCP) len=52 id=25949
TCP: 51092 -> 22 ....A. seq=ab88cab8 ack=249f60bc
[vs_0][fw_1] eth1:I[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25949
TCP: 51092 -> 22 ....A. seq=ab88cab8 ack=249f60bc
[vs_0][fw_1] eth7:o[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25949
TCP: 51092 -> 22 ....A. seq=ab88cab8 ack=249f60bc
[vs_0][fw_1] eth7:O[52]: 116.31.116.44 -> 10.10.10.10 (TCP) len=52 id=25949
TCP: 51092 -> 22 ....A. seq=ab88cab8 ack=249f60bc
monitor: caught sig 2
monitor: unloading

0 Kudos
Jerry
Mentor

"I don't need static routes because I don't have any other routers with other addresses in the internal network." ??? Can you clarify please ??? I'm lost now.

Jerry
0 Kudos
Adam_Majka
Participant

I mean only default routes.

dest - default | next hop - normal | rank - 60 | gateways - eth1, eth3

0 Kudos
Jerry
Mentor

Show us one thing, Adam:

- show configuration static-route (clish)

- show configuration interface (clish) - hide real IPs.

Jerry
0 Kudos
Maarten_Sjouw
Champion

Keep in mind that when you do a ping from the network the host is connected to, you will always get the untranslated packet back.

What do I mean by that?

You have a NAT setup for a host with IP 10.10.10.10 and you ping it from another host with 10.10.10.11 --> works fine.

Now you ping the NAT address: the packet will go to the FW and will be returned to the same network, but still with the same source. The return traffic will never go back to the FW, as the source is now in the same network, and the ping is not recognized as it still has the real IPs, not the NAT IP.

Your FW Monitor shows SSH working just fine by the way.

Regards, Maarten
0 Kudos
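
Added example, not from any poster in the thread and not Check Point code: a Python parser for the fw monitor output format shown in the trace above. It groups lines by protocol and IP id and reports which of the four capture points (i, I, o, O: pre-inbound, post-inbound, pre-outbound, post-outbound) each packet reached and whether its addresses were rewritten. The function names and the grouping key are assumptions of this example; the sample lines are copied from the posted trace.

```python
import re

# Lines copied from the fw monitor trace posted in the thread (one detail line kept).
SAMPLE = """\
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25622
ICMP: type=8 code=0 echo request id=1 seq=5055
[vs_0][fw_0] eth2:I[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25622
[vs_0][fw_0] eth7:o[60]: 172.12.7.60 -> 10.10.10.10 (ICMP) len=60 id=25622
[vs_0][fw_0] eth7:O[60]: 10.10.10.1 -> 10.10.10.10 (ICMP) len=60 id=25622
[vs_0][fw_0] eth2:i[60]: 172.12.7.60 -> 67.59.219.85 (ICMP) len=60 id=25637
[vs_0][fw_1] eth1:i[60]: 116.31.116.44 -> 67.59.219.85 (TCP) len=60 id=25933
[vs_0][fw_1] eth1:I[60]: 116.31.116.44 -> 10.10.10.10 (TCP) len=60 id=25933
[vs_0][fw_1] eth7:o[60]: 116.31.116.44 -> 10.10.10.10 (TCP) len=60 id=25933
[vs_0][fw_1] eth7:O[60]: 116.31.116.44 -> 10.10.10.10 (TCP) len=60 id=25933
"""

HOP = re.compile(
    r"\[vs_\d+\]\[fw_\d+\] (?P<ifc>\S+):(?P<pt>[iIoO])\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<ipid>\d+)"
)

def trace_packets(text):
    """Group hop lines by (protocol, IP id); the IP id survives NAT, the addresses do not."""
    packets = {}
    for line in text.splitlines():
        m = HOP.match(line.strip())
        if not m:
            continue  # protocol detail line or monitor status message
        p = packets.setdefault((m["proto"], m["ipid"]), {"points": "", "hops": []})
        p["points"] += m["pt"]
        p["hops"].append((m["src"], m["dst"]))
    return packets

def summarize(text):
    """Per packet: capture points reached, whether it left the gateway, any rewrite."""
    rows = []
    for (proto, ipid), p in trace_packets(text).items():
        (src0, dst0), (src1, dst1) = p["hops"][0], p["hops"][-1]
        rows.append({"proto": proto, "ipid": ipid, "points": p["points"],
                     "left_gateway": p["points"].endswith("O"),
                     "src_nat": src0 != src1, "dst_nat": dst0 != dst1,
                     "orig": (src0, dst0), "final": (src1, dst1)})
    return rows

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["proto"], r["ipid"], r["points"], r["orig"], "->", r["final"],
              "left gateway" if r["left_gateway"] else "seen only up to " + r["points"][-1])
```

IP ids are 16-bit and repeat in long captures, so split a large trace into short windows before grouping on them.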
Vladimir
Champion

Do you have two manual NAT rules created on top of your NAT policy for:

LAN---DMZ---Any; Original, Original, Original

DMZ---LAN---Any; Original, Original, Original

?

0 Kudos
Adam_Majka
Participant

No, I don't.

There are automatic NAT rules only.

0 Kudos
Vladimir
Champion

Well then, I suggest for you to add those and see if it'll change the behavior to your satisfaction.
