Re: Connectivity Issue

ravinder_gulia · ‎2019-04-18

Hi All

Can we ping any PC directly connected to SG?

Connectivity:

SG----->Router(192.168.116.200)----Local Network---->PC(192.168.116.1)

Not able to ping PC from SG, But getting ping from SG to Router Local network Gateway IP 192.168.116.200. Why?

As able to reach local network gateway, then why not getting Ping from local PC.

Please suggest how can achieve this.

What have to do for this

Nick_Doropoulos · ‎2019-04-18

Hi Ravinder,

Assuming your topology resembles the one above, I would say that all you need to do is to add a route on your gateway.

In Clish:

set static-route 192.168.116.0/24 nexthop gateway address [ip-address-of-router-residing on the same subnet as your firewall] priority 1 on

save config

ping 192.168.116.1

I hope this helps.

Daniel_Taney · ‎2019-04-18

I would also recommend checking logs to make sure ICMP isn't being dropped for some reason. Depending on your Global Properties and/or Access Policy, you may need a rule explicitly allowing this. You may have some drop rule dropping it.

You may also want to look for Anti-Spoofing events in your logs if your Topology isn't defined properly and the GW thinks the remote network on the other side of the router is spoofing. (Doubtful if other traffic isn't getting blocked, but might be worth a quick check)

R80 CCSA / CCSE

Maarten_Sjouw · ‎2019-04-18

What is the default route on the PC? Is that 192.168.116.200 then it should work unless the FW won't allow it, also keep in mind that the Windows Firewall also blocks incoming Ping for any non RFC1918 address.
Can you ping the IP of the FW from the PC?

Regards, Maarten

HeikoAnkenbrand · ‎2019-04-18

Whitch network is between SG and router?

Ping from SG to router in this network

.200 ,1

SG <------------------> Router <---------------------> PC

Network??? 192.168.116.0/24

1) check the rulebase - src:SG dst: 192.168.116.200 service: icmp request/replay

2) if you ping 192.168.116.200 you need a route on the router to the firewall for "Network???". Otherwise you have to ping the interface of the router in the network "Network???".

3) check IP spoofing on the firewall for network 192.168.116.0/24

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

ravinder_gulia · ‎2019-04-21

Hi Nicholas

Static route already added, that's why am able to ping Router Gateway 192.168.116.200. But The system IP not pining.

Regards

Ravinder Gulia

Nick_Doropoulos · ‎2019-04-22

Hi Ravinder,

Could you tell us what is the IP address of the Router's interface that is on the same subnet as the Check Point firewall?

Many thanks.

ravinder_gulia · ‎2019-04-23

Hi

That's the topology for this network. Route added at Firewall for the 192.168.116.0 Network and all services allowed in Policy.

Getting ping response on firewall from Router 192.168.116.200 but not from PC IP.

Firewall(172.100.71.9)----------->(172.100.71.10)Router(192.168.116.200)------------->PC(192.168.116.1)

_Val_ · ‎2019-04-23

Do you have implied or explicit rules allowing ICMP to the GW? If not, please add.

ravinder_gulia · ‎2019-04-23

Hi

will check for the implied rule to allow ICMP. and for explicit rule have made ANY ANY ANY Allow rule.

Are you a member of CheckMates?

Connectivity Issue