This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ravinder_gulia
Participant
‎2019-04-18 02:46 AM

Connectivity Issue

Hi All

Can we ping any PC directly connected to SG?

 

Connectivity:

SG----->Router(192.168.116.200)----Local Network---->PC(192.168.116.1)

 

Not able to ping PC from SG, But getting ping from SG to Router Local network Gateway IP 192.168.116.200. Why?

As able to reach local network gateway, then why not getting Ping from local PC.

Please suggest how can achieve this.

What have to do for this

 

0 Kudos
9 Replies
Nick_Doropoulos
Advisor
‎2019-04-18 05:46 AM

topology.PNG

 

Hi Ravinder,

Assuming your topology resembles the one above, I would say that all you need to do is to add a route on your gateway.

In Clish: 

set static-route 192.168.116.0/24 nexthop gateway address [ip-address-of-router-residing on the same subnet as your firewall] priority 1 on

save config

ping 192.168.116.1

I hope this helps.

0 Kudos
Daniel_Taney
Advisor
‎2019-04-18 07:25 AM
In response to Nick_Doropoulos

I would also recommend checking logs to make sure ICMP isn't being dropped for some reason. Depending on your Global Properties and/or Access Policy, you may need a rule explicitly allowing this. You may have some drop rule dropping it.

You may also want to look for Anti-Spoofing events in your logs if your Topology isn't defined properly and the GW thinks the remote network on the other side of the router is spoofing. (Doubtful if other traffic isn't getting blocked, but might be worth a quick check)

R80 CCSA / CCSE
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-04-18 11:17 AM
In response to Nick_Doropoulos

What is the default route on the PC? Is that 192.168.116.200 then it should work unless the FW won't allow it, also keep in mind that the Windows Firewall also blocks incoming Ping for any non RFC1918 address.
Can you ping the IP of the FW from the PC?
Regards, Maarten
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-04-18 01:01 PM
In response to Nick_Doropoulos

Whitch network is between SG and router?

Ping from SG to router in this network

                                                     .200                               ,1

SG <------------------> Router <---------------------> PC

        Network???                           192.168.116.0/24

 

1) check the rulebase - src:SG dst: 192.168.116.200 service: icmp request/replay

2) if you ping 192.168.116.200 you need a route on the router to the firewall for "Network???". Otherwise you have to ping the interface of the router in the network "Network???".

3) check IP spoofing on the firewall for network 192.168.116.0/24

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
ravinder_gulia
Participant
‎2019-04-21 10:27 PM
In response to Nick_Doropoulos

Hi Nicholas

Static route already added, that's why  am able to ping Router Gateway 192.168.116.200. But The system IP not pining.

 

Regards

Ravinder Gulia

 

0 Kudos
Nick_Doropoulos
Advisor
‎2019-04-22 12:17 AM
In response to ravinder_gulia

Hi Ravinder,

Could you tell us what is the IP address of the Router's interface that is on the same subnet as the Check Point firewall?

Many thanks.

0 Kudos
ravinder_gulia
Participant
‎2019-04-23 12:31 AM
In response to Nick_Doropoulos

Hi 

That's the topology for this network. Route added at Firewall for the 192.168.116.0 Network and all services allowed in Policy.

Getting ping response on firewall from Router 192.168.116.200 but not from PC IP.

Firewall(172.100.71.9)----------->(172.100.71.10)Router(192.168.116.200)------------->PC(192.168.116.1)

0 Kudos
_Val_
Admin
Admin
‎2019-04-23 12:19 AM

Do you have implied or explicit rules allowing ICMP to the GW? If not, please add.

0 Kudos
ravinder_gulia
Participant
‎2019-04-23 12:35 AM
In response to _Val_

Hi

will check for the implied rule to allow ICMP. and for explicit rule  have made ANY ANY ANY Allow rule.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top