Participant

Unable to ping Checkpoint Gateway ip from gns3 router

Hello,

 

Any help/suggestion is appreciated.

I am new to Checkpoint and have started learning. I am trying to set up a lab for this in VMware. I am almost done. The problem is I am unable to ping the Checkpoint Gateway IP from the GNS3 router or vice versa. Both share the same VMnet adapter (subnet). I can see the logs but am unable to ping. Tried many things but no luck.

 

Please help

However I am able to ping Checkpoint gateway from Checkpoint Manager.

ping from manager to gatewayJPG.JPG

Logs

logs.JPG

 

 

Topology

topology.JPG

 

 

VMnet adapter Setting

vmnet setting.JPG

 

policy.JPG

r1 unable to ping.JPG

 

Thanks

 

 

 

14 Replies
Admin

Does the router in gns3 have a route configured for the 192.168.197 subnet?
Participant

Hello PhoneBoy,

Thanks for replying. Yes, a default route is present in the GNS3 router. Although it is a directly connected network, it should ping even if there is no route.
Participant

Hi,

Yes, the GNS3 router has a default route. Although this is a directly connected network, even without a default route it should ping.

 

Thanks

Participant

Please suggest ..

 

Thanks

0 Kudos
Reply

Could you show what you have configured in Network Management settings of the gateway and what are the general settings of both interfaces from SmartConsole?

Participant

Hello,

Please find the setting below

 

Checkpoint gateway interface eth0 IP, which goes to the Checkpoint manager

Checkpoint gateway eth0 ip

Checkpoint gateway eth1 IP, which goes to the GNS3 router

Checkpoint gateway eth1 ip

Ping from Checkpoint manager CLI

ping from manager to gateway

Checkpoint manager interface eth0 IP, which is connected to the gateway

Checkpoint Manager eth0 ip

Ping from local PC to gateway and manager: unable to ping gateway but can ping manager int IP

My PC IP is 192.168.0.7/24

unable to ping checkpt gateway but can ping manager ip

Gateway VMnet network adapter setting

vmnet setting of checkpoint gateway

Manager VMnet network adapter setting

Vmnet setting of Checkpoint manager

VMnet network setting

VMware network setting

 

Please let me know what I can do to run the whole setup. I tried disabling Windows firewall but no luck. I also want connectivity from the gateway to the GNS3 router. I am using a cloud (vmnet1 to router interface Gi0) to connect the GNS3 router to the Checkpoint gateway. Please suggest.

Thanks.

 

Admin

The endpoints need to know how to route traffic to each other.
What is the precise routing table on:

1. Your management VM (the one at 192.168.0.10)--get that with the command route print. There needs to be a route for 192.168.197.0/24 in there somewhere.
2. Your gns3 router--refer to the appropriate documentation. There needs to be a route in there for 192.168.0.0/24.

If either end is missing the correct route, then you will not be able to ping.
Participant

Even though the GNS3 router has a default route towards the gateway, it cannot ping the directly connected network (192.168.197.x/24). I have posted all snaps. I have also allowed policy from router to gateway on SmartConsole. Not sure what's missing.. 😥😔

 

Thanks.

Admin

If you do a tcpdump on the gateway interface facing the gns3, what do you see?
Explorer

Run the below command on the gateway and try to ping.

gateway> fw unloadlocal

 

Champion

Is the IP address of the GNS3 router 192.168.197.52 or 192.168.197.152? Your diagram says .52 but your rule allowing ICMP says .152. Assuming that is not the problem, from GNS3 try to ping the firewall at .151, then immediately display the ARP cache on the GNS3 router. Is the GNS3 router able to successfully map a MAC address to the firewall's IP address .151? If yes, the firewall is blocking it (probably due to the typo in your rulebase, but you can run fw ctl zdebug drop on the firewall and try the ping again to see why it is being dropped otherwise). If no MAC address is shown with the firewall's IP address on the GNS3 router, you have a connectivity problem (or an IP configuration problem) between the GNS3 router and the firewall in VMware.

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
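
The triage order from the reply above, written out as an added example (not code from the thread or from Check Point). It assumes the GNS3 router prints a Cisco IOS-style ARP table; the sample tables, MAC addresses and the `arp_lookup`/`triage` names are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples in the style of Cisco IOS "show ip arp" output
# (assumption: the GNS3 router runs IOS). The MAC addresses are made up.
ARP_RESOLVED = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.197.151         0   000c.29aa.bb01  ARPA   GigabitEthernet0/0
Internet  192.168.197.152         -   ca01.0a5c.0008  ARPA   GigabitEthernet0/0
"""
ARP_INCOMPLETE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.197.151         0   Incomplete      ARPA
Internet  192.168.197.152         -   ca01.0a5c.0008  ARPA   GigabitEthernet0/0
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

def arp_lookup(arp_text, ip):
    """Return the MAC learned for ip, or None if absent or Incomplete."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet" and fields[1] == ip:
            return fields[3].lower() if MAC_RE.match(fields[3]) else None
    return None

def triage(arp_text, router_ip, gateway_ip, rule_source_ip, prefix=24):
    """Walk the checks from the reply and return a short verdict string."""
    net = ipaddress.ip_network(f"{gateway_ip}/{prefix}", strict=False)
    # Both ends must sit in the same subnet for a directly connected ping.
    if ipaddress.ip_address(router_ip) not in net:
        return "ip-config: router and gateway are not in the same subnet"
    # No MAC for the gateway means the problem is below the firewall policy.
    if arp_lookup(arp_text, gateway_ip) is None:
        return "layer2: no ARP entry for gateway, check VMnet/adapter wiring"
    # ARP works, so compare the rule's source object with the real address.
    if ipaddress.ip_address(rule_source_ip) != ipaddress.ip_address(router_ip):
        return "policy: rule source does not match the router's real address"
    return "policy: ARP resolves and rule matches, inspect fw ctl zdebug drop"

if __name__ == "__main__":
    print(triage(ARP_INCOMPLETE, "192.168.197.152", "192.168.197.151",
                 "192.168.197.152"))
```
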
Participant

Hi Timothy Hall,

The GNS3 router has the 192.168.197.152 IP address configured. By mistake it's .52 in the diagram. Please find the output below.

Ping from GNS3 router to gateway IP. The yellow highlighted logs are from when I tried pinging from the gateway to the router interface IP. I tried disabling my Windows firewall, but no luck. What shall I do to make this work?

R1arp.JPG

fw ctl zdebug drop output from gateway.

gatewaylogs.JPG

 

Gns3 Vmsetting (192.168.197.x/24 running on Vmnet1)

gns3vmsetting.JPG

 

Gateway Vmnet setting (Vmnet 1 connected to Gns3 and vmnet2 checkpoint manager)

gateway vmsetting.JPG

All VMnet IP setting

All VM's setting.JPG

 

Thanks,

Nick

Contributor

Hi Nick,

Do you have this behaviour just with ICMP or also with SSH?
Taking a look at the "debug arp" provided, it seems R1 gets an ARP reply from the gateway at 05:03:46.371, after several failed attempts...

Can you check if this entry is then kept in R1's ARP table?
What about the gateway's perspective? Can you check if it's aware of an ARP entry for R1 G10 intf ip, and from your computer?

arp -a

Please check the network driver configured in the .vmx file (for each VM). The relevant rows start with:

ethernet0.xxxxx
ethernet1.xxxxx

and the driver used on the gateway via ethtool -i eth1

As previously suggested, it could be useful to perform a tcpdump -i any -e on the gateway before the ping to see if all the ARP requests are seen.

Contributor

Hi,

What happens if you run cpstop?
It would be interesting to see if the issue persists when no policy/fw kernel is in the way.
