This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BaijuGopalan
Explorer
‎2020-04-20 08:02 AM

I am unable to ping Gateway from GNS3 unless i make global properties "allow all ICMP" to First.

Hi All, I am very new to Check Point, my lab setting as given below, here the problem is that, I am unable to ping the gateway inside vm from GNS3, I tried disabling all the windows firewall / anti virus /windows defender inside & out side vm.
I can ping only when i make changes in the global properties , "Accept ICMP request" to "FIRST". Could anyone please check the and help?..

My Lab Set-Up

SC –> 10.111.0.5

Mgmt Server – >10.111.0.4

Gateway1 inside (VmNet1)-> 10.111.0.1

Gateway1 outside (VmNet8)-> 172.168.1.2/30

Laptop IP 192.168.1.5

VmNet1 adaptor – 10.111.0.10

VmNet8 adaptor-172.168.1.11

BaijuGopalan_0-1587394285695.png

VmWare External & Internal connections

BaijuGopalan_1-1587394285704.png

Ping from Admin PC inside VM

BaijuGopalan_2-1587394285723.png

Ping from Gateway (10.111.0.1) to SC, Remote PC in GNS3, To vmnet1 & vmnet8 adaptor for Laptop

BaijuGopalan_3-1587394285744.png

Policies Applied

BaijuGopalan_4-1587394285785.png

Smart View Tracker

Can ping from inside to outside but not able to ping from outside (Remote_PC_GNS3) to inside

BaijuGopalan_5-1587394285823.png

Logs below

Inside to outside – ICMP Allowed – Rule 3 - TESTING

BaijuGopalan_6-1587394285860.png

Blocked – From outside to inside – Rule 2, Stealth

BaijuGopalan_7-1587394285897.png

 

Configuration in GNS3.

!

interface FastEthernet0/0

 ip address 172.168.1.1 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 no ip address

 shutdown

 duplex auto

 speed auto

!

ip forward-protocol nd

ip route 10.111.0.0 255.255.255.0 172.168.1.2

ip route 172.168.1.0 255.255.255.0 172.168.1.2

!

PING form Router

Cisco3725#ping 172.168.1.1 (self)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Cisco3725#ping 172.168.1.11 (Laptop)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.168.1.11, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms

Cisco3725#ping 172.168.1.2 (Gateway outside)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.168.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Ping to inside through 172.168.1.2 is blocked L

Cisco3725#ping 10.111.0.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.111.0.5, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Cisco3725#ping 10.111.0.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.111.0.4, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Cisco3725#ping 10.111.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.111.0.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

 

 

 

Windows FW & Antivirus disabled.

BaijuGopalan_8-1587394285916.png

------------------

ARP from router

Cisco3725#sh arp fast
Cisco3725#sh arp fastEthernet 0/0
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.168.1.1 - c201.24a4.0000 ARPA FastEthernet0/0
Internet 172.168.1.11 15 0050.56c0.0008 ARPA FastEthernet0/0
Internet 172.168.1.2 33 000c.29ac.0779 ARPA FastEthernet0/0
Cisco3725#
Cisco3725#
Cisco3725#
Cisco3725#ping 172.168.1.2

 
 

Debug report from firewall..
kiss_debug_report: start
;[fw4_0];FW-1: Initializing debugging buffer to size 1023K;
;[fw4_0];Setting the flags for debug module fw: drop;
;[fw4_0];fw_log_drop_ex: Packet proto=1 172.168.1.1:2048 -> 172.168.1.2:36473 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 2;
;[fw4_0];fw_log_drop_ex: Packet proto=1 172.168.1.1:2048 -> 172.168.1.2:34472 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 2;
;[fw4_0];fw_log_drop_ex: Packet proto=1 172.168.1.1:2048 -> 172.168.1.2:32471 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 2;
;[fw4_0];fw_log_drop_ex: Packet proto=1 172.168.1.1:2048 -> 172.168.1.2:30470 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 2;
;[fw4_0];fw_log_drop_ex: Packet proto=1 172.168.1.1:2048 -> 172.168.1.2:28469 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 2;
Defaulting all kernel debugging options

 

Gateway1-04-04-2020> show interface eth1
state on
mac-addr 00:0c:29:ac:07:79
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 1000M
ipv6-autoconfig Not configured
duplex full
monitor-mode off
link-speed 1000M/full
comments VmNet8_GNS3/Laptop
ipv4-address 172.168.1.2/24
ipv6-address Not Configured
ipv6-local-link-address Not Configured

Statistics:
TX bytes:464 packets:8 errors:0 dropped:0 overruns:0 carrier:0

 

0 Kudos
1 Reply
FraP
Contributor
‎2020-04-20 12:08 PM

Check your rulebase 🙂
Remote_PC-GNS3 is missing as source in rule 1...so this packet is dropped on rule 2.
When you enable the ICMP from the global properties, it's work and here you can find why

Security Management R80.10 (Part of Check Point Infinity) 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events