01-09-2002 12:25 AM - edited 03-01-2019 07:58 PM
The connection is as follows:
A----Router A---WAN----Router B---Checkpoint FW---C
The problem is that workstations (WS) on A cannot access WS on C, while WS on A and B can access each other and WS on B can access WS on C. I have added rules on the FW to permit HTTP access and ICMP for network A.
When I issued debug ip icmp on router B and pinged A from the FW, there was nothing to display. It just seemed that the packet went somewhere else, not via the router.
The FW was migrated from an old machine; there was no problem with the old FW. What we changed is the interface address of the new FW.
Could you give me some ideas on solving such an issue? Thanks a lot.
01-09-2002 12:36 AM
First of all, please make sure the routing path is known by all devices. I think it is OK for router A and B because A can ping B. But how about the Checkpoint FW? Is there a network A entry in its routing table? How about the default gateway setting in the Checkpoint FW? Does it point to Router B yet?
For your case (nothing to display on router B after turning on the debug mode), I think no ICMP packet was sent to the router. This is because the Checkpoint FW doesn't know where Network A is and drops all the packets.
01-09-2002 02:42 AM
I have added a route to network A and even made router B the default gateway. What is more interesting is that I can trace to B successfully, and only after I issued tracert on the FW to A could I ping A from the FW. After I stopped pinging for a few minutes, I could not ping again. On the A side, I cannot ping C even when I can ping A from the FW. I am very confused.
01-09-2002 06:11 AM
I think that you have a routing problem.
If you have activated anti-spoofing in the firewall, it is normal that you cannot ping the firewall from router B. Verify these rules in the firewall.
You need to verify a trace route from a station in the A network from the C network.
Probably you need to redistribute network C into your routing process using a static route (configure in router B the command: ip route networkC Mask ip_FW).
And you need to configure a static route in the firewall for network A (ip route networkA mask ip_routerB).
Regards, JM
01-13-2002 04:30 PM
After re-confirming that there was no problem with routing, I verified the settings on Firewall. I found anti-spoofing was enabled on FW to allow access from addresses within the same network with one interface. After disabling it, access was recovered. Thanks.
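The per-interface source check described in the posts above, as an added example (not code from the thread or from Check Point). The addresses, the interface names `ext`/`int`, the assumption that network B is the segment the firewall's router-facing interface sits on, and the helpers `antispoof_verdict` and `evaluate` are all constructed for illustration; the block compares the strict setting, the check disabled, and a topology that lists network A behind the router-facing interface.

```python
import ipaddress

# Constructed addressing for illustration; the thread gives no real addresses.
NET_A = ipaddress.ip_network("10.1.0.0/16")   # behind Router A, across the WAN
NET_B = ipaddress.ip_network("10.2.0.0/24")   # assumed: segment of the FW's router-facing interface
NET_C = ipaddress.ip_network("10.3.0.0/24")   # protected side of the firewall

# Per-interface lists of source networks considered legitimate.
# None means the anti-spoofing check is switched off for that interface.
STRICT    = {"ext": [NET_B],        "int": [NET_C]}  # interface's own network only
DISABLED  = {"ext": None,           "int": [NET_C]}  # the change that restored access
CORRECTED = {"ext": [NET_B, NET_A], "int": [NET_C]}  # network A declared behind "ext"

def antispoof_verdict(topology, in_iface, src):
    """Return 'accept' or 'drop' for a packet with source `src` arriving on `in_iface`."""
    allowed = topology[in_iface]
    if allowed is None:
        return "accept"
    addr = ipaddress.ip_address(src)
    return "accept" if any(addr in net for net in allowed) else "drop"

# Constructed sample packets: (label, ingress interface, source address).
PACKETS = [
    ("WS on B -> C", "ext", "10.2.0.20"),
    ("WS on A -> C", "ext", "10.1.5.7"),
    ("claims to be C, arrives outside", "ext", "10.3.0.99"),
]

def evaluate(topology):
    """Map each sample packet label to the verdict under the given topology."""
    return {label: antispoof_verdict(topology, iface, src)
            for label, iface, src in PACKETS}

if __name__ == "__main__":
    for name, topo in (("strict", STRICT), ("disabled", DISABLED), ("corrected", CORRECTED)):
        print(name)
        for label, verdict in evaluate(topo).items():
            print(f"  {label:35} {verdict}")
```

With the check disabled, the third packet (an inside source address arriving on the router-facing interface) is accepted as well. Listing network A for that interface lets A through while that packet is still dropped.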