12-25-2010 03:01 PM - edited 03-04-2019 10:53 AM
Hey guys, need some help.
I have a branch router connected over MPLS to my head office branch, running BGP.
The configuration is as such:
LAN--Router1 (Branch office)--Router2 (ISP router)--Router3 (Head office)--FIREWALL--LAN
All these routers are connected over MPLS with BGP propagating routes.
At R1: BGP routes to R2 and R3, and a default static route to the next hop (ISP router).
At R2: BGP (ISP MPLS router).
At R3: BGP propagating routes to R1 and R2, and a default static route towards the firewall.
On the firewall: a static route towards the R3 router.
No ACLs on any router.
The issue is that R1 cannot ping the firewall, but hosts on either side of the firewall are able to ping each other.
Any suggestions why I am not able to ping, or why traffic is not hitting my firewall?
Thanks
abbs
12-25-2010 08:42 PM
From Router 1, ping the FW sourcing from the interface connecting to your LAN on R1. Does this work?
12-25-2010 09:26 PM
Hello abbs,
When you ping from R1, by default it will take the R1-R2 WAN interface link IP as the source IP.
So apart from what Nikita said, can you check whether a static route for the IP of the R1-R2 connected interface is available in the firewall?
Since I am poor in firewalls, it is possible that I have missed something.
Regards
Mahesh
12-25-2010 11:12 PM
Hi,
By default the firewall doesn't allow incoming traffic because the outside interface uses security level 0, so you need to implement an ACL on the firewall.
12-27-2010 04:31 AM
Hi,
Two things you need to do:
1. Configure an access-list in the firewall and apply it.
2. Configure static routes in the firewall towards inside.
access-list inside extended permit ip any any
access-group inside in interface inside
Static routes:
1. Two static routes for your branches, as:
route inside (lansubnet of R1) (subnetmask) (nexthop)
route inside (wansubnet of R1) (subnetmask) (nexthop)
The next hop should be the router interface which is connected to the firewall LAN.
Kindly let me know if this helps you.
Thanks & Regards,
Raffath.
12-27-2010 06:10 AM
Hello Abbas,
Since hosts on both LAN sides are pingable, you should first try an extended ping, i.e.
1. From R1: R1 LAN interface as source address and destination as the R2 interface facing towards R3.
2. From R1: R1 LAN interface as source address and destination as the R3 interface facing towards the firewall.
3. From R1: R1 LAN interface as source address and destination as the firewall WAN interface (external).
4. From R1: R1 LAN interface as source address and destination as the firewall LAN interface (internal).
If you follow the above sequence, then you will come to know the actual flow of the packet and then what needs to be done next.
Do post your results.
Cheers !!
shekhar.
01-01-2011 01:35 AM
Hey guys, sorry for this late response. This is actually a problem with my client, and he was not available last week, so I didn't have any access to the routers.
Scenario:
R1----ISP Router----R3, running BGP
Users from the R1 site connected through MPLS come to R3 and get the internet from there.
Anyway, coming to the point:
As you suggested, I tried an extended ping and I found the router's outer interface, which is directly connected to the ISP MPLS router, is not pinging the firewall. Then, as you learned people suggested, I put a static route for this WAN IP on my firewall (not an ASA), and the ping works fine now! Thanks to you all. But still the problem remains the same.
When I ping GOOGLE.COM from a PC it doesn't ping, though they are able to access the internet by putting in a proxy of the firewall IP. I thought that since the router is not pinging, I am unable to ping GOOGLE, YAHOO, etc.
My client at the head office has its mail server in the US, so people at the head office directly log on to it by hitting its URL in the browser. But the users in branches connected to the head office cannot reach it nor ping it.
The mail settings are fine on the firewall (Astaro firewall, GUI based); users at the head office are working fine.
Thanks a ton to all you wonderful guys.
01-01-2011 02:33 AM
Hi Abbas,
This is because you don't have a default route in your branch router; in this case you have to use a proxy, as you are doing, so it will redirect all internet traffic to that proxy.
To resolve this issue, you can do it in 2 ways:
1. Advertise a default route in the R3 BGP configuration; below are the steps.
R3 configuration:
1. ip route 0.0.0.0 0.0.0.0 (next hop towards lan of R3)
2. router bgp (as no)
network 0.0.0.0
To advertise a default route into BGP you must have a static route, so step 1 is a must.
2. You have to create a GRE tunnel between R1 & R3:
R1
int tu0
ip address 10.0.0.1 255.255.255.252
tunnel source (R1 WAN IP)
tunnel destination (R3 WAN IP)
ip route 0.0.0.0 0.0.0.0 tu 0
R3
int tu 0
ip address 10.0.0.2 255.255.255.252
tunnel source (R3 WAN IP)
tunnel destination ( R1 WAN IP)
ip route 0.0.0.0 0.0.0.0 (next hop towards lan of R3).
Kindly let me know if this helps you.
Thanks & Regards,
Raffath.
01-01-2011 05:25 AM
Hi Abbas,
As per my understanding of your network, below are the things you have to do in your routers.
If you could provide some more information it would be easy to solve the issue, like whether the internet is connected to the firewall, or to which device the internet is connected.
Anyhow, you can look below as per my understanding; 192.168.150.3 is your
1. You do not need to add the routes below, as these routes are already learned by BGP.
In head office:
ip route 172.31.113.161 255.255.255.255 172.31.29.245
ip route 172.31.113.162 255.255.255.255 172.31.29.245
ip route 192.168.0.0 255.255.255.0 172.31.29.245
ip route 192.168.160.0 255.255.255.0 172.31.29.245
ip route 192.168.170.0 255.255.255.0 172.31.29.245
ip route 192.168.180.0 255.255.255.0 172.31.29.245
ip route 192.168.180.0 255.255.255.0 172.31.113.162
ip route 192.168.181.0 255.255.255.0 172.31.29.245
In branch office:
Not needed:
ip route 0.0.0.0 0.0.0.0 fa0/1
2. For the default route you can configure in the head office router.
Head office router configuration:
conf t
router bgp 64970
network 0.0.0.0
3. Add a static route in the firewall for your branch users to get internet.
ip route 10.10.10.0 255.255.255.0 192.168.150.10
ip route 192.168.180.0 255.255.255.0 192.168.150.10
01-01-2011 06:12 AM
Hi Raffath, thank you. I was wondering why they have placed static routes when they have been running BGP.
Just a little question: the AD of the static routes (head office) and the default route (branch router) are lower than the AD of BGP, so are the packets here taking the static routes instead of BGP?
192.168.150.3 is the outside interface of the firewall, and therefore on the head office router I have put a default route so that all the traffic gets routed through the firewall.
There is a static route on the firewall, but I'll check it once again as you mentioned in point no. 3.
So I guess I only need to do point no. 2, that is, remove the default route ip route 0.0.0.0 0.0.0.0 192.168.150.3
and replace it with:
Head office router configuration:
conf t
router bgp 64970
network 192.168.150.3
Am I heading right?
Thank you
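Abbas's AD question above, worked through as an added example (not from the thread): a small Python model of an IOS routing table that applies Cisco's default administrative distances (connected 0, static 1, eBGP 20) per prefix and then longest-prefix match per packet. Prefixes and next hops are taken from the thread where it gives them; the ISP next hop and interface names are placeholders. It shows that a static route displaces a BGP route only for the identical prefix, and that a static default kept on the branch router would likewise be preferred over a default learned via BGP.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix next_hop protocol ad")

# Cisco IOS default administrative distances; lower wins for the SAME prefix.
AD = {"connected": 0, "static": 1, "ebgp": 20}

def build_rib(candidates):
    """Keep, per prefix, only the candidate with the lowest AD (what IOS installs)."""
    rib = {}
    for prefix, next_hop, protocol in candidates:
        net = ipaddress.ip_network(prefix)
        cand = Route(net, next_hop, protocol, AD[protocol])
        if net not in rib or cand.ad < rib[net].ad:
            rib[net] = cand
    return rib

def lookup(rib, dst):
    """Forwarding decision: longest prefix wins; AD never overrides prefix length."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in rib.values() if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

# Constructed head-office table from the thread: a BGP-learned branch prefix,
# the redundant static for the same prefix, and the static default to the firewall.
HEAD_OFFICE = [
    ("192.168.150.0/24", "interface-to-firewall (placeholder)", "connected"),
    ("192.168.180.0/24", "172.31.29.245", "ebgp"),
    ("192.168.180.0/24", "172.31.29.245", "static"),
    ("0.0.0.0/0", "192.168.150.3", "static"),
]

# Constructed branch table: the existing static default to the ISP next hop
# (placeholder address) plus the default that would arrive via BGP from R3.
BRANCH = [
    ("10.10.10.0/24", "fa0/0 (placeholder)", "connected"),
    ("0.0.0.0/0", "ISP_NEXT_HOP_PLACEHOLDER", "static"),
    ("0.0.0.0/0", "172.31.29.245", "ebgp"),
]

if __name__ == "__main__":
    # 8.8.8.8 stands in for any internet destination in this constructed walk-through.
    for name, table, dst in (("HO", HEAD_OFFICE, "192.168.180.25"),
                             ("HO", HEAD_OFFICE, "8.8.8.8"),
                             ("BR", BRANCH, "8.8.8.8")):
        r = lookup(build_rib(table), dst)
        print(f"{name} {dst:15} -> {r.prefix} via {r.next_hop} [{r.protocol}/{r.ad}]")
```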
01-01-2011 09:54 AM
Hi Syed,
No Syed, just follow these steps in the head office router.
Head office configuration:
You must have ip route 0.0.0.0 0.0.0.0 192.168.150.3; you should not remove this route from the head office router.
You just need to add the commands below, that's it:
configure terminal
router bgp 64970
network 0.0.0.0
exit
exit
HO#clear ip bgp *
In your firewall, check whether the routes below are there or not; if not, kindly add those routes:
ip route 192.168.180.0 255.255.255.0 192.168.150.10
ip route 10.10.10.0 255.255.255.0 192.168.150.10
Follow the above steps and try to access the internet without the proxy in the branch office; it will work for sure.
Thanks
Raffath.