
Router cannot ping Firewall

Hey guys, I need some help.

I have a branch router connected via MPLS to my head office, running BGP.

The configuration is as such

LAN--Router1 (Branch office)--Router2 (ISP router)---Router3 (Head office)--FIREWALL--LAN

All these routers are connected via MPLS, with BGP propagating routes.

At R1: BGP routes to R2 and R3, and a default static route to the next-hop ISP router.

At R2: BGP, ISP router, MPLS.

At R3: BGP propagating routes to R1 and R2, and a default static route towards the firewall.

On the firewall: a static route towards the R3 router.

No ACLs on any router.

The issue is that R1 cannot ping the firewall, but hosts on either side of the firewall are able to ping each other.

Any suggestions why I am not able to ping, or why the traffic is not hitting my firewall?



Nikita Singh
Cisco Employee

From Router 1, ping the FW sourcing from the interface connecting to your LAN on R1. Does this work?

Mahesh Gohil
Rising star

Hello Abbas,

When you ping from R1, by default it will take the R1-R2 WAN interface link IP as the source IP.

So, apart from what Nikita said, can you check whether a static route for the IP of the R1-R2 connected interface is available in the firewall?

Since I am poor at firewalls, it may be possible that I have missed something.





By default the firewall doesn't allow incoming traffic because the outside interface uses security level 0, so you need to implement an ACL on the firewall.

2 things you need to do:

1. Configure an access-list on the firewall and apply it.

2. Configure static routes on the firewall towards the inside.

access-list inside extended permit ip any any

access-group inside in interface inside

Static routes:

1. Two static routes for your branches, as:

route inside (lansubnet of R1) (subnetmask) (nexthop )

route inside (wansubnet of R1) (subnetmask) (nexthop)

The next hop should be the router interface which is connected to the firewall LAN.

Kindly let me know if this helps you.

Thanks & Regards,



Hello Abbas,

Since hosts on both LAN sides are pingable, you should first try an extended ping, i.e.:

1. From R1: R1 LAN interface as source address and destination the R2 interface facing towards R3.

2. From R1: R1 LAN interface as source address and destination the R3 interface facing towards the firewall.

3. From R1: R1 LAN interface as source address and destination the firewall WAN interface (external).

4. From R1: R1 LAN interface as source address and destination the firewall LAN interface (internal).

If you follow the above sequence, then you will come to know the actual flow of the packet, and then what needs to be done next.

Do post your results.

Cheers !!


Hey guys, sorry for this late response. This is actually a problem with my client and he was not available last week, so I didn't have any access to the



R1----ISPRouter----R3 running on BGP

Users from the R1 site connected through MPLS come to R3 and get the internet from there.

Anyway, coming to the point:

As you suggested, I tried an extended ping and found that the router's outer interface, which is directly connected to the ISP MPLS router, is

not pinging the firewall. Then, as you learned people suggested, I put a static route for this WAN IP on my firewall (not an ASA)

and the ping works fine now! Thanks to you all. But still the problem remains the same.

When I ping GOOGLE.COM from a PC it doesn't ping, though they are able to access the internet by putting in a proxy

of the firewall IP. I thought that since the router is not pinging, I am unable to ping GOOGLE, YAHOO, etc.

My client at the head office has its mail server in the US, so people in the head office directly log on to it by

hitting its URL in the browser. But the users in the branches connected to the head office cannot reach it nor ping it.

The mail settings are fine on the firewall (ASTARO firewall, GUI based); users at the head office are working fine.

Thanks a ton to all you wonderful guys.

Hi Abbas ,

This is because you don't have a default route in your branch router. In this case you have to use a proxy, as you are doing, so it will redirect all internet traffic to that proxy.

To resolve this issue, you can do it in 2 ways:

1. Advertise a default route in the R3 BGP configuration; below are the steps.

R3 configuration:

      1.  ip route (next hop towards LAN of R3)

      2.  router bgp (as no)



To advertise a default route into BGP you must have a static route, so step 1 is a must.

2. You have to create a GRE tunnel between R1 & R3.


int tu0

ip address

tunnel source (R1 WAN IP)

tunnel destination (R3 WAN IP)

ip route tu 0


int tu 0

ip address

tunnel source (R3 WAN IP)

tunnel destination ( R1 WAN IP)

ip route (next hop towards lan of R3).

Kindly let me know if this helps you.

Thanks & Regards,


Hi, I have attached the configurations of both routers.

Hi Abbas,

As per my understanding of your network, below are the things you have to do in your routers.

If you could provide some more information it would be easy to solve the issue, like whether the internet is connected to the firewall, or to which device the internet is connected.

Anyhow, you can look below as per my understanding; is your

1. You don't need to add the below routes, as these routes are already learned by BGP.

In the head office:

ip route
ip route
ip route
ip route
ip route
ip route
ip route
ip route

In the branch office:

No need:

ip route fa0/1

2. For the default route, you can configure in the head office router:

Head office router configuration:

conf t

router bgp 64970


3. Add a static route in the firewall for your branch users to get internet.

ip route

ip route

Hi Raffat, thank you. I was wondering why they have placed static routes when they have been running BGP.

Just a little question: the AD of the static routes (head office) and the default route (branch router) is lower than the AD of BGP, so are the packets here taking the static routes instead of BGP? is the outside interface of the firewall, and therefore on the head office router

I have put a default route so that all the traffic gets routed through the firewall.

There is a static route on the firewall, but I'll check it once again, as you mentioned in point no. 3.

So I guess I only need to do point no. 2, that is, remove the default route ip route

and replace it with:

Head office router configuration:

conf t
router bgp 64970


Am I heading right?

Thank you.
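The two recurring points in this thread, that an IOS ping defaults to the egress interface address so the firewall needs a return route for the R1-R2 WAN link (Mahesh's post above) and that a lower administrative distance on a static default route does not override a more specific BGP prefix (the AD question just above), can both be checked with a small route-lookup model. The following Python is an added example written for this page; it is not configuration from any router in the thread. The topology, interface names and all addresses (RFC 1918 and RFC 5737 ranges) are constructed assumptions chosen to mirror the thread's diagram, and the AD table uses the Cisco defaults (connected 0, static 1, eBGP 20, iBGP 200).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_interface, ip_network

# Cisco default administrative distances. AD only breaks ties between routes
# to the SAME prefix; longest prefix match is always decided first.
AD = {"connected": 0, "static": 1, "ebgp": 20, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str      # next-hop address, or interface name for connected routes
    source: str   # key into AD


class Device:
    """A router or firewall with a tiny RIB and longest-prefix-match lookup."""

    def __init__(self, name, interfaces):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in interfaces.items()}
        self.rib = [Route(i.network, n, "connected") for n, i in self.ifaces.items()]

    def add_route(self, prefix, via, source="static"):
        self.rib.append(Route(ip_network(prefix), via, source))

    def lookup(self, dst):
        matches = [r for r in self.rib if ip_address(dst) in r.prefix]
        if not matches:
            return None
        # longest prefix first, then lowest AD among equal-length prefixes
        return min(matches, key=lambda r: (-r.prefix.prefixlen, AD[r.source]))

    def egress_iface(self, dst):
        """Interface a packet to dst leaves on (one level of recursion)."""
        r = self.lookup(dst)
        if r is None:
            return None
        if r.source == "connected":
            return r.via
        conn = self.lookup(r.via)
        return conn.via if conn and conn.source == "connected" else None

    def owns(self, addr):
        return any(i.ip == ip_address(addr) for i in self.ifaces.values())


class Network:
    def __init__(self, *devices):
        self.devices = {d.name: d for d in devices}

    def owner(self, addr):
        return next((d for d in self.devices.values() if d.owns(addr)), None)

    def trace(self, start, dst, ttl=16):
        """Forward hop by hop; returns (delivered, path, reason)."""
        path, cur = [start.name], start
        for _ in range(ttl):
            if cur.owns(dst):
                return True, path, "delivered"
            r = cur.lookup(dst)
            if r is None:
                return False, path, f"{cur.name}: no route to {dst}"
            nxt = self.owner(dst if r.source == "connected" else r.via)
            if nxt is None:
                return False, path, f"{cur.name}: next hop {r.via} unreachable"
            cur = nxt
            path.append(cur.name)
        return False, path, "ttl exceeded (loop?)"

    def ping(self, src_dev, dst, source=None):
        """Model an ICMP echo: request forward, then reply back to the source."""
        if source is None:  # IOS default: address of the egress interface
            eg = src_dev.egress_iface(dst)
            if eg is None:
                return {"ok": False, "source": None, "reason": f"{src_dev.name}: no route to {dst}"}
            source = str(src_dev.ifaces[eg].ip)
        ok, fwd, why = self.trace(src_dev, dst)
        if not ok:
            return {"ok": False, "source": source, "reason": "request: " + why, "path": fwd}
        ok, rev, why = self.trace(self.owner(dst), source)
        return {"ok": ok, "source": source, "reason": "reply: " + why, "path": fwd + rev[1:]}


def build_lab():
    """Constructed topology mirroring the thread; every address is an assumption."""
    r1 = Device("R1", {"Gi0/0": "10.1.0.1/24", "Gi0/1": "203.0.113.1/30"})
    r2 = Device("R2", {"Gi0/0": "203.0.113.2/30", "Gi0/1": "203.0.113.5/30"})
    r3 = Device("R3", {"Gi0/0": "203.0.113.6/30", "Gi0/1": "192.168.100.1/24"})
    fw = Device("FW", {"outside": "192.168.100.2/24", "inside": "10.2.0.1/24"})
    r1.add_route("10.2.0.0/24", "203.0.113.2", "ebgp")       # head-office LAN via BGP
    r1.add_route("192.168.100.0/24", "203.0.113.2", "ebgp")  # R3-FW link via BGP
    r1.add_route("0.0.0.0/0", "203.0.113.2", "static")       # default to the ISP
    r2.add_route("10.1.0.0/24", "203.0.113.1", "ebgp")
    r2.add_route("10.2.0.0/24", "203.0.113.6", "ebgp")
    r2.add_route("192.168.100.0/24", "203.0.113.6", "ebgp")
    r3.add_route("10.1.0.0/24", "203.0.113.5", "ebgp")
    r3.add_route("203.0.113.0/30", "203.0.113.5", "ebgp")    # R1-R2 WAN link
    r3.add_route("0.0.0.0/0", "192.168.100.2", "static")     # default to the firewall
    fw.add_route("10.1.0.0/24", "192.168.100.1", "static")   # branch LAN, but NOT the WAN link
    return Network(r1, r2, r3, fw)


if __name__ == "__main__":
    net = build_lab()
    r1, fw = net.devices["R1"], net.devices["FW"]
    print("default source :", net.ping(r1, "192.168.100.2"))
    print("LAN source     :", net.ping(r1, "192.168.100.2", source="10.1.0.1"))
    fw.add_route("203.0.113.0/30", "192.168.100.1")  # the fix Abbas applied
    print("after FW route :", net.ping(r1, "192.168.100.2"))
```

Run as-is, the first ping fails with "FW: no route to 203.0.113.1": the request arrives, but the firewall cannot route the reply to R1's WAN address. Sourcing from the LAN interface succeeds because the firewall already has the branch LAN route, and adding the /30 for the WAN link makes the default-source ping work too. On the AD question, `r1.lookup("10.2.0.5")` returns the eBGP /24 even though the static default has a lower AD, because prefix length is compared before AD; a static route would only displace the BGP one if it covered the very same prefix.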

Hi Syed,

No, Syed, just follow these steps in the head office router.

Head office configuration:

You must have ip route ; you should not remove this route from the head office router.

You just need to add the below commands, that's it:

configure terminal

router bgp 64970




HO#clear ip bgp *

In your firewall, see whether the below routes are there or not; if they are not there, kindly add those routes:

ip route

ip route

Follow the above steps and try to access the internet without the proxy in the branch office; it will work for sure.