Router cannot ping Firewall

abbs_1984
Level 1

Hey guys, I need some help.

I have a branch router connected via MPLS to my head office branch, running BGP.

The configuration is as such:

LAN--Router1(Branch office)--Router2(ISP router)--Router3(Head office)--FIREWALL--LAN

All these routers are connected over MPLS, with BGP propagating the routes.

At R1: BGP routes to R2 and R3, and a default static route to the next-hop ISP router.

At R2: BGP (ISP router, MPLS).

At R3: BGP propagating routes to R1 and R2, and a default static route towards the firewall.

On the firewall: a static route towards the R3 router.

No ACLs on any router.

The issue is that R1 cannot ping the firewall, but hosts on either side of the firewall are able to ping each other.

Any suggestions why I am not able to ping, or why the traffic is not hitting my firewall?

Thanks

abbs

11 Replies

Nikita Singh
Cisco Employee

From Router 1, ping the FW sourcing from the interface connecting to your LAN on R1. Does this work?

Mahesh Gohil
Level 7

Hello abbs,

When you ping from R1, by default it will take the R1-R2 WAN interface link IP as the source IP.

So, apart from what Nikita said, can you check whether a static route for the IP of the R1-R2 connected interface is available in the firewall?

Since I am poor in firewalls, it is possible that I may have missed something.

Regards

Mahesh

srinivassara
Level 1

hi,

By default the firewall doesn't allow incoming traffic because the outside interface uses security level 0, so you need to implement an ACL on the firewall.

Hi,

There are 2 things you need to do:

1. Configure an access-list in the firewall and apply it.

2. Configure static routes in the firewall towards the inside.

access-list inside extended permit ip any any
access-group inside in interface inside

Static routes:

1. Two static routes for your branches, as:

route inside (lansubnet of R1) (subnetmask) (nexthop)
route inside (wansubnet of R1) (subnetmask) (nexthop)

The next hop should be the router interface which is connected to the firewall LAN.

Kindly let me know if this helps you.

Thanks & Regards,

Raffath.

CSCO10985840
Level 1

Hello Abbas,

Since hosts on both LAN sides are pingable, you should first try extended ping, i.e.:

1. From R1: R1 LAN interface as source address and destination the R2 interface facing towards R3.

2. From R1: R1 LAN interface as source address and destination the R3 interface facing towards the firewall.

3. From R1: R1 LAN interface as source address and destination the firewall WAN interface (external).

4. From R1: R1 LAN interface as source address and destination the firewall LAN interface (internal).

If you follow the above sequence, you will come to know the actual flow of the packet and then what needs to be done next.

Do post with your result.

Cheers !!

shekhar.
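As an added example (not code from anyone in this thread) of the point Mahesh and Shekhar make above, the following Python model of the R1/R2/R3/firewall topology selects routes the way IOS does (longest prefix first, administrative distance only as a tie-breaker) and checks both directions of an echo, so a ping sourced from R1's WAN address fails until the firewall gets a return route. The branch LAN 10.10.10.0/24, firewall outside 192.168.150.3 and R3 LAN-side 192.168.150.10 are taken from later posts in the thread; the /30 WAN links, the firewall inside LAN and the INTERNET hop are constructed assumptions.

```python
import ipaddress
# Addresses each device owns. Branch LAN 10.10.10.0/24, firewall outside 192.168.150.3
# and R3's LAN side 192.168.150.10 come from the thread; the /30 WAN links, the
# firewall inside LAN and the INTERNET hop are constructed for the example.
ADDRS = {"R1": ["10.10.10.1", "172.16.1.1"], "R2": ["172.16.1.2", "172.16.2.1"],
         "R3": ["172.16.2.2", "192.168.150.10"], "FW": ["192.168.150.3", "192.168.1.1"]}
# Routing tables: (prefix, administrative distance, next-hop device).
# AD 0 + "local" = connected, AD 1 = static, AD 20 = eBGP-learned.
TABLES = {
    "R1": [("10.10.10.0/24", 0, "local"), ("172.16.1.0/30", 0, "local"),
           ("0.0.0.0/0", 1, "R2"), ("192.168.150.0/24", 20, "R2")],
    "R2": [("172.16.1.0/30", 0, "local"), ("172.16.2.0/30", 0, "local"),
           ("10.10.10.0/24", 20, "R1"), ("192.168.150.0/24", 20, "R3")],
    "R3": [("172.16.2.0/30", 0, "local"), ("192.168.150.0/24", 0, "local"),
           ("10.10.10.0/24", 20, "R2"), ("172.16.1.0/30", 20, "R2"), ("0.0.0.0/0", 1, "FW")],
    "FW": [("192.168.150.0/24", 0, "local"), ("192.168.1.0/24", 0, "local"),
           ("10.10.10.0/24", 1, "R3"), ("0.0.0.0/0", 1, "INTERNET")],
    "INTERNET": [],  # the upstream has no route back into private address space
}

def owner(ip):
    return next((d for d, a in ADDRS.items() if ip in a), None)

def lookup(table, dst):
    """IOS-style selection: longest prefix wins outright; AD only breaks a tie
    between routes for the same prefix, so a default never shadows a BGP /24."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in table if ip in ipaddress.ip_network(r[0])]
    return min(hits, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[1]))[2] if hits else None

def trace(dev, dst, max_hops=8):
    """Hop-by-hop path from dev to the device owning dst; None if black-holed."""
    path = [dev]
    for _ in range(max_hops):
        if owner(dst) == dev:
            return path
        nh = lookup(TABLES[dev], dst)
        dev = owner(dst) if nh == "local" else nh
        if dev is None:
            return None
        path.append(dev)
    return None

def ping_ok(src_dev, src_ip, dst_ip):
    """An echo succeeds only when the request and the reply both have a route."""
    fwd = trace(src_dev, dst_ip)
    return fwd is not None and trace(fwd[-1], src_ip) is not None
if __name__ == "__main__":
    print(ping_ok("R1", "172.16.1.1", "192.168.150.3"))  # False: FW has no route back to the WAN /30
    TABLES["FW"].append(("172.16.1.0/30", 1, "R3"))      # the static route the thread adds
    print(ping_ok("R1", "172.16.1.1", "192.168.150.3"))  # True
```

The same `lookup` also answers the later question in this thread about administrative distance: R3's AD-1 default route is never chosen for 10.10.10.1 because the BGP-learned /24 is the longer match.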

Hey guys, sorry for this late response. This is actually a problem with my client and he was not available last week, so I didn't have any access to the routers.

Scenario

R1----ISP Router----R3 running on BGP

Users from the R1 site connected through MPLS come to R3 and get the internet from there.

Anyway, coming to the point:

As you suggested, I tried extended ping and I found that the router's outer interface, which is directly connected to the ISP MPLS router, is not pinging the firewall. Then, as you learned people suggested, I put a static route for this WAN IP on my firewall (not an ASA) and the ping works fine now! Thanks to you all. But still the problem remains the same.

When I ping GOOGLE.COM from a PC it doesn't ping, though they are able to access the internet by putting in a proxy of the firewall IP. I thought that since the router is not pinging I am unable to ping GOOGLE, YAHOO etc.

My client at head office has its mail server in the US, so people in head office directly log on to it by hitting its URL in the browser. But the users in branches connected to head office cannot reach it nor ping it.

The mail settings are fine on the firewall (ASTARO firewall, GUI based); users at head office are working fine.

Thanks a ton to all you wonderful guys.

Hi Abbas,

This is because you don't have a default route in your branch router; in this case you have to use a proxy, as you are doing, so it will redirect all internet traffic to that proxy.

You can resolve this issue in 2 ways:

1. Advertise the default route in the R3 BGP configuration; below are the steps.

R3 configuration:

1. ip route 0.0.0.0 0.0.0.0 (next hop towards lan of R3)

2. router bgp (as no)
   network 0.0.0.0

To advertise a default route into BGP you must have a static route, so step 1 is a must.

2. You have to create a GRE tunnel between R1 & R3.

R1

int tu0
ip address 10.0.0.1 255.255.255.252
tunnel source (R1 WAN IP)
tunnel destination (R3 WAN IP)

ip route 0.0.0.0 0.0.0.0 tu 0

R3

int tu 0
ip address 10.0.0.2 255.255.255.252
tunnel source (R3 WAN IP)
tunnel destination (R1 WAN IP)

ip route 0.0.0.0 0.0.0.0 (next hop towards lan of R3)

Kindly let me know if this helps you.

Thanks & Regards,

Raffath.

Hi, I have attached the configuration of both the routers.

Hi Abbas,

As per my understanding of your network, below are the things you have to do in your routers.

If you could provide some more information it would be easy to solve the issue, like whether the internet is connected to the firewall, or to which device the internet is connected.

Anyhow, you can look below as per my understanding; 192.168.150.3 is your

1. You do not need to add the below routes, as these routes are already learned by BGP.

In head office:

ip route 172.31.113.161 255.255.255.255 172.31.29.245
ip route 172.31.113.162 255.255.255.255 172.31.29.245
ip route 192.168.0.0 255.255.255.0 172.31.29.245
ip route 192.168.160.0 255.255.255.0 172.31.29.245
ip route 192.168.170.0 255.255.255.0 172.31.29.245
ip route 192.168.180.0 255.255.255.0 172.31.29.245
ip route 192.168.180.0 255.255.255.0 172.31.113.162
ip route 192.168.181.0 255.255.255.0 172.31.29.245

In branch office, there is no need for:

ip route 0.0.0.0 0.0.0.0 fa0/1

2. For the default route, you can configure it in the head office router.

Head office router configuration:

conf t
router bgp 64970
network 0.0.0.0

3. Add a static route in the firewall for your branch users to get internet.

ip route 10.10.10.0 255.255.255.0 192.168.150.10
ip route 192.168.180.0 255.255.255.0 192.168.150.10

Hi Raffath, thank you. I was wondering why they have placed static routes when they have been running BGP.

Just a little question: the AD of the static routes (head office) and the default route (branch router) is lower than the AD of BGP, so are the packets here taking the static routes instead of BGP?

192.168.150.3 is the outside interface of the firewall, and therefore on the head office router I have put a default route so that all the traffic gets routed through the firewall.

There is a static route on the firewall, but I'll check it out once again as you mentioned in point no. 3.

So I guess I only need to do point no. 2, that is remove the default route ip route 0.0.0.0 0.0.0.0 192.168.150.3 and replace it with:

Head office router configuration:

conf t
router bgp 64970
network 192.168.150.3

Am I heading right?

Thank you

Hi Syed,

No, Syed, just follow these steps in the head office router.

Head office configuration:

You must have ip route 0.0.0.0 0.0.0.0 192.168.150.3; you should not remove this route from the head office router. You just need to add the below commands, that's it:

configure terminal
router bgp 64970
network 0.0.0.0
exit
exit

HO#clear ip bgp *

In your firewall, check whether the below routes are there or not; if they are not there, kindly add those routes:

ip route 192.168.180.0 255.255.255.0 192.168.150.10
ip route 10.10.10.0 255.255.255.0 192.168.150.10

Follow the above steps and try to access the internet without the proxy in the branch office; it will work for sure.

Thanks

Raffath.
