Can't ping real IP in LAN w/ CheckPoint

By wai_pui_law
Dear all,

I have set up CheckPoint 4.1 on NT platform with the LAN and DMZ segments. All the servers in the LAN zone and the DMZ zones have been assigned real IP addresses.

The problem is that the users in the LAN cannot ping the real IP of "some" servers in the LAN zone, but they can ping the real IP of "all" servers in the DMZ zone. Why is it that only "some" servers' real IPs in the LAN can be pinged?

I want the users in the LAN to be able to ping "all" servers' real IP addresses. Is there any solution for that?

Best Regards,

WP

16 total posts (Page 1 of 2)

by frank.peeters In reply to Can't ping real IP in LAN ...

The cause of this problem is not necessarily the firewall rulebase.

Most of the time when 'some' servers don't seem to respond to ping, there is something wrong with the IP configuration on these servers. Not only the IP address, but also the subnet mask and default gateway need to be correct. If not, you will only be able to communicate on the same IP segment, not from behind a router or firewall.

by wai_pui_law In reply to Can't ping real IP in LAN ...

All servers' IP addresses and their subnet mask and default gateway are correctly set, otherwise people outside the LAN could not access them. The servers function properly except that the LAN users cannot ping their real IPs. (N.B. this just applies to some servers; for some servers there is no such problem. I have already mentioned that in my question.)

by Zen37 In reply to Can't ping real IP in LAN ...

Well, if the IP configuration is fine on all devices, this is an interesting situation. Can you supply more details by answering the following:
>When you say "LAN", are you talking about ONE subnet or many?
>How are these devices connected? On a switch or hub?
>If they are connected to a switch, are they all on the same VLAN?
>You say you cannot ping some servers on your LAN from certain workstations; can you ping the workstation from the server?
>Can you ping anything from the affected servers?

If you answer those questions, I think I may have a better idea of your setup and of what may be wrong.

Looking forward to your reply.

by wai_pui_law In reply to Can't ping real IP in LAN ...

Dear Martin,

My answers to your questions are as follows:
>All the machines on the LAN are on ONE subnet.
>All the servers are connected to a switch, and all the workstations are connected to hubs.
>All the machines connected to the switch are on ONE VLAN.
>No, I cannot ping "some" servers' real IP on the LAN from "all" the workstations. However, if I put the workstation on the DMZ, I can ping the real IPs of "all" servers in the LAN. I can ping the workstation from the server.
>From an affected server, I can ping all workstations on the LAN, all machines on the DMZ, the real IP of "some" servers on the LAN (and the real IP of itself). However, I still cannot ping the real IP of other affected servers.

Hope this information is useful.

by Zen37 In reply to Can't ping real IP in LAN ...

Ok, I think I get it now.
What you call "real IP" is actually the NATed IP on the firewall. It's very normal that you cannot ping or access those servers on their NATed IPs from the internal segment.
From the internal segment, you can only access them from their internal segment IPs. On the DMZ or the external, you "see" those servers only with the NATed addresses because of security.
From the internal to the DMZ, you will be able to see the servers with their actual IPs because there is no NATing in that direction.
So, on your internal DNS or WINS, your servers should have their internal addresses. From the DMZ or external DNS or WINS, the servers should have their NATed addresses for access.

Did I understand your network properly? If not, send me a drawing for a better understanding of your topography.

Thanks
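The NAT behaviour described in the reply above, as an added example that is not part of this thread: a small Python model of a LAN client pinging an internal server through a firewall that holds a static NAT entry for that server. The addresses, the server, the firewall's LAN interface and the three firewall modes are constructed assumptions, not the poster's configuration. Besides the case the reply describes (no translation for traffic arriving from the internal side), the model goes one step further and shows the two outcomes a practitioner sees on firewalls that do translate on the internal interface: destination NAT alone, where the server's reply bypasses the firewall and the client discards it, and destination plus source ("hide") NAT, where the reply returns through the firewall and the ping works.

```python
"""
Toy model of a LAN client pinging an internal server through a firewall
with a static NAT entry for that server.  Everything here is constructed:
the subnet, the addresses and the three firewall behaviours are assumptions
for illustration, not the thread's real configuration.

  mode="none"       no translation for traffic arriving from the LAN: the
                    request is routed toward the outside and nothing answers.
  mode="dnat"       destination NAT only: the server receives the request but
                    replies straight to the client on the shared subnet, so
                    the reply comes from the private address and the client
                    discards it (asymmetric return path).
  mode="dnat+hide"  destination NAT plus source ("hide") NAT behind the
                    firewall's LAN address: the reply returns through the
                    firewall, both addresses are reversed and the ping works.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("10.0.0.0/24")            # constructed LAN subnet
FW_LAN_IP = IPv4Address("10.0.0.1")         # firewall LAN interface = default gateway (constructed)
STATIC_NAT = {                              # public ("NATed") -> private address (constructed)
    IPv4Address("203.0.113.10"): IPv4Address("10.0.0.10"),
}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    kind: str  # "echo-request" or "echo-reply"


def next_hop(sender: IPv4Address, dst: IPv4Address) -> str:
    """A LAN host delivers on-subnet traffic directly; anything else goes to the gateway."""
    return "direct" if sender in LAN and dst in LAN else "firewall"


def firewall_forward(pkt: Packet, mode: str, state: dict) -> Packet:
    """Translate one packet passing the firewall.  `state` records each
    translation keyed by the (src, dst) a reply would carry, so a reply that
    does come back through the firewall can be reversed."""
    if pkt.kind == "echo-request" and pkt.dst in STATIC_NAT and mode != "none":
        new_src = FW_LAN_IP if mode == "dnat+hide" else pkt.src
        new_dst = STATIC_NAT[pkt.dst]
        state[(new_dst, new_src)] = (pkt.src, pkt.dst)   # original (src, dst)
        return Packet(new_src, new_dst, pkt.kind)
    original = state.get((pkt.src, pkt.dst))
    if original is not None:
        orig_src, orig_dst = original
        return Packet(orig_dst, orig_src, pkt.kind)     # reverse both addresses
    return pkt  # no matching entry: forwarded unchanged


def ping(client, target, mode: str = "none"):
    """Simulate one echo request/reply round trip; return (success, explanation)."""
    client, target = IPv4Address(client), IPv4Address(target)
    state: dict = {}
    req = Packet(client, target, "echo-request")
    if next_hop(client, target) == "firewall":
        req = firewall_forward(req, mode, state)
    if req.dst not in LAN:
        return False, f"request to {target} forwarded untranslated toward the outside; no host answers"
    # The server answers whatever source address it saw in the request.
    rep = Packet(req.dst, req.src, "echo-reply")
    if rep.dst == FW_LAN_IP or next_hop(rep.src, rep.dst) == "firewall":
        rep = firewall_forward(rep, mode, state)
    # A client only accepts an echo reply from the address it actually pinged.
    if rep.dst == client and rep.src == target:
        return True, f"reply from {rep.src}"
    return False, f"reply from {rep.src} discarded: client pinged {target}"


if __name__ == "__main__":
    for mode in ("none", "dnat", "dnat+hide"):
        print(f"{mode:10s}", ping("10.0.0.50", "203.0.113.10", mode))
    print("private   ", ping("10.0.0.50", "10.0.0.10"))
```

Running the script prints one line per mode: the NATed address is only pingable from the LAN in the `dnat+hide` case, while the server's private address works in every mode, which is the same conclusion the reply above draws about using internal addresses in the internal DNS or WINS.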

by wai_pui_law In reply to Can't ping real IP in LAN ...

Dear Martin,

Then why can I access the NATed addresses for "some" servers in the LAN, and not for some others?

Thanks for help.

WP

by Zen37 In reply to Can't ping real IP in LAN ...

The only thing I can see is that you have some rules that allow access to the NATed addresses from the internal. But I cannot logically see why that would be needed or allowed.

I could not provide a more precise answer without seeing a drawing of your network with full IP layout and your firewall rules.

Feel free (if you want) to send those to me at martin@fregeau.org so I can take a closer look at them. If not, I suggest you ask your CheckPoint firewall consultant for the answer.

Good luck.

by wai_pui_law In reply to Can't ping real IP in LAN ...

I have no rules to control the access of the NATed addresses.

Now the problem is that only some servers in the LAN have such problem, and some do not have this problem.

My CheckPoint vendor told me that the LAN workstations cannot access any NATed address of the servers in the LAN, but I can access some.

Does anyone have any idea on that?

by Zen37 In reply to Can't ping real IP in LAN ...

I'm sorry, I misread the original question. I found the following in the DSL/Cable Modem router user guide; it may provide you with an answer:

"from multicasting. Using IPSec Pass Through
This feature lets you use IPSec Pass Through. To use this feature, click on the
IP Filters block specific internal users from accessing the Internet and enable
VPN (Virtual Private Network) sessions. You can set up filters by using IP
addresses or network port numbers (or a range of ports).

Note: Only one VPN session may be conducted at a time."

Good luck

by Zen37 In reply to Can't ping real IP in LAN ...

Sorry, posted to the wrong question.
Ignore
