Hello to everyone. I have a great question for you: My network consist of some parts: 1st. LAN is 192.168.0.x/24 2nd. LAN is 10.x.x.x/8 3rd. LAN is 172.16.x.x/12 there is a R70(FW-checkpoint) connects between 1st. and 2nd and 1st. and 3rd(DMZ). The third LAN is DMZ that of course attached to R70 also, and on my DMZ is an Edimax home router that connects my DMZ to the Internet. The problem is that: When i try the ping between 1st. LAN and the DMZ there is a reply, for instance my XP machine is 192.168.0.55 trying to rich my Edge server 172.16.0.10. But when i try ping between XP and the Edimax home router(172.16.2.1) there is only request time out. What could be my issue??? eternals81

Probably the first issue is posting the questions to the wrong forum. You might want to post this to a forum site specific to networking or one related to the Network+ certification.

Probably the first issue is posting the questions to the wrong forum. You might want to post this to a forum site specific to networking or one related to the Network+ certification.

thanks Mr. Wharty.eternals81

thanks Mr. Wharty.eternals81

Can anything in the 172.16.x.x network ping the router?

yes, every machine in the 172.16.x.x can ping it.eternals81

Can anything in the 172.16.x.x network ping the router?

yes, every machine in the 172.16.x.x can ping it.eternals81

Hi InvisibleMF81, Thanks for posting here. > But when i try ping between XP and the Edimax home router(172.16.2.1) there is only request time out. So do we have set an routing entry on this edge Edimax home router device which is similar like below : 192.168.0.0 255.255.255.0 <DMZ interface address on R70 > 172.16.2.1 1^st network (192.168.0.0/24)-----R70-----DMZ network(172.16.0.0/12)----- (172.16.2.1)edge Edimax home router Thanks. Tiger LiTiger Li TechNet Community Support

Hi InvisibleMF81, Thanks for posting here. > But when i try ping between XP and the Edimax home router(172.16.2.1) there is only request time out. So do we have set an routing entry on this edge Edimax home router device which is similar like below : 192.168.0.0 255.255.255.0 <DMZ interface address on R70 > 172.16.2.1 1^st network (192.168.0.0/24)-----R70-----DMZ network(172.16.0.0/12)----- (172.16.2.1)edge Edimax home router Thanks. Tiger LiTiger Li TechNet Community Support

Again please? i did not understand what is that mean: 192.168.0.0 255.255.255.0 <DMZ interface address on R70 > 172.16.2.1 1^st network (192.168.0.0/24)-----R70-----DMZ network(172.16.0.0/12)----- (172.16.2.1)edge Edimax home router ??eternals81

I can send you a picture of this network if you want.eternals81

Again please? i did not understand what is that mean: 192.168.0.0 255.255.255.0 <DMZ interface address on R70 > 172.16.2.1 1^st network (192.168.0.0/24)-----R70-----DMZ network(172.16.0.0/12)----- (172.16.2.1)edge Edimax home router ??eternals81

I can send you a picture of this network if you want.eternals81

The Edimax router needs a route to get back to the 192.168.x.x network. In the routing section of your Edimax router, you need to set the Network Address as 192.168.0.0 with a mask of 255.255.255.0 and the gateway is the 172.16.x.x ip that is defined on your R70. Below is the only image I could find of the Edimax interface and it may not be the same as yours, but it's worth a shot.

The Edimax router needs a route to get back to the 192.168.x.x network. In the routing section of your Edimax router, you need to set the Network Address as 192.168.0.0 with a mask of 255.255.255.0 and the gateway is the 172.16.x.x ip that is defined on your R70. Below is the only image I could find of the Edimax interface and it may not be the same as yours, but it's worth a shot.

Ok i'v enabled a static route under: Home / General Setup / Advanced Settings / NAT / Static Routing (my router model is BR6425N) and i'v configured: 1 192.168.0.0 255.255.255.0 172.16.0.100 0 LAN but it is still "request time out". my goal is to get to the internet from the Network=192.168.0.0/24 but it is not working. please help me if you can think of anything else. 10x. eternals81

sorry it is working now, it is just took time to configuration take place. only thing left is the access to the internet. when i opening the IE on my 192.168.0.0/24 network machine and type www.facebook.com it is showing me it: Internet Explorer cannot display the webpage Most likely causes: You are not connected to the Internet. The website is encountering problems. There might be a typing error in the address. What you can try: Check your Internet connection. Try visiting another website to make sure you are connected. Retype the address. Go back to the previous page. More information This problem can be caused by a variety of issues, including: Internet connectivity has been lost. The website is temporarily unavailable. The Domain Name Server (DNS) is not reachable. The Domain Name Server (DNS) does not have a listing for the website's domain. If this is an HTTPS (secure) address, click tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section. For offline users You can still view subscribed feeds and some recently viewed webpages. To view subscribed feeds Click the Favorites Center button , click Feeds, and then click the feed you want to view. To view recently visited webpages (might not work on all pages) Click Tools , and then click Work Offline. Click the Favorites Center button , click History, and then click the page you want to view. after i ping the site the result is: Pinging www.facebook.com [66.220.153.70] with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. what could be my issue? i suppose it my DNS right? 10x . eternals81

When i ping every site from my 192.168.0.0/24 LAN Network it does translate them from names to IP addresses but it does not replying me on the ping itself!!!eternals81

The R70 may not be allowing the ICMP to complete since the destination subnet is not listed as DMZ or Internal. I would check the chekpoint logs to see if the R70 is blocking your ICMPs.

When i ping every site from my 192.168.0.0/24 LAN Network it does translate them from names to IP addresses but it does not replying me on the ping itself!!!eternals81

The R70 may not be allowing the ICMP to complete since the destination subnet is not listed as DMZ or Internal. I would check the chekpoint logs to see if the R70 is blocking your ICMPs.

I 'v checked the logs and the ping: C:\>ping 31.192.112.104 Pinging 31.192.112.104 with 32 bytes of data: Request timed out. Request timed out. Reply from 192.168.0.100: Destination host unreachable. Reply from 192.168.0.100: Destination host unreachable. Ping statistics for 31.192.112.104: Packets: Sent = 4, Received = 2, Lost = 2 (50% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Number: 256 Date: 13Apr2012 Time: 0:01:05 Type: Log Rule: 2 Rule UID: {95E3F3B3-A76F-493B-8E50-946666EFA1C4} Current Rule Number: 2-Standard Information: inzone: Internal outzone: Internal service_id: echo-request ICMP: Echo Request ICMP Type: 8 ICMP Code: 0 Product: VPN-1 Power/UTM Interface: eth1 Origin: cpmodule Action: Accept Source: Center-XP (192.168.0.55) Destination: Tube8 (31.192.112.104) Protocol: icmp Rule Name: Ping To The Internet Policy Info: Policy Name: Standard Created at: Fri Apr 13 02:59:52 2012 Installed from: cpmodule something is wrong?eternals81

Maybe i should create a static route just like you told me before but this time to the WAN ???eternals81

I 'v checked the logs and the ping: C:\>ping 31.192.112.104 Pinging 31.192.112.104 with 32 bytes of data: Request timed out. Request timed out. Reply from 192.168.0.100: Destination host unreachable. Reply from 192.168.0.100: Destination host unreachable. Ping statistics for 31.192.112.104: Packets: Sent = 4, Received = 2, Lost = 2 (50% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Number: 256 Date: 13Apr2012 Time: 0:01:05 Type: Log Rule: 2 Rule UID: {95E3F3B3-A76F-493B-8E50-946666EFA1C4} Current Rule Number: 2-Standard Information: inzone: Internal outzone: Internal service_id: echo-request ICMP: Echo Request ICMP Type: 8 ICMP Code: 0 Product: VPN-1 Power/UTM Interface: eth1 Origin: cpmodule Action: Accept Source: Center-XP (192.168.0.55) Destination: Tube8 (31.192.112.104) Protocol: icmp Rule Name: Ping To The Internet Policy Info: Policy Name: Standard Created at: Fri Apr 13 02:59:52 2012 Installed from: cpmodule something is wrong?eternals81

Maybe i should create a static route just like you told me before but this time to the WAN ???eternals81

Can you ping this address from within the DMZ? Like on your edge server? Also, your log entry is only the first part of the ICMP, you should have a log entry for Echo Response coming back in. Also, you will need a default route on your R70 to send all non-local traffic to the Edimax router to get out to the internet. The Subnet would be 0.0.0.0 mask 0.0.0.0 gateway 172.16.2.1 You seriously testing your setup with a porn site?

Can you ping this address from within the DMZ? Like on your edge server? Also, your log entry is only the first part of the ICMP, you should have a log entry for Echo Response coming back in. Also, you will need a default route on your R70 to send all non-local traffic to the Edimax router to get out to the internet. The Subnet would be 0.0.0.0 mask 0.0.0.0 gateway 172.16.2.1 You seriously testing your setup with a porn site?

Yes i can ping this address from within the Edge server and getting good reply from it. Where i can find the response entry logs? Yes, i made a default route to 172.16.2.1 - did not helped. This site is only an example :-) P.S. when i tested the ping from the 10.x.x.x/8 Lan to destination www.facebook.com i got this: Ping request could not find host www.facebook.com. Please check the name and try ag ain. but only after i added the forwarder in the local DNS to point to the Edge server where the DNS also installed i got this: Pinging www.facebook.com [69.171.247.37] with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for : 69.171.247.37 Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), eternals81

Yes i can ping this address from within the Edge server and getting good reply from it. Where i can find the response entry logs? Yes, i made a default route to 172.16.2.1 - did not helped. This site is only an example :-) P.S. when i tested the ping from the 10.x.x.x/8 Lan to destination www.facebook.com i got this: Ping request could not find host www.facebook.com. Please check the name and try ag ain. but only after i added the forwarder in the local DNS to point to the Edge server where the DNS also installed i got this: Pinging www.facebook.com [69.171.247.37] with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for : 69.171.247.37 Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), eternals81

You seem to have DNS and routing issues. If you can resolve the name to IP, then attempt a tracert from your XP client to www.facebook.com and see where the trace stops. If the last hop is your R70 interface, then you need that route on your R70. Can you do a print screen and paste it in here for your routes on the R70?

You seem to have DNS and routing issues. If you can resolve the name to IP, then attempt a tracert from your XP client to www.facebook.com and see where the trace stops. If the last hop is your R70 interface, then you need that route on your R70. Can you do a print screen and paste it in here for your routes on the R70?

C:\>tracert www.facebook.com Tracing route to www.facebook.com [69.171.247.53] over a maximum of 30 hops: 1 * * * Request timed out. 2 * * * Request timed out. 3 * * * Request timed out. 4 * * * Request timed out. 5 * * * Request timed out. 6 * * * Request timed out. 7 * * * Request timed out. 8 * * * Request timed out. 9 * * * Request timed out. 10 * * * Request timed out. eternals81

It looks like your R70 is not responding to the tracert at all, did you enable 'log implied rules'? If not, that may give you more insight.

C:\>tracert www.facebook.com Tracing route to www.facebook.com [69.171.247.53] over a maximum of 30 hops: 1 * * * Request timed out. 2 * * * Request timed out. 3 * * * Request timed out. 4 * * * Request timed out. 5 * * * Request timed out. 6 * * * Request timed out. 7 * * * Request timed out. 8 * * * Request timed out. 9 * * * Request timed out. 10 * * * Request timed out. eternals81

It looks like your R70 is not responding to the tracert at all, did you enable 'log implied rules'? If not, that may give you more insight.

Hi InvisibleMF81, Thanks for update. > Date: 13Apr2012 > Rule Name: Ping To The Internet >Policy Info: Policy Name: Standard Created at: Fri Apr 13 02:59:52 2012 Installed from: cpmodule > Yes i can ping this address from within the Edge server and getting good reply from it. Id suspect some misconfigurations on R70 caused this issue , I saw that we have defined policy and rule on it , could we double check that and by pass all traffics that to internet by going through et2(172.16.0.100) and 172.16.2.1 form etc1 and etc0. Also I notice that the time on R70 is not synced , could we correct that ? Thanks. Tiger LiTiger Li TechNet Community Support

Hi InvisibleMF81, Thanks for update. > Date: 13Apr2012 > Rule Name: Ping To The Internet >Policy Info: Policy Name: Standard Created at: Fri Apr 13 02:59:52 2012 Installed from: cpmodule > Yes i can ping this address from within the Edge server and getting good reply from it. Id suspect some misconfigurations on R70 caused this issue , I saw that we have defined policy and rule on it , could we double check that and by pass all traffics that to internet by going through et2(172.16.0.100) and 172.16.2.1 form etc1 and etc0. Also I notice that the time on R70 is not synced , could we correct that ? Thanks. Tiger LiTiger Li TechNet Community Support

Maybe i did it but i do not think it will call that way. what do you mean and where i can do it?eternals81

So first i need to correct time sync? how do i do it, just modify the time date it self on the admin web console?eternals81

Maybe i did it but i do not think it will call that way. what do you mean and where i can do it?eternals81

So first i need to correct time sync? how do i do it, just modify the time date it self on the admin web console?eternals81

Maybe i should install the ISA proxy server on the DMZ, maybe it will route the request from the LAN=192.168.0.0/24 to the Internet??? is it possible?eternals81

Maybe i should install the ISA proxy server on the DMZ, maybe it will route the request from the LAN=192.168.0.0/24 to the Internet??? is it possible?eternals81

Hi Russ, maybe it is better for me to get to the internet from LAN 192.168.0.x, the reply is not so important for me. When i creating the rule on the R70 i enabling the log with the rule. am i wrong??eternals81

Hi Russ, maybe it is better for me to get to the internet from LAN 192.168.0.x, the reply is not so important for me. When i creating the rule on the R70 i enabling the log with the rule. am i wrong??eternals81

If you have a rule allowing HTTP from 192.168.0.0 to any on your R70, and you have the route in the R70 that points all default traffic to the Edimax, it should work just fine. I did read somewhere that on secureplatform, you have to reboot it after you add or change the routes. Maybe you should give that a go.

If you have a rule allowing HTTP from 192.168.0.0 to any on your R70, and you have the route in the R70 that points all default traffic to the Edimax, it should work just fine. I did read somewhere that on secureplatform, you have to reboot it after you add or change the routes. Maybe you should give that a go.

I did insert a rule looks like that and i did restart a R70 as you told me, i noticed that install policy time in R70 is april 16 2012 but the XP machine time is may 26 2012, still there is no ping and no internet. As you see i did implied log policy rule in the track column. I even did netstat in XP and i see when i trying to go to http://www.walla.co.il site port 80 there is SYN_SENT.eternals81

there is a problem uploading an images of jpeg to forum site??eternals81

I did insert a rule looks like that and i did restart a R70 as you told me, i noticed that install policy time in R70 is april 16 2012 but the XP machine time is may 26 2012, still there is no ping and no internet. As you see i did implied log policy rule in the track column. I even did netstat in XP and i see when i trying to go to http://www.walla.co.il site port 80 there is SYN_SENT.eternals81

there is a problem uploading an images of jpeg to forum site??eternals81

Hello. I noticed something: when i make only one rule on R70 - allow any any, after that i make a tracert to www.facebook.com and the output is: 1<ms .... 192.168.0.100 request time out request time out request time out request time out. maybe there is something wrong with my routes??? the maximum ping and reply is from my Edimax router(172.16.2.1). please help.eternals81

Hello. I noticed something: when i make only one rule on R70 - allow any any, after that i make a tracert to www.facebook.com and the output is: 1<ms .... 192.168.0.100 request time out request time out request time out request time out. maybe there is something wrong with my routes??? the maximum ping and reply is from my Edimax router(172.16.2.1). please help.eternals81

I somehow find an answer but maybe you can help me to implement it: http://www.tek-tips.com/viewthread.cfm?qid=357539 10x. Waiting for your answer.eternals81

I somehow find an answer but maybe you can help me to implement it: http://www.tek-tips.com/viewthread.cfm?qid=357539 10x. Waiting for your answer.eternals81