Printing from Optional port WatchGuard Firewall

I have a Watchguard Firebox III 500. Why can't I ping a printer with a jet direct card from the optional port to the trusted network, but I can ping a computer on the trusted network?

Thank you for any help, Joschi.

Reply to
Joschi

Some more information: The log says it allowed all 4 pings. No entries for denied responses. At the station, no response was received (100% lost).

Reply to
Joschi

There is no rule, by default, that permits traffic from the OPTIONAL (DMZ) network to the TRUSTED (LAN) network.

If you created a PING rule from DEFAULT to TRUSTED and included a single IP then you could ping ONLY that IP. If you do a rule of ICMP/PING from OPTIONAL to TRUSTED and TRUSTED to OPTIONAL, then you could ping in both directions.

Enable logging of allowed and disallowed for default and all other options so that you can see what is permitted and what is blocked.

You might also consider that the default NAT blocks 192.168.0.0/16 addresses, so you have to remove that range from the Blocked Sites in some cases.

Reply to
Leythos

Thank you for responding. I have a rule in place enabling ping in both directions. I can ping computers, but not printers with jetdirect cards.

Reply to
Joschi

The JetDirect can be set up to not respond. What version are you using?

Place a computer in the same network as the JetDirect and try to ping it - does it respond?

Reply to
Leythos

Not sure of the version of JetDirect, but computers on the same network as the JetDirect card can ping it. Computers on the optional network can ping computers on the same network as the JetDirect cards. Computers on the optional network cannot ping the JetDirect card IP address. Tried two different printers.

Reply to
Joschi

Enable logging and see if something shows in the logs - enable allows and blocks in the logs.

Reboot the firewall if all else fails and try again.

Reply to
Leythos

I have done so in the Ping rule, but don't see any blocked attempts. Which rules do you recommend I set logging options for? Can I use NAT in some way to make the JetDirect card think it's coming from a computer on the same network? I would like to try that in order to rule out the firewall.

Reply to
Joschi

What networks are you using for your two networks?

My PING rule, using the real PING rule from "Add Services", has the following settings:

INCOMING PING CONNECTIONS ARE: Enabled and Allowed From: Optional, Trusted To: ANY

Outgoing Ping connections are: Enabled and Allowed From: External, Optional, Trusted To: Any

Use Default Simple NAT Properties: Port (n/a), Protocol=PING, Client Port=CLIENT

Under Logging, on all 4 options, set/Check Enter it in the LOG.

Save and reboot firewall.

Reply to
Leythos

Perhaps the printer is missing the default gateway so it does not know where to send the reply packet to.

-Russ.

Reply to
Somebody.

If you use NAT on your policy into the trusted zone, then the printer will be able to respond to that IP, which will be on its own network, which should solve your problem.

Or, as I mentioned, you could put a default gateway on the printer pointed to the trusted IP of your WatchGuard.

-Russ.

Reply to
Somebody.

The GW on all Optional network devices should be the IP of the firebox in the Optional network.

The GW on all Trusted network devices should be the IP of the firebox in the Trusted network.

Reply to
Leythos

That is a possibility, although DHCP is enabled on the printer. I am printing the configuration now. The gateway is present.

Reply to
Joschi

If DHCP is enabled on the printer, and the printer is in the OPTIONAL network, then that could be the problem.

When DHCP Service is configured on the Firebox it only issues one set of IP addresses, not separate ones for each network. What I mean is that you can't have one DHCP scope for Trusted and another for Optional.

Your printers should NOT be setup as DHCP unless you use a DHCP Reservation, they should always be at the same fixed IP in your network.

Print the config and make sure the printer has an IP in the right network, then set the DGW to the IP of the firebox in the same network as it is connected to.

Reply to
Leythos

With the gateway already on the printer, my only option was to try NAT. I tried adding a dynamic NAT entry from the system host IP (on the optional network) to the printer IP (on the trusted network) but still cannot ping. I looked in the ping rule, but NAT is not an option there.

Reply to
Joschi

Do you have the firewall in Drop-In mode or Routed Mode?

Reply to
Leythos

So, how did you set up your Trusted and Optional networks:

Open the Policy Manager, select Network Configuration:

External: Static IP

Trusted Interface: enter IP/mask

Optional Interface: enter IP/mask

On the "Secondary Networks" tab, do you have any entries?

Under NAT setup, what settings do you have? X Enable Dynamic NAT? what Dynamic NAT Entries do you have?

Your PING RULE, please identify the settings:

INCOMING PING CONNECTIONS ARE: what? From..... To.......

OUTGOING PING CONNECTIONS ARE: what? From.... To......

Printer IP Address, MASK, GW?

Please provide the above or we can't tell you what is wrong.

Reply to
Leythos

The printer is on a different network (base) address than the system. However, they are on the same subnet. From system to system it works fine. Just not system to printer.

Reply to
Joschi

How come you won't post answers to the questions I posted?

If you would just answer the questions I posted we could have had this fixed in minutes. I will be out of the office for a while, so it could take some time due to your delays.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.