Unable to ping LAN machines from Opt5
-
So those are your pfSense host addresses, since they are not networks.. Taking 127.16 as a typo for 172.16.3
So your Lenovos are on a 172.16.1/22 ?? Which is the same as your servers network? 172.16.3/22 and 172.16.1/22 are the same network.. since /22 would be 172.16.0.0 - 172.16.3.255
So why do you have the same network sitting on different sides of an ASA with transit network of 192.168.52.0/24 ??
Why don't you draw up this mess it seems you have..
-
Sorry for the typo, you are correct 172 not 127.
LAN - SERVERS - LENOVO are all separate interfaces on the pfsense box (pictures attached)
What indication was there that Lenovo is on 172.16.1/22?
If I disable all Lenovo rules and the Lenovo interface, the problem of pinging between SERVERS and LAN still exists.
The picture of the "mess" attached.
-
So your Lenovo boxes point to your ASA as their gateway? Or are they on the other side of your site to site?
If on that 192 segment, why would you think they would be able to ping stuff on your server segment? So you have a route on the ASA? Pointing back to pfSense? You're going to create an asymmetrical route issue with that, and it's just bad practice and hair pinning.
If you have to set it up like this then use host routing on your devices.. But the better solution would be to connect your ASA with a transit network..
Why are you creating a gateway on this Lenovo segment?? You just turned it into a WAN, and most likely NAT is happening as well. Where exactly are these boxes??
"Sitting on 172.16.1.15 / mask : 255.255.252.0 GW: 172.16.3.254 trying to ping 172.16.5.69 mask 255.255.252.0 GW 172.16.7.254 fails but the reverse works fine."
You're saying you're pinging from 172.16.1.15 – where exactly is that in your drawing?? That is the same network as your server segment..
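The subnet arithmetic behind the two posts above (that 172.16.1.x/22 and 172.16.3.x/22 are the same network, and that a router must not have overlapping networks on two interfaces) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; the interface labels and the SERVERS address are constructed for illustration, while the host and gateway addresses are the ones quoted in the thread.

```python
import ipaddress

# Constructed sample router interfaces (labels and the SERVERS address are assumed;
# the LENOVO and LAN gateway addresses are the ones quoted in the thread).
INTERFACES = {
    "LENOVO": "172.16.3.254/22",
    "SERVERS": "172.16.1.1/22",
    "LAN": "172.16.7.254/22",
}


def network_of(cidr: str) -> str:
    """Return the network an interface address lives in (host bits cleared), as text."""
    return str(ipaddress.ip_interface(cidr).network)


def same_network(a: str, b: str) -> bool:
    """Two host/prefix strings are on one L2 segment iff their networks are identical."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def gateway_reachable(host_cidr: str, gateway: str) -> bool:
    """A default gateway must sit inside the host's own subnet, or the host cannot ARP for it."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


def overlapping_interfaces(interfaces: dict) -> list:
    """Return name pairs whose networks overlap. A router should report an empty list;
    any pair returned here means the same network is configured on two interfaces."""
    names = sorted(interfaces)
    nets = {n: ipaddress.ip_interface(interfaces[n]).network for n in names}
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


if __name__ == "__main__":
    # Host 172.16.1.15/22 with GW 172.16.3.254, pinging 172.16.5.69/22 (GW 172.16.7.254).
    print("172.16.1.15/22 lives in", network_of("172.16.1.15/22"))
    print("172.16.3.254 and 172.16.1.15 share a /22:",
          same_network("172.16.3.254/22", "172.16.1.15/22"))
    print("172.16.5.69 is on that same /22:",
          same_network("172.16.1.15/22", "172.16.5.69/22"))
    print("GW 172.16.3.254 is valid for 172.16.1.15/22:",
          gateway_reachable("172.16.1.15/22", "172.16.3.254"))
    print("Overlapping router interfaces:", overlapping_interfaces(INTERFACES))
```

Running it shows that 172.16.1.15 and 172.16.3.254 both fall in 172.16.0.0/22 while 172.16.5.69 and 172.16.7.254 fall in 172.16.4.0/22, and that the constructed LENOVO and SERVERS interfaces overlap, which is exactly the condition that makes the router's forwarding decision for that range ambiguous.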
-
You're saying you're pinging from 172.16.1.15 – where exactly is that in your drawing??
Bottom-right on OPT5.
-
The Lenovo stuff was all configured that way years ago with the help of the pfSense support team to get things to work with pfSense and the capabilities it had 4 years ago. I have not had any need to change that as of yet. All of the machines that we access are on the other side of the ASA. I can ping and access those perfectly fine from the LAN interface and can access the resources they serve up with no problems.
If your thought process is going down the road of the LENOVO interface and the network behind it preventing pings from going from the SERVER interface to the LAN interface, I disabled that interface and all the rules as a test and pings from the SERVER interface to the LAN interface still fail.
As pointed out by someone else, 172.16.1.15 is on the picture bottom-right and I am trying to ping the workstation in the picture just to the right of it.
-
Apologies to all who took time to look at this…
I just needed to go home, go to bed and start this day over. Turns out I was not seeing the ICMP to the machines on the LAN due to a Windows 10 policy getting changed to turn the firewall back on and block ICMP after it had been opened up previously.
I had checked mine and several other machines to make sure the Windows firewall was not on; those all happen to be Win 10, and after that the policy went out turning it back on and I failed to re-check that before posting this.
Everything is working as it should and as it has been for many years.
-
Why does he even freaking mention Lenovo here when all he was doing is pinging servers to LAN??
-
Why am I not shocked to see you felt the need to reply with another condescending remark. Why did I mention Lenovo? Because it was in the screenshot that was asked for. The original question was between the server interface and LAN and you are the one that insisted on going down the "why in the hell are you doing the Cisco ASA this way" road.
We all can't be as smart as you are. I am sure you have never made an honest mistake and asked for some suggestions.
I am sure there will be yet another reply showing your superiority.
-
"a Windows 10 policy getting changed to turn back on the firewall and block ICMP"
Yes, mistakes happen, but you can't fault people for getting testy when it's the same rookie mistake over and over and over and over again. Not that you did it multiple times, but it's the same thing all day every day. Windows firewall. They post rules, get indignant that THEY know WTF, when everyone here knows that the rules posted always work, it's NOT a bug in pfSense, and there's something wrong with the OP's network.
I guess those who get testy should just stop responding or take a break.
-
Not sure where I got testy other than trying to understand his setup??
"ping address in SERVERS from Lenovo fails."
"LAN - SERVERS - LENOVO are all separate interfaces on the pfsense box (pictures attached)"
"Destination LenovoMachines is a range of ip numbers that go out to a cisco asa."
WTF does Lenovo have to do with anything is my question.. It seems he has a LAN 172.16.4/22 segment and a server 172.16.0/22 segment.. WTF does Lenovo have to do with these 2 segments talking to each other?? But seems I am a dick for asking…