
I'm having problems with hosts being able to ping other hosts they shouldn't be able to communicate with.

Fairly simple network - relevant hardware:

  • HP Procurve 2810-24G switch
  • Juniper Netscreen 208 firewall
  • Netgear GS-108PE switch

I simply want to accomplish 2 objectives: use the HP switch for serving both the Trust and DMZ subnets (using VLANs), and run an 802.1Q VLAN trunk to the Netgear switch so its ports can have access to more than one VLAN in the rest of the network.

I used to do this with an identical HP switch (which failed and has been replaced) and before that an HP Procurve 2400M switch.

I have 3 VLANs configured:

  • ID: 1 (DEFAULT_VLAN - can't delete)
  • ID: 2 (DMZ)
  • ID: 3 (Trust)

I have assigned 2 separate groups of ports on the HP switch as untagged VLAN ports for VLANs 2 and 3. I have assigned 2 "trunk" ports as tagged VLAN ports for VLANs 2 and 3. The 2 trunk ports connect to a port on the Netgear switch, and a port on the old HP switch (mostly for testing). The Netgear and old HP are configured similarly to the new HP in regards to VLANs, untagged and trunk ports.

The firewall has its DMZ and Trust interfaces connected to each of the appropriate groups of untagged VLAN ports on the new HP switch. The firewall is set to block almost all traffic by default to/from the DMZ and Trust networks to each other, except for very limited things. ICMP for sure is blocked.

I have connectivity to/from the internet on both the Trust and DMZ port groups on all the switches. The problem is, I can also ping DMZ ports from Trust ports/hosts, on any of the switches. But I cannot ping from DMZ hosts to Trust hosts.

Needless to say, this sort of shoots down the point of having the segments firewalled from each other.

I have tried changing the Default VLAN from 1 to 3, I have tried disconnecting the non-core switches, I have tried disconnecting any devices which have multiple interfaces eg where one connects to VLAN 2 and the other connects to VLAN 3. None of these things changes the fact that I can ping from hosts on the VLAN 3 port group to the VLAN 2 port group.

Am I doing something dumb here?

Phil K
  • Asymmetric ping is usually a firewall problem. I suggest you do a test that takes the Procurve out of the equation, and see if the firewall behaves in isolation. – richardb Apr 19 '15 at 07:57
  • Quick test pulling "TRUST" cable out of firewall and indeed, I can still ping hosts on the DMZ side from the firewall's TRUST port. Ugh. I checked the policies already, this is so weird. Will do more testing in a bit, disconnecting the other switch ports, thanks. – Phil K Apr 19 '15 at 08:21
  • OK, I'm a bonehead. I had a policy rule that was causing the pingability, ICMP echo hidden in a group list and I didn't see it. :-0 I still have an issue getting VLAN 2 connectivity to a port on the Netgear that is tagged with that VLAN ID, but everything else works, and most importantly, I don't have a serious security problem. @richardb Thanks.. I don't know how to mark this answered, I don't see the checkmark.. I posted it a short time before I completed my signup.. – Phil K Apr 19 '15 at 10:08
  • Someone needs to write an answer, before you can mark it as answered :) I would rewrite your last comment as an answer and accept it. – richardb Apr 19 '15 at 10:12

1 Answer


I had a firewall policy rule that was causing the pingability: an ICMP echo permission hidden in a group service list and restricted to certain hosts, and I didn't see it. :-0 I also had an issue getting VLAN 2 connectivity to a port on the Netgear that is tagged with that VLAN ID, but that appeared to resolve with a restart of that device (which wasn't clear in the UI for that setting). All good now.

Phil K
  • Was it a pre-configured group service list (name please?), or one you configured yourself and forgot about? Also, "Accept" your own answer :) – Mathias R. Jessen Jun 13 '15 at 00:47
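The root cause in the accepted answer is a permit buried inside a service group. Reviewing policies by eye misses that, because the policy line only shows the group name. The script below is an added example (not code from the thread or from Juniper): it parses a constructed, ScreenOS-style configuration fragment, flattens nested service groups to their leaf services, and reports every permit policy between two zones that carries an ICMP service. The `set service` / `set group service` / `set policy` syntax is approximated from memory and the service names and policy IDs are made up, so check the regular expressions against your own `get config` output before trusting the result.

```python
"""Find ICMP permits hidden inside firewall service groups.

Added example, not from the original post. SAMPLE_CONFIG is a
constructed ScreenOS-style fragment (syntax approximated, names
invented); adapt the regexes to your real `get config` output.
"""
import re
from collections import defaultdict

# Constructed sample: the Trust->DMZ policy id 3 looks like a web-only
# rule, but the "Web-Mgmt" group also contains an ICMP echo service.
SAMPLE_CONFIG = """\
set service "ICMP-Echo" protocol icmp type 8 code 0
set service "HTTP" protocol tcp dst-port 80-80
set service "HTTPS" protocol tcp dst-port 443-443
set service "SMTP" protocol tcp dst-port 25-25
set group service "Web-Mgmt" add "HTTP"
set group service "Web-Mgmt" add "HTTPS"
set group service "Web-Mgmt" add "ICMP-Echo"
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3 from "Trust" to "DMZ" "Any" "Any" "Web-Mgmt" permit
set policy id 4 from "Trust" to "DMZ" "Any" "Any" "SMTP" permit
set policy id 5 from "DMZ" to "Trust" "Any" "Any" "ANY" deny
"""

SERVICE_RE = re.compile(r'^set service "([^"]+)" protocol (\w+)')
GROUP_RE = re.compile(r'^set group service "([^"]+)" add "([^"]+)"')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)'
)


def parse_config(text):
    """Return (services, groups, policies) from config lines.

    services: service name -> protocol ("icmp", "tcp", ...)
    groups:   group name   -> list of member names (services or groups)
    policies: list of dicts with id, src, dst, service, action
    """
    services = {}
    groups = defaultdict(list)
    policies = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1)] = m.group(2).lower()
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)].append(m.group(2))
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, src, dst, _sa, _da, svc, action = m.groups()
            policies.append(dict(id=int(pid), src=src, dst=dst,
                                 service=svc, action=action))
    return services, groups, policies


def expand(name, groups, seen=None):
    """Flatten a (possibly nested) service group into leaf service names."""
    if seen is None:
        seen = set()
    if name in seen:          # guard against a group that references itself
        return set()
    seen.add(name)
    if name not in groups:    # not a group: it is a leaf service
        return {name}
    leaves = set()
    for member in groups[name]:
        leaves |= expand(member, groups, seen)
    return leaves


def permitted_icmp(src_zone, dst_zone, config_text):
    """List (policy id, service as written, ICMP leaf) for permits
    from src_zone to dst_zone that allow any ICMP service. A policy
    whose service is the predefined ANY is reported as ("ANY", "ANY")."""
    services, groups, policies = parse_config(config_text)
    findings = []
    for p in policies:
        if p["action"] != "permit" or (p["src"], p["dst"]) != (src_zone, dst_zone):
            continue
        if p["service"] == "ANY":
            findings.append((p["id"], "ANY", "ANY"))
            continue
        for leaf in sorted(expand(p["service"], groups)):
            if services.get(leaf) == "icmp":
                findings.append((p["id"], p["service"], leaf))
    return findings


if __name__ == "__main__":
    for zones in (("Trust", "DMZ"), ("DMZ", "Trust")):
        hits = permitted_icmp(*zones, SAMPLE_CONFIG)
        print(f"{zones[0]} -> {zones[1]}: {hits or 'no ICMP permitted'}")
```

On the sample, Trust to DMZ reports policy 3 via the "Web-Mgmt" group and its "ICMP-Echo" member, while DMZ to Trust reports nothing, which is exactly the asymmetric ping described in the question. The script only enumerates permits; it does not model first-match policy ordering or address restrictions, so treat a hit as something to look at rather than proof that a given pair of hosts can ping.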