Solved

Cannot ping outside IP of Firebox

Posted on 2010-08-24
9
2,190 Views
Last Modified: 2013-11-16
I cannot ping the outside interface of the Watchguard x550e that I'm trying to setup up. The network layout is as follows,

Internal IP - 192.168.10.x
Outside IP - 65.220.x.x

I can ping all inside hosts and I can ping external IPs if plugged in directly in into the firebox with a laptop that is not part of the domain. Its only when I try to use a computer within the Win2008 domain that I fail. Any pointers are appreciated.
0
Comment
Question by:bornsavage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 

Expert Comment

by:janfrancart
ID: 33515591
Hi, have you enabled the ICMP protocol for incomming connections? Otherwise the firebox will deny the traffic.
Regards,
0
 

Author Comment

by:bornsavage
ID: 33515611
Yes ICMP is enabled. I can ping if connected directly into the firebox with a laptop that is not part of the domain. I dont have vlans or any switch configuration between the firewall and the domain.
0
 

Expert Comment

by:janfrancart
ID: 33515697
So, your pc's connected to the LAN interface can not ping the external IP of the firebox?

If you place another pc in the WAN side, you can ping the WAN IP?

There are no other devices between the firebox and the Internet connection? (routers, modems that could be using the WAN IP in stead of the firebox)


0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 

Author Comment

by:bornsavage
ID: 33515837
Ok,


Verizon Box<---->Firebox<----->HP Switch(dumb)<-------->LAN


If I plug a laptop which is not part of the domain into the HP switch or the firebox I can get out fine. The problem is only with computers part of the 200 domain.
0
 

Expert Comment

by:janfrancart
ID: 33515943
So you can't reach any IP outside of the firebox?

Are the gateway and the subnets set up fine on the fiirebox and the clients (both domain and non-domain)?

There are no duplicate DHCP servers active (on the domain and on the firebox?)

Maybe some authentication issue on the firebox, did you have a look at the integrated log of the firebox? If it denies traffic it should be listed in the log files.

Good luck
0
 

Author Comment

by:bornsavage
ID: 33516152
Yes, I cant reach any IPs outside the firewall from the inside network.
Gateway and subnet settings are accurate.
I am assigning static IPs so DHCP is not an issue.
The firebox as of now is configured in the minimal state- 1 internal and 1 external IP, no policies except ICMP.

Thanks for the help.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 300 total points
ID: 33517701
How have you configured the ICMP service; is it like this:
Enabled and allowed; from any; to any

If yes, you would not get any response.

Depending on which machine you wish to respond to ICMP echo packets you should configure the service as:
Enabled and allowed; from any OR Specific-ip-subnet-or-ip; to external-ip->internal-ip-of-machine

See article below on adding static NAT:
http://watchguard.custhelp.com/app/answers/detail/a_id/1295/kw/adding%20static%20NAT/session/L3NpZC9MVUVNX2k4aw%3D%3D

Thank you.
0
 

Assisted Solution

by:janfrancart
janfrancart earned 200 total points
ID: 33518545
If you make a test rule allow all traffic from. any to any network for all protocols, do you have communication then?
Is there something in the watchguard log?

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33528871
Sounds like your router is set to explicitly deny ICMP echos.

Check your router configuration  "Access Control Lists" to see if you are denying ICMP echos. Most IT security admins will do this to prevent ping scanners from finding the router.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question