• Status: Solved

Cannot ping outside IP of Firebox

I cannot ping the outside interface of the WatchGuard x550e that I'm trying to set up. The network layout is as follows:

Internal IP - 192.168.10.x
Outside IP - 65.220.x.x

I can ping all inside hosts and I can ping external IPs if plugged directly into the firebox with a laptop that is not part of the domain. It's only when I try to use a computer within the Win2008 domain that I fail. Any pointers are appreciated.

Asked by: bornsavage
 
janfrancart Commented:
Hi, have you enabled the ICMP protocol for incoming connections? Otherwise the firebox will deny the traffic.
Regards,
 
bornsavage Author Commented:
Yes, ICMP is enabled. I can ping if connected directly into the firebox with a laptop that is not part of the domain. I don't have VLANs or any switch configuration between the firewall and the domain.
 
janfrancart Commented:
So, your PCs connected to the LAN interface cannot ping the external IP of the firebox?

If you place another PC on the WAN side, you can ping the WAN IP?

There are no other devices between the firebox and the Internet connection? (routers, modems that could be using the WAN IP instead of the firebox)


 
bornsavage Author Commented:
Ok,


Verizon Box<---->Firebox<----->HP Switch(dumb)<-------->LAN


If I plug a laptop which is not part of the domain into the HP switch or the firebox I can get out fine. The problem is only with computers part of the 200 domain.
 
janfrancart Commented:
So you can't reach any IP outside of the firebox?

Are the gateway and the subnets set up fine on the firebox and the clients (both domain and non-domain)?

There are no duplicate DHCP servers active (on the domain and on the firebox)?

Maybe some authentication issue on the firebox; did you have a look at the integrated log of the firebox? If it denies traffic it should be listed in the log files.

Good luck
 
bornsavage Author Commented:
Yes, I can't reach any IPs outside the firewall from the inside network.
Gateway and subnet settings are accurate.
I am assigning static IPs so DHCP is not an issue.
The firebox as of now is configured in the minimal state - 1 internal and 1 external IP, no policies except ICMP.

Thanks for the help.
 
dpk_wal Commented:
How have you configured the ICMP service; is it like this:
Enabled and allowed; from any; to any

If yes, you would not get any response.

Depending on which machine you wish to respond to ICMP echo packets you should configure the service as:
Enabled and allowed; from any OR Specific-ip-subnet-or-ip; to external-ip->internal-ip-of-machine

See article below on adding static NAT:
http://watchguard.custhelp.com/app/answers/detail/a_id/1295/kw/adding%20static%20NAT/session/L3NpZC9MVUVNX2k4aw%3D%3D

Thank you.
 
janfrancart Commented:
If you make a test rule to allow all traffic from any to any network for all protocols, do you have communication then?
Is there something in the WatchGuard log?
 
ChiefIT Commented:
Sounds like your router is set to explicitly deny ICMP echos.

Check your router configuration "Access Control Lists" to see if you are denying ICMP echos. Most IT security admins will do this to prevent ping scanners from finding the router.