Solved

Cannot ping outside IP of Firebox

Posted on 2010-08-24
Last Modified: 2013-11-16
I cannot ping the outside interface of the Watchguard x550e that I'm trying to set up. The network layout is as follows:

Internal IP - 192.168.10.x
Outside IP - 65.220.x.x

I can ping all inside hosts and I can ping external IPs if plugged directly into the firebox with a laptop that is not part of the domain. It's only when I try to use a computer within the Win2008 domain that I fail. Any pointers are appreciated.
Question by:bornsavage

Expert Comment

by:janfrancart
ID: 33515591
Hi, have you enabled the ICMP protocol for incoming connections? Otherwise the firebox will deny the traffic.
Regards,
 

Author Comment

by:bornsavage
ID: 33515611
Yes, ICMP is enabled. I can ping if connected directly into the firebox with a laptop that is not part of the domain. I don't have VLANs or any switch configuration between the firewall and the domain.
 

Expert Comment

by:janfrancart
ID: 33515697
So, your PCs connected to the LAN interface cannot ping the external IP of the firebox?

If you place another PC on the WAN side, can you ping the WAN IP?

There are no other devices between the firebox and the Internet connection? (routers, modems that could be using the WAN IP instead of the firebox)



 

Author Comment

by:bornsavage
ID: 33515837
Ok,


Verizon Box<---->Firebox<----->HP Switch(dumb)<-------->LAN


If I plug a laptop which is not part of the domain into the HP switch or the firebox I can get out fine. The problem is only with computers part of the 200 domain.
 

Expert Comment

by:janfrancart
ID: 33515943
So you can't reach any IP outside of the firebox?

Are the gateway and the subnets set up fine on the firebox and the clients (both domain and non-domain)?

There are no duplicate DHCP servers active (on the domain and on the firebox?)

Maybe some authentication issue on the firebox, did you have a look at the integrated log of the firebox? If it denies traffic it should be listed in the log files.

Good luck
 

Author Comment

by:bornsavage
ID: 33516152
Yes, I can't reach any IPs outside the firewall from the inside network.
Gateway and subnet settings are accurate.
I am assigning static IPs so DHCP is not an issue.
The firebox as of now is configured in the minimal state- 1 internal and 1 external IP, no policies except ICMP.

Thanks for the help.
 

Accepted Solution

by:
dpk_wal earned 1200 total points
ID: 33517701
How have you configured the ICMP service; is it like this:
Enabled and allowed; from any; to any

If yes, you would not get any response.

Depending on which machine you wish to respond to ICMP echo packets you should configure the service as:
Enabled and allowed; from any OR Specific-ip-subnet-or-ip; to external-ip->internal-ip-of-machine

See article below on adding static NAT:
http://watchguard.custhelp.com/app/answers/detail/a_id/1295/kw/adding%20static%20NAT/session/L3NpZC9MVUVNX2k4aw%3D%3D

Thank you.
 

Assisted Solution

by:janfrancart
janfrancart earned 800 total points
ID: 33518545
If you make a test rule to allow all traffic from any to any network for all protocols, do you have communication then?
Is there something in the watchguard log?

 

Expert Comment

by:ChiefIT
ID: 33528871
Sounds like your router is set to explicitly deny ICMP echos.

Check your router configuration  "Access Control Lists" to see if you are denying ICMP echos. Most IT security admins will do this to prevent ping scanners from finding the router.
Question has a verified solution.