Solved

Cannot ping outside IP of Firebox

Posted on 2010-08-24
9
2,122 Views
Last Modified: 2013-11-16
I cannot ping the outside interface of the Watchguard x550e that I'm trying to setup up. The network layout is as follows,

Internal IP - 192.168.10.x
Outside IP - 65.220.x.x

I can ping all inside hosts and I can ping external IPs if plugged in directly in into the firebox with a laptop that is not part of the domain. Its only when I try to use a computer within the Win2008 domain that I fail. Any pointers are appreciated.
0
Comment
Question by:bornsavage
9 Comments
 

Expert Comment

by:janfrancart
ID: 33515591
Hi, have you enabled the ICMP protocol for incomming connections? Otherwise the firebox will deny the traffic.
Regards,
0
 

Author Comment

by:bornsavage
ID: 33515611
Yes ICMP is enabled. I can ping if connected directly into the firebox with a laptop that is not part of the domain. I dont have vlans or any switch configuration between the firewall and the domain.
0
 

Expert Comment

by:janfrancart
ID: 33515697
So, your pc's connected to the LAN interface can not ping the external IP of the firebox?

If you place another pc in the WAN side, you can ping the WAN IP?

There are no other devices between the firebox and the Internet connection? (routers, modems that could be using the WAN IP in stead of the firebox)


0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:bornsavage
ID: 33515837
Ok,


Verizon Box<---->Firebox<----->HP Switch(dumb)<-------->LAN


If I plug a laptop which is not part of the domain into the HP switch or the firebox I can get out fine. The problem is only with computers part of the 200 domain.
0
 

Expert Comment

by:janfrancart
ID: 33515943
So you can't reach any IP outside of the firebox?

Are the gateway and the subnets set up fine on the fiirebox and the clients (both domain and non-domain)?

There are no duplicate DHCP servers active (on the domain and on the firebox?)

Maybe some authentication issue on the firebox, did you have a look at the integrated log of the firebox? If it denies traffic it should be listed in the log files.

Good luck
0
 

Author Comment

by:bornsavage
ID: 33516152
Yes, I cant reach any IPs outside the firewall from the inside network.
Gateway and subnet settings are accurate.
I am assigning static IPs so DHCP is not an issue.
The firebox as of now is configured in the minimal state- 1 internal and 1 external IP, no policies except ICMP.

Thanks for the help.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 300 total points
ID: 33517701
How have you configured the ICMP service; is it like this:
Enabled and allowed; from any; to any

If yes, you would not get any response.

Depending on which machine you wish to respond to ICMP echo packets you should configure the service as:
Enabled and allowed; from any OR Specific-ip-subnet-or-ip; to external-ip->internal-ip-of-machine

See article below on adding static NAT:
http://watchguard.custhelp.com/app/answers/detail/a_id/1295/kw/adding%20static%20NAT/session/L3NpZC9MVUVNX2k4aw%3D%3D

Thank you.
0
 

Assisted Solution

by:janfrancart
janfrancart earned 200 total points
ID: 33518545
If you make a test rule allow all traffic from. any to any network for all protocols, do you have communication then?
Is there something in the watchguard log?

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33528871
Sounds like your router is set to explicitly deny ICMP echos.

Check your router configuration  "Access Control Lists" to see if you are denying ICMP echos. Most IT security admins will do this to prevent ping scanners from finding the router.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
Resolve DNS query failed errors for Exchange
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question