Solved

Cannot ping outside IP of Firebox

Posted on 2010-08-24
9
2,108 Views
Last Modified: 2013-11-16
I cannot ping the outside interface of the Watchguard x550e that I'm trying to setup up. The network layout is as follows,

Internal IP - 192.168.10.x
Outside IP - 65.220.x.x

I can ping all inside hosts and I can ping external IPs if plugged in directly in into the firebox with a laptop that is not part of the domain. Its only when I try to use a computer within the Win2008 domain that I fail. Any pointers are appreciated.
0
Comment
Question by:bornsavage
9 Comments
 

Expert Comment

by:janfrancart
ID: 33515591
Hi, have you enabled the ICMP protocol for incomming connections? Otherwise the firebox will deny the traffic.
Regards,
0
 

Author Comment

by:bornsavage
ID: 33515611
Yes ICMP is enabled. I can ping if connected directly into the firebox with a laptop that is not part of the domain. I dont have vlans or any switch configuration between the firewall and the domain.
0
 

Expert Comment

by:janfrancart
ID: 33515697
So, your pc's connected to the LAN interface can not ping the external IP of the firebox?

If you place another pc in the WAN side, you can ping the WAN IP?

There are no other devices between the firebox and the Internet connection? (routers, modems that could be using the WAN IP in stead of the firebox)


0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:bornsavage
ID: 33515837
Ok,


Verizon Box<---->Firebox<----->HP Switch(dumb)<-------->LAN


If I plug a laptop which is not part of the domain into the HP switch or the firebox I can get out fine. The problem is only with computers part of the 200 domain.
0
 

Expert Comment

by:janfrancart
ID: 33515943
So you can't reach any IP outside of the firebox?

Are the gateway and the subnets set up fine on the fiirebox and the clients (both domain and non-domain)?

There are no duplicate DHCP servers active (on the domain and on the firebox?)

Maybe some authentication issue on the firebox, did you have a look at the integrated log of the firebox? If it denies traffic it should be listed in the log files.

Good luck
0
 

Author Comment

by:bornsavage
ID: 33516152
Yes, I cant reach any IPs outside the firewall from the inside network.
Gateway and subnet settings are accurate.
I am assigning static IPs so DHCP is not an issue.
The firebox as of now is configured in the minimal state- 1 internal and 1 external IP, no policies except ICMP.

Thanks for the help.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 300 total points
ID: 33517701
How have you configured the ICMP service; is it like this:
Enabled and allowed; from any; to any

If yes, you would not get any response.

Depending on which machine you wish to respond to ICMP echo packets you should configure the service as:
Enabled and allowed; from any OR Specific-ip-subnet-or-ip; to external-ip->internal-ip-of-machine

See article below on adding static NAT:
http://watchguard.custhelp.com/app/answers/detail/a_id/1295/kw/adding%20static%20NAT/session/L3NpZC9MVUVNX2k4aw%3D%3D

Thank you.
0
 

Assisted Solution

by:janfrancart
janfrancart earned 200 total points
ID: 33518545
If you make a test rule allow all traffic from. any to any network for all protocols, do you have communication then?
Is there something in the watchguard log?

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33528871
Sounds like your router is set to explicitly deny ICMP echos.

Check your router configuration  "Access Control Lists" to see if you are denying ICMP echos. Most IT security admins will do this to prevent ping scanners from finding the router.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question