Validate public IP address

I got a /23 public subnet from my provider with their gateway within that subnet, x.x.91.1/23. I configured my FW with an IP address from that subnet, x.x.90.1, and ping is allowed on the FW outside interface. I am trying to set up an IPSec VPN from this site back to the HQ. From HQ and from my PC at home, I can ping their gateway x.x.91.1 but cannot ping x.x.90.1. I checked a looking glass BGP table and that subnet is routable on the Internet.
They said that everything is configured correctly on their end and the issue is on my end. I am not sure I agree with them, but I am not sure how to validate my argument. Thanks
A /23 is two Class C segments.

The IP you get can be a single IP with netmask 255.255.254.0.

A /23 would mean that there are 509 unique hosts on that segment.

Previously, or by standard, the gateway was the first IP in the segment. Some choose to move the default gateway to deal with anyone who is unfamiliar with the meteor, such that even if they piggyback, they will not be able to use the network without knowing the default gateway.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
First, set up your entire system without a VPN.

Get everything working first, then integrate your VPN.

Also keep in mind that for IPSec to work, both ends must be working... so... first you set up both ends without IPSec + get everything working.

Then set up IPSec at both ends + verify all's well.

Then integrate your 1 way or 2 way VPN.

Setting up IPSec tends to be overkill. SSL + SSH work as well or better (faster) + can be set up in a few seconds.
yo_bee (Director of Information Technology) commented:
Why do you need that many public addresses? That is a large chunk.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Also, another item to test, to ensure you actually have all the IPs you're supposed to have.

First, get rid of your Firewall, if your Firewall is a device. Firewall devices are far less flexible to debug than iptables on a machine.

Ping the first IP + last IP in your assigned IP range, both should be dead/non-responsive.

Now configure your first + last IP as aliases off one of your physical interfaces, like eth0 or whatever interface naming scheme is being used.

Once you configure your first + last IP as aliases, you should be able to ping them.

If this test fails, then your first step is to open a support ticket with your hosting/provisioning company + have them fix your networking.

Best to ensure your full range works, else you may end up debugging problems which can never be fixed, due to broken networking.
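As an added example, not code from any poster in this thread, the subnet arithmetic behind the /23 answer and the first/last-address test above, using a constructed 10.0.90.0/23 in place of the masked x.x addresses (the gateway at .91.1 and the firewall's outside interface at .90.1, as in the question):

```python
import ipaddress

# Constructed stand-in for the masked x.x.90.0/23 block in the thread.
GATEWAY = "10.0.91.1/23"   # constructed; the thread shows x.x.91.1/23
FIREWALL_IP = "10.0.90.1"   # constructed; the thread shows x.x.90.1


def describe_block(gateway_cidr):
    """Derive the block boundaries from the gateway's address/prefix.

    Usable hosts = 2**(32 - prefix) - 2, because the network and
    broadcast addresses cannot be assigned to a host.
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "gateway": str(iface.ip),
    }


def same_segment(addr, gateway_cidr):
    """True when addr is a host address inside the gateway's subnet, i.e.
    a device at addr reaches the gateway directly on the same segment
    rather than needing a route to it."""
    iface = ipaddress.ip_interface(gateway_cidr)
    ip = ipaddress.ip_address(addr)
    net = iface.network
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def probe_candidates(gateway_cidr, in_use):
    """Addresses for the first/last-IP check: the first and last usable
    hosts, skipping anything already assigned (gateway, firewall), since
    those are expected to answer and prove nothing about the rest."""
    info = describe_block(gateway_cidr)
    used = {info["gateway"], *in_use}
    return [a for a in (info["first_usable"], info["last_usable"]) if a not in used]


if __name__ == "__main__":
    print(describe_block(GATEWAY))
    print("firewall on gateway segment:", same_segment(FIREWALL_IP, GATEWAY))
    print("addresses to alias and ping:", probe_candidates(GATEWAY, [FIREWALL_IP]))
```

Note that with the firewall on .90.1 the first usable host is already taken, so only the last usable address (.91.254) remains as an unassigned probe.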
yo_bee (Director of Information Technology) commented:
I would not recommend removing your FW from your network to test any connectivity. You can set up a 1-to-1 NAT to test the IPs recommended in the previous comment. From there you will get some validity. Once tested, close up the NAT.
leblanc (Accounting, Author) commented:
I am not sure why they gave us a /23. We ordered 1 public IP address and they gave us a /23.
All the Internet traffic will be sent back to the HQ, so my default route will be sent through the tunnel. I removed all of the tunnel configuration. I just assigned my FW interface a public IP address from that /23 subnet. So as far as the Internet is concerned, I should be able to ping that interface from anywhere on the Internet because it is a routable public IP address. Correct?