Validate public IP address

I got a /23 public subnet from my provider, with their gateway within that subnet, x.x.91.1/23. I configured my FW with an IP address from that subnet, x.x.90.1, and ping is allowed on the FW outside interface. I am trying to set up an IPSec VPN from this site back to the HQ. From HQ and from my PC at home, I can ping their gateway x.x.91.1 but cannot ping x.x.90.1. I checked a looking glass BGP table and that subnet is routable on the Internet.
They said that everything is configured correctly on their end and the issue is on my end. I am not sure I agree with them, but I am not sure how to validate my argument. Thanks

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
First, set up your entire system without a VPN.

Get everything working first, then integrate your VPN.

Also keep in mind that for IPSec to work, both ends must be working... so... first you set up both ends without IPSec + get everything working.

Then set up IPSec at both ends + verify all's well.

Then integrate your 1-way or 2-way VPN.

Setting up IPSec tends to be overkill. SSL + SSH work as well or better (faster) + can be set up in a few seconds.
yo_bee (Director of Information Technology) commented:
Why do you need that many public addresses? That is a large chunk.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Also, another item to test, to ensure you actually have all the IPs you're supposed to have.

First, get rid of your Firewall, if your Firewall is a device. Firewall devices are far less flexible to debug than iptables on a machine.

Ping the first IP + last IP in your assigned IP range; both should be dead/non-responsive.

Now configure your first + last IP as aliases off one of your physical interfaces, like eth0 or whatever interface naming scheme is being used.

Once you configure your first + last IP as aliases, you should be able to ping them.

If this test fails, then your first step is to open a support ticket with your hosting/provisioning company + have them fix your networking.

Best to ensure your full range works, else you may end up debugging problems which can never be fixed, due to broken networking.

yo_bee (Director of Information Technology) commented:
I would not recommend removing your FW from your network to test any connectivity. You can set up a 1-to-1 NAT to test the IPs recommended in the previous comment. From there you will get some validity. Once tested, close up the NAT.
leblanc (Accounting, Author) commented:
I am not sure why they gave us a /23. We ordered 1 public IP address and they gave us a /23.
All the Internet traffic will be sent back to the HQ, so my default route will be sent through the tunnel. I removed all of the tunnel configuration. I just assigned my FW interface a public IP address from that /23 subnet. So as far as the Internet is concerned, I should be able to ping that interface from anywhere on the Internet because it is a routable public IP address. Correct?
A /23 is two Class C segments, meaning:

The IP you get can be a single IP with netmask 255.255.254.0.

A /23 would mean that there are 509 unique hosts on that segment.

Previously, or by standard, the gateway was the first IP in the segment. Some choose to move the default gateway to deal with anyone who is unfamiliar with the network, such that even if they piggyback, they will not be able to use the network without knowing the default gateway.
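A worked check of the /23 arithmetic above and of the first/last-address alias test from David Favor's comment, added here as an example that is not part of the original thread. It uses only Python 3's standard ipaddress module. The addresses are constructed placeholders (203.0.90.0/23 stands in for the redacted x.x.90.0/23, so the provider gateway is 203.0.91.1 and the firewall outside interface is 203.0.90.1), and the interface name eth0 is an assumption. It also goes one step beyond the thread: gateway_on_link shows what happens if the firewall interface is configured with a /24 mask on a /23 assignment, which leaves the provider gateway off-link.

```python
"""Subnet arithmetic for a /23 assignment (added example, not from the thread).

Addresses are constructed placeholders: 203.0.90.0/23 stands in for the
redacted x.x.90.0/23, so the provider gateway is 203.0.91.1 and the
firewall outside interface is 203.0.90.1.
"""
import ipaddress

GATEWAY = "203.0.91.1"   # provider gateway, x.x.91.1 in the thread (placeholder)
FIREWALL = "203.0.90.1"  # firewall outside interface, x.x.90.1 (placeholder)


def describe_block(cidr):
    """Parameters of the assigned block: mask, size and usable host range."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # every address except network and broadcast
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "total_addresses": net.num_addresses,
        "usable_hosts": len(hosts),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
    }


def gateway_on_link(interface_cidr, gateway):
    """True when the gateway lies inside the subnet the interface is configured with.

    Treating a /23 as a /24 is the classic mistake: with a /24 mask the
    firewall considers x.x.91.1 off-link and never ARPs for it, so nothing
    can be reached even though the address itself is routable.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def alias_test_plan(cidr, dev="eth0"):
    """First and last address of the range plus the Linux `ip` commands that
    would add them as aliases for the test described in the comment.

    The commands are returned as strings only; run them by hand on a host
    in the range. `dev` defaults to eth0, which is an assumption.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = net.network_address, net.broadcast_address
    cmds = [f"ip addr add {addr}/{net.prefixlen} dev {dev}" for addr in (first, last)]
    return str(first), str(last), cmds


if __name__ == "__main__":
    for key, value in describe_block(f"{FIREWALL}/23").items():
        print(f"{key:16} {value}")
    print("gateway on-link with /23:", gateway_on_link(f"{FIREWALL}/23", GATEWAY))
    print("gateway on-link with /24:", gateway_on_link(f"{FIREWALL}/24", GATEWAY))
    first, last, cmds = alias_test_plan(f"{FIREWALL}/23")
    print("alias test addresses:", first, last)
    print("\n".join(cmds))
```

The 510 usable addresses it reports include the provider's gateway, which leaves 509 for your own hosts, consistent with the count given above. Note that on a /23 the first and last addresses of the range are the network and broadcast addresses, so if the alias test is run with them, the real check of your own configuration is the gateway_on_link result: the firewall outside interface must carry the /23 mask (255.255.254.0), not /24, or x.x.91.1 is unreachable from it regardless of what the provider has done.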
