To be a bit pedantic, certbot is just asking Let's Encrypt to validate, and it's Let's Encrypt which is actually trying to connect from multiple places to ensure that you actually control the domain name as seen by everywhere on the Internet.
There should be five currently, with more likely to happen in the future.
In order to prove that you control the name, you need to prove control as seen by everywhere on the Internet. Usually, even networks with strict controls have their DNS server publicly available, so you may be able to set up DNS-01. But that would require your domain administrators to delegate some level of control over the name to you to be able to fulfill the challenge, and it can be harder to set up.
You may want to look through this FAQ, I hope it answers a lot of questions about multi-perspective validation and how to deal with it:
Another workaround to try if you're just trying to get things working is to try some other CAs, like Buypass Go or ZeroSSL. You can often just change the --server argument in Certbot, though some CAs require registering a separate account first. But all CAs will be checking from multiple locations if they aren't already, so this really isn't going to address your root problem.