Firebox 1000 WG and VPN problem. Assistance request. TIA.

I have a Firebox 1000 on the network using the 192.168.1.x subnet. Now, the VPN users are logging on and getting a 192.168.11.x address...which is fine...unless they happen to be using a DSL service or a router configured with a default IP address using 192.168.1.x. When they log on to their internet service and the modem gives them a 1.x address or their router does, then connect VPN...they get the 11.x address okay, but the system thinks they're spoofing because it sees the 1.x address. I can't change the IP address of the network....not an option. And it would be too much trouble to individually change the settings of each individual home network...especially if they go out to some wifi zone and get the 1.x address anyway....won't solve the problem.

What options do I have to fix this problem? Any help would be greatly appreciated...and thanks!

Reply to
Ricky

I hope that's a typo in the second network range (VPN = 192.168.11???)

Your problem is that you didn't put your protected Firebox network in a different network than the default networks provided by home user NAT boxes.

I suggest that you reset the Firebox Trusted interface to 192.168.8.1/24, the Optional interface to 192.168.16.1/24, then set up VPN addresses as 192.168.8.50~59 (as big a range as you need).

It seems that you really did mean .11, and I can't understand why .11; it's not in your network as described above. Why is your VPN setting on the firewall NOT giving them an IP in the same range as the Trusted network?

So, it would be like this:

HOME USER COMPUTER (192.168.1.x) --> NAT ROUTER --> PUBLIC INTERNET

PUBLIC INTERNET --> FireBox Firewall
                      Trusted:  192.168.8.1/24
                      Optional: 192.168.16.1/24
                      FB VPN IP Leases: 192.168.8.50~59 (or more if needed)

Now, you need to create rules so that VPN users can access network resources: create at least ONE group, put the users' VPN logins into the group, create a rule, and give that group the access they need.

Reply to
Leythos


If you are using 192.168.0 or 192.168.1 then you're going to have problems with home users, that's just the way it is - the vendors have their devices default to 192.168.0 and 192.168.1. You must change the 192.168.1 address scheme in your network to something else.

Also, if the VPN connection is to the firebox, and the firebox is NOT at .11, then you've got some serious routing issues because of using .11.

Like it or not, you need to change that 192.168.1 range to something else.

If you are running out of IPs, maybe it's time to consider moving to another scheme or a larger subnet, 192.168.8.0/23, or make the main office 10.1.0.0/16 so that you have a larger network in that location, but not the default of 10.0.0.0 like some other vendors' products default to.

You would need to remove the 10.0.0.0 restriction from the firewall also.

Reply to
Leythos
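The two posts above come down to one check: does the office plan (Trusted, Optional and the VPN lease pool) overlap any range a home NAT router or hotspot is likely to hand out? The script below is an added example, not code from the original thread or from WatchGuard; it uses Python's standard ipaddress module to test the original 192.168.1.x layout, Leythos's proposed 192.168.8.1/24 layout, and the larger 192.168.8.0/23 and 10.1.0.0/16 alternatives against a constructed list of common home defaults. The list of home defaults, the labels, and the /24 used for the 10.0.0.0 vendor default are assumptions, not facts from the thread.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample of LAN ranges that consumer NAT routers and public hotspots
# commonly ship with, as the thread describes (192.168.0.0/24 and 192.168.1.0/24,
# plus the 10.0.0.0 default some vendors use; the /24 on it is an assumption).
COMMON_HOME_DEFAULTS: List[ipaddress.IPv4Network] = [
    ipaddress.IPv4Network("192.168.0.0/24"),
    ipaddress.IPv4Network("192.168.1.0/24"),
    ipaddress.IPv4Network("10.0.0.0/24"),
]


def address_pool(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Express a VPN lease range such as 192.168.8.50~59 as CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def collisions(plan: Dict[str, Iterable[ipaddress.IPv4Network]],
               client_lans: Iterable[ipaddress.IPv4Network] = COMMON_HOME_DEFAULTS
               ) -> Dict[str, List[str]]:
    """Map each office network label to the client LANs it overlaps.

    A VPN client whose local LAN overlaps an office network ends up with two
    routes for the same destination, which is why the firewall in the thread
    sees the client's 192.168.1.x traffic as spoofed. An empty dict means the
    plan is clean against the given client LANs.
    """
    found: Dict[str, List[str]] = {}
    for label, nets in plan.items():
        hits = sorted({str(lan) for net in nets
                       for lan in client_lans if net.overlaps(lan)})
        if hits:
            found[label] = hits
    return found


def pool_inside_trusted(pool: Iterable[ipaddress.IPv4Network],
                        trusted: ipaddress.IPv4Network) -> bool:
    """Leases should come from the Trusted range, as the thread recommends,
    so VPN clients are routed like any other trusted host."""
    return all(block.subnet_of(trusted) for block in pool)


# The layout described in the original post (hypothetical labels).
CURRENT_PLAN = {
    "trusted": [ipaddress.IPv4Network("192.168.1.0/24")],
    "vpn_pool": [ipaddress.IPv4Network("192.168.11.0/24")],
}

# The layout Leythos proposes.
PROPOSED_PLAN = {
    "trusted": [ipaddress.IPv4Network("192.168.8.0/24")],
    "optional": [ipaddress.IPv4Network("192.168.16.0/24")],
    "vpn_pool": address_pool("192.168.8.50", "192.168.8.59"),
}

# The larger alternatives from the follow-up post.
LARGER_PLAN = {
    "trusted_wide": [ipaddress.IPv4Network("192.168.8.0/23")],
    "main_office": [ipaddress.IPv4Network("10.1.0.0/16")],
}

if __name__ == "__main__":
    print("current :", collisions(CURRENT_PLAN))
    print("proposed:", collisions(PROPOSED_PLAN))
    print("larger  :", collisions(LARGER_PLAN))
    print("pool in trusted:",
          pool_inside_trusted(PROPOSED_PLAN["vpn_pool"], PROPOSED_PLAN["trusted"][0]))
```

Run it as-is to see the current plan flagged on Trusted and the proposed plan pass; to check a different site, replace the networks in the plan dictionaries. Note that a clean result only covers the client LANs you listed, which is the point Russ makes later in the thread about a partner turning up on your new range.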

My problem is that it would be a huge undertaking to reset the domain block 1.x....huge. It would affect several companies and take several days with several people. Now, that doesn't sound so daunting....but it is from where we stand...

I know it makes logical sense...but I have to find a way for now until we can change programs, routers, and the shebang....

Know what I mean?

Reply to
Ricky

Yep, seen it many times. Your only choice is to create a cheat-sheet that shows users how to change their home network from 192.168.1 or 192.168.0 to 192.168.250.x/24
Reply to
Leythos

Which is doable...but then, I can't get them to change the addressing at wifi spots in the city...where they seem to also want to access the system. So..my only option (at this point) is to change the subnet :{.

Anybody look

>>> My problem is that it would be a huge undertaking to reset the domain

Reply to
Ricky

Don't take this wrong, I'm really interested to know (and this isn't sarcasm), but how did you miss the fact that all the vendor NAT routers and most of the public spots are using 192.168.0.0/24 and 192.168.1.0/24?

Don't feel bad, I've seen it hundreds of times.

Reply to
Leythos

No offense taken at all. This is an existing network...one that I inherited. I didn't set up the IP structure...wish I had...and the guy who had is gone now. I'm restructuring by taking out his overly paranoid infrastructure that was pretty much stifling the business and putting in newer equipment. The sad thing is that now, so much is embedded that it will take a lot of work to change it.

I will. Plans are in motion to make this right. I spent a great deal of time with WatchGuard today and came to the same conclusion...this won't work. That's okay. Needs to be done. We are half the crew now and I'm replacing the outdated crap that was and putting in new. On top of that, I'm learning as I go.

Which is why I appreciate your help. This group was a great f

>>> Which is doable...but then, I can't get them to change the addressing

Reply to
Ricky

When it comes to WatchGuard and tunnels or rules, feel free to contact me directly (see sig below for email) anytime. I have a lot of them in the field and several on the shelf that I use to test/plan customer layouts with.

Reply to
Leythos

It's too bad that you've had to do that, but with many boxes that's really your only choice. If you've already been down the road with WatchGuard and they agree, then you're just going to have to bite the bullet if you want to keep your equipment as is. You do have one other option to think about though, and that's either replacing or supplementing your existing VPN hardware. Some other boxes are capable of mapping all your internal (head office) addresses as well as all the client addresses to deal with overlapping subnets. It's not particularly easy, but it's quite feasible. Check in the knowledgebase for the search terms "overlapping subnets vpn" to pop out the tech articles on how to do it for whatever other VPN products you're considering. I'm 90% sure a Netscreen can do it -- I've done it with site-to-site, just not client-to-site, but I think the mechanics would be the same. On a Fortigate, you can set it up to assign the clients IPs from the internal network and I *think* I did this once even though my local subnet was the same -- this of course only works when split tunnelling is disabled, otherwise your routing table would make no sense. I'd have to check/test just to be perfectly sure on that one though.

So what I'm saying is that while it may indeed be impossible with your current box, you might be able to get away with it on another box that you could either a) hang on the outside on another IP and give it an inside interface on your DMZ or b) put inside your DMZ and forward protocol 50 and UDP 500 to it via your WatchGuard. A good SE for one of the other products on the market should also be able to advise you about it.

Or c) replace your WatchGuard of course, but you may not want to do that, that's fine. Options a) and b) let you have a very simply configured VPN concentrator, or at least as simply as possible in the circumstance, with no R&R on your main firewall; you just leave it in place.

Adding another appliance might not be your first choice, but from the sounds of it the subnet change is pretty daunting in your case, and you have to ask yourself, what if another person/vendor/partner comes along that has unfortunately picked your new IP range for their own... it can still happen... if it did, wouldn't it be nice to be able to deal with it? Boxes like this should cost like $500 to $1000 so it's not a huge investment.

-Russ.

Reply to
Somebody.

The WatchGuard can do all of that too, but it's not a good way to do it - it will create a bigger mess later that would just require more work to properly correct.

I would suggest that the subnets be properly mapped based on the information we have from this thread; it's not worth the continuing issue of overlapping subnets.

Reply to
Leythos
