Watch Guard Firebox 1000 and VPN

I am trying to set up a VPN to my Win 2000 Server. I have it working internally but I cannot get my WatchGuard to let me in. What do I need to do to make it work?

Thanks in advance.

Steven Drury

We are trying to VPN into the network and have total access to all network resources. I would like to Terminal Service into the server if possible, but the VPN is the most important part at this time.

Steven Drury

Thanks, I have created and done everything you have said. I am able to connect from an outside source, and when I connect I am able to ping the router but not any of the computers on the network. Did I forget something?

Steven Drury

Yes, I did create a rule just like you said. I am able to log in and then ping the router. I enabled ping everything and I still could not ping any other devices. I am able to ping the IP address from any computer on the internal network, however. On the properties of the Any PPTP rule it has Port with nothing under it and Protocol with Any on it; Client Port is empty as well. I cannot add Any to the Port section.

Steven Drury

There are several methods and we need more information:

1) Are you trying to VPN into the network and have total access to all network resources?

2) Are you trying to remote-desktop into the server only?

If you set up a PPTP user in the WatchGuard, you can PPTP into the firewall itself, and if you create a rule, you can access the entire network once you authenticate with the VPN. Windows remote access is not needed at this point - once you get an IP you are the same as being in the local network.

Leythos

The simple method would be to create PPTP users for the firewall itself: open the Policy Manager, click on Network, Remote User, PPTP, and then add a couple of fixed IP addresses and enable remote users.

Now click on Setup, Authentication Servers, Firebox Users tab, add a couple of users and put them in the PPTP_Users group.

One last thing - and this is not the approved method, but will get you up and running - go back and secure this later: Add an ANY rule, call it ANY_PPTP and make Incoming Enabled and Allowed, add PPTP_Users to From and External, Firebox, Optional, Trusted to the TO box, click OUTGOING tab, and do the same thing in reverse (PPTP_Users goes in the TO box this time, same for the From box).

Now, save this - you can't check this from inside your network, you have to PPTP from outside the network.

Create a Windows XP (or anything that supports PPTP) connection to the public IP of the firewall and authenticate with the firewall. This will give you an IP in the network; you need to configure the PPTP connection to use the DNS server INSIDE your trusted network if you want to use name resolution.

Hope this helps. Please bottom post.

Leythos

Now this is interesting. I have just connected to one of my servers through the VPN, however I am unable to connect to the main server. Is it possible that I have to set up something on the server? I have 4 servers here and can only connect to the one that has the WatchGuard program on it. I am so confused as to why I can connect to it.

Steven Drury

Did you create the ANY rule like I mentioned? You need to ADD an ANY service (all ports/types) that lets the PPTP_Users group access the network. Just making the connection via PPTP without the rule means you can only access the firewall, nothing else.

Please bottom post next time.

Leythos

One more thing - if you didn't assign a DNS entry of an internal DNS server (in your trusted network) to the Networking DNS options of the PPTP connection, then you can only ping by IP, not by name. Without the DNS entry you can't use UNC paths/names.

Leythos

Ping might be blocked on the WatchGuard.

Robin Grayson

The ANY service already has the proper ports/services in the rule, you don't need to add anything to it to make it work.

So, the question is this - from an external public connection, you PPTP into the Firebox, and the Firebox provides you an IP (meaning that you did set a number of IPs up in the REMOTE USER SETUP / PPTP tab?). Try setting "Enable drop from 128 bit to 40 bit".

One last thing, if you are not using the "Strong Software Encryption" version, then you can't do a VPN/PPTP into the firewall.

If this doesn't work you are going to have to call them.

Leythos

I can VPN to the router and then ping only one of the servers. I can then map a drive using the IP address of that server; the server asks me to log in, which works no problem. The subnet of our network is 255.255.255.0 and the IP addresses are 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of 255.255.255.0. What I want to set up is so that our users can VPN in from home to check their email and do work if they need to. However, the server they need to get to I cannot access. Does this make any sense?

Steven Drury

OK, I will try that tomorrow and advise you if it works. Thanks again for all your help.

Steven Drury

Define "connect to it"?

What is the subnet of the Trusted network at your 4-servers location?

What is the subnet of the place where you are at trying to test the VPN?

If you are using 192.168.1.0/24 for both networks, or any other subnet that is the same on both ends, you will have nothing but troubles - they must be different, and you should not make either one of them the default for typical devices already on the market. As an example, many routers use 192.168.1.0/24 and 192.168.0.0/24 for their subnets; put the Firewall Trusted zone at 192.168.16.0/24 so that you can easily segment the network if needed, and do the DMZ at 192.168.32.0/24 - this means that people using the default address space on those home user routers can access your network properly.

The firewall does not connect to a server; it's a stand-alone unit. The only connection is from the Firewall HTTP Proxy service to the WebBlocker database service running on a server (if you installed it); all other connections are from the management software on a server/workstation to the firewall.

Mark

Leythos

In article , snipped-for-privacy@sympatico.ca says... [snip]

OK, so, you can ping one server, and map a share to it, but not the other servers.

So, the question is simple - what is the difference between the network settings on the server you can connect to and the ones you can't connect to?

If you can't ping them by IP address (and the ANY_PPTP rule should allow you total access if you set it up correctly), then it's got to be some form of subnet issue.

Did you set up the Network Configuration TAB properly - meaning that your network Trusted interface should be 10.10.10.0/24 - and did you then go into the BLOCKED SITES settings (in 7.1 you find this under Setup, Intrusion Prevention, and then Blocked Sites) and remove the 10.0.0.0/8 and the 192.168.0.0/16 values (or whatever they are for 10.x.y.z and 192.168.x.y)?

In the Windows XP VPN connection I have "Security Tab", X Advanced Settings, X Allow these Protocols, check everything except "For MS_CHAP based...." (the last box). I also have "Require encryption, disconnect if server declines".

Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted network's DNS server for DNS (so it would be 10.10.10.x for yours). I also have "Use remote gateway" checked under the advanced options. Under the Advanced TAB I do not have anything checked - no ICF, and don't allow other users to connect through this connection...

Double check everything, and make sure that you've got your IP addresses and masks set properly - a 255.255.255.0 is a /24.

Let me know if this works.

Leythos
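An added example, not part of the thread, that checks the addressing points raised in this and the earlier posts: a home LAN that overlaps the Trusted subnet, Blocked Sites entries that cover the Trusted network or the PPTP addresses, and a client DNS setting that points outside the Trusted network. It assumes you read those values off the Policy Manager and the client's dial-up connection; the sample numbers are constructed from the ones quoted in the thread.

```python
import ipaddress


def check_pptp_setup(trusted, pptp_pool, client_lan, dns_server, blocked_sites):
    """Return a list of findings; an empty list means no addressing problem found."""
    findings = []
    # strict=False accepts an interface address such as 10.10.10.7/24
    trusted_net = ipaddress.ip_network(trusted, strict=False)
    client_net = ipaddress.ip_network(client_lan, strict=False)
    blocked = [ipaddress.ip_network(b, strict=False) for b in blocked_sites]
    pool = [ipaddress.ip_address(a) for a in pptp_pool]
    dns = ipaddress.ip_address(dns_server)

    # Same or overlapping subnet at both ends: the client's local route wins
    # and packets for the office never enter the tunnel.
    if trusted_net.overlaps(client_net):
        findings.append(f"client LAN {client_net} overlaps Trusted {trusted_net}")

    # A Blocked Sites entry such as 10.0.0.0/8 that covers the Trusted network
    # or a PPTP address silently drops traffic to every internal host.
    for b in blocked:
        if b.overlaps(trusted_net):
            findings.append(f"Blocked Sites entry {b} covers Trusted {trusted_net}")
        for ip in pool:
            if ip in b:
                findings.append(f"PPTP address {ip} falls inside Blocked Sites entry {b}")

    # A PPTP address that collides with the client's own LAN is unreachable from it.
    for ip in pool:
        if ip in client_net:
            findings.append(f"PPTP address {ip} collides with client LAN {client_net}")

    # Name resolution and UNC paths only work when the dial-up connection
    # points at a DNS server inside the Trusted network.
    if dns not in trusted_net:
        findings.append(f"DNS server {dns} is not inside Trusted {trusted_net}")
    return findings


if __name__ == "__main__":
    # Constructed inputs based on the figures given in the thread.
    for finding in check_pptp_setup("10.10.10.0/24", ["10.10.10.200", "10.10.10.201"],
                                    "192.168.0.0/24", "10.10.10.1",
                                    ["10.0.0.0/8", "192.168.0.0/16"]):
        print("finding:", finding)
```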

Not a problem, that's what we're here for.

Leythos

Hello again. I have checked the network configuration and it is as follows. Trusted interface is 10.10.10.7/24. There is nothing in the Blocked Sites.

As for the network settings, all of our servers are assigned an IP address which is 10.10.10.x with a subnet of 255.255.255.0. The DNS server is 10.10.10.1, so all servers point to it as the Primary. I also just created a Secondary DNS; it is 10.10.10.2.

As for the AnyPPTP rule, it looks like this:

Incoming: Enabled and Allowed. From - PPTP_Users. To - External, Firebox, Optional, Trusted.

Outgoing: Enabled and Allowed. From - External, Firebox, Optional, Trusted. To - PPTP_Users.

I have connected via a VPN from outside of our network, and every time I connect I can only ping 1 or 2 servers. I am unable to ping our main server, which has the logins and Exchange; however, I just mapped to our applications server and copied files from my computer to it.

What I find really strange is that sometimes I can ping and connect to one server but the next time I cannot. I am beginning to get frustrated.

Steven Drury

The firmware version that I am using looks like it is 6.0.B1140. That's what it says under Help and WatchGuard version.

Steven Drury

Thanks, I will look into that. You have been a great help, thanks a lot.

Steven

Steven Drury

You need to look at the real-time logs, but I suspect that the problem is not with the Firebox. What version of the firmware are you running?

Leythos
