Watchguard Firebox 2 (PPTP and GRE Pass Through)

Hi

Here's the issue:

Windows 2003 Server (Small Business Server)
Ethernet: 10.10.10.200
Subnet: 255.255.255.0
Default Gateway: 10.10.10.250
DNS: 10.10.10.200

Watchguard Firebox 2, System Manager 7.0
Trusted Interface: 10.10.10.250
External Interface: 81.5.135.20
Optional Interface: Not Configured

What we are trying to do is create a VPN connection to the Windows 2003 server from a remote VPN client. To create this we have done the following.

New Policy

Inbound - Any Outbound - Any

NAT: 81.5.135.20 - 10.10.10.200

When I complete this, the remote VPN client stays on the "verifying username and password" step.

When connecting up a spare firewall that we have (Watchguard SOHO 6) we are able to receive PPTP traffic, but when using the Watchguard Firebox 2 this doesn't work.

Looking at the traffic monitor I can see that the firewall is reporting a GRE error.

To resolve this issue I used the PPTP rule that is already available in the list of policies that can be created. When doing this I noticed that the NAT option is disabled. To get around this we have tried to create a 1-to-1 NAT using another IP address out of our IP range.

Any ideas would be great

Reply to
Matt.Jones
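The stall at "verifying username and password" described in the post above is the classic symptom of the TCP/1723 control channel getting through while GRE (IP protocol 47, which carries the PPP frames) does not. The following is an added example, not code from the original post or from WatchGuard: a small Python checker that takes raw IPv4 packets as captured on the trusted interface and reports whether the control channel and the PPTP GRE stream are seen in each direction between the client and the RRAS server. The client address 203.0.113.7, the sample packets and the helper names are assumptions constructed for the example.

```python
"""Diagnose a PPTP session from raw IPv4 packets (added example).

PPTP needs two things to pass a firewall/NAT: the control connection on
TCP/1723 and the PPP data carried in GRE (IP protocol 47, RFC 2637
"enhanced GRE").  If only the control channel gets through, the client
authenticates over TCP but never receives PPP frames, so it sits at
"Verifying username and password" until it times out.
"""
import struct
from collections import defaultdict

PPTP_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PPP_PROTO = 0x880B  # protocol type carried in PPTP's GRE header


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) for constructed test data."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header; only the ports matter for this check."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0)


def build_pptp_gre(call_id: int, ppp: bytes) -> bytes:
    """Enhanced GRE header used by PPTP (RFC 2637 4.1): K bit set, version 1,
    protocol 0x880B, payload length, call ID.  Sequence/ack words omitted."""
    flags_ver = 0x2001  # K=1, version=1
    return struct.pack("!HHHH", flags_ver, GRE_PPP_PROTO, len(ppp), call_id) + ppp


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), pkt[ihl:]


def diagnose(packets, client: str, server: str) -> dict:
    """Classify what the capture shows for one client/server pair."""
    control = set()
    gre_calls = defaultdict(set)  # (src, dst) -> set of PPTP call IDs seen
    for pkt in packets:
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto == IPPROTO_TCP and len(payload) >= 4:
            sport, dport = struct.unpack("!HH", payload[:4])
            if PPTP_PORT in (sport, dport):
                control.add((src, dst))
        elif proto == IPPROTO_GRE and len(payload) >= 8:
            _flags, gproto, _length, call_id = struct.unpack("!HHHH", payload[:8])
            if gproto == GRE_PPP_PROTO:
                gre_calls[(src, dst)].add(call_id)

    control_ok = (client, server) in control and (server, client) in control
    gre_out = bool(gre_calls[(client, server)])
    gre_in = bool(gre_calls[(server, client)])

    if not control_ok:
        verdict = "no TCP/1723 control channel in both directions: check the port-forward/NAT rule"
    elif gre_out and gre_in:
        verdict = "ok: control channel and GRE flow in both directions"
    elif gre_out:
        verdict = "GRE reaches the server but nothing returns: check the NAT/1-to-1 mapping for protocol 47"
    else:
        verdict = "GRE (protocol 47) blocked: client will stall at 'Verifying username and password'"
    return {"control_ok": control_ok, "gre_out": gre_out, "gre_in": gre_in, "verdict": verdict}


# Constructed sample traffic (addresses are assumptions for the example).
CLIENT, SERVER = "203.0.113.7", "10.10.10.200"
PPP_LCP = b"\xff\x03\xc0\x21"  # PPP address/control bytes followed by LCP


def sample_capture(with_gre: bool = True, with_gre_reply: bool = True):
    pkts = [
        build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp(49152, PPTP_PORT)),
        build_ipv4(IPPROTO_TCP, SERVER, CLIENT, build_tcp(PPTP_PORT, 49152)),
    ]
    if with_gre:
        pkts.append(build_ipv4(IPPROTO_GRE, CLIENT, SERVER, build_pptp_gre(1, PPP_LCP)))
    if with_gre_reply:
        pkts.append(build_ipv4(IPPROTO_GRE, SERVER, CLIENT, build_pptp_gre(1, PPP_LCP)))
    return pkts


if __name__ == "__main__":
    for label, cap in [("healthy", sample_capture()),
                       ("gre blocked", sample_capture(with_gre=False, with_gre_reply=False)),
                       ("gre one-way", sample_capture(with_gre_reply=False))]:
        print(f"{label}: {diagnose(cap, CLIENT, SERVER)['verdict']}")
```

Against a real problem you would feed `diagnose()` the IPv4 payloads of frames captured on the trusted side of the Firebox (any pcap reader that hands you raw IP packets will do); a "GRE blocked" verdict points at the firewall policy or NAT rather than at the RRAS server's authentication.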

I've seen this with a Firebox X Edge. The rule is there for PPTP forwarding through to the 2003 RRAS server but it just doesn't work. The client disconnects immediately and the Watchguard logs report packets on 1723 being dropped. After extensive searching on the web this seems to be a random problem that crops up with certain combinations of NAT devices. In my case I am going through an ISA 2004 on my side, then through the Watchguard Firebox X Edge on the other and this double-NAT combination doesn't work.

I can successfully pass PPTP through my ISA + many other devices (including other Watchguards), and if I PPTP through JUST the Watchguard (bypassing my ISA), that also works.

In all my research on this it seems the only solution is to change the NAT device at either your end or the other end...

Dan

Reply to
dan.hobart

Why would anyone want to PPTP to the server when the Firebox 2 acts as a VPN (PPTP or IPsec) endpoint and provides all that is needed without having to expose the server itself? I never set up the servers as VPN endpoints, only the firewall, which lets US control who reaches the server and what ports they can use to reach the server.

Even the Firebox II device has PPTP pre-defined rules that can be added, and yes, some cheap NAT routers don't properly pass GRE.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.