Question

Setting up VPN FW router (Draytek 5510) with multiple Watchguard Firebox X Series 500 FW's - locally and through MPLS

Asked by: neo3998

(using made-up IPs)

I have this setup in head office:
Cisco MPLS router connecting to 3 other sites
draytek 5510 VPN FW router - internal IP 192.168.21.252, external IP 193.85.110.99
Watchguard Firebox X series 500 - internal IP 192.168.21.1

Hosting centre/phone system:
Cisco MPLS router connecting to 3 other sites - internal IP's 192.168.22.253 and 192.168.25.253 (2 cards)
Watchguard Firebox X series 500 - internal IP 192.168.22.1
Watchguard Firebox X series 500 - internal IP 192.168.25.1

Hong Kong Call Centre:
Cisco MPLS router connecting to 3 other sites - internal IP 192.168.23.253
Watchguard Firebox X series 500 - internal IP 192.168.23.1

Australia Call centre:
Cisco MPLS router connecting to 3 other sites - internal IP 192.168.24.253
Watchguard Firebox X series 500 - internal IP 192.168.23.1

The problem I am having is that the users are coming in through the VPN using IPsec tunnels, through 193.85.110.99 (Draytek 5510 external IP) at the head office.  I can ping and connect to everything on the internal 192.168.21.n but cannot route to any of the subnets through the MPLS.  What do I have to do to get this working?  The main reason I have put the VPN in place is so that users can use soft phones from home through the VPN.  They cannot use the softphones as the software cannot see the Avaya VOIP switch on the 192.168.22.n.

Please take into consideration that each site has its own Cisco MPLS router.  Do I have to configure routing through them, as they are looked after by our MPLS providers and I don't have access to them?  I want to set up all the routing through the firewalls.

Does anyone have any suggestions?

If this doesn't make sense then please contact me - I need this in place ASAP, by the end of the week if possible :(

Thanks

Neo3998

This question has been solved and asker verified.

Asked on 2009-03-10 at 16:39:02 (ID 24218230)
Tags: firewall, watchguard, firebox, draytek, NAT, routing, MPLS, VPN

Topics: Watchguard Firewall, Virtual Private Networking (VPN), Networking Hardware Firewalls

Participating Experts: 1 | Points: 500 | Comments: 20


Answers

 

by: neo3998, posted on 2009-03-11 at 04:02:59, ID: 23855611

anyone out there? This is getting urgent now :(

 

by: dpk_wal, posted on 2009-03-11 at 22:46:39, ID: 23865105

I had posted the same comment in your other question, pasting again:

I am assuming that when you are connecting through MPLS then things work fine [per your original post]; the problem is only seen when you have users coming through VPN, I have few questions on this:
1. Are the users coming as part of BOVPN between the two FBX500 boxes; OR
2. The users are remote users who VPN into FBX500 at some specific site [say HK]; and you already have BOVPN implemented between HK and Hosting centre [HC]; OR
3. The users are remote users who VPN into FBX500 at some specific site [say HK]; and you do have VPN between the HK and HC using MPLS; OR
4. The users are remote users who VPN into FBX500 at some specific site [say HK]; and you do not have any VPN between HK and HC.

In case 1, there should be firewall policies on both X500 to allow traffic from/to remote subnets.
In 2, you must incorporate zero route [Force all traffic through tunnel] for remote users; further if the remote users are connecting on some IP subnet which is not same as the internal IP subnet, we need to include both the subnets in the VPN configuration.
In 3, FBX would have route in place to forward traffic to other subnet through MPLS router; in MPLS router we need to have all the routing information.
Further the remote users should be configured as zero route tunnel.
In 4, I do not think this is applicable case! :)

Please provide details.

Thank you.

 

by: neo3998, posted on 2009-03-12 at 12:13:02, ID: 23872329

Hi,

Sorry for the "anyone out there" comment lol.  

I think I have explained too many sites, and gone through confusing and unneeded detail, so let's keep it simple:

site 1 (main site/VPN entry point):
draytek 5510 VPN FW router - internal IP 192.168.21.252, external IP 193.85.110.99 - users connect to this through VPN
Cisco MPLS router - internal IP 192.168.21.253 - can't ping from site 3 (user at home connecting through VPN)
Watchguard Firebox X series 500 - internal IP 192.168.21.1 (default GW for servers and WS's in site 1)

Site 2 (hosting centre where VOIP server are run from):
Cisco MPLS router - internal IP 192.168.22.253
Watchguard Firebox X series 500 - internal IP 192.168.22.1 (default GW for servers and WS's in site 2)

Site 3 (user connecting into site 1 through VPN):
Draytek 2820 VPN router - internal IP 193.168.50.1, external IP is dynamic, working through Dynamic DNS
Workstation - internal IP 192.168.50.3

Site 3 needs to VPN into the Draytek 5510 FW in site 1 (external IP 193.85.110.99); this VPN is tested and working.  The workstation in site 3 (192.168.50.3) can ping everything in site 1 apart from the Cisco router (192.168.21.253).  The site 3 workstation cannot ping anything in site 2 (192.168.22.n).  All equipment in site 1 can ping all equipment in site 2.  Sites 1 and 2 are connected via MPLS through the Cisco MPLS routers.  Both site 1 and 2 have 2 Cisco routers, one for MPLS routing and one for internet.

Please let me know if you need any more detail.  

I basically need the VPN router to see the 192.168.22.n as at the moment it can only see the 192.168.21.n apart from the Cisco router (192.168.21.253)

Thanks

Neo3998

 

by: neo3998, posted on 2009-03-12 at 12:14:25, ID: 23872347

P.S. The reason I am trying to set this up is so that I can run VOIP soft phones from users' homes running through the VPN and routing between sites via the MPLS.

TIA

 

by: dpk_wal, posted on 2009-03-13 at 02:35:48, ID: 23877290

As you have MPLS between 192.168.21.x and 192.168.22.x sites, you must have added routes on draytek and X500 as:
site 1: 192.168.22.0/24 GW 192.168.21.253 [Cisco router]
site 2: 192.168.21.0/24 GW 192.168.22.253 [Cisco router]

On the Cisco router at site1, you should also have an ACL which would allow traffic from 192.168.50.0/24; also a route to send traffic back to the 192.168.50.0/24 subnet through 192.168.21.252 [draytek]; also at site2 it should accept packets back from the .21 and .50 subnets and route back as well.

As users are connecting to draytek, you should configure either a zero route tunnel OR provide access to two subnets for remote users [192.168.21.0/24; 22.0/24] on draytek [not sure on the options, but can look at manuals and help if needed (please provide the current version of software)], so the client which is at 192.168.50.x would send traffic for both subnets to draytek.
Draytek would send all traffic from .50.0/24 and .21.0/24 to the cisco router, which would send it to site2. The site2 router would allow traffic from both .21 and .51 subnets and would route back to site1. At site1, draytek would then route the packets to remote users, thus completing the loop.

Hope I have not confused you.

Please check and update.

Thank you.
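The two-way requirement dpk_wal describes above (a forward route at every hop and a return route for 192.168.50.0/24 at every hop, including the site2 firewall) can be checked on paper before touching the devices. The following is an added example, not configuration from any device in this thread: it models the thread's topology with its made-up addresses, does a longest-prefix lookup at each hop, and shows that dropping a single return route leaves the request delivered but the reply lost at the default route, which is what a one-way tracert looks like. Device names, the sample hosts and the tables are all constructed assumptions.

```python
import copy
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the thread's topology using its made-up addresses; it is not
# configuration read from any device. A table is a list of (prefix, next_hop):
# "connected" = on-link, "internet" = the default-route sink, anything else names
# the next-hop device (the IPsec tunnel and the MPLS cloud are just hop names).
Table = List[Tuple[str, str]]

TABLES: Dict[str, Table] = {
    "remote-ws":    [("192.168.50.0/24", "connected"), ("0.0.0.0/0", "draytek-2820")],
    "draytek-2820": [("192.168.50.0/24", "connected"),
                     ("192.168.21.0/24", "draytek-5510"),  # over the IPsec tunnel
                     ("192.168.22.0/24", "draytek-5510"),  # second subnet, per dpk_wal
                     ("0.0.0.0/0", "internet")],
    "draytek-5510": [("192.168.21.0/24", "connected"),
                     ("192.168.22.0/24", "cisco-site1"),   # GW 192.168.21.253
                     ("192.168.50.0/24", "draytek-2820"),  # VPN route back to site 3
                     ("0.0.0.0/0", "internet")],
    "cisco-site1":  [("192.168.21.0/24", "connected"),
                     ("192.168.22.0/24", "cisco-site2"),   # MPLS
                     ("192.168.50.0/24", "draytek-5510")], # return route via .21.252
    "cisco-site2":  [("192.168.22.0/24", "connected"),
                     ("192.168.21.0/24", "cisco-site1"),   # MPLS
                     ("192.168.50.0/24", "cisco-site1")],  # return route over MPLS
    "wg-site2":     [("192.168.22.0/24", "connected"),
                     ("192.168.21.0/24", "cisco-site2"),   # GW 192.168.22.253
                     ("192.168.50.0/24", "cisco-site2"),   # return route for VPN users
                     ("0.0.0.0/0", "internet")],
    "voip-server":  [("192.168.22.0/24", "connected"), ("0.0.0.0/0", "wg-site2")],
}
# Which end host owns which address (constructed sample hosts).
HOSTS = {"192.168.50.3": "remote-ws", "192.168.22.10": "voip-server"}

def lookup(table: Table, dst: str) -> Optional[str]:
    """Longest-prefix match on one table; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, nxt in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best[1] if best else None

def trace(tables: Dict[str, Table], src: str, dst: str, max_hops: int = 10):
    """Follow a packet for dst hop by hop from device src; returns (delivered, path)."""
    path, node = [src], src
    for _ in range(max_hops):
        nxt = lookup(tables[node], dst)
        if nxt is None or nxt == "internet":
            return False, path          # no route, or private traffic leaked to the default
        if nxt == "connected":
            target = HOSTS.get(dst)
            if target is None:
                return False, path      # on-link, but no host owns that address
            return True, path + [target]
        path.append(nxt)
        node = nxt
    return False, path                  # hop limit hit: a routing loop

def reachable(tables: Dict[str, Table], a: str, b: str) -> bool:
    """A ping between hosts a and b needs both the request path and the reply path."""
    return trace(tables, HOSTS[a], b)[0] and trace(tables, HOSTS[b], a)[0]

def drop_route(tables: Dict[str, Table], device: str, prefix: str) -> Dict[str, Table]:
    """Copy of the tables with one route removed, to reproduce a missing return route."""
    new = copy.deepcopy(tables)
    new[device] = [r for r in new[device] if r[0] != prefix]
    return new
```

Run `trace(drop_route(TABLES, "wg-site2", "192.168.50.0/24"), "voip-server", "192.168.50.3")` to see the reply die at the firewall's default route while the forward trace still succeeds; removing the same prefix from "cisco-site1" instead moves the failure to the MPLS router, which is the kind of hop-by-hop check the capture request later in the thread is after.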

 

by: neo3998, posted on 2009-03-13 at 08:31:39, ID: 23880394

Brilliant explanation and not at all confusing, thank you.  I cannot make the changes until Saturday evening now as I have to wait for a window to perform this work.  I will let you know how I get on.

Thanks again

Neo3998

 

by: dpk_wal, posted on 2009-03-13 at 08:52:51, ID: 23880639

Please update how things go.

Thank you.

 

by: neo3998, posted on 2009-03-17 at 09:41:09, ID: 23909889

I have tried the suggestions that you made and have not had any luck.  I have also attached a very simplified diagram of the scenario at hand.  Could you please let me know if you have any ideas??

 

by: dpk_wal, posted on 2009-03-18 at 04:13:42, ID: 23917277

Can you ping the cisco router from the remote draytek router; and vice versa; if nothing; then we need to resolve this issue first.

If above works then only the remote users would be able to ping anything.

Please check and update.

Thank you.

 

by: neo3998, posted on 2009-03-18 at 04:19:49, ID: 23917319

Remote user can ping everything on the 172.21.21x range and nothing past that.

 

by: neo3998, posted on 2009-03-18 at 04:23:16, ID: 23917352

Oops, remote user can ping and tracert anything on the 192.168.21.x range from the 192.168.50.x range; the Cisco is 192.168.21.253 and I can ping this fine.  When inside the 192.168.21.x network I can ping and tracert to all devices on the 192.168.22.x network, but cannot ping or tracert anything on this network from the 192.168.50.x range.

 

by: dpk_wal, posted on 2009-03-18 at 04:32:54, ID: 23917412

Can you run some packet capture and see if the packets from remote users are coming for .21 and .22 subnets to the .50 network itself; if yes, then are they getting routed over tunnel and getting to the other end. If yes, then are they getting routed over MPLS and finally on the reverse path.

Please have the remote user connected and control the session using RDP or some other remote connection tool; put a source filter on packet capture and then see for incoming packets.

Here we are not sure on the point of failure; so need these many details.

Thank you.

 

by: neo3998, posted on 2009-03-18 at 05:47:36, ID: 23917994

Hi,

I am a little confused by your response.  I am not entirely sure what you want me to do, sorry.  I understand you want me to RDP/Dameware to a machine from 172.21.50.n to another machine on the 172.21.21.n, but I cannot RDP/Dameware to any machines on the 172.21.22.n from the 172.21.50.n.

How do I set a source filter on packet capture?

Thanks

Neo3998

 

by: dpk_wal, posted on 2009-03-18 at 07:57:21, ID: 23919421

The reason I wanted you to run packet capture was to check if the packets are reaching from draytek to cisco at all; and then onto the MPLS and back; if this basic thing is not working then the VPN itself would not work.
We first need to get ping or any other direct traffic from router on .60. network to cisco and over MPLS and back.

You can leave the RDP part at this time; sorry to confuse you.

Please update.

 

by: neo3998, posted on 2009-03-20 at 05:09:42, ID: 23938552

Right, when I run tracert from 192.168.50.n to anywhere on 192.168.21.n it can get through fine, and vice versa, from 192.168.21.n back to the 192.168.50.n.

tracert from 192.168.22.n to 192.168.21.n is fine, but when I try to tracert to 192.168.50.n it cannot get through.  It can only get to the WAN interface of the router and no further.  The next hop would be 192.168.21.252 (Draytek VPN FW router), but for some reason the router will not let traffic through or in; this includes ICMP.

Do you know anything about Drayteks??? The router cannot route through this router and I fear it may be a config error.  Could someone please help me with the draytek routing.  Can the 192.168.50.n only see the 192.168.21.n because it has an IP address on the same internal range?

I am baffled on the next step.  Here is the routing table from the 192.168.21.252 Draytek router:

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via 193.82.112.97,   WAN1
C~        192.168.21.0/   255.255.255.0 is directly connected,    LAN
S~        192.168.22.0/   255.255.255.0 via 172.21.21.253,    LAN
S~        192.168.23.0/   255.255.255.0 via 172.21.21.253,    LAN
S~        192.168.24.0/   255.255.255.0 via 172.21.21.253,    LAN
S~        192.168.25.0/   255.255.255.0 via 172.21.21.253,    LAN
S~        192.168.50.0/   255.255.255.0 via 79.78.168.189,    VPN
C       193.85.110.96/ 255.255.255.240 is directly connected,   WAN1

now the VPN route set here via IP is linked to a DynDNS address rather than IP, would this cause a problem routing to the rest of the subnets??  Also the WAN1 IP address is confusing me as I have set it to 193.85.110.99 on the router and it is displaying .96.  

Please let me know if you need any more detail.

Thanks

Neo3998

 

by: dpk_wal, posted on 2009-03-20 at 21:00:12, ID: 23945911

Don't know much about Draytek; had assisted a customer setup VPN but nothing more.

Am I missing something here:
>> S~        192.168.22.0/   255.255.255.0 via 172.21.21.253,    LAN
Should the gateway be 192.168.21.253 instead. What IP is 172.21.21.253?

Also, in draytek for VPN, do you specify public IP,  or does the gateway IP change when the IP changes at the other end, and is refreshed by dynDNS.

>> C       193.85.110.96/ 255.255.255.240 is directly connected,   WAN1
193.85.110.96 indicates subnet IP and not IP address. So, it is correct.

Thank you.

 

by: neo3998, posted on 2009-03-21 at 09:02:58, ID: 23947775

Hi,

Sorry, that is my error; yes, it is set as 192.168.21.253.  I have also asked the question to one of my friends who knows my network, but he is baffled as to why the draytek cannot talk to the Watchguard FW.

if I look at the IPsec tunnel in connection manager on the router it shows that DynDNS is refreshing the GW IP when the ISP IP address changes.  

I don't know where to go next with this one!!! Can the draytek and the WG FW actually talk to one another, and why can't anything route through the 192.168.21.252 Draytek router?  Would this be anything to do with the 192.168.50.n being attached via VPN?  If VPN is set up they should be able to use all network resources accordingly, am I right here? This is the first VPN that I have set up, and if the telephone equipment was actually on this subnet there wouldn't have been an issue.

Arrrghhh, why can't this range see the other subnets?

I'm stumped :(

Thanks

Neo3998

 

by: dpk_wal, posted on 2009-03-21 at 18:47:14, ID: 23949807

Can you also give sanitized routes from the 192.168.21.253 router; please remove all MAC addresses and WAN IP information.
I think, as from 192.168.50.x you can access the 192.168.21.x subnet, there is something on the cisco router which does not route traffic over MPLS and hence you cannot see the 192.168.22.x subnet.

Also, I was thinking on another line, is it really necessary for 192.168.50.x subnet to get routed to 192.168.22.x through 192.168.21.x; can't we just create a VPN from draytek at 192.168.50.x to WG at 192.168.22.x. This would simplify things.

Please advise.

Thank you.

 

by: dpk_wal, posted on 2009-05-10 at 19:25:36, ID: 24351154

User response is needed; we were still working on problem resolution.

You might dispose as "delete no point refund".
