Question

Site-to-Site VPN Problem with Cisco 837's and Watchguard Firewalls

Asked by: zhoffman

I am attempting to configure a site-to-site VPN between two Cisco 837's.  On the inside of the Cisco's are Watchguard firewalls: one Firebox X700 (Main) and the other is a SOHO 6tc (Branch).  Both connections are using ADSL with static IP's.  This VPN is for VoIP traffic and for Windows SMB traffic which is why I'm not setting up the VPN at the Firewalls, I need to have priority queueing.

My problem is here: the VPN between the two routers works, but I can't get traffic to go from one private LAN to the other.  I would guess it has to do something with the firewalls but can't figure out what.

I have public static IP's on both the routers and the external side of the firewalls.

192.168.10.0/24 LAN -------- 192.168.10.1/24 FW Trusted ------ 216.x.x.42/29 FW External -------- 216.x.x.41/29 Router

Can someone please help me with what I need to do to get traffic to properly flow from one private LAN to the other?


Asked on 2004-07-08 at 15:13:11, ID 21052649
Tags: watchguard, x700, cisco

Topic: Virtual Private Networking (VPN)

Participating Experts: 2
Points: 500
Comments: 5

Answers

by: td_miles, posted on 2004-07-08 at 22:36:31, ID: 11509117

You should create the site-to-site VPN between the two Watchguard boxes, not the two 837's. This would be a much easier way to do it; is there any reason not to?

by: zhoffman, posted on 2004-07-09 at 04:29:14, ID: 11510469

Well, I actually had already set up the VPN before between the two Watchguards, and yes it was easier, but I need to have some sort of QoS (like priority queueing) for the VoIP traffic.  Otherwise, the VoIP traffic will be stomped on and compromise the quality of the call.

If I could set up the VPN between the two Watchguards and still be able to have my QoS, I would be elated.  But as it stands, if I have the VPN on the Watchguards, then setting up the QoS on the router does no good since it would just be seeing the encrypted VPN traffic and not the actual packets, thus being unable to provide QoS.

Please let me know if you have any other ideas, thanks!

by: td_miles, posted on 2004-07-09 at 16:23:31, ID: 11516669

I'm assuming that your Watchguards are set up to do NAT; what you need to do is:

1. exempt the traffic between the two LANs from NAT and permit it through on your Watchguards.
2. set up the Watchguards to ROUTE the traffic to the 837.
3. set up the 837's to route the traffic back to the Watchguards.

Looking at 2 & 3 in detail, the Watchguards probably already have a default route that sends everything to the 837, correct? The Cisco routers will need to have a route added that says:

ip route 192.168.10.0 255.255.255.0 <outside_ip_of_watchguard>
(obviously you need to put the correct subnets & IP  addresses of the watchguards on each end).

This should mean that when a PC on LAN1 goes to send traffic to a PC on LAN2, it sends the traffic to watchguard1 (as the default gateway for the PC). Watchguard1 then DOESN'T NAT it and sends it on to router1. Router1 encrypts it and sends it over the IPSec tunnel to router2. Router2 decrypts and then forwards the traffic to watchguard2. Watchguard2 routes the traffic to LAN2.

You'll be increasing the potential security problems. One thing to make sure of is that you DENY any traffic coming or going from the WAN interface of the 837's that is from your private subnets. You don't want unencrypted traffic leaking out and as you are routing the private traffic to your watchguards and they are permitting it through, you don't want bogus traffic coming in.

This should allow you to do what you need with the traffic at the 837's. Given that the traffic will be travelling over the Internet, I'm not sure how effective your queueing will be, but I guess every little bit helps.


by: tim_holman, posted on 2004-07-11 at 10:43:50, ID: 11524068

If both ends are behind NAT, then make sure TCP port 4500 is allowed through the firewall, and NAT-T (NAT traversal) enabled on both peers.

As for the QoS idea, why not put the router directly behind each Watchguard, and ensure VoIP traffic gets marked up?  Then make sure the VoIP rule on the Watchguard is right at the top of the rulebase, so it gets processed first?

by: zhoffman, posted on 2004-07-14 at 13:03:50, ID: 11553157

td_miles,

Thanks for your help.

I basically did what you said.  I got the VPN set up between the two 837's first, with the tunnel pointed at the two public sides of the routers.  Then the access list pointed at the two different private LANs.  I then added the route which pointed all of the LAN traffic from the router to the external (public IP) of the Watchguard.  I exempted the LAN to LAN traffic from being NAT'ed at the Watchguard and made sure all the appropriate ports were open on the firewall to allow just the traffic (VoIP and Windows SMB) to flow through.

Below is the final config from the router for anyone in the future who may want to see it.  The Watchguard config stuff is exactly what was recommended by td_miles above.  Thanks again, man!

Current configuration : 2998 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname corp-rtr
!
logging queue-limit 100
no logging buffered
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxx password 7 xxxxxxxxxxx
username xxxxxxx privilege 15 password 7 xxxxxxxxxxxxxx
ip subnet-zero
no ip domain lookup
ip name-server 156.xxx.xxx.11
ip name-server 156.xxx.xxx.13
!
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 xxxxxxx address 161.xxx.xxx.33
crypto isakmp key 0 xxxxxxx address 161.xxx.xxx.121
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 161.xxx.xxx.33
 set peer 161.xxx.xxx.33
 set transform-set SDM_TRANSFORMSET_1
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 161.xxx.xxx.121
 set peer 161.xxx.xxx.121
 set transform-set SDM_TRANSFORMSET_2
 match address 103
!
!
!
!
interface Ethernet0
 description $ETH-LAN$
 ip address 161.xxx.xxx.41 255.255.255.248
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 ip unnumbered Ethernet0
 ip mtu 1492
 encapsulation ppp
 no ip route-cache
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxxxxxxx password 7 xxxxxxxxxxxxxx
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.10.0 255.255.255.0 161.xxx.xxx.42
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=18
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
dialer-list 1 protocol ip permit
priority-list 1 protocol ip high udp 1718
priority-list 1 protocol ip high udp 1719
priority-list 1 protocol ip high tcp 1720
priority-list 1 protocol ip high tcp 10032
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 login local
 length 0
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
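The three things td_miles' answer asks for on the router side (a crypto ACL covering the two LANs, the route that sends local-LAN traffic back to the Watchguard's external address, and an inbound deny on the WAN side for packets claiming a private source) can be checked mechanically against a saved IOS config. The script below is an added example, not code from the thread; its sample config is constructed from the posted corp-rtr config, with 203.0.113.x standing in for the masked public addresses.

```python
import ipaddress
import re
# Constructed sample modelled on the posted corp-rtr config; 203.0.113.x is a
# placeholder for the masked public addresses, not the poster's real values.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 102
interface Dialer1
 crypto map SDM_CMAP_1
ip route 192.168.10.0 255.255.255.0 203.0.113.42
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
def _net(tokens):
    """Consume one IOS address spec ('any' or 'addr wildcard') from tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))
    return ipaddress.IPv4Network((tokens[0], str(ipaddress.IPv4Address(mask)))), tokens[2:]

def parse(config):
    acls, routes, in_acl, match_acls, iface, crypto_iface = {}, {}, {}, [], None, None
    for line in config.splitlines():
        if not line.startswith(" "):
            iface = None  # left the interface stanza
        if m := re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.+)", line):
            src, rest = _net(m[3].split())
            acls.setdefault(m[1], []).append((m[2], src, _net(rest)[0]))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes[ipaddress.IPv4Network((m[1], m[2]))] = m[3]
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"\s+ip access-group (\S+) in", line):
            in_acl[iface] = m[1]
        elif re.match(r"\s+crypto map \S+$", line):
            crypto_iface = iface  # the interface carrying the tunnel
        elif m := re.match(r"\s+match address (\d+)", line):
            match_acls.append(m[1])
    return acls, routes, in_acl, match_acls, crypto_iface

def audit(config, local_lan, fw_external):
    """Return findings for the hairpin layout router -> firewall external -> LAN."""
    local = ipaddress.IPv4Network(local_lan)
    acls, routes, in_acl, match_acls, crypto_iface = parse(config)
    findings = []
    remote = [d for a in match_acls for act, s, d in acls.get(a, [])
              if act == "permit" and s == local]  # LANs the crypto map protects
    if routes.get(local) != fw_external:  # LAN traffic must go back to the firewall
        findings.append(f"missing: ip route {local.network_address} {local.netmask} {fw_external}")
    # Belt-and-braces for the leak td_miles warns about: cleartext packets that claim
    # a private source must be denied inbound on the WAN interface (ACL order not modelled).
    inbound = acls.get(in_acl.get(crypto_iface), [])
    for lan in [local, *remote]:
        if not any(act == "deny" and lan.subnet_of(s) for act, s, _ in inbound):
            findings.append(f"{crypto_iface or 'crypto interface'}: no inbound deny for source {lan}")
    return findings
```

Run against the sample it reports that Dialer1 carries no inbound ACL denying private sources, which is also the case for the config posted above; adding `ip access-group` with such a deny clears the finding.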
