Solved

Allow inbound RDP connection through Watchguard 700

Posted on 2005-02-26
Last Modified: 2013-11-16
I am trying to allow a single user to access her office computer from home through their Watchguard 700 firewall. I have added a service to allow port 3389 and configured NAT to point to her computer, but I cannot reach it from outside the network. I can access it from the internal network, so I know that the computer is configured properly to accept RDP requests. Do I need to establish a connection to the Watchguard via VPN before attempting the RDP connection?

Thanks in advance.
Question by:rcg112355
11 Comments
 
LVL 16

Expert Comment

by:samccarthy
ID: 13414992
No, an RDP connection will work fine through a 700.  I have mine going to my desktop behind a 1000.  Did you use a redirect from your external IP to her internal IP?  Mine shows up as 205.xxx.xxx.xxx > 192.168.1.52.
0
 

Author Comment

by:rcg112355
ID: 13415014
That is exactly what I did. In the NAT I directed 66.xxx.xxx.xxx to 192.168.1.129.
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13415061
OK, maybe I'm confused where you are putting yours.  I added a service, RDP, TCP 3389 and the From was the External Interface IP and the to was my local IP.  Did you go elsewhere?
0
 
LVL 5

Accepted Solution

by:
tmehmet earned 150 total points
ID: 13415423
Is the external IP that is being NAT'd already being used to NAT something else?

I am not sure about the 700, but if it can't do service-based NAT and if you're already doing NAT for something else then it may not work if you are trying to use the same external IP for both. You will need a dedicated IP for your RDP service.

Check if Dynamic NAT is enabled from 'external to trusted' (or whichever interface your 192* network is on); if it is, it may conflict.

Check if the 192* network is being blocked, by default it is, I remember that accessing RFC 1918 addresses from external does not work (granted, this was in the early days).

Check that you do not have user authentication enabled for the service; if you do, the user will need to authenticate on the firewall first before being allowed to access the RDP service (BTW - once you fix the issue, enable this feature, do not allow RDP straight thru ..ever..)

Check the personal firewall settings on the XP box and make sure that the IP accessing the XP box permits addresses other than the local network, you may have to specify the 66* address. If you are up to date with patches and service packs for XP, you most likely have a personal firewall only allowing local network access for RDP.

You only need a VPN client if you enabled a remote user VPN; if you don't recall setting it up then it won't be there. Suggesting, once you fix the problem, I highly recommend the use of the IPSEC VPN client.

cheers.



0
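The checklist in the answer above can be narrowed down by looking at how a connection attempt from outside fails. The following is an added example, not code from the thread or from WatchGuard; `probe_rdp`, `NEXT_CHECK` and the 203.0.113.10 address are constructed names and placeholders, and the hints are general TCP behaviour rather than documented Firebox behaviour.

```python
import socket

# X.224 Connection Request in a TPKT header, followed by an RDP negotiation
# request for standard RDP security (requestedProtocols = 0). 19 bytes total.
X224_CONNECT_REQUEST = bytes.fromhex("030000130ee00000000000" "0100080000000000")

# Hints mapped to the checks listed in the answer (assumptions, not vendor docs).
NEXT_CHECK = {
    "filtered": "no answer at all: check the 3389 service, the NAT entry, "
                "firewall user authentication and the host firewall scope",
    "refused": "a reset came back: check the NAT target address and that "
               "Remote Desktop is enabled on that machine",
    "open-not-rdp": "something other than RDP answered: the NAT entry points "
                    "at the wrong host or port",
    "rdp": "RDP answered end to end: the path works from this source address",
}

def probe_rdp(host, port=3389, timeout=5.0):
    """Classify one attempt as 'filtered', 'refused', 'open-not-rdp' or 'rdp'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        # Timeouts, unreachable networks and name-resolution failures land here.
        return "filtered"
    with sock:
        try:
            sock.sendall(X224_CONNECT_REQUEST)
            reply = sock.recv(64)
        except OSError:
            return "open-not-rdp"
    # A real RDP listener replies with TPKT version 3 and an
    # X.224 Connection Confirm (code 0xD0 at offset 5).
    if len(reply) >= 6 and reply[0] == 3 and reply[5] == 0xD0:
        return "rdp"
    return "open-not-rdp"

if __name__ == "__main__":
    target = "203.0.113.10"  # placeholder: the external IP of your own firewall
    result = probe_rdp(target)
    print(f"{target}:3389 -> {result}: {NEXT_CHECK[result]}")
```

Run it from a network outside the firewall, once before and once after the user has authenticated to the firewall, and compare the two results.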
 
LVL 16

Expert Comment

by:samccarthy
ID: 13415467
I must disagree, you do not need a separate IP for the RDP to work.  I have a 1000 that uses the same external IP for quite a few things and have never had an issue.

RDP does work inside the network, so that is set up properly and from the firewall, it only looks like a local address anyway and we aren't talking anything about VPN here.
0
 
LVL 5

Expert Comment

by:tmehmet
ID: 13415602
My comments are addressed to the person asking about VPNs, which you did not answer.

I can't figure out how you can possibly disagree, the device is capable of service-based and dynamic NAT? Just because you use service-based NAT, it does not mean that the config on this firewall is the same as yours. You did not even ask, so clearly you don't know the device very well.

>RDP does work inside the network, so that is setup properly

??????? You don't know that. Working locally does not mean anyone outside of local can use it, you have no clue what the XP configs are and you did not ask, just because you don't know to ask you can't dismiss it because you don't understand the problem even exists.

>and from the firewall, it only looks like a local address anyway

NO IT DOES NOT. You do not understand TCP, to send packet back to a public IP the src tcp header field must contain the real IP address otherwise it will never leave the private local network. ..but I'm here to help not teach you the basics of tcp/ip.

These kinds of comments are unhelpful and waste time.

rcg112355, my questions are valid, please check your config for potential conflicts and check your XP machines.


0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13416584
I'm not going to sit here and debate you. No, a VPN is not necessary for RDP to work properly.  I believe I made that clear in my first post.  The poster said it worked properly internally, so it is set up correctly.  All that client machine cares about is a valid request hitting port 3389.  If it works inside the network, then it is set up right.

tmehmet, you seem to be getting all bent out of shape here.  If you don't like my comments or suggestions, ignore them.  The poster will make his or her own decision.  You are no one to say mine, or anyone else's comments are unhelpful and waste time, nor are you in any position to know or not know what understanding of TCP or anything else, I or anyone else has.  Those are inappropriate comments in this forum and I feel, unprofessional.

If you disagree, then just say, "I'm sorry, I must disagree on xyz and give your comments".  That's all that needs to happen.
0
 

Author Comment

by:rcg112355
ID: 13417005
I don't have access to the office today since it's Sunday, but I can add that they had a Linksys Router in place of the Watchguard and we NAT'ed that through to the XP computer with no trouble at all. That would seem to rule out the XP firewall as the culprit. I will have to try to investigate the other possibilities tomorrow.
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13417026
You are right rcg......  If it worked before and nothing changed on the workstation, but only the router was changed out with the Watchguard, then that is exactly where we look.  You have a Firebox X700, correct?  I have a Firebox X1000.  Same box, just a little more capability in mine.  Same OS, same management software, same setup of rules, NAT, ports, etc.
0
 

Author Comment

by:rcg112355
ID: 13444351
It was the authentication on the Firebox. Once I set up the user in the Firebox authentication it worked fine.

Thanks
0
 
LVL 5

Expert Comment

by:tmehmet
ID: 13444810
Well done rgc,

these things are normally something simple, it's just a case of working thru the potential problem areas step by step.

I would consider using a VPN however, the RDP protocol is not secure.

cheers
0
