Solved

Firebox 500 VPN passthrough

Posted on 2006-05-15
Last Modified: 2013-11-16
I am trying to set up a Firebox 500 to allow VPN connections over either a PPTP or IPSEC connection. However, in either case, any time I try to connect, the connection is logged as denied in the Firebox System Manager.

A summary of the network settings:

60.x.x.x - Firebox External / Public IP

90.0.0.1 - Firebox Internal

90.0.0.2 - External NIC for RRAS on Windows 2003 Server

I have tried using the PPTP or IPSEC service in the Firebox Policy Manager, but as many people have pointed out, it does not allow NAT selection. In addition, when I try 1-to-1 NAT, I am unable to set up a route because I receive a message stating that the trusted, external or optional IPs can't be used in the route. Any suggestions would be appreciated!
Thanks!
Question by:nwcc_seattle
3 Comments
LVL 4

Expert Comment

by:StonewallJacoby
ID: 16695375
Some more info would be helpful.

Are we talking about:

1.  Outgoing VPN connections FROM clients INSIDE the firewall TO servers OUTSIDE the firewall, typically using someone's VPN client software (Nortel Contivity, etc.) running on the INSIDE client?

2.  "Branch Office VPN" connections (Watchguard's terminology) to establish a standing tunnel between two locations?

3.  "Mobile User VPN" connections (Watchguard's terminology) to connect FROM clients OUTSIDE the firewall TO servers INSIDE the firewall?

If what you are after is #1, then all you should have to do is add the IPSEC service and enable it outbound; the least secure config is to allow outbound "Any" to "Any". Try it this way and verify connectivity, then clamp down on it as needed.

If what you are after is #2 or #3, then it's a little more complicated.
LVL 1

Author Comment

by:nwcc_seattle
ID: 16695531
#3, except we are not using Watchguard's VPN software. We are trying to use the native client in XP / 2000. Any to Any doesn't work, as the Watchguard doesn't know where to forward the data packets to....

LVL 4

Accepted Solution

by: StonewallJacoby (earned 2000 total points)
ID: 16698471
I have never used the XP native client.  I use the Watchguard client.

Does the X500 have any MUVPN licenses installed? The X500 currently comes with 5 mobile user licenses, but they don't come preinstalled. Remember, you have to install them or this feature won't work.

The mobile user VPN process is kind of complicated, but this is a classic firewall admin task.  It involves authorization, authentication, encryption, and routing.  Watchguard has an excellent guide here: http://www.fireboxsupport.com/FB_MUVPN.htm

Let me know how it turns out!
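To make concrete why the asker's outbound "Any to Any" policy is logged as denied for inbound mobile-user sessions, and what an inbound policy toward the RRAS host at 90.0.0.2 has to match, here is an added example: a small first-match policy model in Python, not WatchGuard's configuration syntax and not code from either poster. The 60.0.0.1 external address, the 203.0.113.7 client and the direction/forward fields are constructed; the protocol numbers and ports (PPTP = TCP/1723 plus GRE, IPsec = IKE UDP/500, NAT-T UDP/4500, ESP) are the standard ones.

```python
# Constructed model of the Firebox policy in the question (not WatchGuard config).
from dataclasses import dataclass
from typing import Optional

FIREBOX_EXTERNAL = "60.0.0.1"   # constructed stand-in for the 60.x.x.x public IP
RRAS_EXTERNAL_NIC = "90.0.0.2"  # RRAS NIC on the trusted side, from the question

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "gre" or "esp"
    dport: Optional[int]  # None for protocols that carry no port (GRE, ESP)
    direction: str        # "in" (external -> trusted) or "out"

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str                        # "any" or a specific protocol
    dport: Optional[int]              # None matches any port
    forward_to: Optional[str] = None  # trusted host that receives inbound traffic

def evaluate(packet, rules):
    """First-match policy: ("allow", forward host) or ("deny", None) on fall-through."""
    for r in rules:
        if r.direction != packet.direction:
            continue
        if r.proto != "any" and r.proto != packet.proto:
            continue
        if r.dport is not None and r.dport != packet.dport:
            continue
        return "allow", r.forward_to
    return "deny", None  # default deny, which is what the Firebox logged

# The asker's attempt: an outbound Any-to-Any rule only. Inbound never matches it.
OUTBOUND_ONLY = [Rule("out", "any", None)]

# Inbound rules a client-to-RRAS VPN needs, each forwarded to the RRAS NIC.
# GRE and ESP have no ports, so only one trusted host can receive them via NAT.
INBOUND_VPN = OUTBOUND_ONLY + [
    Rule("in", "tcp", 1723, RRAS_EXTERNAL_NIC),  # PPTP control channel
    Rule("in", "gre", None, RRAS_EXTERNAL_NIC),  # PPTP data (IP protocol 47)
    Rule("in", "udp", 500, RRAS_EXTERNAL_NIC),   # IKE
    Rule("in", "udp", 4500, RRAS_EXTERNAL_NIC),  # IKE / ESP over NAT-T
    Rule("in", "esp", None, RRAS_EXTERNAL_NIC),  # ESP (IP protocol 50)
]

# Constructed sample: a roaming XP client opening a PPTP session from outside.
PPTP_CONTROL = Packet("203.0.113.7", FIREBOX_EXTERNAL, "tcp", 1723, "in")
PPTP_GRE = Packet("203.0.113.7", FIREBOX_EXTERNAL, "gre", None, "in")
```

Running `evaluate(PPTP_CONTROL, OUTBOUND_ONLY)` yields a deny, while the same packet against `INBOUND_VPN` is allowed and forwarded to 90.0.0.2; unrelated inbound traffic still falls through to deny.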