Firebox 500 VPN passthrough

Posted on 2006-05-15
Last Modified: 2013-11-16
I am trying to set up a Firebox 500 to allow VPN connections over either a PPTP or IPSEC connection. However, in either case, any time I try to connect, the connection is logged as denied in the Firebox System Manager.

A summary of the network settings:

60.x.x.x - Firebox External / Public IP - Firebox Internal - External NIC for RRAS on Windows 2003 Server

I have tried using the PPTP or IPSEC service in the Firebox Policy Manager, but as many people have pointed out, it does not allow NAT selection. In addition, when I try 1 on 1 NAT, I am unable to set up a route because I receive a message stating that the trusted, external or optional IPs can't be used in the route. Any suggestions would be appreciated!
Question by:nwcc_seattle
    LVL 4

    Expert Comment

    Some more info would be helpful.

    Are we talking about:

    1.  Outgoing VPN connections FROM clients INSIDE the firewall TO servers OUTSIDE the firewall, typically using someone's VPN client software (Nortel Contivity, etc.) running on the INSIDE client?

    2.  "Branch Office VPN" connections (Watchguard's terminology) to establish a standing tunnel between two locations?

    3.  "Mobile User VPN" connections (Watchguard's terminology) to connect FROM clients OUTSIDE the firewall TO servers INSIDE the firewall?

    If what you are after is #1, then all you should have to do is add the IPSEC service and enable it outbound; the least secure config is to allow outbound "Any" to "Any". Try it this way and verify connectivity, then clamp down on it as needed.

    If what you are after is #2 or #3, then it's a little more complicated.
    LVL 1

    Author Comment

    #3, except we are not using Watchguard's VPN software. We are trying to use the native client in XP / 2000. Any to Any doesn't work, as the Watchguard doesn't know where to forward the data packets to...

    LVL 4

    Accepted Solution

    I have never used the XP native client.  I use the Watchguard client.

    Does the X500 have any MUVPN licenses installed? The X500 currently comes with 5 mobile user licenses, but they don't come preinstalled. Remember, you have to install them or this feature won't work.

    The mobile user VPN process is kind of complicated, but this is a classic firewall admin task.  It involves authorization, authentication, encryption, and routing.  Watchguard has an excellent guide here:

    Let me know how it turns out!
