Solved

Firebox X and VPN Client Access?

Posted on 2008-10-03
Last Modified: 2013-11-16
I recently started working as a System Admin at a company that uses a WatchGuard Firebox at a branch site.  I need to be able to have VPN client access to the branch.  I understand that you can either use MUVPN if using IPSec or the built-in Windows connection wizards if using PPTP.  DHCP is not set up at the branch because all IP addresses are static.  I am assuming that I need to enable DHCP to give IP addresses to the VPN clients once they connect.  

How do I go about setting up PPTP and, if necessary, a DHCP server on the Firebox?
Question by:mansurw02
14 Comments

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 22636098
You do not need DHCP configured on firebox for VPN; when you configure PPTP or IPSec you specify virtual IP or pool from which the remote clients would get the IP.

Please specify which model of Firebox you have and the version of software; in the X Core or Peak series you use Policy Manager; in the X Edge series it is done using the web UI.

Thank you.

Author Comment

by:mansurw02
ID: 22637700
Alright, I was able to VPN using PPTP.  Your previous answers have been pretty helpful.  Now, my problem is that I can connect via the Windows VPN client but I can't seem to ping anything on the network once connected.  I have the Firebox X5500e and I am configuring it using WSM 10.2.2.

Expert Comment

by:DewFreak
ID: 22638859
Can you ping the firewall?

Author Comment

by:mansurw02
ID: 22638876
Yup.  That's my destination when I VPN in.  I can connect to it and ping it.

Expert Comment

by:DewFreak
ID: 22638895
And you have an ANY policy?

Author Comment

by:mansurw02
ID: 22638912
When I configured the Mobile VPN PPTP, a policy was automatically made.  It is From ANY To Firebox.  I assume this would qualify as the ANY policy you are referring to.

Expert Comment

by:DewFreak
ID: 22638956
Is this Fireware?  If so:

By the Any policy
Add an Any packet filter policy with these properties:

Incoming Allowed policy:
 - From: PPTP users or groups
 - To: trusted, optional, network or host IP address, or alias

Outgoing Allowed policy:
 - From: trusted, optional, network or host IP address, or alias
 - To: PPTP users or groups

Make sure that you save your configuration file to the Firebox after you make these changes.


Author Comment

by:mansurw02
ID: 22639087
I am now trying IPSec via MUVPN.  I am able to connect using the MUVPN client.  The problem now is that when I try to ping any server behind the Firebox that I VPN'ed in to, the client asks for my user name and password again.  I re-enter it and the connection remains, but the pings do not work.  Every time I send a ping request to the servers behind the Firebox, the same thing happens.

Expert Comment

by:DewFreak
ID: 22639092
OK, then it is not authenticating you.  What MUVPN client are you using?  7 or 10?

Expert Comment

by:dpk_wal
ID: 22639586
What is the IP subnet of the client; is it the same as the subnet behind the Firebox [read: trusted network]? If yes, you would not be able to ping anything and would need to change the IP subnet at one of the locations.

Enable logging on the service; then when you ping [provided client and Firebox are on different subnets] you should see allow entries in Traffic Monitor of System Manager.

Please check and update.

Thank you.

Author Comment

by:mansurw02
ID: 22645691
The IP subnet of the client is 192.X.X.X/24 on the LAN and the VPN IP once I connect is 10.0.0.202 (I configured an IP on the same subnet of the servers I want to access when I set up VPN for IPSec on WSM.  You are saying this is incorrect?).  The subnet behind the VPN is 10.0.0.0/24.

Expert Comment

by:dpk_wal
ID: 22647250
Are there multiple clients installed? Also, can you get some logs from the client and the WatchGuard Traffic Monitor which would explain whether the tunnel is working fine or not?
Please sanitize all logs: remove all public IPs or mask two octets with x, and remove usernames/passwords/hashes before posting.

Thank you.

Author Comment

by:mansurw02
ID: 22651950
So I decided to try something other than pinging and was able to SSH in to my servers just fine.  I am not sure why pinging is not working because I do not believe that ICMP packets are being blocked.   Anyways, finding out why pinging isn't working would be nice but it is not crucial at the moment.  Thanks for the help dpk.  I have benefited a lot from your responses here and in other WatchGuard posts.

Expert Comment

by:dpk_wal
ID: 22656635
Welcome! :)

Have you created a specific service to allow traffic from the remote client, or is there an ANY service? If an ANY service, then we would like to check the following:
1. Is there a personal firewall enabled on the machines behind the Firebox themselves which is denying incoming ICMP traffic and has an exception for SSH?
2. Do you get any deny entries in Traffic Monitor when the ICMP traffic is denied? There is a possibility that a more restrictive policy for ICMP is getting hit first, before the more generic policy to allow packets is hit. Enable logging on the services and change the view of the services in Policy Manager so you would be able to see the order in which they are hit. The policies are hit from top to bottom.

Other than these two I am not sure what else might be causing such a behavior.

If it is a specific service, then I would be interested to know if ICMP is allowed through that specific service.

Please check and update.

Thank you.

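As an added example (not from the thread and not WatchGuard tooling), this script models the two checks dpk_wal describes: whether the client's local LAN overlaps the trusted network behind the Firebox, and how top-to-bottom first-match policy evaluation can deny ICMP while a later Any policy still allows SSH. The IP ranges and the policy table are constructed placeholders, and the matcher is a simplified model of Fireware's ordering (it ignores ports and aliases).

```python
import ipaddress

# Constructed sample values (not the thread's real addresses): the client's
# local LAN and the trusted network behind the Firebox.
CLIENT_LAN = "192.168.1.0/24"
TRUSTED_NET = "10.0.0.0/24"


def subnet_conflict(client_lan: str, trusted_net: str) -> bool:
    """True when the client's local LAN overlaps the trusted network.

    With an overlap, the client's OS routes trusted-network traffic to its
    own LAN instead of into the tunnel, so nothing behind the Firebox is
    reachable even though the tunnel itself comes up fine."""
    return ipaddress.ip_network(client_lan).overlaps(
        ipaddress.ip_network(trusted_net))


# Hypothetical policy table, top to bottom, in evaluation order.
# Each entry: (name, protocol, from, to, action).  A narrow ICMP deny
# sitting above the generic Any-from-PPTP allow reproduces the symptom
# in the thread: SSH works, ping does not.
POLICIES = [
    ("Ping-Block", "icmp", "Any", "Any", "deny"),
    ("Any-From-PPTP", "any", "PPTP-Users", "Any", "allow"),
]


def first_match(policies, proto, src, dst):
    """Return (policy name, action) of the first policy that matches,
    or (None, 'deny') for the implicit default deny."""
    for name, p_proto, p_src, p_dst, action in policies:
        if (p_proto in ("any", proto)
                and p_src in ("Any", src)
                and p_dst in ("Any", dst)):
            return name, action
    return None, "deny"


def diagnose(client_lan, trusted_net, policies):
    """Summarise both checks as a list of findings (strings)."""
    findings = []
    if subnet_conflict(client_lan, trusted_net):
        findings.append("client LAN overlaps trusted network; renumber one side")
    for proto in ("icmp", "tcp"):
        name, action = first_match(policies, proto, "PPTP-Users", "10.0.0.10")
        findings.append(f"{proto}: {action} by {name or 'default'}")
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(CLIENT_LAN, TRUSTED_NET, POLICIES)))
```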