Solved

Firebox X and VPN Client Access?

Posted on 2008-10-03
Last Modified: 2013-11-16
I recently started working as a System Admin at a company that uses a WatchGuard Firebox at a branch site.  I need to be able to have VPN client access to the branch.  I understand that you can either use MUVPN if using IPSec or the built-in Windows connection wizards if using PPTP.  DHCP is not set up at the branch because all IP addresses are static.  I am assuming that I need to enable DHCP to give IP addresses to the VPN clients once they connect.

How do I go about setting up PPTP and, if necessary, a DHCP server on the Firebox?
Question by:mansurw02
14 Comments
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22636098
You do not need DHCP configured on the Firebox for VPN; when you configure PPTP or IPSec you specify a virtual IP or a pool from which the remote clients get their IP.

Please specify which model of Firebox you have and the version of software; in the X Core or Peak series you use Policy Manager; in the X Edge series it is done using the Web UI.

Thank you.

Author Comment

by:mansurw02
ID: 22637700
Alright, I was able to VPN using PPTP.  Your previous answers have been pretty helpful.  Now, my problem is that I can connect via the windows vpn client but I can't seem to ping anything on the network once connected.  I have the Firebox X5500e and I am configuring it using WSM 10.2.2.
LVL 6

Expert Comment

by:DewFreak
ID: 22638859
Can you ping the firewall?

Author Comment

by:mansurw02
ID: 22638876
Yup.  That's my destination when I VPN in.  I can connect to it and ping it.
LVL 6

Expert Comment

by:DewFreak
ID: 22638895
And you have an Any policy?

Author Comment

by:mansurw02
ID: 22638912
When I configured the Mobile VPN PPTP, a policy was automatically made.  It is From ANY To Firebox.  I assume this would qualify as the ANY policy you are referring to.
LVL 6

Expert Comment

by:DewFreak
ID: 22638956
Is this Fireware?  If so:

By the Any policy
Add an Any packet filter policy with these properties:

Incoming Allowed policy:
 - From: PPTP users or groups
 - To: trusted, optional, network or host IP address, or alias

Outgoing Allowed policy:
 - From: trusted, optional, network or host IP address, or alias
 - To: PPTP users or groups

Make sure that you save your configuration file to the Firebox after you make these changes.

Author Comment

by:mansurw02
ID: 22639087
I am now trying IPSec via MUVPN.  I am able to connect using the MUVPN client.  The problem now is that when I try to ping any server behind the Firebox that I VPN'ed in to, the client asks for my user name and password again.  I re-enter it and the connection remains, but the pings do not work.  Every time I send a ping request to the servers behind the Firebox, the same thing happens.
LVL 6

Expert Comment

by:DewFreak
ID: 22639092
OK, then it is not authenticating you.  What MUVPN client are you using?  7 or 10?
LVL 32

Expert Comment

by:dpk_wal
ID: 22639586
What is the IP subnet of the client; is it the same as the subnet behind the Firebox [read: trusted network]?  If yes, you would not be able to ping anything and would need to change the IP subnet at one of the locations.

Enable logging on the service; then when you ping [provided the client and the Firebox are on different subnets] you should see allow entries in the Traffic Monitor of System Manager.

Please check and update.

Thank you.

Author Comment

by:mansurw02
ID: 22645691
The IP subnet of the client is 192.X.X.X/24 on the LAN, and the VPN IP once I connect is 10.0.0.202 (I configured an IP on the same subnet as the servers I want to access when I set up VPN for IPSec in WSM.  You are saying this is incorrect?).  The subnet behind the VPN is 10.0.0.0/24.
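The overlap check dpk_wal asks for above, worked through with the addresses mansurw02 reports, as an added example that is not part of the original thread or any WatchGuard tool. The masked 192.X.X.X/24 is stood in for by a constructed 192.168.1.0/24; the virtual IP 10.0.0.202 and the trusted network 10.0.0.0/24 are the thread's own values. The second call shows what happens when the client LAN also happens to be 10.0.0.0/24: both routes match the probe at the same prefix length, so the client OS decides by metric rather than by the tunnel, which is the "cannot ping anything" case.

```python
import ipaddress

# Constructed values: mansurw02 masked the client LAN as 192.X.X.X/24, so
# 192.168.1.0/24 stands in for it; the other two are from the thread.
CLIENT_LAN = "192.168.1.0/24"
VPN_VIRTUAL_IP = "10.0.0.202"
REMOTE_TRUSTED = "10.0.0.0/24"


def route_for(destination, routes):
    """Longest-prefix match over (network, interface) pairs.

    Returns the interface name, 'no-route' if nothing matches, or
    'ambiguous' when two routes of the same prefix length both match.
    A real OS breaks that tie by metric, and for a VPN that usually means
    the on-link LAN route wins and the packet never enters the tunnel.
    """
    dst = ipaddress.ip_address(destination)
    best, best_len = [], -1
    for net, iface in routes:
        if dst in net:
            if net.prefixlen > best_len:
                best, best_len = [iface], net.prefixlen
            elif net.prefixlen == best_len:
                best.append(iface)
    if not best:
        return "no-route"
    return best[0] if len(best) == 1 else "ambiguous"


def check_vpn_addressing(client_lan, vpn_virtual_ip, remote_trusted, probe):
    """Findings for one client: does its LAN collide with the remote site,
    is the virtual IP inside the trusted range, and where would a packet
    to `probe` (a host behind the Firebox) actually be sent."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    vip = ipaddress.ip_address(vpn_virtual_ip)
    trusted = ipaddress.ip_network(remote_trusted, strict=False)
    routes = [(lan, "lan"), (trusted, "vpn")]
    return {
        "lan_overlaps_trusted": lan.overlaps(trusted),
        "virtual_ip_in_trusted": vip in trusted,
        "probe_goes_via": route_for(probe, routes),
    }


if __name__ == "__main__":
    # The thread's layout: distinct subnets, probe reaches the tunnel.
    print(check_vpn_addressing(CLIENT_LAN, VPN_VIRTUAL_IP, REMOTE_TRUSTED, "10.0.0.5"))
    # Constructed collision: client LAN is also 10.0.0.0/24.
    print(check_vpn_addressing("10.0.0.0/24", VPN_VIRTUAL_IP, REMOTE_TRUSTED, "10.0.0.5"))
```

With the reported addresses the check comes back clean (no overlap, probe routed via the tunnel), so the subnet question is not the cause of the failed pings in this thread; the same function flags the collision immediately when the client sits on a LAN that reuses the remote range, which is common with home routers defaulting to 192.168.0.0/24 or 10.0.0.0/24.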
LVL 32

Expert Comment

by:dpk_wal
ID: 22647250
Are there multiple clients installed?  Also, can you get some logs from the client and the WatchGuard Traffic Monitor, which would show whether the tunnel is working fine or not?
Please sanitize all logs: remove all public IPs or mask two octets with x, and remove usernames/passwords/hashes before posting.

Thank you.

Author Comment

by:mansurw02
ID: 22651950
So I decided to try something other than pinging and was able to SSH into my servers just fine.  I am not sure why pinging is not working because I do not believe that ICMP packets are being blocked.   Anyway, finding out why pinging isn't working would be nice, but it is not crucial at the moment.  Thanks for the help dpk.  I have benefited a lot from your responses here and in other WatchGuard posts.
LVL 32

Expert Comment

by:dpk_wal
ID: 22656635
Welcome! :)

Have you created a specific service to allow traffic from the remote client, or is there an ANY service?  If an ANY service, then we would like to check the following:
1. Is there a personal firewall enabled on the machines behind the Firebox themselves which is denying incoming ICMP traffic and has an exception for SSH?
2. Do you get any deny entries in Traffic Monitor when the ICMP traffic is denied?  There is a possibility that a more restrictive policy for ICMP is getting hit first, before the more generic policy to allow packets is hit.  Enable logging on the services and change the view of the services in Policy Manager so you are able to see the order in which they are hit.  The policies are hit from top to bottom.

Other than these two I am not sure what else might be causing such behavior.

If a specific service, then I would be interested to know whether ICMP is allowed through the specific service.

Please check and update.

Thank you.
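An added example, not code from the thread or from WatchGuard, that models the two hypotheses dpk_wal lists above against the Any policies DewFreak described earlier. Packet filters, the Firebox policy list and a server's personal firewall alike, are evaluated top to bottom and the first matching rule wins, so a narrow ICMP deny sitting above a broad "Any from MUVPN-Users to Trusted" policy drops ping while SSH sails through the broad policy; the same SSH-yes/ping-no symptom also appears when the Firebox allows everything and the host behind it drops echo requests. All rule names, alias names ("MUVPN-Users", "Trusted") and the rule tables are constructed for the example; the engine is a generic first-match model, not Fireware's own implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not WatchGuard code: a minimal first-match model of how a
# packet filter (the Firebox policy list, or a host's personal firewall)
# decides on a packet. Rule names, aliases and tables are constructed.


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "any", "tcp", "udp" or "icmp"
    dport: Optional[int]    # None matches any destination port
    src: str                # alias name, or "Any"
    dst: str


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and rule.dport in (None, pkt.dport)
        and rule.src in ("Any", pkt.src)
        and rule.dst in ("Any", pkt.dst)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-to-bottom first match; anything unmatched is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "<default>", "deny"


def move_to_bottom(rules: List[Rule], name: str) -> List[Rule]:
    """Re-order so the named policy is evaluated last (dpk_wal's point 2)."""
    return [r for r in rules if r.name != name] + [r for r in rules if r.name == name]


def end_to_end(firebox: List[Rule], host: List[Rule], pkt: Packet) -> str:
    """Where a packet from the VPN client is stopped, if at all."""
    fb_name, fb_action = evaluate(firebox, pkt)
    if fb_action == "deny":
        return f"denied by Firebox policy {fb_name}"
    host_name, host_action = evaluate(host, pkt)
    if host_action == "deny":
        return f"passed Firebox ({fb_name}), dropped by host rule {host_name}"
    return f"allowed by {fb_name} and {host_name}"


# Firebox policy list as DewFreak described it (Any from the VPN users to
# Trusted, and the reverse), with one extra, more restrictive ICMP policy
# above them: the ordering problem from dpk_wal's point 2 (constructed).
FIREBOX = [
    Rule("ICMP-Block", "deny", "icmp", None, "Any", "Trusted"),
    Rule("Any-From-VPN", "allow", "any", None, "MUVPN-Users", "Trusted"),
    Rule("Any-To-VPN", "allow", "any", None, "Trusted", "MUVPN-Users"),
]

# A server-side personal firewall that allows SSH but nothing else,
# dpk_wal's point 1 (constructed).
HOST = [
    Rule("SSH-In", "allow", "tcp", 22, "Any", "Any"),
    Rule("Drop-Rest", "deny", "any", None, "Any", "Any"),
]

SSH = Packet("tcp", 22, "MUVPN-Users", "Trusted")
PING = Packet("icmp", None, "MUVPN-Users", "Trusted")

if __name__ == "__main__":
    print("ssh :", end_to_end(FIREBOX, HOST, SSH))
    print("ping:", end_to_end(FIREBOX, HOST, PING))
    # Fix the Firebox ordering and the host firewall becomes the next stop.
    print("ping:", end_to_end(move_to_bottom(FIREBOX, "ICMP-Block"), HOST, PING))
```

The value of the model is the order of elimination it gives you: if Traffic Monitor shows a deny entry, the Firebox policy order is the problem and logging on each policy tells you which one fired; if Traffic Monitor shows an allow entry and the echo reply still never comes back, look at the host. The two-sided Any policy from DewFreak's recipe is also very broad for production use; once things work, narrow it to the protocols the remote users actually need, and treat PPTP itself as legacy, since MS-CHAPv2 has since been shown to be breakable.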