  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 568

Firebox X and VPN Client Access?

I recently started working as a System Admin at a company that uses WatchGuard Firebox at a branch site.  I need to be able to have VPN client access to the branch.  I understand that you can either use MUVPN if using IPSec or the built-in Windows connection wizards if using PPTP.  DHCP is not set up at the branch because all IP addresses are static.  I am assuming that I need to enable DHCP to give IP addresses to the VPN clients once they connect.  

How do I go about setting up PPTP and, if necessary, a DHCP server on the Firebox?
Asked by: mansurw02
1 Solution
 
dpk_wal commented:
You do not need DHCP configured on firebox for VPN; when you configure PPTP or IPSec you specify virtual IP or pool from which the remote clients would get the IP.

Please specify which model of firebox you have and the version of software; in X core or peak series you use policy manager; in X Edge series it is done using webUI.

Thank you.
 
mansurw02 (Author) commented:
Alright, I was able to VPN using PPTP.  Your previous answers have been pretty helpful.  Now, my problem is that I can connect via the windows vpn client but I can't seem to ping anything on the network once connected.  I have the Firebox X5500e and I am configuring it using WSM 10.2.2.
 
DewFreak commented:
Can you ping the firewall?
 
mansurw02 (Author) commented:
Yup.  That's my destination when I VPN in.  I can connect to it and ping it.
 
DewFreak commented:
And you have an ANY policy?
 
mansurw02 (Author) commented:
When I configured the Mobile VPN PPTP, a policy was automatically made.  It is From ANY To Firebox.  I assume this would qualify as the ANY policy you are referring to.
 
DewFreak commented:
Is this Fireware?  If so:

By the Any policy
Add an Any packet filter policy with these properties:

Incoming Allowed policy:
 - From: PPTP users or groups
 - To: trusted, optional, network or host IP address, or alias

Outgoing Allowed policy:
 - From: trusted, optional, network or host IP address, or alias
 - To: PPTP users or groups

Make sure that you save your configuration file to the Firebox after you make these changes.

 
mansurw02 (Author) commented:
I am now trying IPSec via MUVPN.  I am able to connect using the MUVPN client.  The problem now is that when I try to ping any server behind the firebox that I VPN'ed in to, the client asks for my user name and password again.  I re-enter it and the connection remains but the pings do not work.  Every time I send a ping request to the servers behind the firebox, the same thing happens.
 
DewFreak commented:
OK, then it is not authenticating you.  What MUVPN client are you using?  7 or 10?
 
dpk_wal commented:
What is the IP subnet of the client; is it same as the subnet behind firebox [read trusted network]; if yes, you would not be able to ping anything and would need to change the IP subnet at one of the locations.

Enable logging on the service; and then when you ping [provided client and firebox are on different subnets] you should see allow entries in traffic monitor of system manager.

Please check and update.

Thank you.
 
mansurw02 (Author) commented:
The IP subnet of the client is 192.X.X.X/24 on the LAN and the VPN IP once I connect is 10.0.0.202 (I configured an IP on the same subnet of the servers I want to access when I set up VPN for IPSec on WSM.  You are saying this is incorrect?).  The subnet behind the VPN is 10.0.0.0/24.
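The subnet question dpk_wal raises and the author answers above can be checked mechanically. The following is an added example, not code from this thread or from WatchGuard: it encodes the rule that the client's local LAN must not share a subnet with the trusted network behind the Firebox, and adds one generalisation (flagged in the comments as an assumption) that the virtual VPN address must not fall inside the client's own LAN either. The concrete subnets are constructed; the thread only gives "192.X.X.X/24", 10.0.0.202 and 10.0.0.0/24.

```python
"""Check a mobile VPN client's address plan against the networks behind the Firebox.

Added example; not code from this thread or from WatchGuard.
"""
from ipaddress import ip_address, ip_network


def address_plan_issues(client_lan, vpn_address, remote_networks):
    """Return a list of problems found (empty when the plan is fine).

    client_lan      -- subnet the client machine sits on locally ("192.168.1.0/24")
    vpn_address     -- virtual IP the client is given once the tunnel is up
    remote_networks -- subnets behind the Firebox the tunnel should reach
    """
    lan = ip_network(client_lan, strict=False)
    vip = ip_address(vpn_address)
    issues = []

    # The check from the thread: the client's LAN and the remote trusted
    # network must be different subnets, otherwise the client's OS routes
    # traffic for the remote subnet onto its own LAN and never into the tunnel.
    for net_str in remote_networks:
        net = ip_network(net_str, strict=False)
        if lan.overlaps(net):
            issues.append(
                f"client LAN {lan} overlaps remote network {net}: traffic for {net} "
                f"stays on the local LAN instead of entering the tunnel; "
                f"renumber one of the two sites")

    # Added generalisation (assumption, not stated in the thread): a virtual IP
    # inside the client's own LAN gives the machine two addresses on one subnet,
    # which breaks routing in the same way.
    if vip in lan:
        issues.append(
            f"virtual IP {vip} lies inside the client LAN {lan}: "
            f"take the VPN address pool from a subnet not used at the client")

    return issues


if __name__ == "__main__":
    # Constructed stand-in for the thread's "192.X.X.X/24" client and 10.0.0.0/24 site.
    for issue in address_plan_issues("192.168.1.0/24", "10.0.0.202", ["10.0.0.0/24"]):
        print(issue)
    print("--- client whose LAN is also 10.0.0.0/24 ---")
    for issue in address_plan_issues("10.0.0.0/24", "10.0.0.202", ["10.0.0.0/24"]):
        print(issue)
```

With the author's values (a 192.x LAN, virtual IP 10.0.0.202, remote 10.0.0.0/24) the function returns no issues, which matches the thread: the tunnel itself is fine and the remaining ping problem lies elsewhere.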
 
dpk_wal commented:
Are there multiple clients installed; also can you get some logs from the client and watchguard traffic monitor which would explain if the tunnel is working fine or not.
Please sanitize all logs; remove all public IP or mask two octets with x; remove username/password/hashes before posting.

Thank you.
 
mansurw02 (Author) commented:
So I decided to try something other than pinging and was able to SSH in to my servers just fine.  I am not sure why pinging is not working because I do not believe that ICMP packets are being blocked.   Anyways, finding out why pinging isn't working would be nice but it is not crucial at the moment.  Thanks for the help dpk.  I have benefited a lot from your responses here and in other WatchGuard posts.
 
dpk_wal commented:
Welcome! :)

Have you created specific service to allow traffic from the remote client or is there ANY service; if ANY service then we would like to check following:
1. Is there a personal firewall enabled on the machines behind the firebox themselves, which is denying incoming ICMP traffic and has an exception for SSH?
2. Do you get any deny entries in traffic monitor when the ICMP traffic is denied? There is a possibility that a more restrictive policy for ICMP is getting hit first, before the more generic policy to allow packets is hit. Enable logging on the services and change the view of the services in policy manager so you would be able to see the order in which they are hit. The policies are hit from top to bottom.

Other than these two I am not sure what else might be causing such a behavior.

If specific service then I would be interested to know if ICMP is allowed through the specific service.

Please check and update.

Thank you.
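Point 2 above (policies are matched top to bottom and the first hit wins) is the kind of thing that is easiest to see by replaying a packet against the ordered list. The following is an added example, not code from this thread, from WSM or from WatchGuard: it models first-match evaluation over a constructed rule set in which a narrow ICMP policy sits above the generic policy that allows the VPN users, so ping is denied while SSH on port 22 goes through, and shows the same packets after the two policies are reordered. Policy names, aliases and packets are all constructed for the example, not taken from the author's configuration.

```python
"""Replay packets against an ordered policy list to see which policy they hit first.

Added example; not from this thread, WSM or WatchGuard.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    protocol: str            # "icmp", "tcp", "udp" or "any"
    port: Optional[int]      # destination port; None means any port (or ICMP)
    src: set                 # source aliases, e.g. {"MUVPN-Users"} or {"Any"}
    dst: set                 # destination aliases, e.g. {"Trusted"}
    action: str              # "allow" or "deny"


@dataclass
class Packet:
    protocol: str
    dport: Optional[int]
    src_alias: str
    dst_alias: str


def first_match(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """Return (policy name, action) of the first matching policy, top to bottom.

    A packet that matches nothing falls through to an implicit deny, which is
    what a missing allow entry in the traffic monitor would correspond to.
    """
    for p in policies:
        if p.protocol != "any" and p.protocol != pkt.protocol:
            continue
        if p.port is not None and p.port != pkt.dport:
            continue
        if "Any" not in p.src and pkt.src_alias not in p.src:
            continue
        if "Any" not in p.dst and pkt.dst_alias not in p.dst:
            continue
        return p.name, p.action
    return "<implicit deny>", "deny"


# Constructed rule set in the order a misplaced ICMP policy would produce:
# the ICMP deny is evaluated before the generic policy that allows VPN users.
AS_FOUND = [
    Policy("Block-Ping", "icmp", None, {"Any"}, {"Trusted"}, "deny"),
    Policy("VPN-Any", "any", None, {"MUVPN-Users"}, {"Trusted"}, "allow"),
]

# Same two policies with the generic VPN policy moved above the ICMP block.
REORDERED = [AS_FOUND[1], AS_FOUND[0]]

# Constructed packets: an echo request and an SSH connection from a VPN client.
PING = Packet("icmp", None, "MUVPN-Users", "Trusted")
SSH = Packet("tcp", 22, "MUVPN-Users", "Trusted")


def trace(policies: List[Policy], packets: List[Packet]):
    """Which policy each packet hits; compare against the traffic monitor entries."""
    return [(pkt.protocol, pkt.dport) + first_match(policies, pkt) for pkt in packets]


if __name__ == "__main__":
    for label, rules in (("as found", AS_FOUND), ("reordered", REORDERED)):
        print(label)
        for proto, dport, name, action in trace(rules, [PING, SSH]):
            print(f"  {proto:5} {str(dport):5} -> {action:5} by {name}")
```

The point of returning the policy name rather than only allow/deny is that it is the name you would expect to see on the matching log entry once logging is enabled on the service, which is how the ordering problem is confirmed or ruled out in practice.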