Solved

Firebox X and VPN Client Access?

Posted on 2008-10-03
14
518 Views
Last Modified: 2013-11-16
I recently started working as a System Admin at a company that uses WatchGuard Firebox at a branch site.  I need to be able to have VPN client access to the branch.  I understand that you can either use MUVPN if using IPSec or the built in windows connection wizards if using PPTP.  DHCP is not set up at the branch because all IP addresses are static.  I am assuming that I need to enable DHCP to give IP address to the VPN Clients once they connect.

How do I go about setting up PPTP and, if necessary, a DHCP server on the Firebox?
Question by:mansurw02
14 Comments
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22636098
You do not need DHCP configured on firebox for VPN; when you configure PPTP or IPSec you specify virtual IP or pool from which the remote clients would get the IP.

Please specify which model of firebox you have and the version of software; in X core or peak series you use policy manager; in X Edge series it is done using webUI.

Thank you.

Author Comment

by:mansurw02
ID: 22637700
Alright, I was able to VPN using PPTP.  Your previous answers have been pretty helpful.  Now, my problem is that I can connect via the windows vpn client but I can't seem to ping anything on the network once connected.  I have the Firebox X5500e and I am configuring it using WSM 10.2.2.
LVL 6

Expert Comment

by:DewFreak
ID: 22638859
Can you ping the firewall?

Author Comment

by:mansurw02
ID: 22638876
Yup.  That's my destination when I VPN in.  I can connect to it and ping it.
LVL 6

Expert Comment

by:DewFreak
ID: 22638895
and you have an ANY policy?

Author Comment

by:mansurw02
ID: 22638912
When I configured the Mobile VPN PPTP, a policy was automatically made.  It is From ANY To Firebox.  I assume this would qualify as the ANY policy you are referring to.
LVL 6

Expert Comment

by:DewFreak
ID: 22638956
Is this Fireware?  If so:

By the Any policy
Add an Any packet filter policy with these properties:

Incoming Allowed policy:
 - From: PPTP users or groups
 - To: trusted, optional, network or host IP address, or alias

Outgoing Allowed policy:
 - From: trusted, optional, network or host IP address, or alias
 - To: PPTP users or groups

Make sure that you save your configuration file to the Firebox after you make these changes.


Author Comment

by:mansurw02
ID: 22639087
I am now trying IPSec via MUVPN.  I am able to connect using the MUVPN client.  The problem now is that when I try to ping any server behind the firebox that I VPN'ed in to, the client asks for my user name and password again.  I re-enter it and the connection remains but the pings do not work.  Every time I send a ping request to the servers behind the firebox, the same thing happens.
LVL 6

Expert Comment

by:DewFreak
ID: 22639092
ok, then it is not authenticating you.  What MUVPN client are you using?  7 or 10?
LVL 32

Expert Comment

by:dpk_wal
ID: 22639586
What is the IP subnet of the client; is it same as the subnet behind firebox [read trusted network]; if yes, you would not be able to ping anything and would need to change the IP subnet at one of the locations.

Enable logging on the service; and then when you ping [provided client and firebox are on different subnets] you should see allow entries in traffic monitor of system manager.

Please check and update.

Thank you.
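The subnet check dpk_wal asks for above, as an added example that is not part of this thread and not WatchGuard code: it uses Python's standard ipaddress module to compare the VPN client's own LAN against the networks behind the Firebox and to list which target hosts would be treated as local neighbours by the client's routing table (and so never enter the tunnel). The remote network names and addresses are constructed sample values, not taken from the posts.

```python
import ipaddress
from typing import Dict, List


def find_subnet_conflicts(client_lan: str, remote_networks: Dict[str, str]) -> List[str]:
    """Return the names of remote (behind-Firebox) networks that overlap the client's own LAN."""
    local = ipaddress.ip_network(client_lan, strict=False)
    return sorted(
        name
        for name, cidr in remote_networks.items()
        if local.overlaps(ipaddress.ip_network(cidr, strict=False))
    )


def ambiguous_targets(client_lan: str, remote_networks: Dict[str, str],
                      targets: List[str]) -> List[str]:
    """Return target hosts that fall inside BOTH the client's LAN and a remote network.

    A host like that is a directly connected neighbour from the client's point of view,
    so the client's stack resolves it on the local LAN instead of routing it through the VPN.
    """
    local = ipaddress.ip_network(client_lan, strict=False)
    remotes = [ipaddress.ip_network(c, strict=False) for c in remote_networks.values()]
    ambiguous = []
    for target in targets:
        addr = ipaddress.ip_address(target)
        if addr in local and any(addr in r for r in remotes):
            ambiguous.append(target)
    return ambiguous


# Constructed sample values (assumptions for this example, not from the thread):
# the networks behind the Firebox and the hosts the remote user wants to reach.
REMOTE_NETWORKS = {"trusted": "10.0.0.0/24", "optional": "172.16.5.0/24"}
TARGETS = ["10.0.0.10", "172.16.5.20"]


def check(client_lan: str) -> Dict[str, List[str]]:
    """Summarise the overlap diagnosis for one client LAN."""
    return {
        "conflicts": find_subnet_conflicts(client_lan, REMOTE_NETWORKS),
        "unreachable_by_routing": ambiguous_targets(client_lan, REMOTE_NETWORKS, TARGETS),
    }


if __name__ == "__main__":
    # A home LAN that reuses the office's trusted range breaks pings to that range;
    # a distinct range does not.
    for lan in ("10.0.0.0/24", "192.168.1.0/24"):
        print(lan, check(lan))
```

Run it with the client's actual local subnet in place of the sample values; an empty `conflicts` list means the overlap explanation can be ruled out and the traffic-monitor log is the next place to look.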

Author Comment

by:mansurw02
ID: 22645691
The IP subnet of the client is 192.X.X.X/24 on the LAN and the VPN IP once I connect is 10.0.0.202 (I configured an IP on the same subnet of the servers I want to access when I set up VPN for IPSec on WSM.  You are saying this is incorrect?).  The subnet behind the VPN is 10.0.0.0/24.
LVL 32

Expert Comment

by:dpk_wal
ID: 22647250
Are there multiple clients installed; also can you get some logs from the client and watchguard traffic monitor which would explain if the tunnel is working fine or not.
Please sanitize all logs; remove all public IP or mask two octets with x; remove username/password/hashes before posting.

Thank you.

Author Comment

by:mansurw02
ID: 22651950
So I decided to try something other than pinging and was able to SSH in to my servers just fine.  I am not sure why pinging is not working because I do not believe that ICMP packets are being blocked.   Anyways, finding out why pinging isn't working would be nice but it is not crucial at the moment.  Thanks for the help dpk.  I have benefited a lot from your responses here and in other WatchGuard posts.
LVL 32

Expert Comment

by:dpk_wal
ID: 22656635
Welcome! :)

Have you created specific service to allow traffic from the remote client or is there ANY service; if ANY service then we would like to check following:
1. Is there a personal firewall enabled on the machines behind firebox themselves; which is denying incoming ICMP traffic and there is exception for SSH.
2. Do you get any deny entries in traffic monitor when the ICMP traffic is denied; there is a possibility that a more restrictive policy for ICMP is getting hit first before the more generic policy to allow packets is hit. Enable logging on the services and change the view of the services in policy manager so you would be able to see the order in which they are hit. The policies are hit from top to bottom.

Other than these two I am not sure what else might be causing such a behavior.

If specific service then I would be interested to know if ICMP is allowed through the specific service.

Please check and update.

Thank you.
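The top-to-bottom policy ordering dpk_wal describes in point 2, together with the Any packet filter for PPTP users that DewFreak laid out earlier, as an added example that is not part of this thread and not WatchGuard's policy engine: a small first-match evaluator in Python with traffic-monitor style log lines, showing how a narrow ICMP deny placed above the generic Any policy lets SSH through but logs a deny for ping, and how moving the Any policy up changes the result. The alias table, policy names, the virtual IP pool for PPTP users and the sample packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed alias table (assumption, not WatchGuard's real alias definitions).
# "Any" is handled specially and matches every address.
ALIASES: Dict[str, List[str]] = {
    "PPTP-Users": ["192.168.113.0/24"],  # assumed virtual IP pool handed to PPTP clients
    "Trusted": ["10.0.0.0/24"],          # assumed trusted network behind the Firebox
}


def in_alias(alias: str, ip: str) -> bool:
    """True if the address belongs to the alias (the Any alias matches everything)."""
    if alias == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


@dataclass
class Policy:
    name: str
    proto: str           # "any", "icmp", "tcp" or "udp"
    port: Optional[int]  # None means any port (always None for icmp)
    src: str             # alias the From field resolves to
    dst: str             # alias the To field resolves to
    action: str          # "Allow" or "Deny"

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.port is not None and self.port != pkt.get("dport"):
            return False
        return in_alias(self.src, pkt["src"]) and in_alias(self.dst, pkt["dst"])


def evaluate(policies: List[Policy], pkt: dict) -> str:
    """First match wins, top to bottom; no match falls through to an implicit deny.

    Returns one traffic-monitor style line so the hit order is visible in the log.
    """
    for policy in policies:
        if policy.matches(pkt):
            return f"{policy.action} {pkt['src']} -> {pkt['dst']} {pkt['proto']} ({policy.name})"
    return f"Deny {pkt['src']} -> {pkt['dst']} {pkt['proto']} (no policy matched)"


def traffic_monitor(policies: List[Policy], packets: List[dict]) -> List[str]:
    return [evaluate(policies, pkt) for pkt in packets]


# Constructed policies: a narrow ICMP deny and the generic Any filter
# (From: PPTP users, To: trusted) from the earlier post.
PING_DENY = Policy("Ping-Deny", "icmp", None, "Any", "Trusted", "Deny")
ANY_PPTP_IN = Policy("Any-PPTP-In", "any", None, "PPTP-Users", "Trusted", "Allow")

# Constructed sample traffic from one PPTP client: a ping and an SSH connection.
PACKETS = [
    {"src": "192.168.113.2", "dst": "10.0.0.10", "proto": "icmp"},
    {"src": "192.168.113.2", "dst": "10.0.0.10", "proto": "tcp", "dport": 22},
]


def shadowed_order() -> List[str]:
    """ICMP deny above the Any policy: SSH works, ping is logged as a deny."""
    return traffic_monitor([PING_DENY, ANY_PPTP_IN], PACKETS)


def fixed_order() -> List[str]:
    """Any policy above the ICMP deny: both ping and SSH are allowed."""
    return traffic_monitor([ANY_PPTP_IN, PING_DENY], PACKETS)


if __name__ == "__main__":
    print("restrictive ICMP policy first:", *shadowed_order(), sep="\n  ")
    print("generic Any policy first:", *fixed_order(), sep="\n  ")
```

The pattern to look for in the real traffic monitor is the same as in these lines: a deny entry whose policy name is not the one you expect to handle the client's traffic means a policy higher in the list is matching first, and the policy order view in Policy Manager is where to confirm it.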