KenBlessing asked:

How do I use a Cisco VPN Client to access a VPN through a Watchguard firewall?

I have a Watchguard Firebox with three existing MUVPN connections using the Watchguard client, and they work just fine. I then have a programmer that needs access from outside. He has a Cisco VPN client installed from another one of his customers. I need to get the Cisco VPN client to connect through my Watchguard firewall.
I have spoken with Watchguard and set up the firewall to allow the VPN client through, but once it gets through the firewall I get an error that the host computer is not responding.
Watchguard says that Phase two is not configured properly, but they can't help fix it.
What is Phase two of the connection, and what do I have to point it at?
Please help.
Pugglewuggle
You need to have NAT-T enabled on the VPN client and on the VPN server (router/etc.). I assume this is the classic Cisco VPN client for IPsec and not the new AnyConnect client?
NAT-T is enabled on the Cisco VPN client by default. NAT-T uses UDP 4500 for communication. What is your VPN server behind the firewall? Cisco router or ASA?
KenBlessing (ASKER)

Leibinusa,
I will admit I know very little about my Watchguard VPN, and I know even less about Cisco VPNs. I do know that I don't have a VPN server behind my firewall. The Watchguard VPN is handled in the firewall.
I am getting the idea that I am not going to get this Cisco client to work with my Watchguard firewall.
What do I need behind my firewall for the Cisco client to work?
Thanks for any and all help.
Yes, NAT-T is turned on in the client, and it is a classic VPN client.

I have two Cisco routers sitting in my rack that we are not using, a 2500 and a 2600. I don't know how to configure them, but can these be used to take care of this issue?
Hi Ken,

All I mean by VPN server is the router or other device providing the VPN service that you connect to. If you're just trying to connect from your desktop, setting up either of those routers for a site-to-site VPN is kind of pointless. Also, the only thing you need behind the firewall to get it working is your PC with the VPN client installed. :-) Let's focus on getting your VPN traffic to traverse the Watchguard.

Can you log into the VPN when elsewhere, or have you only tried behind the Watchguard? Also, I assume the VPN server is NOT in the internal network and is at a different location?

Hi Pugglewuggle,
Sorry, I guess I left out some info.
I need to connect a mobile VPN user from outside to my network. My user with the Cisco VPN client usually works from his home in VA, and my network is in NY. As far as I can tell, the VPN client can traverse the firewall but doesn't have anything to connect to on the inside.
I hope this helps.
The Cisco VPN client uses Cisco proprietary protocols, which are not supported on Watchguard. You do need a Cisco router/ASA behind the Watchguard which will terminate the Cisco VPN client connection. A Cisco 2600 can work as the VPN server.
Leibinusa

OK, so can someone tell me how to configure the 2600 for this task?
I would need "Cisco for Dummies" type instructions.
Thanks
Cisco partners will have engineers to help you. Of course, you have to pay for their services.
OK, that is what I thought. I don't think it is worth the trouble. I guess I will just pull the Cisco and put in the Watchguard. It won't make my programmer happy, but that is someone else's problem.

Well, my company is a Cisco partner but I'm based in TX. I'll be happy to help you on here though. If you require advanced services we can always fly someone out! ;-P

One other question: how many outside users are we talking about? If it's more than just a few the 2600 won't have the necessary crypto (encrypted traffic) throughput to support them. Also, you must ensure you have a 3DES/strong encryption license for the IOS in the 2600.

Let me know!
Hi Pugglewuggle,

Thank you for the reply. I only have one outside Cisco user. I don't believe I have the 3DES/strong encryption license for the 2600. It was given to us by one of our previous ISPs as our internet gateway.

As for now, we have decided to pull the Cisco client and install the Watchguard client.
I do appreciate all the responses, but in the end we are not set up to run the Cisco VPN, and this is our best option.

I will be looking into some kind of Cisco classes so I can avoid this issue in the future.
No problem!

Yes, the 2600 won't be good then. You really need something that has strong crypto these days. As far as recommendations on Cisco stuff as it is the industry standard, I highly recommend checking out Cisco's ASA products. It sounds like for your situation, the ASA 5505 should do the trick. Only about $350 and does 100Mbps crypto throughput. It supports up to AES-256 military grade encryption.

Regarding classes: they do help a bit from what I understand, but I've never actually taken a class. I've taught myself everything I know from hands on experience. Most Cisco admins will tell you: "You can take the class but unless you actually use the stuff for a while, it almost doesn't help." The best thing you can do is hook up that 2600 to a console cable and just play with it.

Let me know if there's anything else!
Hi Ken,

Technically, the solution is to use Cisco stuff to connect to the VPN client.

As far as Watchguard's client goes, I don't believe it can connect to a Cisco VPN server.

Please reconsider deleting this question and see if points aren't dispersible based on the provided information.

Cheers!
ASKER CERTIFIED SOLUTION
Pugglewuggle