KenBlessing asked on

How do I use a Cisco VPN Client to access a VPN through a Watchguard Firewall

I have a Watchguard Firebox with three existing MUVPN connections using the Watchguard client; they work just fine. I then have a programmer that needs access from outside. He has a Cisco VPN client installed from another one of his customers. I need to get the Cisco VPN client to connect through my Watchguard firewall.
I have spoken with Watchguard and set up the firewall to allow the VPN client through, but once it gets through the firewall I get an error that the host computer is not responding.
Watchguard says that Phase 2 is not configured properly, but they can't help fix it.
What is Phase 2 of the connection and what do I have to point it at?
Please help.
Software Firewalls

Last Comment
Pugglewuggle

8/22/2022 - Mon
Pugglewuggle

You need to have NAT-T enabled on the VPN client and on the VPN server (router/etc.). I assume this is the classic Cisco VPN client for IPsec and not the new AnyConnect client?
leibinusa

NAT-T is enabled on the Cisco VPN client by default. NAT-T uses UDP 4500 for communication. What is your VPN server behind the firewall? Cisco router or ASA?
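The two replies above boil down to one check: the firewall has to pass IKE (UDP/500), NAT-T (UDP/4500) and, if NAT-T is not negotiated, raw ESP. The following is an added example, not code from anyone in this thread: a small Python classifier that reads firewall log lines, counts which of those three traffic types were allowed or denied, and reports what is missing. The log format (generic `key=value` lines) and the sample lines are constructed assumptions; real WatchGuard and Cisco logs look different, so adapt `LINE_RE` to your own export.

```python
import re
from collections import Counter

# Constructed sample lines in a generic "key=value" firewall log style.
# This format is an assumption for the example; it is not WatchGuard's or Cisco's.
SAMPLE_LOG = """\
2022-08-22 09:01:10 allow src=203.0.113.25 dst=198.51.100.7 proto=udp sport=500 dport=500
2022-08-22 09:01:11 allow src=203.0.113.25 dst=198.51.100.7 proto=udp sport=4500 dport=4500
2022-08-22 09:01:12 deny src=203.0.113.25 dst=198.51.100.7 proto=esp
2022-08-22 09:01:15 allow src=203.0.113.25 dst=198.51.100.7 proto=udp sport=4500 dport=4500
2022-08-22 09:02:00 allow src=192.0.2.40 dst=198.51.100.7 proto=tcp sport=51000 dport=443
"""

# Hypothetical line layout: "<date> <time> <allow|deny> src= dst= proto= [sport= dport=]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+)(?: sport=(?P<sport>\d+) dport=(?P<dport>\d+))?$"
)


def classify(line):
    """Return (tag, action, src) for IPsec-related lines, None for everything else.

    Tags: IKE   = UDP destination port 500  (phase 1 negotiation)
          NAT-T = UDP destination port 4500 (IKE + ESP encapsulated in UDP)
          ESP   = IP protocol 50             (phase 2 data when NAT-T is not used)
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = m["proto"].lower()
    if proto in ("esp", "50"):
        tag = "ESP"
    elif proto == "udp" and m["dport"] == "500":
        tag = "IKE"
    elif proto == "udp" and m["dport"] == "4500":
        tag = "NAT-T"
    else:
        return None
    return tag, m["action"], m["src"]


def summarize(log_text):
    """Count IPsec flows per (tag, action) and derive the findings a firewall admin wants."""
    counts = Counter()
    for line in log_text.splitlines():
        c = classify(line)
        if c:
            counts[(c[0], c[1])] += 1

    findings = []
    if counts[("IKE", "allow")] == 0:
        findings.append("no IKE (UDP/500) allowed: phase 1 cannot even start")
    if counts[("NAT-T", "allow")] == 0 and counts[("ESP", "allow")] == 0:
        findings.append("neither NAT-T (UDP/4500) nor ESP passes: phase 2 traffic has no path")
    if counts[("ESP", "deny")] and counts[("NAT-T", "allow")]:
        findings.append("raw ESP is denied but NAT-T passes: fine as long as both peers negotiate NAT-T")
    if counts[("IKE", "allow")] and counts[("NAT-T", "allow")] and not findings:
        findings.append("IKE and NAT-T both pass: if the tunnel still fails, look at the responder, not the firewall")
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, n in sorted(result["counts"].items()):
        print(f"{key[0]:6s} {key[1]:5s} {n}")
    for f in result["findings"]:
        print("finding:", f)
```

On the constructed sample the script shows IKE and NAT-T being allowed while raw ESP is denied, which is consistent with a working NAT-T client; it is the situation in this thread, where traffic crosses the firewall but there is no IPsec responder on the inside, that no firewall log can fix.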
ASKER
KenBlessing

Leibinusa
I will admit I know very little about my Watchguard VPN, and I know even less about Cisco VPNs. I do know that I don't have a VPN server behind my firewall. The Watchguard VPN is handled in the firewall.
I am getting the idea that I am not going to get this Cisco client to work with my Watchguard firewall.
What do I need behind my Firewall for the Cisco Client to work?
Thanks for any and all help.
ASKER
KenBlessing

Yes, NAT-T is turned on in the client, and it is a classic VPN client.

I have two Cisco routers sitting in my rack that we are not using, a 2500 and a 2600. I don't know how to configure them, but can these be used to take care of this issue?
Pugglewuggle

Hi Ken,

All I mean by VPN server is the router or other device providing the VPN service that you connect to. If you're just trying to connect from your desktop, setting up either of those routers for a site-to-site VPN is kind of pointless. Also, the only thing you need behind the firewall to get it working is your PC with the VPN client installed. :-) Let's focus on getting your VPN traffic to traverse the Watchguard.

Can you log into the VPN when elsewhere, or have you only tried behind the Watchguard? Also, I assume the VPN server is NOT in the internal network and is at a different location?

ASKER
KenBlessing

Hi Pugglewuggle
Sorry, I guess I left out some info.
I need to connect a mobile VPN user from outside to my network. My user with the Cisco VPN client usually works from his home in VA, and my network is in NY. As far as I can tell the VPN client can traverse the firewall but doesn't have anything to connect to on the inside.
I hope this helps
leibinusa

The Cisco VPN client uses Cisco proprietary protocols, which are not supported on Watchguard. You do need a Cisco router/ASA behind the Watchguard which will terminate the Cisco VPN client connection. A Cisco 2600 can work as the VPN server.
ASKER
KenBlessing

Leibinusa

OK, so can someone tell me how to configure the 2600 for this task?
I would need Cisco for dummies type instructions.
Thanks
leibinusa

Cisco partners will have engineers to help you. Of course, you have to pay for their services.
ASKER
KenBlessing

OK, that is what I thought. I don't think it is worth the trouble. I guess I will just pull the Cisco and put in the Watchguard. It won't make my programmer happy, but that is someone else's problem.

Pugglewuggle

Well, my company is a Cisco partner but I'm based in TX. I'll be happy to help you on here though. If you require advanced services we can always fly someone out! ;-P

One other question: how many outside users are we talking about? If it's more than just a few the 2600 won't have the necessary crypto (encrypted traffic) throughput to support them. Also, you must ensure you have a 3DES/strong encryption license for the IOS in the 2600.

Let me know!
ASKER
KenBlessing

Hi Pugglewuggle

Thank you for the reply. I only have one outside Cisco user. I don't believe I have the 3DES/strong encryption license for the 2600. It was given to us by one of our previous ISPs as our internet gateway.

As for now we have decided to pull the Cisco client and install the Watchguard client.
I do appreciate all the responses, but in the end we are not set up to run the Cisco VPN and this is our best option.

I will be looking into some kind of cisco classes so I can avoid this issue in the future.
Pugglewuggle

No problem!

Yes, the 2600 won't be good then. You really need something that has strong crypto these days. As far as recommendations on Cisco stuff as it is the industry standard, I highly recommend checking out Cisco's ASA products. It sounds like for your situation, the ASA 5505 should do the trick. Only about $350 and does 100Mbps crypto throughput. It supports up to AES-256 military grade encryption.

Regarding classes: they do help a bit from what I understand, but I've never actually taken a class. I've taught myself everything I know from hands on experience. Most Cisco admins will tell you: "You can take the class but unless you actually use the stuff for a while, it almost doesn't help." The best thing you can do is hook up that 2600 to a console cable and just play with it.

Let me know if there's anything else!
Pugglewuggle

Hi Ken,

Technically, the solution is to use Cisco stuff to connect to the VPN client.

As far as Watchguard's client goes, I don't believe it can connect to a Cisco VPN server.

Please reconsider deleting this question and see if points aren't dispersable based on the provided information.

Cheers!
ASKER CERTIFIED SOLUTION
Pugglewuggle