How to route Firebox x50 BOVPN over optional network... with a twist

In a branch office I am trying to link two networks together using a Watchguard Firebox x50 and VPN.  Here are the details:

Network A internal network optional port
Computers/printers use this
Cable access to internet
Primary firebox x50 router for this branch

Network B internal network
Asterisk Server/ SIP phones use this
T1 access to internet
Edgemarc router for VOIP traffic

* Network A&B are segmented via a VLAN

Network C network
Data center with primary firebox that links all branch offices together via VPN

Network D network
Corporate office (where I sit)

Both network A&B are the main characters in this, but the others come into play to some extent.

Network A is fully accessible via VPN and only connects to the B network via its optional port.  Since Network B is isolated from the rest of the grid, I need some manner in which to manage both the Asterisk server and the SIP phones, so I configured the optional network in hopes that I could use the existing VPN and route from the trusted to the optional, which in theory should give me access to the B network.  I can ping from the other remote locations (Data center, corp, etc.) and the x50 on Network A shows the Asterisk server ( in its ARP table, but I can't access it.

The VPN setup in the Data Center (controls access to all BOVPNs) is set up to connect to both the and networks at the remote site.  The VPN on Network A's Firebox is set up to allow access to both networks.  Making that change allows me to access (optional port of Network A) but I can't get any further.  I have also disabled traffic filters between the Trusted and Optional interfaces but still no dice.

Any ideas what I'm missing (besides the art of brevity)?


When you say the optional port is ; I would like to know how it is connected to Network B: is there a direct cable which goes into the switch that has the VLAN for Network B, or is there a router in between?
Also, on the optional port, have you configured a VLAN id [option available in 10.x, not sure about other versions]?

By your description it appears that, as you can ping the optional network, the VPN tunnel is up. Please note the machines on Network B should either have the optional port as their default gateway, or they must have a route so that when traffic comes through the VPN tunnel it gets routed back and does not go out the regular default gateway.

Thank you
ANSCorpAuthor Commented:
Thanks for the comments.

As for your first question, the optional port ( connects to a port on the switch that is part of the VOIP VLAN.  

This office is using a Firebox Edge x50 router (not a Core router) so it doesn't have the ability to assign a VLAN id to the optional port.

I can definitely ping the IP assigned to the optional port, but not beyond it.  Rather than adding an additional gateway, I added a static route to the server for>, but it didn't appear to have an effect.  Also, I only have the ability to assign one gateway and no static routes to the phones, so this method wouldn't give me the ability to manage the phones.

I'm beginning to think this just isn't possible the way I am doing it.

Basically, since the Edgemarc won't let me VPN into Network B, I need a way to manage the devices on that isolated network, and I thought that I could use the optional port to "peek" into the network.  I don't want the default gateways changed because that traffic should go across the Edgemarc.

If this option won't work, I'm up for any other suggestions...

On which server did you add the route? The route does not appear to be correct; as I understand it, you added a static route on a host X which is on the network itself, to send packets for subnet to [X Edge] instead of the default router 192.168.22.y.

The static route should have been as below instead:
subnet:; netmask:; gateway
subnet:; netmask:; gateway
subnet:; netmask:; gateway

Now the server should send packets over the VPN tunnel.

I am not too sure about the Edgemarc device; but if you can configure multiple default routes or policy-based routing, then configure the Edgemarc to forward all packets to if the destination subnet is or or

In the above case there would be no change in the current topology. If that is not possible, then configure as below:
                                |-TRUST               |
Here, all machines on network would have NewRouter as their default gateway; this NewRouter would have the capability to send packets to either [xEdge] or the Edgemarc, as the case may be, depending on the destination subnets.

Thank you.
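To illustrate the routing point in the answer above (replies from Network B hosts follow the longest-prefix match, so without per-subnet static routes they leave via the Edgemarc instead of returning through the Firebox optional port), here is an added example that is not part of the original thread. All addresses are constructed placeholders, since the thread's own values are elided.

```python
# Added example (not from the original thread): a minimal longest-prefix-match
# route lookup that shows why hosts on Network B need static routes for the
# remote subnets. Every address below is a constructed placeholder.
import ipaddress

FIREBOX_OPTIONAL = "192.168.22.250"   # assumed: x50 optional port on the VoIP VLAN
EDGEMARC = "192.168.22.1"             # assumed: Network B's default gateway
REMOTE_SUBNETS = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]  # assumed: A, C, D


def next_hop(routes, dst):
    """Return the gateway for dst using longest-prefix match.

    routes is a list of (prefix, gateway) tuples; '0.0.0.0/0' is the default.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def before_fix():
    # Asterisk server as posted: local subnet plus a single default route.
    return [("192.168.22.0/24", "direct"), ("0.0.0.0/0", EDGEMARC)]


def after_fix():
    # Same host plus one static route per remote subnet via the optional port,
    # which is what the answer above recommends.
    return before_fix() + [(subnet, FIREBOX_OPTIONAL) for subnet in REMOTE_SUBNETS]


def reply_path(routes, request_src):
    """Where the Asterisk server would send its reply to a request from request_src."""
    return next_hop(routes, request_src)


if __name__ == "__main__":
    corp_host = "10.3.0.15"  # constructed: a corporate-office workstation
    # Before: reply exits via the Edgemarc and never re-enters the VPN tunnel.
    print("before fix:", reply_path(before_fix(), corp_host))
    # After: reply goes back to the optional port and across the BOVPN.
    print("after fix: ", reply_path(after_fix(), corp_host))
```

The same lookup applies to the SIP phones, which is why the answer notes that a phone with only a default gateway cannot reply over the tunnel.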

ANSCorpAuthor Commented:
Thank you for the help.  Although your advice was correct, I didn't need to use it after all.  Turns out the Edgemarc router in the isolated network has VPN capabilities, so I was able to use it to manage that network.