Trouble getting VPN Pass through to work on a Watchguard Firebox w/7.3 software

Posted on 2009-06-30
Last Modified: 2013-11-16
I am not able to authenticate to my MS PPTP server on the other side of a Watchguard x700 w/7.3 software.

I have configured a 1-1 NAT w/an available routable IP address mapped to an internal address of

I have configure a packet filter from ANY to the outside routable I used.  I have also tried from any to the address.  

On the PPTP server I get a message about GRE not being passed but I am using the Watchguard PPTP filter that includes GRE.  I see where you can't static NAT GRE so, that is not an option.

I am looking for help in troubleshooting this problem.   Thanks....
Question by:pclark6127
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 32

Expert Comment

ID: 24751725
You should use the predefined PPTP service rather than a custom service; because the predefined service contains both TCP 1723 [for PPTP] and IP protocol # 47 [for GRE].

Please make sure that you configure 1-1 NAT, add NAT exception and that this public IP not part of alias on the external interface.

Please advice if you need more help.

Thank you.

Author Comment

ID: 24754934
Thanks..  I have done all this and it's still not working.  I have been advised by Watchguard to upgrade to 7.5 from 7.3.  I will be doing this today.  If it works I will update here.  Thanks..
LVL 32

Expert Comment

ID: 24755782
Not sure if upgrading to 7.5 would make any difference; please try that; one thing which I would be interested in knowing is that are you using software with high encryption [go to Help->About and it would tell].

Also, on the MS server the default gateway is the internal IP of FB and there are no multiple gateways configured on the MS server.

Thank you.
Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.


Expert Comment

ID: 25735381
Hi I had this same issue and I can help you resolve it.

Expert Comment

ID: 25735439

I know you have gone over this already but I will explain the Steps you need I spent hours trying to figure this crap out. First it doesnt matter if you are using WFS 7.3 or 7.5 the Steps below will be a great Help.

1. Create a 1 to 1 NAT from External to real Base( The trick is you can not  have the Ip in the external interface or the alternate interface basiclly the alias ip's i am refering too).
You Will need 1 IP for this just dedicated  from External to your MS Server running RRAS.
For Example in 1 to 1 NAT select in hosts to NAT 1 Real Base usable public IP and real base is the internal I of the Microsoft RRAS Server.

2. Create a new policy  with the packet Filters using PPTP.

In the Incoming Tab Select ANY.. (Very Important)

Select to in the incoming to the Public IP you specfied in the 1 to 1 NAT.

Go to Logging and allow logging for incoming Packets and outgoing denied and Allowed.

Save the config and test it using the public ip address from a DSL line or what ever you can outside your network.

When you test this using a simple microsoft PPTP VPN watch the Firebox active traffic log in WSM
and you will see the policy for PPTP Pass GRE and TCP port 1723 through the firebox and to the RRAS server. Since in the earlier steps we enabled login you should be able to see the traffic pass. If you have any problems let me know I Watchgaurd WFS and Fireware Pro like the back of my hand Dozens and Dozens of hours of experience. My email is

Expert Comment

ID: 25735463
Also when you create the 1 to 1 NAt make sure you excude the same range
External to Realbase IP's in the Dynamic NAT tab Next to 1 to 1.

Accepted Solution

pclark6127 earned 0 total points
ID: 25944595
Had to upgrade my firewall version to get this to work.   Sorry, non of the solutions worked.  Thanks for trying.

Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question