Trouble getting VPN Pass through to work on a Watchguard Firebox w/7.3 software

I am not able to authenticate to my MS PPTP server on the other side of a Watchguard x700 w/7.3 software.

I have configured a 1-1 NAT w/an available routable IP address mapped to an internal address of 10.0.0.96

I have configured a packet filter from ANY to the outside routable I used. I have also tried from any to the 10.0.0.96 address.

On the PPTP server I get a message about GRE not being passed but I am using the Watchguard PPTP filter that includes GRE.  I see where you can't static NAT GRE so, that is not an option.

I am looking for help in troubleshooting this problem.   Thanks....
pclark6127 Asked:

dpk_wal Commented:
You should use the predefined PPTP service rather than a custom service, because the predefined service contains both TCP 1723 [for PPTP] and IP protocol # 47 [for GRE].

Please make sure that you configure 1-1 NAT, add a NAT exception, and that this public IP is not part of an alias on the external interface.

Please advise if you need more help.

Thank you.
pclark6127 Author Commented:
Thanks. I have done all this and it's still not working. I have been advised by Watchguard to upgrade to 7.5 from 7.3. I will be doing this today. If it works I will update here. Thanks.
dpk_wal Commented:
Not sure if upgrading to 7.5 would make any difference; please try that. One thing I would be interested in knowing is whether you are using software with high encryption [go to Help->About and it would tell you].

Also, on the MS server the default gateway is the internal IP of FB and there are no multiple gateways configured on the MS server.

Thank you.

stratlover4life Commented:
Hi, I had this same issue and I can help you resolve it.
stratlover4life Commented:

I know you have gone over this already, but I will explain the steps you need. I spent hours trying to figure this crap out. First, it doesn't matter if you are using WFS 7.3 or 7.5; the steps below will be a great help.

1. Create a 1 to 1 NAT from External to Real Base. (The trick is you cannot have the IP in the external interface or the alternate interface; basically, the alias IPs are what I am referring to.)
You will need 1 IP for this, dedicated from External to your MS server running RRAS.
For example, in 1 to 1 NAT, select in hosts to NAT 1 Real Base usable public IP, and Real Base is the internal IP of the Microsoft RRAS server.

2. Create a new policy with the packet filters using PPTP.

In the Incoming tab, select ANY. (Very important.)

Select To in the incoming to the public IP you specified in the 1 to 1 NAT.

Go to Logging and allow logging for incoming packets and outgoing denied and allowed.

Save the config and test it using the public IP address from a DSL line or whatever you can outside your network.

When you test this using a simple Microsoft PPTP VPN, watch the Firebox active traffic log in WSM and you will see the policy for PPTP pass GRE and TCP port 1723 through the Firebox and to the RRAS server. Since in the earlier steps we enabled logging, you should be able to see the traffic pass. If you have any problems, let me know. I know Watchguard WFS and Fireware Pro like the back of my hand, with dozens and dozens of hours of experience. My email is josh@tnsnet.org
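An added example (not part of the original posts): a Python check for packets captured on the RRAS server side, reporting whether both the TCP 1723 control channel and the GRE (IP protocol 47) data packets arrive. It assumes raw IPv4 packets with no link-layer header; the sample packets and the 203.0.113.10 client address are constructed.

```python
import struct

PPTP_CONTROL_PORT = 1723          # TCP control channel
IPPROTO_TCP, IPPROTO_GRE = 6, 47
GRE_PROTO_PPP = 0x880B            # enhanced GRE (RFC 2637) carries PPP

def classify(packet: bytes):
    """Return ('control', None), ('gre', call_id) or None for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return ("control", None) if PPTP_CONTROL_PORT in (sport, dport) else None
    if proto == IPPROTO_GRE and len(payload) >= 8:
        flags_ver, ptype, _plen, call_id = struct.unpack("!HHHH", payload[:8])
        # PPTP data packets: GRE version 1, key bit set, protocol type PPP
        if flags_ver & 0x0007 == 1 and flags_ver & 0x2000 and ptype == GRE_PROTO_PPP:
            return ("gre", call_id)
    return None

def diagnose(packets):
    """Summarise which halves of a PPTP session reached the capture point."""
    kinds = {c[0] for c in map(classify, packets) if c}
    if {"control", "gre"} <= kinds:
        return "control and GRE both seen"
    if "control" in kinds:
        return "TCP 1723 seen, no GRE (IP protocol 47) reached this host"
    if "gre" in kinds:
        return "GRE seen without TCP 1723"
    return "no PPTP traffic seen"

def ipv4(proto, payload, src="203.0.113.10", dst="10.0.0.96"):
    """Build a minimal IPv4 packet (checksum left zero) for the constructed samples."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload

# Constructed samples: a TCP SYN to port 1723 and one PPTP GRE packet (call ID 7).
TCP_SYN = ipv4(IPPROTO_TCP, struct.pack("!HHIIHHHH", 49152, 1723, 1, 0, 0x5002, 8192, 0, 0))
GRE_PPP = ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 4, 7, 1) + b"\xff\x03\xc0\x21")

if __name__ == "__main__":
    print(diagnose([TCP_SYN]))            # the symptom described in the question
    print(diagnose([TCP_SYN, GRE_PPP]))   # a working pass-through
```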
stratlover4life Commented:
Also, when you create the 1 to 1 NAT, make sure you exclude the same range External to Real Base IPs in the Dynamic NAT tab next to 1 to 1.
pclark6127 Author Commented:
Had to upgrade my firewall version to get this to work. Sorry, none of the solutions worked. Thanks for trying.