Solved

Trouble getting VPN Pass through to work on a Watchguard Firebox w/7.3 software

Posted on 2009-06-30
7
1,597 Views
Last Modified: 2013-11-16
I am not able to authenticate to my MS PPTP server on the other side of a Watchguard x700 w/7.3 software.

I have configured a 1-1 NAT w/an available routable IP address mapped to an internal address of 10.0.0.96

I have configure a packet filter from ANY to the outside routable I used.  I have also tried from any to the 10.0.0.96 address.  

On the PPTP server I get a message about GRE not being passed but I am using the Watchguard PPTP filter that includes GRE.  I see where you can't static NAT GRE so, that is not an option.

I am looking for help in troubleshooting this problem.   Thanks....
0
Comment
Question by:pclark6127
  • 3
  • 2
  • 2
7 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24751725
You should use the predefined PPTP service rather than a custom service; because the predefined service contains both TCP 1723 [for PPTP] and IP protocol # 47 [for GRE].

Please make sure that you configure 1-1 NAT, add NAT exception and that this public IP not part of alias on the external interface.

Please advice if you need more help.

Thank you.
0
 
LVL 1

Author Comment

by:pclark6127
ID: 24754934
Thanks..  I have done all this and it's still not working.  I have been advised by Watchguard to upgrade to 7.5 from 7.3.  I will be doing this today.  If it works I will update here.  Thanks..
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24755782
Not sure if upgrading to 7.5 would make any difference; please try that; one thing which I would be interested in knowing is that are you using software with high encryption [go to Help->About and it would tell].

Also, on the MS server the default gateway is the internal IP of FB and there are no multiple gateways configured on the MS server.

Thank you.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 1

Expert Comment

by:stratlover4life
ID: 25735381
Hi I had this same issue and I can help you resolve it.
0
 
LVL 1

Expert Comment

by:stratlover4life
ID: 25735439

I know you have gone over this already but I will explain the Steps you need I spent hours trying to figure this crap out. First it doesnt matter if you are using WFS 7.3 or 7.5 the Steps below will be a great Help.

1. Create a 1 to 1 NAT from External to real Base( The trick is you can not  have the Ip in the external interface or the alternate interface basiclly the alias ip's i am refering too).
You Will need 1 IP for this just dedicated  from External to your MS Server running RRAS.
For Example in 1 to 1 NAT select in hosts to NAT 1 Real Base usable public IP and real base is the internal I of the Microsoft RRAS Server.

2. Create a new policy  with the packet Filters using PPTP.

In the Incoming Tab Select ANY.. (Very Important)

Select to in the incoming to the Public IP you specfied in the 1 to 1 NAT.

Go to Logging and allow logging for incoming Packets and outgoing denied and Allowed.

Save the config and test it using the public ip address from a DSL line or what ever you can outside your network.

When you test this using a simple microsoft PPTP VPN watch the Firebox active traffic log in WSM
and you will see the policy for PPTP Pass GRE and TCP port 1723 through the firebox and to the RRAS server. Since in the earlier steps we enabled login you should be able to see the traffic pass. If you have any problems let me know I Watchgaurd WFS and Fireware Pro like the back of my hand Dozens and Dozens of hours of experience. My email is josh@tnsnet.org
0
 
LVL 1

Expert Comment

by:stratlover4life
ID: 25735463
Also when you create the 1 to 1 NAt make sure you excude the same range
External to Realbase IP's in the Dynamic NAT tab Next to 1 to 1.
0
 
LVL 1

Accepted Solution

by:
pclark6127 earned 0 total points
ID: 25944595
Had to upgrade my firewall version to get this to work.   Sorry, non of the solutions worked.  Thanks for trying.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now