Trouble getting VPN Pass through to work on a Watchguard Firebox w/7.3 software

Posted on 2009-06-30
Medium Priority
Last Modified: 2013-11-16
I am not able to authenticate to my MS PPTP server on the other side of a Watchguard x700 w/7.3 software.

I have configured a 1-1 NAT w/an available routable IP address mapped to an internal address of

I have configured a packet filter from ANY to the outside routable I used.  I have also tried from any to the address.  

On the PPTP server I get a message about GRE not being passed but I am using the Watchguard PPTP filter that includes GRE.  I see where you can't static NAT GRE so, that is not an option.

I am looking for help in troubleshooting this problem.   Thanks....
Question by:pclark6127
LVL 32

Expert Comment

ID: 24751725
You should use the predefined PPTP service rather than a custom service, because the predefined service contains both TCP 1723 [for PPTP] and IP protocol # 47 [for GRE].

Please make sure that you configure 1-1 NAT, add a NAT exception, and that this public IP is not part of an alias on the external interface.

Please advise if you need more help.

Thank you.

Author Comment

ID: 24754934
Thanks..  I have done all this and it's still not working.  I have been advised by Watchguard to upgrade to 7.5 from 7.3.  I will be doing this today.  If it works I will update here.  Thanks..
LVL 32

Expert Comment

ID: 24755782
Not sure if upgrading to 7.5 would make any difference; please try that; one thing which I would be interested in knowing is that are you using software with high encryption [go to Help->About and it would tell].

Also, on the MS server the default gateway is the internal IP of FB and there are no multiple gateways configured on the MS server.

Thank you.

Expert Comment

ID: 25735381
Hi I had this same issue and I can help you resolve it.

Expert Comment

ID: 25735439

I know you have gone over this already, but I will explain the steps you need. I spent hours trying to figure this crap out. First, it doesn't matter if you are using WFS 7.3 or 7.5; the steps below will be a great help.

1. Create a 1 to 1 NAT from External to Real Base. (The trick is you cannot have the IP in the external interface or the alternate interface; basically the alias IPs I am referring to.)
You will need 1 IP dedicated just for this, from External to your MS server running RRAS.
For example, in 1 to 1 NAT, select in hosts to NAT 1 Real Base usable public IP, and real base is the internal IP of the Microsoft RRAS Server.

2. Create a new policy with the packet filters using PPTP.

In the Incoming Tab Select ANY.. (Very Important)

For the To in the Incoming tab, select the public IP you specified in the 1 to 1 NAT.

Go to Logging and allow logging for incoming Packets and outgoing denied and Allowed.

Save the config and test it using the public IP address from a DSL line or whatever you can outside your network.

When you test this using a simple Microsoft PPTP VPN, watch the Firebox active traffic log in WSM
and you will see the policy for PPTP pass GRE and TCP port 1723 through the Firebox and to the RRAS server. Since in the earlier steps we enabled logging, you should be able to see the traffic pass. If you have any problems let me know. I know Watchguard WFS and Fireware Pro like the back of my hand, with dozens and dozens of hours of experience. My email is josh@tnsnet.org

Expert Comment

ID: 25735463
Also, when you create the 1 to 1 NAT, make sure you exclude the same range,
External to Real Base IPs, in the Dynamic NAT tab next to 1 to 1.

Accepted Solution

pclark6127 earned 0 total points
ID: 25944595
Had to upgrade my firewall version to get this to work.   Sorry, none of the solutions worked.  Thanks for trying.

Question has a verified solution.
