candrea71 asked:
Using a VPN on the Trusted from the DMZ

Hi all,
I know this may be a dummy's question, but I would like to see if it is possible to find a workaround before involving the external provider...

I have a WatchGuard running Fireware 10 on my network, and a VPN between the Trusted network and the external provider (213.X.X.X). Inside the network we use the VPN to connect a specific piece of software to a SQL 2005 database engine.

I would like to use the same remote database access from another DMZ.
On the firewall I've created a new rule to address the requests started from that network to the external provider's IP (213.X.X.X).

It seems (and for sure it is correct) that the traffic is directed through the internet, and not through the VPN.

Is there any way to tell the Firebox to use the VPN?

Thanks a lot for your advice!

Adrian Cantrill replied:

I'm not sure the route for the DB connection should terminate at the provider's external IP? Check the VPN tunnel connection and see if you have a route for any traffic destined for the external provider's network, check what the gateway for that route is, and make sure you have the same set on the Firebox for any traffic coming from the DMZ network.

Your routing is correctly identifying the 213 address as public, and I don't think you should change that, as it could affect the site<->VPN.

We would need a bit more detail about the structure of the network around the DMZ to know how to make the configuration changes.

dpk_wal replied:

Please provide some details on the VPN implemented by the service provider: does the VPN start after the packets are NATted by the Firebox? If yes, then any machine accessing the internet [on trusted or optional] would be able to get on the VPN.
If the service provider has put some device on the trusted network which is used for the VPN, then for the VPN both ends should know that the packet needs to be encrypted and decrypted. In this case the optional network needs to be configured on both ends.

Thank you.
candrea71 replied:

Hi woolnoir,
you're right... the VPN tunnel connection routes to a different IP of the provider that is on the same subnet as the IP of the database.
In the second paragraph you ask me to check the gateway for the route, and put it on the Firebox as default gateway... correct?
I really don't know where to put this information on the Firebox, at least not in Policy Manager -> Network -> Configuration...
I also tested pinging the VPN gateway and the external database IP from the DMZ, with no reply (it surely works when done from the trusted).
What type of information can be useful to achieve the goal of letting traffic bypass the trusted and reach the VPN?

Hi dpk_wal,
asking the provider to adapt the VPN settings to allow traffic from another network is exactly what I prefer not to do... I mean the best for me would be to find a good workaround to allow the traffic generated by the optional network to reach the external provider, passing through the trusted.
If it is possible in terms of security too, I mean :)))

It seems to me the VPN starts when there is traffic.

dpk_wal replied:

From the DMZ you should be able to ping the VPN gateway and external database and also connect to the internet; please ensure that dynamic NAT is configured.

By default, the Firebox allows dynamic NAT from all private IP ranges:
    * – Any-External
    * – Any-External
    * – Any-External
If the optional network is not in any of the subnets above, then proceed as below:
In Policy Manager go to Network -> NAT; Dynamic NAT tab; Add; From: Optional; To: External; click OK and save to the Firebox.

With dynamic NAT, there should be no need to configure anything at the ISP end.

Thank you.
Also, I forgot to mention that I will next be responding only on Monday 13th Sep.

Thank you.
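The thread turns on one decision the firewall makes per packet: does the (source, destination) pair fall inside one of the tunnel's configured local/remote network pairs, or not? If not, the packet takes the default route to the internet, which is what candrea71 sees from the DMZ. The model below is an added example, written for this page and not WatchGuard code or configuration; it uses documentation address ranges as stand-ins (192.168.1.0/24 for the trusted LAN, 203.0.113.0/24 for the public-addressed DMZ, 198.51.100.0/24 for the provider's network) and assumes, as dpk_wal's question about NAT order implies, that dynamic NAT is applied before the tunnel lookup. It walks through the three options discussed: a policy alone, adding a DMZ route on one or both ends, and NATting the DMZ source into the trusted range.

```python
"""Simplified model of 'tunnel or internet?' for a site-to-site IPsec VPN.
Teaching example, not WatchGuard Fireware code. Addresses are constructed
stand-ins from the RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class TunnelRoute:
    """One local/remote pair from the tunnel's routing table (the IPsec selectors)."""
    local_net: Net
    remote_net: Net


@dataclass(frozen=True)
class DynamicNat:
    """'From this network, to that network, rewrite the source to new_src'."""
    from_net: Net
    to_net: Net
    new_src: Addr


def apply_nat(src, dst, nat_rules):
    """Return the post-NAT source address; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in nat_rules:
        if s in rule.from_net and d in rule.to_net:
            return rule.new_src
    return s


def select_path(src, dst, routes):
    """'tunnel' if (src, dst) matches a tunnel route, otherwise 'internet'
    (the default route, i.e. the provider's public IP reached in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if s in r.local_net and d in r.remote_net:
            return "tunnel"
    return "internet"


def peer_accepts(src, dst, peer_routes):
    """The far end checks the decrypted inner packet against the routes *it*
    was configured with (given here in our orientation). A selector it does not
    know about is dropped: 'both ends should know'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.local_net and d in r.remote_net for r in peer_routes)


def forward(src, dst, routes, nat_rules=(), peer_routes=()):
    """Full decision: NAT first (assumed order), then tunnel lookup, then peer check."""
    post_src = apply_nat(src, dst, nat_rules)
    if select_path(post_src, dst, routes) != "tunnel":
        return "internet"
    return "tunnel" if peer_accepts(post_src, dst, peer_routes) else "dropped-by-peer"


# Constructed topology (assumptions, not the poster's real addresses)
TRUSTED = Net("192.168.1.0/24")      # trusted LAN
DMZ = Net("203.0.113.0/24")          # public-addressed DMZ (TEST-NET-3 stand-in)
PROVIDER = Net("198.51.100.0/24")    # provider's network (stand-in for 213.x)
DB = "198.51.100.20"                 # the SQL server behind the provider's VPN
BOTH_ENDS = [TunnelRoute(TRUSTED, PROVIDER)]   # the tunnel as configured today


def demo():
    results = {}
    # 1. Trusted host: selector matches on both ends.
    results["trusted"] = forward("192.168.1.10", DB, BOTH_ENDS, peer_routes=BOTH_ENDS)
    # 2. DMZ host with only a firewall policy: selector miss, goes out in the clear.
    results["dmz_policy_only"] = forward("203.0.113.5", DB, BOTH_ENDS, peer_routes=BOTH_ENDS)
    # 3. DMZ route added locally only: we encrypt, the provider has no matching selector.
    ours = BOTH_ENDS + [TunnelRoute(DMZ, PROVIDER)]
    results["dmz_route_local_only"] = forward("203.0.113.5", DB, ours, peer_routes=BOTH_ENDS)
    # 4. Same route on both ends: works, but needs the provider to reconfigure.
    results["dmz_route_both_ends"] = forward("203.0.113.5", DB, ours, peer_routes=ours)
    # 5. NAT the DMZ source into the trusted range before the tunnel lookup:
    #    no change at the provider, provided NAT really runs before the lookup.
    nat = [DynamicNat(DMZ, PROVIDER, ipaddress.ip_address("192.168.1.254"))]
    results["dmz_nat_to_trusted"] = forward("203.0.113.5", DB, BOTH_ENDS,
                                            nat_rules=nat, peer_routes=BOTH_ENDS)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

Case 5 is the workaround candrea71 is after, and the model makes its two preconditions explicit: the firewall must apply the source NAT before it consults the tunnel routes (the order dpk_wal asks about), and the substituted address must lie inside the selector the provider already accepts while not colliding with a real trusted host (192.168.1.254 is an assumption here). Whether a particular Fireware build honours that order is exactly what the poster's "Set source IP" test was probing; the model does not settle that, it only shows what has to be true for the test to succeed.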
candrea71 replied:

Hi dpk_wal,
the DMZ has public addresses, something like 83.103.x.x.
This is the reason why I tested the second solution (Policy Manager -> Network -> NAT -> Dynamic NAT), but no luck...
Tell me if more information is needed...
dpk_wal replied:

Can you update what entries you have under Dynamic NAT? You should have something like:
optional->external OR optional->external all

Thank you.
candrea71 replied:

In the rule -> Advanced tab I have the dynamic NAT flag set and tested both 'Use Network NAT settings' and 'All traffic in this policy' (I also tried masquerading the IP with a trusted one using the 'Set source IP' flag).
In the rule -> Policy -> To I also tried putting the provider's tunnel as destination..
No luck :(
dpk_wal replied:

This solution is only available to members.
candrea71 replied:

Perfect, thanks a lot!!!