Solved

Watchgautd Site-to-site VPN Problem

Posted on 2010-09-19
9
491 Views
Last Modified: 2012-05-10
Hi There,

i give you a brife explnation on what do i want to achive with ipsec tunnel, i want to conect two site through Internet , Site A has watchgaurs (managed by me) as Internet gateway and the Site B has Cisco ASA as internet gateway which is managed by ISP.
I communicate with ISP and wemanaged to setup ipsec/BOVPN successfully, phase1 and phase 2 can establish. but i cannot any PC's behand firewalls.

Watchgaurd model is
site A ip subnet is 192.168.100.0 default gateway 192.168.100.1 (watchgaurd)
Site B ip subnet is 192.168.4.0 default gateway 192.168.4.3 (Cisco ASA)
 
Note: From a PC at site B, i can ping watchgaurs (192.168.100.1) Internal ip address but not any other machine behind it.

Also from a PC at site A, i cannot ping any ip address at site B.

so i think that routing/natting should working fine at Cisco ASA because site B can ping my watchggautd Internal IP.

i think there should be a routing/NAt issue at watchgaurd which cannot route packet to inside or from inside route to 192.168.4.0

I addedd watchgaurd and Cisco ASA configs, the red lin shows the new configs on ASA

your assist on this is much appreciate.



 watchgaurd.docx Cisco.doc
0
Comment
Question by:rafatifard
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 6

Expert Comment

by:kuoh
ID: 33714489
From what I can see of the ASA config, 192.168.4.3 is not one of its interfaces, although it could be an internal router.  I don't know much about Watchguards, but if you have to add a route back to 192.168.4.0, then you might try using their outside IP (125.7.91.218) as the gateway.
0
 
LVL 11

Expert Comment

by:diprajbasu
ID: 33715124
apart from the previous comment you can allow all port open between the vpn channel
0
 

Author Comment

by:rafatifard
ID: 33715162
you right, 192.168.4.3 is internal switch. where should i add route back, on watchgard ?

0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:rafatifard
ID: 33715182
as far as i know all porrs (any) are open between trustes-external and the VPN tunnel, or if there is not the case, where should i add the policy, on whatcguard or ASA ? if yes can you send me an example.

Also, i can ping from a PC at site B to 192.168.100.1 (the internal watchgaurd IP address) but not get through any server/pc behind it. and from a PC at site A i cannot ping anything beyond the tunnel.
0
 

Author Comment

by:rafatifard
ID: 33721471
Hi There,

Any comment on this, i need an assist on this to fix the routing quickly

Mant thanks
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33721525
 Does the Watchguard have any sort of monitoring of the VPN tunnel statistics, like number of packets encrpted/decrypted?  If so, then try starting a continuous ping from site B to the Watchguard.  If everything is working like we think it is, the number of encrypt/decrypt packets should increase steadily.  Once that is confirmed, try pinging a known live IP in your network.  If both counters increase, then the problem is probably not on your side.  If however, you only see the decrypt counter increase, then that means the Watchguard isn't sending traffic back through the tunnel for some reason.  You may also want to trace route from both sites and see if there are any abnormal results, like public IPs showing up, indicating the traffic is going out the public interface rather than the tunnel.

  Right now, there are some devices on the other side that you don't have control of and we don't know the details of, like the managed switch at 192.168.4.3.  Since it's managed, is it also a layer 3 switch?  If so, there might be other routing issues that we're unaware of, but first we have to verify that traffic is indeed being encrypted on your side and being forwarded to the ASA.
0
 
LVL 4

Expert Comment

by:LBACIS
ID: 33756277
it looks like both ends of the routes are missing. I would also make sure your tunnel is part of a ANY ANY rule if you are allowing everything through.
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33756581
Site B wouldn't be able to ping the Watchguard if that were the case.  We need to see some trace route and encrypt/decrypt stats to get a better idea of exactly where packets are getting lost.
0
 
LVL 4

Accepted Solution

by:
LBACIS earned 500 total points
ID: 33783632
Ok kuoh I have been doing this for 20 years, sorry for being a little off. If he can ping one way but not the other the single round would have the failed or non configured routes. The tunnel would not create if the dynamic VPN policies did not match. I would also look at that to make sure the policy was written for 2 way. Double check the dynamic NAT on the advanced tab of the VPN policy and make sure you have it checked. Or if you want to attach the policy here and I will look at it.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Creating a new VRF on Cisco Nexus 5596UP 8 39
How to append an output to existing file with DOS and IPerf 2 37
VPN Ports 8 33
VLAN Configuration on Cisco Switch 8 21
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question