• Status: Solved

Watchguard firebox x1250e PPTP VPN client cannot see subnets

I have a WatchGuard Firebox X1250e and configured a PPTP VPN for mobile clients. I have three internal subnets: 192.168.33.x, 192.168.43.x and 192.168.63.x. Remote clients can connect, but only see/ping the 33.x subnet. They can't connect to any device on the 43.x and 63.x subnets. The range in the PPTP setup is 33.111-33.119.

The clients get all the IP settings, but one thing I notice is that the subnet mask is 255.255.255.255; I can't see where to configure that in the VPN setup.

I also added, in the PPTP access policy, From: PPTP users, To: 0.0.0.0/0 to try to resolve the issue, but still no good.
0
Asked by: MattGardi

dpk_wal Commented:
Please have a look at article below:
http://watchguard.custhelp.com/app/answers/detail/a_id/1766/related/1

Specifically below:
http://watchguard.custhelp.com/app/answers/detail/a_id/1781

Please note: on the client, make sure that in the VPN/virtual adapter -> Properties -> Networking -> TCP/IP -> Properties -> Advanced -> General, “Use default gateway on remote network” is checked [it is checked by default].

Not sure if 0.0.0.0/0 would work in policy; if not, set to specific network IPs: 192.168.43.0/24, 192.168.63.0/24 and 192.168.33.0/24

Please implement and update.

Thank you.
0
 
MattGardi (Author) Commented:
Thanks. Yes, I had read those, and it doesn't work with “use default gateway on remote network” checked.

I have yet to try manually adding a route, but will first try adding the subnets as you suggested, test, and then try a manual route to the subnets from the client and test.
0
 
dpk_wal Commented:
Sure, please update; if needed, we can create a batch file for end users to install the routes for them.

Thank you.
0
 
MattGardi (Author) Commented:
Subnets in the policy did not work. One thing that puzzles me is that the subnet mask of the client is 255.255.255.255. Also, I just noticed that the default gateway is the same as the IP issued to the VPN client.

I then added the route to the client and that did not work either.
0
 
dpk_wal Commented:
Can you post a sanitized route print statement [only mask the public IP; please leave private IPs intact] from before adding routes manually and from after adding the routes?

Thank you.
0
 
dpk_wal Commented:
Forgot to mention that on the VPN the DG and IP are the same, as the subnet mask is /32 [255.255.255.255]; this is normal.
0
 
MattGardi (Author) Commented:
See below. You can see before and after and the results of a ping each time, and also the ipconfig.

Also, you will see the subnets are really 35, 45, etc., not the 33, 43 I originally posted here.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 f1 d0 00 f1 d0 ...... GlobeTrotter Icon322 - Network Interface - Packe
t Scheduler Miniport
0x3 ...00 21 70 6f 7f 81 ...... Broadcom NetXtreme 57xx Gigabit Controller - Pac
ket Scheduler Miniport
0x4 ...00 1f 3b cc 72 7d ...... Intel(R) Wireless WiFi Link 4965AGN - Packet Sch
eduler Miniport
0x5 ...00 ff 31 33 04 91 ...... TAP-Win32 Adapter OAS - Packet Scheduler Minipor
t
0x60007 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  166.214.235.184  166.214.235.186      41
          0.0.0.0          0.0.0.0   192.168.35.112  192.168.35.112       1
   xx.xxx.xxx.xxx  255.255.255.255  166.214.235.184  166.214.235.186      40
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    166.214.235.0    255.255.255.0  166.214.235.186  166.214.235.186      40
  166.214.235.186  255.255.255.255        127.0.0.1       127.0.0.1       40
  166.214.255.255  255.255.255.255  166.214.235.186  166.214.235.186      40
      169.254.0.0      255.255.0.0  166.214.235.186  166.214.235.186      20
   192.168.35.112  255.255.255.255        127.0.0.1       127.0.0.1       50
   192.168.35.255  255.255.255.255   192.168.35.112  192.168.35.112       50
        224.0.0.0        240.0.0.0  166.214.235.186  166.214.235.186      40
        224.0.0.0        240.0.0.0   192.168.35.112  192.168.35.112       1
  255.255.255.255  255.255.255.255  166.214.235.186  166.214.235.186      1
  255.255.255.255  255.255.255.255  166.214.235.186               4       1
  255.255.255.255  255.255.255.255  166.214.235.186               3       1
  255.255.255.255  255.255.255.255  166.214.235.186               5       1
  255.255.255.255  255.255.255.255   192.168.35.112  192.168.35.112       1
Default Gateway:    192.168.35.112
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\Administrator>ping 192.168.35.5

Pinging 192.168.35.5 with 32 bytes of data:

Reply from 192.168.35.5: bytes=32 time=219ms TTL=254
Reply from 192.168.35.5: bytes=32 time=113ms TTL=254
Reply from 192.168.35.5: bytes=32 time=127ms TTL=254
Reply from 192.168.35.5: bytes=32 time=122ms TTL=254

Ping statistics for 192.168.35.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 113ms, Maximum = 219ms, Average = 145ms

C:\Documents and Settings\Administrator>ping 192.168.45.142

Pinging 192.168.45.142 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.45.142:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Administrator>route add 192.168.45.0 mask 255.255.255.
0 192.168.35.112 metric 1

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : D830Ghost
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : GlobeTrotter Icon322 - Network Inter
face
        Physical Address. . . . . . . . . : 00-F1-D0-00-F1-D0
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 166.214.235.186
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 166.214.235.184
        DHCP Server . . . . . . . . . . . : 166.214.235.185
        DNS Servers . . . . . . . . . . . : 209.183.35.23
                                            209.183.33.23
        Lease Obtained. . . . . . . . . . : Tuesday, November 30, 2010 10:57:48
AM
        Lease Expires . . . . . . . . . . : Wednesday, December 08, 2010 8:17:22
 AM

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Cont
roller
        Physical Address. . . . . . . . . : 00-21-70-6F-7F-81

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
        Physical Address. . . . . . . . . : 00-1F-3B-CC-72-7D

Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : TAP-Win32 Adapter OAS
        Physical Address. . . . . . . . . : 00-FF-31-33-04-91

PPP adapter SAO VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.35.112
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.35.112
        DNS Servers . . . . . . . . . . . : 192.168.35.201
                                            68.87.74.162
        Primary WINS Server . . . . . . . : 192.168.35.201
        Secondary WINS Server . . . . . . : 192.168.35.12

C:\Documents and Settings\Administrator>ping 192.168.45.142

Pinging 192.168.45.142 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.45.142:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Administrator>ping 192.168.35.5

Pinging 192.168.35.5 with 32 bytes of data:

Reply from 192.168.35.5: bytes=32 time=762ms TTL=254
Reply from 192.168.35.5: bytes=32 time=761ms TTL=254
Reply from 192.168.35.5: bytes=32 time=510ms TTL=254
Reply from 192.168.35.5: bytes=32 time=2388ms TTL=254

Ping statistics for 192.168.35.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 510ms, Maximum = 2388ms, Average = 1105ms

C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 f1 d0 00 f1 d0 ...... GlobeTrotter Icon322 - Network Interface - Packe
t Scheduler Miniport
0x3 ...00 21 70 6f 7f 81 ...... Broadcom NetXtreme 57xx Gigabit Controller - Pac
ket Scheduler Miniport
0x4 ...00 1f 3b cc 72 7d ...... Intel(R) Wireless WiFi Link 4965AGN - Packet Sch
eduler Miniport
0x5 ...00 ff 31 33 04 91 ...... TAP-Win32 Adapter OAS - Packet Scheduler Minipor
t
0x60007 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  166.214.235.184  166.214.235.186      41
          0.0.0.0          0.0.0.0   192.168.35.112  192.168.35.112       1
   xx.xxx.xxx.xxx  255.255.255.255  166.214.235.184  166.214.235.186      40
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    166.214.235.0    255.255.255.0  166.214.235.186  166.214.235.186      40
  166.214.235.186  255.255.255.255        127.0.0.1       127.0.0.1       40
  166.214.255.255  255.255.255.255  166.214.235.186  166.214.235.186      40
      169.254.0.0      255.255.0.0  166.214.235.186  166.214.235.186      20
   192.168.35.112  255.255.255.255        127.0.0.1       127.0.0.1       50
   192.168.35.255  255.255.255.255   192.168.35.112  192.168.35.112       50
     192.168.45.0    255.255.255.0   192.168.35.112  192.168.35.112       1
        224.0.0.0        240.0.0.0  166.214.235.186  166.214.235.186      40
        224.0.0.0        240.0.0.0   192.168.35.112  192.168.35.112       1
  255.255.255.255  255.255.255.255  166.214.235.186  166.214.235.186      1
  255.255.255.255  255.255.255.255  166.214.235.186               4       1
  255.255.255.255  255.255.255.255  166.214.235.186               3       1
  255.255.255.255  255.255.255.255  166.214.235.186               5       1
  255.255.255.255  255.255.255.255   192.168.35.112  192.168.35.112       1
Default Gateway:    192.168.35.112
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\Administrator>

0
 
MattGardi (Author) Commented:
Here is another thought: the subnets are Metro-E remote offices, linked by Cisco routers. Do you think the IP of the remote client gets through to the Firebox as 35.112, or is it appearing as something else once it passes through the Firebox into the 35 subnet?
0
 
MattGardi (Author) Commented:
Solved the issue.  I needed to make a route on the firebox to our internal gateway that sends traffic out to the respective subnet routers.

Thanks for your assistance.
0
 
dpk_wal Commented:
Thank you for the update and points; I had overlooked adding routes on WG.
0
 
MattGardi (Author) Commented:
My comment was the solution, but thanks for your help and info, which was also accurate.
0
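
As an added example (not part of the thread and not WatchGuard or Microsoft code), the sketch below parses a subset of the `route print` rows posted above and applies longest-prefix, lowest-metric selection to show that the client was already sending 192.168.45.x traffic into the PPP adapter before the manual route was added, which is why the fix had to be a route on the Firebox. The function names are hypothetical, and the masked public host route is left out of the sample.

```python
import ipaddress

# Sample rows copied from the "Active Routes" table in the thread
# (subset; the masked xx.xxx.xxx.xxx host route is omitted).
ROUTES_BEFORE = """\
0.0.0.0          0.0.0.0  166.214.235.184  166.214.235.186      41
0.0.0.0          0.0.0.0   192.168.35.112  192.168.35.112       1
166.214.235.0    255.255.255.0  166.214.235.186  166.214.235.186      40
192.168.35.112  255.255.255.255        127.0.0.1       127.0.0.1       50
192.168.35.255  255.255.255.255   192.168.35.112  192.168.35.112       50
"""
# The row that `route add 192.168.45.0 mask 255.255.255.0 ...` produced.
MANUAL_ROUTE = "192.168.45.0 255.255.255.0 192.168.35.112 192.168.35.112 1\n"


def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            metric = int(fields[4])
        except ValueError:
            continue  # header row or sanitized address
        routes.append((net, fields[2], fields[3], metric))
    return routes


def select_route(routes, dest):
    """Longest prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r[0].prefixlen, r[3]))


def egress_interface(route_text, dest):
    """Interface address the client would use to reach dest, or None."""
    route = select_route(parse_routes(route_text), dest)
    return route[2] if route else None


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE),
                         ("after", ROUTES_BEFORE + MANUAL_ROUTE)):
        for dest in ("192.168.35.5", "192.168.45.142"):
            print(label, dest, "->", egress_interface(table, dest))
```

Both destinations resolve to the PPP interface 192.168.35.112 in both tables, so the client-side route changes nothing; the reachable and unreachable subnets differ only in what the firewall knows how to forward.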
