labricius (Greece) asked:
How to configure WatchGuard so two sites communicate with VPN.

My company has 2 sites. We try to establish a permanent connection between the two sites.
One site runs in the subnet 172.27.1.0/24
and the other site in the subnet 172.27.0.0/24.

The first site communicates with the outside world through a router (IP 172.27.1.1).
The other site has a WatchGuard firewall (trusted interface 172.27.0.2), and one of its external interfaces has a router (192.168.0.1 255.255.255.0, gateway 192.168.0.254)
which has a permanent SSL VPN connection with the router on the other site.
The SSL VPN connection between the 2 routers is established in subnet 10.27.1.0/24.

Is it possible for the two subnets to communicate with this architecture?
I think my problem is to route all traffic through the WatchGuard and I don't know how to do that.
Should I use NAT or something else in policies?
My WatchGuard model is XTM22 (firmware 11.4.2).

In the end I want the domain controllers in each site to ping each other with no problem.

netjgrnaut (United States)

I'm confused
If I've got that right, here's what you're describing:

SiteA (172.27.1.0/24)
* RouterA (172.27.1.1/24 - inside, ?.?.?.?/? - outside, 10.27.1.x/24 - vpn)

SiteB (172.27.0.0/24)
* WtchGrdB (172.27.0.2/24 - inside, 192.168.0.1 - outside)
* RouterB (192.168.0.254/24 - inside, ?.?.?.?/? - outside, 10.27.1.x/24 - vpn)

Am I getting warm?  I don't see how RouterA and RouterB are connected - is this a private link, or (I think) Internet links?

What are the default gateways of your DCs at each site?

NAT is probably not the answer.  In fact, if I understand, you want the site-to-site traffic to go *around* the WatchGuard - not through it.  This is based on my understanding that the SSL VPN is established between RouterA and RouterB - and that this VPN is up even if the WatchGuard is down.

A little more info, and I think I can help...
Brian
Do you have XTM22's at each site?

Can you describe your network route in this format? Fill in the make, model and IP of each:

LAN  at Site 1 > Firewall at Site 1 > Modem at Site 1> Internet < Modem at Site 2 < Firewall at Site 2 < LAN at Site 2
labricius (asker)

OK, let me try to rephrase.

Site A
subnet 172.27.1.0/24
RouterA: LAN IP 172.27.1.1 and a dynamic IP from the ISP to connect to the Internet.
So the domain controller (dcA) there has a static IP 172.27.1.10, subnet mask 255.255.255.0,
gateway 172.27.1.1 (router) and DNS 127.0.0.1.

Site B
The subnet for our intranet is 172.27.0.0/24.
The WatchGuard is the gateway at IP 172.27.0.2 (trusted interface).
The WatchGuard has 4 external interfaces with 4 routers which all establish Internet connections, and it works in load-balancing traffic mode.
The domain controller (dcB) there has a static IP 172.27.0.10, subnet mask 255.255.255.0,
gateway 172.27.0.2 (WatchGuard) and DNS 127.0.0.1.

We want to use one of these routers (routerB in our case) to make a permanent VPN connection with the router of site A. We did that using the SSL VPN protocol.
So routers A and B, apart from the IP they take from the ISP, also have another IP for the VPN so they can communicate with each other.
RouterA has the IP 10.27.1.6 and routerB has the IP 10.27.1.1.

The external interface of the WatchGuard to which routerB is connected has these settings:
192.168.0.1 255.255.255.0, gateway 192.168.0.254

So I don't want the traffic to go around the WatchGuard but through it. And yes, if the WatchGuard is down, everything is down.

When dcB in site B pings dcA, it should resolve the correct IP of dcA (172.27.1.10) and the traffic should be routed through WatchGuard -> routerB -> Internet VPN -> routerA -> dcA.
When dcA in site A pings dcB, it should resolve the correct IP of dcB (172.27.0.10) and the traffic should be routed through routerA -> Internet VPN -> routerB -> WatchGuard -> dcB.

Is it possible, and how?
We want to avoid buying a second WatchGuard for site A and establishing the VPN connection between the 2 WatchGuards.
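As an added illustration (not the accepted solution, which is not shown on this page, and not WatchGuard's own route or policy syntax): a small Python model of the topology labricius describes. The addresses are the ones from the thread; the static routes at each hop, the firewall policy on the WatchGuard, and the placeholder ISP/default next hops are assumptions marked as such in the code. It forwards a packet hop by hop with longest-prefix matching and shows the wanted path dcB -> WatchGuard -> routerB -> VPN -> routerA -> dcA and its return, what happens when the WatchGuard has no route for 172.27.1.0/24 (the packet follows the default route towards the WAN and is lost), and what happens when no policy permits the traffic.

```python
import copy
import ipaddress

# Constructed model of the topology described in the thread. Each routing table is a list of
# (destination prefix, next hop, egress interface); next hop None means directly connected.
# Routes marked ASSUMED are static routes this example assumes each hop would need; the page
# does not state them. Next hops in angle brackets are placeholders for the ISP/default paths
# whose addresses the thread does not give.
TABLES = {
    "dcB": [("172.27.0.0/24", None, "lan"), ("0.0.0.0/0", "172.27.0.2", "lan")],
    "watchguard": [
        ("172.27.0.0/24", None, "trusted"),
        ("192.168.0.0/24", None, "external-B"),
        ("172.27.1.0/24", "192.168.0.254", "external-B"),   # ASSUMED: static route to site A
        ("0.0.0.0/0", "<load-balanced WAN>", "multi-wan"),
    ],
    "routerB": [
        ("192.168.0.0/24", None, "lan"),
        ("10.27.1.0/24", None, "sslvpn"),
        ("172.27.1.0/24", "10.27.1.6", "sslvpn"),           # ASSUMED: site A via the tunnel
        ("172.27.0.0/24", "192.168.0.1", "lan"),            # ASSUMED: return path to site B LAN
        ("0.0.0.0/0", "<ISP-B>", "wan"),
    ],
    "routerA": [
        ("172.27.1.0/24", None, "lan"),
        ("10.27.1.0/24", None, "sslvpn"),
        ("172.27.0.0/24", "10.27.1.1", "sslvpn"),           # ASSUMED: site B via the tunnel
        ("0.0.0.0/0", "<ISP-A>", "wan"),
    ],
    "dcA": [("172.27.1.0/24", None, "lan"), ("0.0.0.0/0", "172.27.1.1", "lan")],
}

# Addresses from the thread, mapped to the node that owns them.
ADDRESSES = {
    "172.27.0.10": "dcB", "172.27.0.2": "watchguard", "192.168.0.1": "watchguard",
    "192.168.0.254": "routerB", "10.27.1.1": "routerB",
    "10.27.1.6": "routerA", "172.27.1.1": "routerA", "172.27.1.10": "dcA",
}

# ASSUMED firewall policy on the WatchGuard: (source prefix, destination prefix) pairs that may be
# forwarded; anything else is dropped. No NAT is modelled: private-to-private routing over the
# tunnel does not need it.
WATCHGUARD_POLICY = [("172.27.0.0/24", "172.27.1.0/24"), ("172.27.1.0/24", "172.27.0.0/24")]


def lookup(table, dst_ip):
    """Longest-prefix match over one routing table; returns (network, next_hop, interface)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def policy_allows(src_ip, dst_ip, policy=WATCHGUARD_POLICY):
    """True if some policy pair covers both the source and the destination address."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) for s, d in policy)


def trace(src_ip, dst_ip, tables=TABLES, policy=WATCHGUARD_POLICY, max_hops=10):
    """Forward a packet hop by hop. Returns the nodes visited; the last element is the destination
    node on success, otherwise a string saying where the packet was lost or dropped."""
    node = ADDRESSES[src_ip]
    path = [node]
    for _ in range(max_hops):
        # The firewall only forwards what a policy permits.
        if node == "watchguard" and not policy_allows(src_ip, dst_ip, policy):
            path.append("dropped by watchguard policy")
            return path
        _net, next_hop, iface = lookup(tables[node], dst_ip)
        if next_hop is None:                      # destination network is directly connected
            target = ADDRESSES.get(dst_ip)
            path.append(target if target else f"no host {dst_ip} on {iface}")
            return path
        if next_hop not in ADDRESSES:             # leaves the modelled topology (plain Internet)
            path.append(f"lost via {iface} to {next_hop}")
            return path
        node = ADDRESSES[next_hop]
        path.append(node)
    path.append("hop limit exceeded")
    return path


def without_route(tables, node, prefix):
    """Copy of the tables with one route removed, to show the effect of a missing static route."""
    new = copy.deepcopy(tables)
    new[node] = [r for r in new[node] if r[0] != prefix]
    return new


if __name__ == "__main__":
    print("dcB -> dcA:", " -> ".join(trace("172.27.0.10", "172.27.1.10")))
    print("dcA -> dcB:", " -> ".join(trace("172.27.1.10", "172.27.0.10")))
    broken = without_route(TABLES, "watchguard", "172.27.1.0/24")
    print("no WatchGuard route:", " -> ".join(trace("172.27.0.10", "172.27.1.10", broken)))
    print("no policy:", " -> ".join(trace("172.27.0.10", "172.27.1.10", policy=[])))
```

The model reduces the question to routing plus policy: every hop on the path needs a route for the remote subnet pointing at the next hop over the tunnel, in both directions (the return path is what is most often forgotten), and the firewall additionally needs a policy that permits the two private subnets to talk; NAT is not modelled, in line with netjgrnaut's remark that NAT is probably not the answer here. The real XTM route and policy configuration is not on this page and is not reproduced.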


ASKER CERTIFIED SOLUTION
netjgrnaut (United States)

I did not see any external IP addresses listed. The 10.x.x.x addresses you listed are in the private LAN range. The firewalls will need to know the external IP address of the other. The modems you have from your ISP are not passing through the public IP, but using a different private subnet.