Solved

How to configure WatchGuard so two sites communicate with VPN.

Posted on 2011-09-15
Last Modified: 2012-08-14
My company has 2 sites. We try to establish a permanent connection between the two sites.
One site runs in subnet 172.27.1.0/24
and the other site in subnet 172.27.0.0/24.

The first site communicates with the outside world through a router (IP 172.27.1.1).
The other site has a WatchGuard firewall (trusted interface 172.27.0.2), and one of its external interfaces has a router (192.168.0.1 255.255.255.0, gateway 192.168.0.254) which has a permanent SSL VPN connection with the router on the other site.
The SSL VPN connection between the 2 routers is established in subnet 10.27.1.0/24.

Is it possible for the two subnets to communicate with this architecture?
I think my problem is to route all traffic through the WatchGuard, and I don't know how to do that.
Should I use NAT or something else in policies?
My WatchGuard model is XTM22 (firmware 11.4.2).

In the end I want the domain controllers in each site to ping each other with no problem.

Question by: labricius

5 Comments
LVL 6

Expert Comment

by:netjgrnaut
ID: 36542422
I'm confused.
If I've got that right, here's what you're describing:

SiteA (172.27.1.0/24)
* RouterA (172.27.1.1/24 - inside, ?.?.?.?/? - outside, 10.27.1.x/24 - vpn)

SiteB (172.27.0.0/24)
* WtchGrdB (172.27.0.2/24 - inside, 192.168.0.1 - outside)
* RouterB (192.168.0.254/24 - inside, ?.?.?.?/? - outside, 10.27.1.x/24 - vpn)

Am I getting warm?  I don't see how RouterA and RouterB are connected - is this a private link, or (I think) Internet links?

What are the default gateways of your DCs at each site?

NAT is probably not the answer.  In fact, if I understand, you want the site-to-site traffic to go *around* the WatchGuard - not through it.  This is based on my understanding that the SSL VPN is established between RouterA and RouterB - and that this VPN is up even if the WatchGuard is down.

A little more info, and I think I can help...
LVL 9

Expert Comment

by:Brian
ID: 36543235
Do you have XTM22's at each site?

Can you describe your network route in this format. Fill in the make, model and IP of each:

LAN  at Site 1 > Firewall at Site 1 > Modem at Site 1> Internet < Modem at Site 2 < Firewall at Site 2 < LAN at Site 2
LVL 1

Author Comment

by:labricius
ID: 36543249
Ok, let me try to rephrase...

Site A
subnet 172.27.1.0/24
RouterA: LAN IP 172.27.1.1 and a dynamic IP from the ISP to connect to the Internet.
So the domain controller (dcA) there has a static IP 172.27.1.10, subnet mask 255.255.255.0,
gateway 172.27.1.1 (router) and DNS 127.0.0.1.

Site B
The subnet for our intranet is 172.27.0.0/24.
The WatchGuard is the gateway at IP 172.27.0.2 (trusted interface).
The WatchGuard has 4 external interfaces with 4 routers which all establish Internet connections, and it is working in load-balancing traffic mode.
The domain controller (dcB) there has a static IP 172.27.0.10, subnet mask 255.255.255.0,
gateway 172.27.0.2 (WatchGuard) and DNS 127.0.0.1.

We want to use one of these routers (routerB in our case) to make a permanent VPN connection with the router of site A. We did that using the SSL VPN protocol.
So routers A and B, apart from the IP they take from the ISP, also have another IP for the VPN so they can communicate with each other.
RouterA has the IP 10.27.1.6 and routerB has the IP 10.27.1.1.

The external interface of the WatchGuard to which routerB is connected has these settings:
192.168.0.1 255.255.255.0 gateway 192.168.0.254

So I don't want the traffic to go around the WatchGuard but through it. And yes, if the WatchGuard is down, everything is down.

When dcB in site B pings dcA, it should resolve the correct IP of dcA (172.27.1.10) and traffic should be routed through WatchGuard -> routerB -> Internet VPN -> routerA -> dcA.
When dcA in site A pings dcB, it should resolve the correct IP of dcB (172.27.0.10) and traffic should be routed through routerA -> Internet VPN -> routerB -> WatchGuard -> dcB.

Is it possible, and how?
We want to avoid buying a second WatchGuard for site A and establishing the VPN connection between the 2 WatchGuards.

LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 36543413
There's no reason you shouldn't be able to make this work, provided that the router-to-router VPN is up and running.  Can you ping one router's VPN interface IP from the other router?

First, leave DNS out of the mix until you've got good traffic flow.  Getting dcA to properly resolve dcB without static DNS entries (since both are using localhost as the sole DNS resolver) is a whole 'nother kettle of fish.  ;-)

Are you running any routing protocols on all this?  Let's assume not.

You'll need a static route on the WG for 172.27.1.0/24 that points to the inside interface of RouterB (which is one of four possible default routes to the Internet in your current config, if I understand your load-balancing solution correctly).

RouterB will also need this static route for 172.27.1.0/24, but pointing to RouterA's vpn interface IP address (10.27.1.6).

RouterA will need a static route for 172.27.0.0/24 that points to RouterB's vpn interface IP address (10.27.1.1).

*I'm assuming that RouterB already knows to route traffic for 172.27.0.0/24 through the WG.*  Perhaps I should ask if you have any services *behind* the WG that are accessible from the Internet (as this would indicate my assumption about routing is correct).

Now test:  (assumes that the firewall on dcA will allow ICMP in/out from more than just the local subnet)...

Can you ping the IP of dcA from RouterB?  If so, your static routes over the VPN are working.
Can you ping the IP of dcA from the WG?  If so, your static routes from the WG to the VPN are working.
Can you ping the IP of dcA from *behind* the WG (for example, from dcB)?  If not (and I'm betting not), you'll need to allow exceptions on the WG for traffic to/from 172.27.0.0/24 <-> 172.27.1.0/24.

Let's see how far that gets you...

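As an added example (not from the thread), the static routes netjgrnaut lists above, modelled as per-device tables with longest-prefix matching, so the path of a ping in each direction can be traced before touching real hardware. RouterB's route back to 172.27.0.0/24 via the WatchGuard is the answer's stated assumption; the "INTERNET" next hop is a constructed stand-in for the load-balanced ISP default, and toggling the WG's static route shows why site-to-site traffic dies without it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination prefix, next hop). "direct" = prefix is on an attached interface;
# "INTERNET" = constructed stand-in for the ISP default (RFC 1918 dst not routable).
Route = Tuple[str, str]

# Device owning each interface IP (addresses as given in the thread).
OWNER = {"172.27.0.10": "dcB", "172.27.0.2": "WG", "192.168.0.1": "WG",
         "192.168.0.254": "RouterB", "10.27.1.1": "RouterB",
         "10.27.1.6": "RouterA", "172.27.1.1": "RouterA", "172.27.1.10": "dcA"}

def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over one device's table; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best[1] if best else None

def build_tables(wg_static_route: bool) -> Dict[str, List[Route]]:
    """Static routes from the accepted answer; RouterB->WG for 172.27.0.0/24 is assumed."""
    wg = [("172.27.0.0/24", "direct"), ("192.168.0.0/24", "direct"),
          ("0.0.0.0/0", "INTERNET")]
    if wg_static_route:  # the route netjgrnaut says the WG needs
        wg.append(("172.27.1.0/24", "192.168.0.254"))
    return {
        "dcB": [("172.27.0.0/24", "direct"), ("0.0.0.0/0", "172.27.0.2")],
        "WG": wg,
        "RouterB": [("192.168.0.0/24", "direct"), ("10.27.1.0/24", "direct"),
                    ("172.27.1.0/24", "10.27.1.6"),
                    ("172.27.0.0/24", "192.168.0.1"), ("0.0.0.0/0", "INTERNET")],
        "RouterA": [("172.27.1.0/24", "direct"), ("10.27.1.0/24", "direct"),
                    ("172.27.0.0/24", "10.27.1.1"), ("0.0.0.0/0", "INTERNET")],
        "dcA": [("172.27.1.0/24", "direct"), ("0.0.0.0/0", "172.27.1.1")],
    }

def trace(tables: Dict[str, List[Route]], src: str, dst: str) -> List[str]:
    """Hop-by-hop path from device src to IP dst; ends at dst's owner, INTERNET, DROP or LOOP."""
    path, dev = [src], src
    for _ in range(8):  # hop limit guards against routing loops
        nexthop = lookup(tables[dev], dst)
        if nexthop is None or nexthop == "INTERNET":
            return path + [nexthop or "DROP"]
        dev = OWNER.get(dst, "unknown-host") if nexthop == "direct" else OWNER[nexthop]
        path.append(dev)
        if nexthop == "direct":
            return path
    return path + ["LOOP"]
```

The traces correspond to the answer's three ping tests; if a real trace stops at the WG even with the route in place, the remaining suspect is the WG policy for 172.27.0.0/24 <-> 172.27.1.0/24.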
LVL 9

Expert Comment

by:Brian
ID: 36544320
I did not see listed any external IP addresses. The 10.x.x.x addresses you listed are in the private LAN range. The Firewalls will need to know the external IP address of the other. The modems you have from your ISP are not passing through the public IP, but using a different private subnet.