
SBS 2003 Watchguard Point To Point VPN

I set up two Watchguard Edge boxes in two locations, site A and site B. I am able to ping LAN IP addresses from both locations, but I can only browse the network from site B to site A. My setup is as follows:

Site A:
Watchguard Firebox X10e
LAN IP: 10.0.1.1

Site B:
SBS 2003
Watchguard Firebox X20e
LAN IP: 192.168.1.1
Internal NIC: 10.0.0.1
External NIC: 192.168.1.2 (File and Printer Sharing Enabled)

I think I have all the routes set up correctly, but when I try to browse \\192.168.1.2\ I get nothing.
Asked by datzent83
1 Solution
 
DIPRAJ commented:
Request you to check the same with the internal NIC.
datzent83 (Author) commented:
Check what exactly?
dpk_wal commented:
Is there a VPN tunnel between site A and site B?

Also, when you say:
Site B:
SBS 2003
Watchguard Firebox X20e
LAN IP: 192.168.1.1
Internal NIC: 10.0.0.1
External NIC: 192.168.1.2 (File and Printer Sharing Enabled)

On site B, how does SBS connect to the x20e? I am assuming that the LAN IP is for the x20e and the internal/external NICs are for SBS 2003.
Why do you have two NICs on SBS?

Thank you.
datzent83 (Author) commented:
There is a VPN tunnel between site A and site B. I can ping all IP addresses in both directions.

You are correct dpk_wal. The LAN IP (192.168.1.1) is for the x20e and the internal/external NICs are on the SBS box.

I used two NICs on the SBS for more security. Can the two-NIC setup be causing this? Maybe I need to plot a new route on the SBS that goes from 192.168.1.1 to 10.0.0.1?
dpk_wal commented:
My understanding of your network:

                               siteA                                           siteB
10.0.1.0/24--LAN---X10e---WAN=========WAN---x20e---LAN---192.168.1.0/24---SBS---10.0.0.x
                                                          VPN

First, if SBS is doing NAT for the 10.0.0.x subnet, then the x20e would never know that 10.0.0.x exists and no config is needed on the x20e.
If SBS is not doing NAT, then you should add a network route for the 10.0.0.0/24 network with 192.168.1.2 [SBS IP] as the gateway on the x20e.
Further, if you wish 10.0.0.0/24 to be reachable from site A, and SBS is not doing NAT, then you should include 10.0.0.0/24 in the VPN settings. Treat 10.0.0.0/24 as a local network on the x20e and configure it as you have for the 192.168.1.0/24 network.

Thank you.
datzent83 (Author) commented:
How do I check if SBS is using NAT?
datzent83 (Author) commented:
Sorry, SBS is doing NAT.
dpk_wal commented:
Run a sniffer [like Wireshark] on 192.168.1.x and see if you get packets with source 10.0.0.x; if yes, then SBS is not doing NAT; if all packets have source IP 192.168.1.2 [SBS IP], then it is doing NAT.

There must be a way to check on SBS but as I do not know about SBS I cannot help there.

Thank you.
datzent83 (Author) commented:
The SBS is doing NAT. Can I still make the VPN work?
dpk_wal commented:
As SBS is doing NAT, all traffic from machines behind SBS would use 192.168.1.2 as the source IP [assumption: it is doing many-to-one NAT].
So any machine from 10.0.1.x would initiate a connection to 192.168.1.2, and then SBS should have the intelligence to further send it to an internal machine. If not, only once a machine behind SBS sends a packet out to 10.0.1.x would the return traffic come back [what you already see: one-way communication from site B to site A].

Thank you.
datzent83 (Author) commented:
OK... Is there a workaround to make the VPN work on my current setup?
dpk_wal commented:
If you can disable NAT on SBS, and add 10.0.0.x as a secondary network on the x20e and in the VPN configuration on both the x10e and x20e, then both sites can initiate traffic.

Thank you.
dpk_wal commented:
Another option: on SBS, if you can configure inbound NAT, so that when it receives traffic on a specific port/protocol on IP 192.168.1.2 it forwards that traffic to an internal machine, then you can initiate traffic for those ports/protocols from site A to site B.

As I already said, I do not know how to configure SBS, so I do not know if/how this can be configured.

Thank you.
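The many-to-one NAT behaviour dpk_wal describes above (only return traffic gets back in), together with the inbound NAT option, as an added Python model that is not part of the original thread. The addresses are the thread's; the hosts 10.0.1.20 (site A) and 10.0.0.15 (behind SBS), the SMB port 445 and the translated port range are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SBS_EXTERNAL = "192.168.1.2"  # SBS external NIC, as given in the thread

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class ManyToOneNat:
    """Toy model of SBS doing many-to-one NAT (PAT) for the 10.0.0.x hosts."""
    def __init__(self) -> None:
        self.table: Dict[int, Tuple[str, int]] = {}          # external port -> (internal ip, port)
        self.reverse: Dict[Tuple[str, int], int] = {}        # (internal ip, port) -> external port
        self.port_forwards: Dict[int, Tuple[str, int]] = {}  # static inbound NAT rules
        self.next_port = 40000                               # constructed PAT port range
    def add_port_forward(self, dport: int, internal_ip: str, internal_port: int) -> None:
        self.port_forwards[dport] = (internal_ip, internal_port)
    def outbound(self, pkt: Packet) -> Packet:
        """Internal host sends out: create a mapping and rewrite the source to 192.168.1.2."""
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(SBS_EXTERNAL, self.reverse[key], pkt.dst, pkt.dport)
    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving at 192.168.1.2: delivered only if a mapping or forward rule exists."""
        if pkt.dst != SBS_EXTERNAL:
            return None
        target = self.table.get(pkt.dport) or self.port_forwards.get(pkt.dport)
        if target is None:
            return None  # unsolicited and no inbound NAT rule: dropped, site A sees nothing
        return Packet(pkt.src, pkt.sport, *target)

def demo() -> dict:
    """Constructed hosts: 10.0.1.20 at site A, 10.0.0.15 behind SBS; SMB on 445."""
    nat = ManyToOneNat()
    # 1. Site A browses \\192.168.1.2 before anything went out from behind SBS: dropped
    unsolicited = nat.inbound(Packet("10.0.1.20", 50000, SBS_EXTERNAL, 445))
    # 2. Host behind SBS initiates; the reply addressed to 192.168.1.2 is translated back
    out = nat.outbound(Packet("10.0.0.15", 51000, "10.0.1.20", 445))
    reply = nat.inbound(Packet("10.0.1.20", 445, out.src, out.sport))
    # 3. With an inbound NAT (port forward) rule for 445, site A can now initiate
    nat.add_port_forward(445, "10.0.0.15", 445)
    forwarded = nat.inbound(Packet("10.0.1.20", 50000, SBS_EXTERNAL, 445))
    return {"unsolicited": unsolicited, "out": out, "reply": reply, "forwarded": forwarded}
```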
datzent83 (Author) commented:
I think the easier alternative would be to set up SBS in a one-NIC setup.
dpk_wal commented:
Sure it would be; that was the reason I asked in my original post: why do you have two NICs on SBS?
datzent83 (Author) commented:
For more security. I will change that to one NIC and post back.
dpk_wal commented:
Were you able to get this resolved?
datzent83 (Author) commented:
Yes. Thank you :)