Solved

Watchguard Firebox and VPN Routing

Posted on 2012-03-26
5
724 Views
Last Modified: 2012-07-01
I have two offices each with a Firebox firewall running XTM. Each office has its own internet service provider/internet access. I have a vpn connection between offices that goes over the internet and links the private/trusted networks.

Let us say my Firebox ip's are setup as

Office 1
External Internet IP 105.105.105.5, External Internet Gateway 105.105.105.1
Private/Trusted network 192.168.111.0/24

Office 2
External Internet IP 205.205.205.5, External Internet Gateway 205.205.205.1
Private/Trusted network 192.168.222.0/24

VPN 192.168.111.0/24 <==> 192.168.222.0/24

I have my VPN gateway endpoints now set at 105.105.105.5 and 205.205.205.5, the public ip of the Fireboxes

Now, I have setup a point to point private connection between the two offices using two wireless access points. The Firebox only allows External interfaces to be VPN gateway endpoints.

1) How should I setup the ip's on the wireless access points and on the Firebox so that the access points can be used as  VPN gateway endpoints?

2) How can I route internet, non-vpn, traffic through the access points so they can be used as a secondary/backup internet connection if the internet service provider's line goes down at an office?

Thank you for your help
0
Comment
Question by:mmcodefive
  • 3
  • 2
5 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37771646
Enable multi WAN which would help you achieve both 1 and 2 above.

Have a look at link:
http://customers.watchguard.com/articles/Article/3033

Please implement and update.

Thank you.
0
 
LVL 6

Author Comment

by:mmcodefive
ID: 37772342
Multi-wan is if  I had two connections with internet access at each office. I have only one connection at each office that has internet. The second conneciton is point to point between each office, no internet.

If I do a multi-wan setup I have to setup a route from the point to point connection out to the internet on the firebox that is accepting the packets.

Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two. I need to know how then to route those packets out to the internet. Basically an external to external policy on firebox two that does not affect the existing VPN.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37777737
>> Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two.

Once packets reach firewall at office two; configure a policy as:
Enabled and Allowed
From 192.168.111.0/24; to Any-external, 192.168.222.0/24

Firebox at office two would do dynamic NAT automatically as it would have entry for 192.168.0.0/16.

Please implement and update.

Thank you.
0
 
LVL 6

Accepted Solution

by:
mmcodefive earned 0 total points
ID: 37844305
The solution is to use dynamic routes. I am working with Watchguard support on the issue. They have some directions on how to do this that are similar to what I want to do.

http://www.watchguard.com/help/docs/wsm/11-XTM/en-US/Content/en-US/bovpn/manual/vpn_failover_from_leased_line_overview_c.html
0
 
LVL 6

Author Closing Comment

by:mmcodefive
ID: 38142471
The solution to this setup is documented in the link above.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
URGENT- Can't login to Bizportal over VPN 2 41
New firewall implementation guidance 12 104
Ping in Fortigate 2 33
sonicwall vpn green lights on both, but no traffic 10 16
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question