Watchguard Firebox and VPN Routing
I have two offices each with a Firebox firewall running XTM. Each office has its own internet service provider/internet access. I have a vpn connection between offices that goes over the internet and links the private/trusted networks.
Let us say my Firebox ip's are setup as
Office 1
External Internet IP 105.105.105.5, External Internet Gateway 105.105.105.1
Private/Trusted network 192.168.111.0/24
Office 2
External Internet IP 205.205.205.5, External Internet Gateway 205.205.205.1
Private/Trusted network 192.168.222.0/24
VPN 192.168.111.0/24 <==> 192.168.222.0/24
I have my VPN gateway endpoints now set at 105.105.105.5 and 205.205.205.5, the public ip of the Fireboxes
Now, I have setup a point to point private connection between the two offices using two wireless access points. The Firebox only allows External interfaces to be VPN gateway endpoints.
1) How should I setup the ip's on the wireless access points and on the Firebox so that the access points can be used as VPN gateway endpoints?
2) How can I route internet, non-vpn, traffic through the access points so they can be used as a secondary/backup internet connection if the internet service provider's line goes down at an office?
Thank you for your help
Let us say my Firebox ip's are setup as
Office 1
External Internet IP 105.105.105.5, External Internet Gateway 105.105.105.1
Private/Trusted network 192.168.111.0/24
Office 2
External Internet IP 205.205.205.5, External Internet Gateway 205.205.205.1
Private/Trusted network 192.168.222.0/24
VPN 192.168.111.0/24 <==> 192.168.222.0/24
I have my VPN gateway endpoints now set at 105.105.105.5 and 205.205.205.5, the public ip of the Fireboxes
Now, I have setup a point to point private connection between the two offices using two wireless access points. The Firebox only allows External interfaces to be VPN gateway endpoints.
1) How should I setup the ip's on the wireless access points and on the Firebox so that the access points can be used as VPN gateway endpoints?
2) How can I route internet, non-vpn, traffic through the access points so they can be used as a secondary/backup internet connection if the internet service provider's line goes down at an office?
Thank you for your help
ASKER
Multi-wan is if I had two connections with internet access at each office. I have only one connection at each office that has internet. The second conneciton is point to point between each office, no internet.
If I do a multi-wan setup I have to setup a route from the point to point connection out to the internet on the firebox that is accepting the packets.
Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two. I need to know how then to route those packets out to the internet. Basically an external to external policy on firebox two that does not affect the existing VPN.
If I do a multi-wan setup I have to setup a route from the point to point connection out to the internet on the firebox that is accepting the packets.
Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two. I need to know how then to route those packets out to the internet. Basically an external to external policy on firebox two that does not affect the existing VPN.
>> Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two.
Once packets reach firewall at office two; configure a policy as:
Enabled and Allowed
From 192.168.111.0/24; to Any-external, 192.168.222.0/24
Firebox at office two would do dynamic NAT automatically as it would have entry for 192.168.0.0/16.
Please implement and update.
Thank you.
Once packets reach firewall at office two; configure a policy as:
Enabled and Allowed
From 192.168.111.0/24; to Any-external, 192.168.222.0/24
Firebox at office two would do dynamic NAT automatically as it would have entry for 192.168.0.0/16.
Please implement and update.
Thank you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The solution to this setup is documented in the link above.
Have a look at link:
http://customers.watchguard.com/articles/Article/3033
Please implement and update.
Thank you.