Re: Watch Guard Firebox 1000 and VPN

From: Leythos (void_at_nowhere.com)
Date: 08/03/04


Date: Mon, 02 Aug 2004 22:56:21 GMT

In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
[snip]
> I can vpn to the router and then ping only one of the servers. I can then
> map a drive using the IP Address of that server the server askes me to login
> which works no problem.
> The subnet of our network is 255.255.255.0 and the ip addresses are
> 10.10.10.0. The network I am using to vpn is 192.168.0.0 with a subnet of
> 255.255.255.0. What what to set up is so that our users can vpn in from
> home to check their email and do work if they need to. However the server
> they need to get to I can not access. Does this make any sense.

Ok, so, you can ping one server, and map a share to it, but not the
other servers.

So, the question is simple - what is the difference between the network
settings on the server you can connect to and the ones you can't connect
too?

If you can't ping them by IP address (and the ANY_PPTP rule should allow
you total access if you set it up correctly), then it's got to be some
form of subnet issue.

Did you setup the Network Configuration TAB properly - meaning that your
network Trusted interface should be 10.10.10.0/24 and you need to then
go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
Intrusion Prevention, and the Blocked Sites - remove the 10.0.0.0/8 and
the 192.168.0.0/16 values (or whatever they are for 10.x.y.x and
192.168.x.y).

In the Windows XP VPN connection I have "Security Tab", X Advanced
Settings, X Allow these Protocols, check everything except "For MS_CHAP
based...." (the last box). I also have "Require encryption, disconnect
if server declines".

Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
networks DNS server for DNS (so it would be 10.10.10.x for yours). I
also have "Use remote gateway" checked under the advanced options. Under
Advanced TAB, I do not have anything checked - no ICF and don't allow
other users to connect through this connection...

Double check everything, make sure that you've got your IP Addresses and
MASK's set properly - a 255.255.255.0 is a /24.

let me know if this works.

-- 
--
spamfree999@rrohio.com
(Remove 999 to reply to me)


Relevant Pages

  • Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
    ... This set of steps is redundant in many places, and it's also enormously expensive, since you're using no less than three different expensive bits of networking hardware (AP, PIX, VPN Concentrator), in addition to a bunch of x86 server hardware, windows server licenses, and at least one ISA license. ... Your computers necessarily don't have full access to your network infrastructure when they aren't logged on, so GPOs, software updates, etc can't be applied at the times you want them to be applied. ... Turning on, enabling, and implementing every possible security setting and device you think of is not defence in depth, and will probably only have two effects - your users won't use your wireless network, and you'll burn so much cash you won't have any left to spend on *useful* security measures. ...
    (Full-Disclosure)
  • Re: VPN with SBS 2003 (not R2) and DSL.
    ... Reading property value for VPN returned OK ... Reading VPN Server Name returned OK ... identical network cards. ... it seems doubtful that SBS will work properly with two NICs ...
    (microsoft.public.windows.server.sbs)
  • Re: RDP can not logon error
    ... Tracert & Ping to dc on the same subnet as the server that is having trouble. ... No network provider accepted the given network path.. ... Starting test: CrossRefValidation ...
    (microsoft.public.windows.server.general)
  • Re: RDP can not logon error
    ... ping and tracert to the dc in that remote site (where this system ... Tracert & Ping to dc on the same subnet as the server that is having ... No network provider accepted the given network path.. ... Starting test: CrossRefValidation ...
    (microsoft.public.windows.server.general)
  • Re: VPN clients unable to connect to other resources.
    ... on the SBS 2003 server just not sure where to go for help on it. ... Next time I'm at my home PC, I'll VPN in and see what IP info I'm getting ... client PC on your LAN, you should be able to do so from a remote VPN client, ... get the network path was not found. ...
    (microsoft.public.windows.server.sbs)