Re: Watch Guard Firebox 1000 and VPN

From: Steven Drury (stevendrury_at_sympatico.ca)
Date: 08/03/04

Date: Tue, 3 Aug 2004 15:14:02 -0400

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> [snip]
> > I can VPN to the router and then ping only one of the servers. I can then
> > map a drive using the IP address of that server; the server asks me to login,
> > which works no problem.
> > The subnet of our network is 255.255.255.0 and the IP addresses are
> > 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of
> > 255.255.255.0. What I want to set up is so that our users can VPN in from
> > home to check their email and do work if they need to. However, the server
> > they need to get to I can not access. Does this make any sense?
>
> Ok, so, you can ping one server, and map a share to it, but not the
> other servers.
>
> So, the question is simple - what is the difference between the network
> settings on the server you can connect to and the ones you can't connect
> to?
>
> If you can't ping them by IP address (and the ANY_PPTP rule should allow
> you total access if you set it up correctly), then it's got to be some
> form of subnet issue.
>
> Did you set up the Network Configuration tab properly - meaning that your
> network Trusted interface should be 10.10.10.0/24 - and you then need to
> go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
> Intrusion Prevention, and then Blocked Sites) and remove the 10.0.0.0/8 and
> the 192.168.0.0/16 values (or whatever they are for 10.x.y.x and
> 192.168.x.y).
>
> In the Windows XP VPN connection I have "Security Tab", X Advanced
> Settings, X Allow these Protocols, check everything except "For MS_CHAP
> based...." (the last box). I also have "Require encryption, disconnect
> if server declines".
>
> Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
> TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
> networks DNS server for DNS (so it would be 10.10.10.x for yours). I
> also have "Use remote gateway" checked under the advanced options. Under
> Advanced TAB, I do not have anything checked - no ICF and don't allow
> other users to connect through this connection...
>
> Double check everything, make sure that you've got your IP Addresses and
> MASK's set properly - a 255.255.255.0 is a /24.
>
> let me know if this works.
>
>
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
Hello again,
 I have checked the network configuration and it is as follows.
  Trusted interface is 10.10.10.7/24
  There is nothing in the Blocked Sites

 As for the network settings, all of our servers are assigned an IP address
which is 10.10.10.x with a subnet of 255.255.255.0. The DNS server is
10.10.10.1, so all servers point to it as the primary. I also just created a
secondary DNS; it is 10.10.10.2.
 As for the Any-PPTP rule, it looks like this:
 Incoming: Enabled and allowed
 From - PPTP_Users
 To - External
      Firebox
      Optional
      Trusted

 Outgoing: Enabled and allowed
 From - External
        Firebox
        Optional
        Trusted
 To - PPTP_Users

I have connected via a VPN from outside of our network, and every time I
connect I can only ping 1 or 2 servers. I am unable to ping our main server,
which has the logins and Exchange; however, I just mapped to our applications
server and copied files from my computer to it.

What I find really strange is that sometimes I can ping and connect to one
server but the next time I can not. I am beginning to get frustrated.
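The troubleshooting steps Leythos lists (confirm the mask is really a /24, confirm every server sits in the Trusted 10.10.10.0/24 range, and confirm no Blocked Sites entry such as the 10.0.0.0/8 or 192.168.0.0/16 defaults swallows the office LAN or the remote client's LAN) are mechanical enough to script. The following is an added example written for this page, not code from either poster or from WatchGuard; the address values are the ones quoted in the thread, the function names and the sample server list are assumptions, and it only audits an address plan offline rather than touching any firewall.

```python
"""Offline sanity check of a PPTP VPN address plan (added example, not
from the thread). Uses only the standard-library ipaddress module."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted netmask (255.255.255.0) to a prefix length (24)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def hosts_outside(network: str, hosts: Iterable[str]) -> List[str]:
    """Return every host address that is NOT inside `network`.

    A server answering on the LAN but configured with a wrong mask or a
    stray address is the 'difference between the server you can reach and
    the one you can't' that the thread asks about."""
    net = ipaddress.ip_network(network, strict=False)  # tolerate host bits
    return [h for h in hosts if ipaddress.ip_address(h) not in net]


def blocked_site_conflicts(trusted: str, vpn_client: str,
                           blocked: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (blocked_entry, network_name) for every Blocked Sites entry
    that overlaps the trusted LAN or the remote client's LAN.

    Anything matching a blocked entry is dropped before the Any-PPTP policy
    is consulted, so an overlap here silently defeats the VPN rule."""
    nets = {
        "trusted": ipaddress.ip_network(trusted, strict=False),
        "vpn_client": ipaddress.ip_network(vpn_client, strict=False),
    }
    conflicts = []
    for entry in blocked:
        blocked_net = ipaddress.ip_network(entry, strict=False)
        for name, net in nets.items():
            if blocked_net.overlaps(net):
                conflicts.append((entry, name))
    return conflicts


def lans_overlap(trusted: str, vpn_client: str) -> bool:
    """True when the remote user's home LAN uses the same range as the office
    LAN; the client then routes office addresses locally and never sends
    them down the tunnel."""
    return ipaddress.ip_network(trusted, strict=False).overlaps(
        ipaddress.ip_network(vpn_client, strict=False))


def audit_vpn_plan(trusted: str, mask: str, vpn_client: str,
                   servers: Iterable[str], blocked: Iterable[str]) -> Dict[str, object]:
    """Run all checks and return a findings dictionary."""
    return {
        "prefix_len": mask_to_prefix(mask),
        "servers_off_subnet": hosts_outside(trusted, servers),
        "blocked_conflicts": blocked_site_conflicts(trusted, vpn_client, blocked),
        "lan_collision": lans_overlap(trusted, vpn_client),
    }


if __name__ == "__main__":
    # Constructed sample: the thread's addresses plus a hypothetical server
    # list; the Blocked Sites list is the default pair Leythos said to remove.
    report = audit_vpn_plan(
        trusted="10.10.10.7/24",
        mask="255.255.255.0",
        vpn_client="192.168.0.0/24",
        servers=["10.10.10.1", "10.10.10.2", "10.10.10.50", "10.10.11.5"],
        blocked=["10.0.0.0/8", "192.168.0.0/16"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as a script it reports the /24 prefix, flags 10.10.11.5 as outside the trusted subnet, and lists both default Blocked Sites entries as conflicting; an empty `servers_off_subnet` and `blocked_conflicts` together with `lan_collision` False is the state the thread is trying to reach.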