Re: WatchGuard Firebox 1000 and VPN
From: Steven Drury (stevendrury_at_sympatico.ca)
Date: Tue, 3 Aug 2004 15:14:02 -0400
"Leythos" <firstname.lastname@example.org> wrote in message
> In article <y4zPc.11700$Jq2.email@example.com>,
> firstname.lastname@example.org says...
> > I can VPN to the router and then ping only one of the servers. I can
> > map a drive using the IP address of that server the server asks me to,
> > which works no problem.
> > The subnet of our network is 255.255.255.0 and the IP addresses are
> > 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet
> > 255.255.255.0. What I want to set up is so that our users can VPN in from
> > home to check their email and do work if they need to. However, the
> > they need to get to I cannot access. Does this make any sense?
> Ok, so, you can ping one server, and map a share to it, but not the
> other servers.
> So, the question is simple - what is the difference between the network
> settings on the server you can connect to and the ones you can't connect
> If you can't ping them by IP address (and the ANY_PPTP rule should allow
> you total access if you set it up correctly), then it's got to be some
> form of subnet issue.
> Did you set up the Network Configuration TAB properly - meaning that your
> network Trusted interface should be 10.10.10.0/24 and you need to then
> go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
> Intrusion Prevention, and the Blocked Sites - remove the 10.0.0.0/8 and
> the 192.168.0.0/16 values (or whatever they are for 10.x.y.x and
> In the Windows XP VPN connection I have "Security Tab", X Advanced
> Settings, X Allow these Protocols, check everything except "For MS_CHAP
> based...." (the last box). I also have "Require encryption, disconnect
> if server declines".
> Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
> TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
> networks DNS server for DNS (so it would be 10.10.10.x for yours). I
> also have "Use remote gateway" checked under the advanced options. Under
> Advanced TAB, I do not have anything checked - no ICF and don't allow
> other users to connect through this connection...
> Double-check everything, make sure that you've got your IP addresses and
> masks set properly - a 255.255.255.0 is a /24.
> let me know if this works.
> (Remove 999 to reply to me)
I have checked the network configuration and it is as follows.
Trusted interface is 10.10.10.7/24
There is nothing in the Blocked Sites.
As for the network settings, all of our servers are assigned an IP address
which is 10.10.10.x with a subnet of 255.255.255.0. The DNS server is
10.10.10.1, so all servers point to it as the primary. I also just created a
secondary DNS; it is 10.10.10.2.
As for the AnyPPTP rule, it looks like this:
Incoming Enabled and allowed
From - PPTP_Users
To - External
Outgoing Enabled and allowed
From - External
To - PPTP_Users
I have connected via a VPN from outside of our network and every time I
connect I can only ping 1 or 2 servers. I am unable to ping our main server,
which has the logins and Exchange; however, I just mapped to our applications
server and copied files from my computer to it.
What I find really strange is that sometimes I can ping and connect to one
server but the next time I cannot. I am beginning to get frustrated.
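The reply above boils down to two checks: compare the mask and gateway of each server against the Firebox trusted interface, and make sure the VPN client's address does not fall inside a Blocked Sites entry. The following is an added example that is not from either poster and is not WatchGuard code; it encodes those checks in Python so they can be run over a server inventory. Only the 10.10.10.0/24 trusted network, the 10.10.10.7 Firebox interface and the 10.0.0.0/8 and 192.168.0.0/16 default Blocked Sites entries come from the thread. The server list, the server names, and the PPTP client address 10.10.20.5 are constructed; the thread does not say what address range the Firebox hands to PPTP users. The logic relies on one fact not stated on the page but certain: a server can only answer an address outside its own subnet by sending the reply to its default gateway, so that gateway must be the Firebox.

```python
import ipaddress

# Added example, not code from either poster. Only the 10.10.10.0/24 trusted
# network, the 10.10.10.7 Firebox trusted interface and the Firebox 7.1 default
# Blocked Sites entries come from the thread; the server inventory and the PPTP
# client address are constructed to show the failure modes the reply asks about.
FIREBOX_TRUSTED = ipaddress.ip_interface("10.10.10.7/24")

# Constructed inventory: (name, address, netmask, default gateway).
SERVERS = [
    ("apps",     "10.10.10.5",  "255.255.255.0", "10.10.10.7"),  # consistent with the Firebox
    ("mail",     "10.10.10.3",  "255.255.255.0", "10.10.10.1"),  # gateway is the DNS box, not the Firebox
    ("files",    "10.10.10.9",  "255.0.0.0",     "10.10.10.7"),  # mask too wide: 10.0.0.0/8
    ("printsrv", "10.10.10.11", "255.255.255.0", None),          # no default gateway at all
]

# The entries the reply says Firebox 7.1 ships in Blocked Sites.
BLOCKED_SITES = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def return_path_problems(server, client_ip, firebox=FIREBOX_TRUSTED):
    """List the reasons a server's replies to a PPTP client would never come back.

    A reply to an address outside the trusted subnet has to leave the server
    through its default gateway, and that gateway has to be the Firebox.
    """
    name, addr, mask, gw = server
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    client = ipaddress.ip_address(client_ip)
    problems = []
    if iface.network != firebox.network:
        problems.append(f"{name}: mask {mask} puts it on {iface.network}, "
                        f"not {firebox.network}")
    if client not in firebox.network and client in iface.network:
        # The server will ARP for the client on the LAN instead of routing.
        problems.append(f"{name}: thinks {client} is on its own segment, so the "
                        f"reply is never sent to the Firebox")
    elif client not in iface.network:
        if gw is None:
            problems.append(f"{name}: no default gateway, cannot reply to {client}")
        elif ipaddress.ip_address(gw) != firebox.ip:
            problems.append(f"{name}: default gateway {gw} is not the Firebox "
                            f"trusted interface {firebox.ip}")
    return problems


def blocked_sites_hit(client_ip, blocked=BLOCKED_SITES):
    """Return the Blocked Sites entries that would swallow traffic from client_ip."""
    client = ipaddress.ip_address(client_ip)
    return [str(net) for net in blocked if client in net]


def audit(client_ip, servers=SERVERS):
    """Map each server name to its list of problems for this PPTP client address."""
    return {s[0]: return_path_problems(s, client_ip) for s in servers}


if __name__ == "__main__":
    # Assumed PPTP pool address; the thread does not say what range the Firebox hands out.
    client = "10.10.20.5"
    print(f"Blocked Sites entries matching {client}: {blocked_sites_hit(client) or 'none'}")
    for name, probs in audit(client).items():
        print(f"{name}: {'ok' if not probs else '; '.join(probs)}")
```

Run it with the address the Firebox actually assigned to the VPN client (visible in the PPTP adapter's status on the XP side) in place of the constructed 10.10.20.5. A server that shows up clean here but still answers only some of the time is worth checking for a second NIC or a second gateway entry, since the script only looks at the one address, mask and gateway listed per host.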