Re: Watch Guard Firebox 1000 and VPN

From: Steven Drury (stevendrury_at_sympatico.ca)
Date: 08/03/04


Date: Tue, 3 Aug 2004 15:14:02 -0400


"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> [snip]
> > I can vpn to the router and then ping only one of the servers. I can
> > then map a drive using the IP address of that server; the server asks me to
> > login, which works no problem.
> > The subnet of our network is 255.255.255.0 and the ip addresses are
> > 10.10.10.0. The network I am using to vpn is 192.168.0.0 with a subnet
> > of 255.255.255.0. What I want to set up is so that our users can vpn in from
> > home to check their email and do work if they need to. However the
> > server they need to get to I can not access. Does this make any sense?
>
> Ok, so, you can ping one server, and map a share to it, but not the
> other servers.
>
> So, the question is simple - what is the difference between the network
> settings on the server you can connect to and the ones you can't connect
> to?
>
> If you can't ping them by IP address (and the ANY_PPTP rule should allow
> you total access if you set it up correctly), then it's got to be some
> form of subnet issue.
>
> Did you set up the Network Configuration TAB properly - meaning that your
> network Trusted interface should be 10.10.10.0/24 - and you need to then
> go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
> Intrusion Prevention, and then Blocked Sites) and remove the 10.0.0.0/8 and
> the 192.168.0.0/16 values (or whatever they are for 10.x.y.z and
> 192.168.x.y).
>
> In the Windows XP VPN connection I have "Security Tab", X Advanced
> Settings, X Allow these Protocols, check everything except "For MS_CHAP
> based...." (the last box). I also have "Require encryption, disconnect
> if server declines".
>
> Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
> TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
> networks DNS server for DNS (so it would be 10.10.10.x for yours). I
> also have "Use remote gateway" checked under the advanced options. Under
> Advanced TAB, I do not have anything checked - no ICF and don't allow
> other users to connect through this connection...
>
> Double check everything, make sure that you've got your IP addresses and
> masks set properly - a 255.255.255.0 is a /24.
>
> Let me know if this works.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
Hello again,
 I have checked the network configuration and it is as follows.
  Trusted interface is 10.10.10.7/24
  There is nothing in the Blocked Sites

 As for the network settings, all of our servers are assigned an IP address
which is 10.10.10.x with a subnet of 255.255.255.0. The DNS server is
10.10.10.1, so all servers point to it as the Primary. I also just created a
Secondary DNS; it is 10.10.10.2.
 As for the AnyPPTP rule, it looks like this:
 Incoming: Enabled and allowed
 From - PPTP_Users
 To - External
      Firebox
      Optional
      Trusted

 Outgoing: Enabled and allowed
 From - External
        Firebox
        Optional
        Trusted
 To - PPTP_Users

I have connected via a VPN from outside of our network and every time I
connect I can only ping 1 or 2 servers. I am unable to ping our main server
which has the logins and Exchange; however, I just mapped to our applications
server and copied files from my computer to it.

What I find really strange is that sometimes I can ping and connect to one
server but the next time I can not. I am beginning to get frustrated.
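Added example, not code from either poster: the two things Leythos asks to compare, the Firebox Blocked Sites list and each server's own IP/mask/gateway settings, checked offline with Python's ipaddress module. The server table and the PPTP client address 192.168.50.10 are constructed for the demonstration; a server that has no default gateway (or a wrong mask) can answer a ping from a host on its own /24 but cannot route a reply back to an off-subnet VPN client, which is one way "ping works to one server but not another" shows up.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Values taken from the thread: trusted interface and default Blocked Sites.
TRUSTED = ip_network("10.10.10.0/24")
FIREBOX_DEFAULT_BLOCKED = ["10.0.0.0/8", "192.168.0.0/16"]  # Leythos says to remove these

def check_blocked_sites(blocked_sites, client_ip, server_ip):
    """Return the Blocked Sites entries that would swallow traffic between a
    PPTP client address and a trusted server (either endpoint matching)."""
    hits = []
    for entry in blocked_sites:
        net = ip_network(entry)
        if ip_address(client_ip) in net or ip_address(server_ip) in net:
            hits.append(str(net))
    return hits

def check_server(server, client_ip):
    """Return return-path problems for one server. `server` has 'ip' (CIDR
    string) and 'gateway' (str or None). A reply to an off-subnet VPN client
    needs a default gateway that sits on the server's own subnet."""
    iface = ip_interface(server["ip"])
    problems = []
    if iface.network != TRUSTED:
        problems.append(f"subnet {iface.network} differs from trusted {TRUSTED}")
    if ip_address(client_ip) not in iface.network:
        gw = server.get("gateway")
        if gw is None:
            problems.append("no default gateway: cannot reply to off-subnet VPN client")
        elif ip_address(gw) not in iface.network:
            problems.append(f"gateway {gw} is not on the server's subnet")
    return problems

def diagnose(servers, client_ip, blocked_sites):
    """Map each server name to its findings ([] means it looks fine)."""
    report = {}
    for name, cfg in servers.items():
        server_ip = cfg["ip"].split("/")[0]
        findings = check_server(cfg, client_ip)
        findings += [f"blocked site {b}" for b in check_blocked_sites(blocked_sites, client_ip, server_ip)]
        report[name] = findings
    return report

# Constructed sample (not from the thread): three trusted servers and an
# assumed PPTP client address; "exchange" has no gateway, "files" a wrong mask.
SAMPLE_SERVERS = {
    "apps":     {"ip": "10.10.10.5/24", "gateway": "10.10.10.7"},
    "exchange": {"ip": "10.10.10.1/24", "gateway": None},
    "files":    {"ip": "10.10.10.3/16", "gateway": "10.10.10.7"},
}
CLIENT_IP = "192.168.50.10"
```

Run `diagnose(SAMPLE_SERVERS, CLIENT_IP, FIREBOX_DEFAULT_BLOCKED)` to see that with the default Blocked Sites entries in place every server is flagged, and with an empty list only the two misconfigured servers remain.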
