Watch Guard Firebox 1000 and VPN

Archived from groups: comp.security.firewalls

I am trying to set up a VPN to my Win 2000 Server. I have it working
internally but I cannot get my WatchGuard to let me in. What do I need to do
to make it work?

Thanks in advance.
 

In article <ZJhPc.11248$Vm1.144205@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> I am trying to set up a VPN to my Win 2000 Server. I have it working
> internally but I cannot get my WatchGuard to let me in. What do I need to do
> to make it work?

There are several methods and we need more information:

1) Are you trying to VPN into the network and have total access to all
network resources?

2) Are you trying to remote-desktop into the server only?

If you set up a PPTP user in the WatchGuard, you can PPTP into the
firewall itself, and if you create a rule, you can access the entire
network once you authenticate with the VPN. Windows remote access is not
needed at this point - once you get an IP you are the same as being in
the local network.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

We are trying to VPN into the network and have total access to all network
resources. I would like to terminal service into the server if possible but
the VPN is the most important part at this time.

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7807534a27f26d98a821@news-server.columbus.rr.com...
> In article <ZJhPc.11248$Vm1.144205@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > I am trying to set up a VPN to my Win 2000 Server. I have it working
> > internally but I cannot get my WatchGuard to let me in. What do I need to do
> > to make it work?
>
> There are several methods and we need more information:
>
> 1) Are you trying to VPN into the network and have total access to all
> network resources?
>
> 2) Are you trying to remote-desktop into the server only?
>
> If you set up a PPTP user in the WatchGuard, you can PPTP into the
> firewall itself, and if you create a rule, you can access the entire
> network once you authenticate with the VPN. Windows remote access is not
> needed at this point - once you get an IP you are the same as being in
> the local network.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
 

In article <ForPc.10$%M2.320@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> We are trying to VPN into the network and have total access to all network
> resources. I would like to terminal service into the server if possible but
> the VPN is the most important part at this time.

The simple method would be to create PPTP users for the Firewall itself,
open the Policy Manager, click on Network, Remote User, PPTP, and then
add a couple fixed IP addresses and enable remote users.

Now click on Setup, Authentication Servers, Firebox Users tab, add a
couple users and put them in the PPTP_Users group.

One last thing - and this is not the approved method, but will get you
up and running - go back and secure this later: Add an ANY rule, call it
ANY_PPTP and make Incoming Enabled and Allowed, add PPTP_Users to From
and External, Firebox, Optional, Trusted to the TO box, click OUTGOING
tab, and do the same thing in reverse (PPTP_Users goes in the TO box
this time, same for the From box).

Now, save this - you can't check this from inside your network, you have
to PPTP from outside the network.

Create a Windows XP (or anything that supports PPTP) connection to the
public IP of the Firewall and authenticate with the firewall. This will
give you an IP in the network; you need to configure the PPTP connection
to use the DNS server INSIDE your trusted network if you want to use name
resolution.

Hope this helps. Please bottom post.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Thanks, I have created and done everything you have said. I am able to
connect from an outside source and when I connect I am able to ping the
router but not any of the computers on the network. Did I forget something?

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b78120de4b5f3c98a825@news-server.columbus.rr.com...
> In article <ForPc.10$%M2.320@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > We are trying to VPN into the network and have total access to all network
> > resources. I would like to terminal service into the server if possible but
> > the VPN is the most important part at this time.
>
> The simple method would be to create PPTP users for the Firewall itself,
> open the Policy Manager, click on Network, Remote User, PPTP, and then
> add a couple fixed IP addresses and enable remote users.
>
> Now click on Setup, Authentication Servers, Firebox Users tab, add a
> couple users and put them in the PPTP_Users group.
>
> One last thing - and this is not the approved method, but will get you
> up and running - go back and secure this later: Add an ANY rule, call it
> ANY_PPTP and make Incoming Enabled and Allowed, add PPTP_Users to From
> and External, Firebox, Optional, Trusted to the TO box, click OUTGOING
> tab, and do the same thing in reverse (PPTP_Users goes in the TO box
> this time, same for the From box).
>
> Now, save this - you can't check this from inside your network, you have
> to PPTP from outside the network.
>
> Create a Windows XP (or anything that supports PPTP) connection to the
> public IP of the Firewall and authenticate with the firewall. This will
> give you an IP in the network; you need to configure the PPTP connection
> to use the DNS server INSIDE your trusted network if you want to use name
> resolution.
>
> Hope this helps. Please bottom post.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
 

In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> Thanks, I have created and done everything you have said. I am able to
> connect from an outside source and when I connect I am able to ping the
> router but not any of the computers on the network. Did I forget something?

Did you create the ANY rule like I mentioned - you need to ADD an ANY
service (all ports/types) that lets the PPTP_Users group access the
network. Just making the connection via PPTP without the rule means you
can only access the firewall, nothing else.

Please bottom post next time.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com...
> In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > Thanks, I have created and done everything you have said. I am able to
> > connect from an outside source and when I connect I am able to ping the
> > router but not any of the computers on the network. Did I forget something?
>
> Did you create the ANY rule like I mentioned - you need to ADD an ANY
> service (all ports/types) that lets the PPTP_Users group access the
> network. Just making the connection via PPTP without the rule means you
> can only access the firewall, nothing else.
>
> Please bottom post next time.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)


Yes I did create a rule just like you said. I am able to log in and then
ping the router. I enabled ping everything and I still could not ping any
other devices. I am able to ping the IP address from any computer on the
internal network however.
On my properties of the Any PPTP rule it has Port with nothing under it and
protocol with Any on it; Client Port is empty as well. I cannot add Any to
the Port section.
 

In article <MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com>,
void@nowhere.com says...
> In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > Thanks, I have created and done everything you have said. I am able to
> > connect from an outside source and when I connect I am able to ping the
> > router but not any of the computers on the network. Did I forget something?
>
> Did you create the ANY rule like I mentioned - you need to ADD an ANY
> service (all ports/types) that lets the PPTP_Users group access the
> network. Just making the connection via PPTP without the rule means you
> can only access the firewall, nothing else.
>
> Please bottom post next time.

One more thing - if you didn't assign a DNS entry of an internal DNS
server (in your trusted network) to the Networking DNS options of the
PPTP connection, then you can only ping by IP, not by name. Without the
DNS entry you can't use UNC paths/names.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

On Mon, 2 Aug 2004 10:23:52 -0400, "Steven Drury"
<stevendrury@sympatico.ca> wrote:

>Thanks, I have created and done everything you have said. I am able to
>connect from an outside source and when I connect I am able to ping the
>router but not any of the computers on the network. Did I forget something?

Ping might be blocked on the WatchGuard.
 

In article <FdtPc.7972$Jq2.390520@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com...
> > In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> > stevendrury@sympatico.ca says...
> > > Thanks, I have created and done everything you have said. I am able to
> > > connect from an outside source and when I connect I am able to ping the
> > > router but not any of the computers on the network. Did I forget something?
> >
> > Did you create the ANY rule like I mentioned - you need to ADD an ANY
> > service (all ports/types) that lets the PPTP_Users group access the
> > network. Just making the connection via PPTP without the rule means you
> > can only access the firewall, nothing else.
> >
> > Please bottom post next time.
> >
> > --
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> Yes I did create a rule just like you said. I am able to log in and then
> ping the router. I enabled ping everything and I still could not ping any
> other devices. I am able to ping the IP address from any computer on the
> internal network however.
> On my properties of the Any PPTP rule it has Port with nothing under it and
> protocol with Any on it; Client Port is empty as well. I cannot add Any to
> the Port section.

The ANY service already has the proper ports/services in the rule, you
don't need to add anything to it to make it work.

So, the question is this - from an external public connection, you PPTP
into the Firebox, and the Firebox provides you an IP (meaning that you did
set a number of IPs up in the REMOTE USER SETUP / PPTP tab)? Try setting
"Enable drop from 128bit to 40 bit".

One last thing, if you are not using the "Strong Software Encryption"
version, then you can't do a VPN/PPTP into the firewall.

If this doesn't work you are going to have to call them.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7840a9d665905998a82c@news-server.columbus.rr.com...
> In article <FdtPc.7972$Jq2.390520@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > "Leythos" <void@nowhere.com> wrote in message
> > news:MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com...
> > > In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> > > stevendrury@sympatico.ca says...
> > > > Thanks, I have created and done everything you have said. I am able to
> > > > connect from an outside source and when I connect I am able to ping the
> > > > router but not any of the computers on the network. Did I forget something?
> > >
> > > Did you create the ANY rule like I mentioned - you need to ADD an ANY
> > > service (all ports/types) that lets the PPTP_Users group access the
> > > network. Just making the connection via PPTP without the rule means you
> > > can only access the firewall, nothing else.
> > >
> > > Please bottom post next time.
> > >
> > > --
> > > --
> > > spamfree999@rrohio.com
> > > (Remove 999 to reply to me)
> >
> > Yes I did create a rule just like you said. I am able to log in and then
> > ping the router. I enabled ping everything and I still could not ping any
> > other devices. I am able to ping the IP address from any computer on the
> > internal network however.
> > On my properties of the Any PPTP rule it has Port with nothing under it and
> > protocol with Any on it; Client Port is empty as well. I cannot add Any to
> > the Port section.
>
> The ANY service already has the proper ports/services in the rule, you
> don't need to add anything to it to make it work.
>
> So, the question is this - from an external public connection, you PPTP
> into the Firebox, and the Firebox provides you an IP (meaning that you did
> set a number of IPs up in the REMOTE USER SETUP / PPTP tab)? Try setting
> "Enable drop from 128bit to 40 bit".
>
> One last thing, if you are not using the "Strong Software Encryption"
> version, then you can't do a VPN/PPTP into the firewall.
>
> If this doesn't work you are going to have to call them.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Now this is interesting. I have just connected to one of my servers through
the VPN; however, I am unable to connect to the main server. Is it possible
that I have to set up something on the server? I have 4 servers here and
can only connect to the one that has the WatchGuard program on it. I am so
confused as to why I can connect to it.
 

In article <wXvPc.18$%M2.411@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> Now this is interesting. I have just connected to one of my servers through
> the VPN; however, I am unable to connect to the main server. Is it possible
> that I have to set up something on the server? I have 4 servers here and
> can only connect to the one that has the WatchGuard program on it. I am so
> confused as to why I can connect to it.

Define "connect to it"?

What is the subnet of the Trusted network at your 4-servers location?

What is the subnet of the place where you are at trying to test the VPN?

If you are using 192.168.1.0/24 for both networks, or any other subnet
that is the same on both ends, you will have nothing but troubles - they
must be different, and you should not make either one of them the
default for typical devices already on the market. As an example, many
routers use 192.168.1.0/24 and 192.168.0.0/24 for their subnets; put the
Firewall Trusted zone at 192.168.16.0/24 so that you can easily segment
the network if needed, and put the DMZ at 192.168.32.0/24 - this means that
people using the default address space on those home user routers can
access your network properly.

The firewall does not connect to a server, it's a stand-alone unit. The
only connection is from the Firewall HTTP Proxy service to the
WebBlocker database service running on a server (if you installed it),
all other connections are from the management software on a
server/workstation to the firewall.

Mark

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b787b26e4ea82ac98a830@news-server.columbus.rr.com...
> In article <wXvPc.18$%M2.411@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > Now this is interesting. I have just connected to one of my servers through
> > the VPN; however, I am unable to connect to the main server. Is it possible
> > that I have to set up something on the server? I have 4 servers here and
> > can only connect to the one that has the WatchGuard program on it. I am so
> > confused as to why I can connect to it.
>
> Define "connect to it"?
>
> What is the subnet of the Trusted network at your 4-servers location?
>
> What is the subnet of the place where you are at trying to test the VPN?
>
> If you are using 192.168.1.0/24 for both networks, or any other subnet
> that is the same on both ends, you will have nothing but troubles - they
> must be different, and you should not make either one of them the
> default for typical devices already on the market. As an example, many
> routers use 192.168.1.0/24 and 192.168.0.0/24 for their subnets; put the
> Firewall Trusted zone at 192.168.16.0/24 so that you can easily segment
> the network if needed, and put the DMZ at 192.168.32.0/24 - this means that
> people using the default address space on those home user routers can
> access your network properly.
>
> The firewall does not connect to a server, it's a stand-alone unit. The
> only connection is from the Firewall HTTP Proxy service to the
> WebBlocker database service running on a server (if you installed it),
> all other connections are from the management software on a
> server/workstation to the firewall.
>
> Mark
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

I can VPN to the router and then ping only one of the servers. I can then
map a drive using the IP address of that server; the server asks me to log in,
which works no problem.
The subnet of our network is 255.255.255.0 and the IP addresses are
10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of
255.255.255.0. What I want to set up is so that our users can VPN in from
home to check their email and do work if they need to. However the server
they need to get to I cannot access. Does this make any sense?
 

In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
[snip]
> I can VPN to the router and then ping only one of the servers. I can then
> map a drive using the IP address of that server; the server asks me to log in,
> which works no problem.
> The subnet of our network is 255.255.255.0 and the IP addresses are
> 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of
> 255.255.255.0. What I want to set up is so that our users can VPN in from
> home to check their email and do work if they need to. However the server
> they need to get to I cannot access. Does this make any sense?

Ok, so, you can ping one server, and map a share to it, but not the
other servers.

So, the question is simple - what is the difference between the network
settings on the server you can connect to and the ones you can't connect
to?

If you can't ping them by IP address (and the ANY_PPTP rule should allow
you total access if you set it up correctly), then it's got to be some
form of subnet issue.

Did you set up the Network Configuration TAB properly - meaning that your
network Trusted interface should be 10.10.10.0/24, and you need to then
go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
Intrusion Prevention, and the Blocked Sites) - remove the 10.0.0.0/8 and
the 192.168.0.0/16 values (or whatever they are for 10.x.y.z and
192.168.x.y).

In the Windows XP VPN connection I have "Security Tab", X Advanced
Settings, X Allow these Protocols, check everything except "For MS_CHAP
based...." (the last box). I also have "Require encryption, disconnect
if server declines".

Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
networks DNS server for DNS (so it would be 10.10.10.x for yours). I
also have "Use remote gateway" checked under the advanced options. Under
Advanced TAB, I do not have anything checked - no ICF and don't allow
other users to connect through this connection...

Double check everything, make sure that you've got your IP addresses and
masks set properly - a 255.255.255.0 is a /24.

Let me know if this works.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
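The checks Mark walks through in this post and the earlier one on subnets (the same address space on both ends of the tunnel, a Blocked Sites entry such as 10.0.0.0/8 that covers the trusted network or the PPTP addresses, a VPN DNS server that is not inside the trusted network, and 255.255.255.0 being a /24) as an added Python example; this is not code from the thread or from WatchGuard, the function names are hypothetical, and the PPTP addresses and Blocked Sites entries are constructed around the 10.10.10.0/24 and 192.168.0.0/24 numbers quoted above.

```python
"""Sanity checks for a PPTP remote-user setup like the one in this thread.

Added example, not WatchGuard code. Inputs are the trusted LAN, the fixed
PPTP addresses handed to remote users, the remote client's own LAN, the
Blocked Sites list and the DNS server the VPN client is configured with.
Function names are hypothetical; address values are constructed from the
numbers quoted in the thread.
"""
from ipaddress import ip_address, ip_network


def mask_to_prefix(mask: str) -> int:
    """Dotted-quad netmask -> prefix length (255.255.255.0 -> 24)."""
    return ip_network(f"0.0.0.0/{mask}").prefixlen


def check_remote_access(trusted, pptp_pool, client_lan, blocked_sites, vpn_dns):
    """Return a list of (severity, message) findings; an empty list means
    none of the failure modes discussed in the thread is present."""
    trusted = ip_network(trusted, strict=False)      # e.g. "10.10.10.7/24"
    client_lan = ip_network(client_lan, strict=False)
    pool = [ip_address(a) for a in pptp_pool]
    blocked = [ip_network(b, strict=False) for b in blocked_sites]
    dns = ip_address(vpn_dns)
    findings = []

    # 1. Same address space on both ends: the client's routing table treats
    #    the office subnet as local, so packets never enter the tunnel.
    if trusted.overlaps(client_lan):
        findings.append(("error",
                         f"client LAN {client_lan} overlaps trusted LAN {trusted}"))

    # 2. The thread's setup assumes the PPTP addresses live inside the
    #    trusted subnet; anything else needs an extra route on every host.
    for a in pool:
        if a not in trusted:
            findings.append(("warn",
                             f"PPTP address {a} is outside trusted LAN {trusted}"))

    # 3. A blanket Blocked Sites entry such as 10.0.0.0/8 covers the trusted
    #    LAN and the PPTP pool, so the VPN user's traffic is dropped.
    for b in blocked:
        if b.overlaps(trusted):
            findings.append(("error",
                             f"blocked site {b} covers trusted LAN {trusted}"))
        for a in pool:
            if a in b:
                findings.append(("error",
                                 f"blocked site {b} covers PPTP address {a}"))

    # 4. Name resolution (and UNC paths) only work when the VPN client is
    #    told to use a DNS server inside the trusted network.
    if dns not in trusted:
        findings.append(("warn",
                         f"VPN DNS server {dns} is not inside trusted LAN {trusted}"))
    return findings


if __name__ == "__main__":
    # Thread's numbers: office 10.10.10.0/24, home 192.168.0.0/24, DNS 10.10.10.1.
    # The PPTP addresses and Blocked Sites entries are constructed for the demo.
    good = check_remote_access("10.10.10.7/24", ["10.10.10.200", "10.10.10.201"],
                               "192.168.0.0/24", [], "10.10.10.1")
    bad = check_remote_access("10.10.10.7/24", ["10.10.10.200"],
                              "192.168.0.0/24", ["10.0.0.0/8", "192.168.0.0/16"],
                              "192.168.0.1")
    print("clean config:", good or "no findings")
    for severity, msg in bad:
        print(f"{severity}: {msg}")
```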
 

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> [snip]
> > I can VPN to the router and then ping only one of the servers. I can then
> > map a drive using the IP address of that server; the server asks me to log in,
> > which works no problem.
> > The subnet of our network is 255.255.255.0 and the IP addresses are
> > 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of
> > 255.255.255.0. What I want to set up is so that our users can VPN in from
> > home to check their email and do work if they need to. However the server
> > they need to get to I cannot access. Does this make any sense?
>
> Ok, so, you can ping one server, and map a share to it, but not the
> other servers.
>
> So, the question is simple - what is the difference between the network
> settings on the server you can connect to and the ones you can't connect
> to?
>
> If you can't ping them by IP address (and the ANY_PPTP rule should allow
> you total access if you set it up correctly), then it's got to be some
> form of subnet issue.
>
> Did you set up the Network Configuration TAB properly - meaning that your
> network Trusted interface should be 10.10.10.0/24, and you need to then
> go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
> Intrusion Prevention, and the Blocked Sites) - remove the 10.0.0.0/8 and
> the 192.168.0.0/16 values (or whatever they are for 10.x.y.z and
> 192.168.x.y).
>
> In the Windows XP VPN connection I have "Security Tab", X Advanced
> Settings, X Allow these Protocols, check everything except "For MS_CHAP
> based...." (the last box). I also have "Require encryption, disconnect
> if server declines".
>
> Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
> TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
> networks DNS server for DNS (so it would be 10.10.10.x for yours). I
> also have "Use remote gateway" checked under the advanced options. Under
> Advanced TAB, I do not have anything checked - no ICF and don't allow
> other users to connect through this connection...
>
> Double check everything, make sure that you've got your IP addresses and
> masks set properly - a 255.255.255.0 is a /24.
>
> Let me know if this works.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Ok I will try that tomorrow and advise you if it works. Thanks again for
all your help.
 

In article <aTzPc.11736$Jq2.505360@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> Ok I will try that tomorrow and advise you if it works. Thanks again for
> all your help.

Not a problem, that's what we're here for.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> [snip]
> > I can VPN to the router and then ping only one of the servers. I can then
> > map a drive using the IP address of that server; the server asks me to log in,
> > which works no problem.
> > The subnet of our network is 255.255.255.0 and the IP addresses are
> > 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of
> > 255.255.255.0. What I want to set up is so that our users can VPN in from
> > home to check their email and do work if they need to. However the server
> > they need to get to I cannot access. Does this make any sense?
>
> Ok, so, you can ping one server, and map a share to it, but not the
> other servers.
>
> So, the question is simple - what is the difference between the network
> settings on the server you can connect to and the ones you can't connect
> to?
>
> If you can't ping them by IP address (and the ANY_PPTP rule should allow
> you total access if you set it up correctly), then it's got to be some
> form of subnet issue.
>
> Did you set up the Network Configuration TAB properly - meaning that your
> network Trusted interface should be 10.10.10.0/24, and you need to then
> go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
> Intrusion Prevention, and the Blocked Sites) - remove the 10.0.0.0/8 and
> the 192.168.0.0/16 values (or whatever they are for 10.x.y.z and
> 192.168.x.y).
>
> In the Windows XP VPN connection I have "Security Tab", X Advanced
> Settings, X Allow these Protocols, check everything except "For MS_CHAP
> based...." (the last box). I also have "Require encryption, disconnect
> if server declines".
>
> Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
> TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
> networks DNS server for DNS (so it would be 10.10.10.x for yours). I
> also have "Use remote gateway" checked under the advanced options. Under
> Advanced TAB, I do not have anything checked - no ICF and don't allow
> other users to connect through this connection...
>
> Double check everything, make sure that you've got your IP addresses and
> masks set properly - a 255.255.255.0 is a /24.
>
> Let me know if this works.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Hello again,
I have checked the network configuration and it is as follows.
Trusted interface is 10.10.10.7/24
There is nothing in the Blocked Sites

As for the network settings, all of our servers are assigned an IP address
which is 10.10.10.x with a subnet of 255.255.255.0; the DNS server is
10.10.10.1 so all servers point to it as the Primary. I also just created a
Secondary DNS; it is 10.10.10.2
As for the AnyPPTP rule it looks like this:
Incoming Enabled and allowed
  From - PPTP_Users
  To - External, Firebox, Optional, Trusted

Outgoing Enabled and allowed
  From - External, Firebox, Optional, Trusted
  To - PPTP_Users

I have connected via a VPN from outside of our network and every time I
connect I can only ping 1 or 2 servers. I am unable to ping our main server
which has the logins and Exchange; however I just mapped to our applications
server and copied files from my computer to it.

What I find really strange is that sometimes I can ping and connect to one
server but the next time I cannot. I am beginning to get frustrated.
 

In article <nuRPc.17990$Jq2.789085@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> > In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> > stevendrury@sympatico.ca says...
> > [snip]
> > > I can VPN to the router and then ping only one of the servers. I can then
> > > map a drive using the IP address of that server; the server asks me to log in,
> > > which works no problem.
> > > The subnet of our network is 255.255.255.0 and the IP addresses are
> > > 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of
> > > 255.255.255.0. What I want to set up is so that our users can VPN in from
> > > home to check their email and do work if they need to. However the server
> > > they need to get to I cannot access. Does this make any sense?
> >
> > Ok, so, you can ping one server, and map a share to it, but not the
> > other servers.
> >
> > So, the question is simple - what is the difference between the network
> > settings on the server you can connect to and the ones you can't connect
> > to?
> >
> > If you can't ping them by IP address (and the ANY_PPTP rule should allow
> > you total access if you set it up correctly), then it's got to be some
> > form of subnet issue.
> >
> > Did you set up the Network Configuration TAB properly - meaning that your
> > network Trusted interface should be 10.10.10.0/24, and you need to then
> > go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
> > Intrusion Prevention, and the Blocked Sites) - remove the 10.0.0.0/8 and
> > the 192.168.0.0/16 values (or whatever they are for 10.x.y.z and
> > 192.168.x.y).
> >
> > In the Windows XP VPN connection I have "Security Tab", X Advanced
> > Settings, X Allow these Protocols, check everything except "For MS_CHAP
> > based...." (the last box). I also have "Require encryption, disconnect
> > if server declines".
> >
> > Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
> > TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
> > networks DNS server for DNS (so it would be 10.10.10.x for yours). I
> > also have "Use remote gateway" checked under the advanced options. Under
> > Advanced TAB, I do not have anything checked - no ICF and don't allow
> > other users to connect through this connection...
> >
> > Double check everything, make sure that you've got your IP addresses and
> > masks set properly - a 255.255.255.0 is a /24.
> >
> > Let me know if this works.
> >
> >
> > --
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
> Hello again,
> I have checked the network configuration and it is as follows.
> Trusted interface is 10.10.10.7/24
> There is nothing in the Blocked Sites
>
> As for the network settings, all of our servers are assigned an IP address
> which is 10.10.10.x with a subnet of 255.255.255.0; the DNS server is
> 10.10.10.1 so all servers point to it as the Primary. I also just created a
> Secondary DNS; it is 10.10.10.2
> As for the AnyPPTP rule it looks like this:
> Incoming Enabled and allowed
>   From - PPTP_Users
>   To - External, Firebox, Optional, Trusted
>
> Outgoing Enabled and allowed
>   From - External, Firebox, Optional, Trusted
>   To - PPTP_Users
>
> I have connected via a VPN from outside of our network and every time I
> connect I can only ping 1 or 2 servers. I am unable to ping our main server
> which has the logins and Exchange; however I just mapped to our applications
> server and copied files from my computer to it.
>
> What I find really strange is that sometimes I can ping and connect to one
> server but the next time I cannot. I am beginning to get frustrated.

You need to look at the real-time logs, but I suspect that the problem
is not with the firebox. What version of the Firmware are you running?

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b79b3e4bee26198a845@news-server.columbus.rr.com...
> In article <nuRPc.17990$Jq2.789085@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > "Leythos" <void@nowhere.com> wrote in message
> > news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> > > In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> > > stevendrury@sympatico.ca says...
> > > [snip]
> > > > I can VPN to the router and then ping only one of the servers. I can then
> > > > map a drive using the IP address of that server; the server asks me to log in,
> > > > which works no problem.
> > > > The subnet of our network is 255.255.255.0 and the IP addresses are
> > > > 10.10.10.0. The network I am using to VPN is 192.168.0.0 with a subnet of
> > > > 255.255.255.0. What I want to set up is so that our users can VPN in from
> > > > home to check their email and do work if they need to. However the server
> > > > they need to get to I cannot access. Does this make any sense?
> > >
> > > Ok, so, you can ping one server, and map a share to it, but not the
> > > other servers.
> > >
> > > So, the question is simple - what is the difference between the network
> > > settings on the server you can connect to and the ones you can't connect
> > > to?
> > >
> > > If you can't ping them by IP address (and the ANY_PPTP rule should allow
> > > you total access if you set it up correctly), then it's got to be some
> > > form of subnet issue.
> > >
> > > Did you set up the Network Configuration TAB properly - meaning that your
> > > network Trusted interface should be 10.10.10.0/24, and you need to then
> > > go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
> > > Intrusion Prevention, and the Blocked Sites) - remove the 10.0.0.0/8 and
> > > the 192.168.0.0/16 values (or whatever they are for 10.x.y.z and
> > > 192.168.x.y).
> > >
> > > In the Windows XP VPN connection I have "Security Tab", X Advanced
> > > Settings, X Allow these Protocols, check everything except "For MS_CHAP
> > > based...." (the last box). I also have "Require encryption, disconnect
> > > if server declines".
> > >
> > > Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
> > > TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
> > > networks DNS server for DNS (so it would be 10.10.10.x for yours). I
> > > also have "Use remote gateway" checked under the advanced options. Under
> > > Advanced TAB, I do not have anything checked - no ICF and don't allow
> > > other users to connect through this connection...
> > >
> > > Double check everything, make sure that you've got your IP addresses and
> > > masks set properly - a 255.255.255.0 is a /24.
> > >
> > > Let me know if this works.
> > >
> > >
> > > --
> > > --
> > > spamfree999@rrohio.com
> > > (Remove 999 to reply to me)
> > Hello again,
> > I have checked the network configuration and it is as follows.
> > Trusted interface is 10.10.10.7/24
> > There is nothing in the blocked Sites
> >
> > As for the network settings, all of our servers are assigned an IP
> > address which is 10.10.10.x with a subnet of 255.255.255.0. The DNS
> > server is 10.10.10.1, so all servers point to it as the Primary. I
> > also just created a Secondary DNS; it is 10.10.10.2.
> > As for the AnyPPTP rule it looks like this
> > Incoming Enabled and allowed
> > From - PPTP_Users
> > To - External
> > Firebox
> > Optional
> > Trusted
> >
> > Outgoing Enabled and allowed
> > From - External
> > Firebox
> > Optional
> > Trusted
> > To - PPTP_Users
> >
> > I have connected via a VPN from outside of our network and every time
> > I connect I can only ping 1 or 2 servers. I am unable to ping our main
> > server which has the logins and Exchange; however I just mapped to
> > our applications server and copied files from my computer to it.
> >
> > What I find really strange is that sometimes I can ping and connect
> > to one server but the next time I can not. I am beginning to get
> > frustrated.
>
> You need to look at the real-time logs, but I suspect that the problem
> is not with the firebox. What version of the Firmware are you running?
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

The firmware version that I am using looks like it is 6.0.B1140. That's what
it says under Help and WatchGuard version.
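Leythos's checklist quoted above (compare the IP address and mask of the server you can reach with the ones you can't, confirm the trusted interface is 10.10.10.0/24, and clear the default 10.0.0.0/8 and 192.168.0.0/16 Blocked Sites entries) can be run as a small audit. The script below is an added example, not code from the thread or from WatchGuard; the server names and settings are constructed, and it goes one step beyond the thread by also checking each server's default gateway, since replies to off-subnet VPN clients leave through that gateway.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed values mirroring the thread: Firebox trusted interface
# 10.10.10.7/24, remote VPN clients on 192.168.0.0/24, and the two
# factory Blocked Sites entries Leythos says to remove.
FIREBOX = IPv4Interface("10.10.10.7/24")
TRUSTED = FIREBOX.network
CLIENT_LAN = IPv4Network("192.168.0.0/24")
BLOCKED_SITES = [IPv4Network("10.0.0.0/8"), IPv4Network("192.168.0.0/16")]

# Hypothetical servers as (address/mask, default gateway); the names
# and settings are constructed, not taken from the thread.
SERVERS = {
    "app":  ("10.10.10.20/255.255.255.0", "10.10.10.7"),  # consistent
    "mail": ("10.10.10.5/255.255.0.0",    "10.10.10.7"),  # wrong mask
    "dc":   ("10.10.11.1/255.255.255.0",  "10.10.11.1"),  # wrong network
    "file": ("10.10.10.30/255.255.255.0", "10.10.10.1"),  # gateway not Firebox
}

def check_server(addr_with_mask, gateway):
    """Compare one server's IP settings with the Firebox trusted
    network; returns a list of findings (empty means consistent)."""
    iface = IPv4Interface(addr_with_mask)
    gw = IPv4Address(gateway)
    findings = []
    if iface.network.prefixlen != TRUSTED.prefixlen:
        findings.append(f"mask {iface.netmask} is /{iface.network.prefixlen}, "
                        f"trusted network is /{TRUSTED.prefixlen}")
    if iface.ip not in TRUSTED:
        findings.append(f"{iface.ip} is outside trusted {TRUSTED}")
    # 192.168.0.x VPN clients are off-subnet, so replies go to the default
    # gateway; if that is not the Firebox they never reach the PPTP tunnel.
    if gw != FIREBOX.ip:
        findings.append(f"default gateway {gw} is not the Firebox {FIREBOX.ip}")
    return findings

def audit(servers=SERVERS):
    """Run check_server over every server: dict of name -> findings."""
    return {name: check_server(*cfg) for name, cfg in servers.items()}

def blocked_by(net, blocked=BLOCKED_SITES):
    """Blocked Sites entries that would swallow traffic for `net`."""
    return [str(b) for b in blocked if net.subnet_of(b)]

if __name__ == "__main__":
    print("trusted/client overlap:", TRUSTED.overlaps(CLIENT_LAN))
    print("blocked:", blocked_by(TRUSTED), blocked_by(CLIENT_LAN))
    for name, findings in audit().items():
        print(name, findings or "ok")
```

With the factory Blocked Sites still present, both the trusted LAN and the client LAN fall inside a blocked range, which is why Leythos has you remove those entries before chasing per-server differences.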
 
Guest
Archived from groups: comp.security.firewalls

In article <l4SPc.18069$Jq2.798148@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b79b3e4bee26198a845@news-server.columbus.rr.com...
> > In article <nuRPc.17990$Jq2.789085@news20.bellglobal.com>,
> > stevendrury@sympatico.ca says...
> > > "Leythos" <void@nowhere.com> wrote in message
> > > news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> > > > In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> > > > stevendrury@sympatico.ca says...
> > > > [snip]
> > > > > I can vpn to the router and then ping only one of the servers. I
> > > > > can then map a drive using the IP address of that server; the
> > > > > server asks me to login, which works no problem.
> > > > > The subnet of our network is 255.255.255.0 and the IP addresses
> > > > > are 10.10.10.0. The network I am using to vpn is 192.168.0.0 with
> > > > > a subnet of 255.255.255.0. What I want to set up is so that our
> > > > > users can vpn in from home to check their email and do work if
> > > > > they need to. However the server they need to get to I can not
> > > > > access. Does this make any sense?
> > > >
> > > > Ok, so, you can ping one server, and map a share to it, but not the
> > > > other servers.
> > > >
> > > > So, the question is simple - what is the difference between the
> > > > network settings on the server you can connect to and the ones you
> > > > can't connect to?
> > > >
> > > > If you can't ping them by IP address (and the ANY_PPTP rule should
> > > > allow you total access if you set it up correctly), then it's got
> > > > to be some form of subnet issue.
> > > >
> > > > Did you set up the Network Configuration TAB properly - meaning that
> > > > your network Trusted interface should be 10.10.10.0/24 - and you
> > > > need to then go into the BLOCKED SITES settings (in 7.1 you find
> > > > this under Setup, Intrusion Prevention, and the Blocked Sites) and
> > > > remove the 10.0.0.0/8 and the 192.168.0.0/16 values (or whatever
> > > > they are for 10.x.y.x and 192.168.x.y).
> > > >
> > > > In the Windows XP VPN connection I have "Security Tab", X Advanced
> > > > Settings, X Allow these Protocols, check everything except "For
> > > > MS_CHAP based...." (the last box). I also have "Require encryption,
> > > > disconnect if server declines".
> > > >
> > > > Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and
> > > > under TCP/IP I have DHCP for IP, but I use a fixed IP address of
> > > > the trusted network's DNS server for DNS (so it would be 10.10.10.x
> > > > for yours). I also have "Use remote gateway" checked under the
> > > > advanced options. Under Advanced TAB, I do not have anything
> > > > checked - no ICF and don't allow other users to connect through
> > > > this connection...
> > > >
> > > > Double check everything, make sure that you've got your IP
> > > > Addresses and MASKs set properly - a 255.255.255.0 is a /24.
> > > >
> > > > Let me know if this works.
> > > >
> > > >
> > > > --
> > > > --
> > > > spamfree999@rrohio.com
> > > > (Remove 999 to reply to me)
> > > Hello again,
> > > I have checked the network configuration and it is as follows.
> > > Trusted interface is 10.10.10.7/24
> > > There is nothing in the blocked Sites
> > >
> > > As for the network settings, all of our servers are assigned an IP
> > > address which is 10.10.10.x with a subnet of 255.255.255.0. The DNS
> > > server is 10.10.10.1, so all servers point to it as the Primary. I
> > > also just created a Secondary DNS; it is 10.10.10.2.
> > > As for the AnyPPTP rule it looks like this
> > > Incoming Enabled and allowed
> > > From - PPTP_Users
> > > To - External
> > > Firebox
> > > Optional
> > > Trusted
> > >
> > > Outgoing Enabled and allowed
> > > From - External
> > > Firebox
> > > Optional
> > > Trusted
> > > To - PPTP_Users
> > >
> > > I have connected via a VPN from outside of our network and every time
> > > I connect I can only ping 1 or 2 servers. I am unable to ping our main
> > > server which has the logins and Exchange; however I just mapped to
> > > our applications server and copied files from my computer to it.
> > >
> > > What I find really strange is that sometimes I can ping and connect
> > > to one server but the next time I can not. I am beginning to get
> > > frustrated.
> >
> > You need to look at the real-time logs, but I suspect that the problem
> > is not with the firebox. What version of the Firmware are you running?
> >
> > --
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> The firmware version that I am using looks like it is 6.0.B1140. That's what
> it says under Help and WatchGuard version.

There were several problems with the 6.0 series. You need to download
the 7.1 series from their website. This may fix several problems for
you. If you don't have a maintenance agreement with them (renewable
every year) you won't be able to get the files.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest
Archived from groups: comp.security.firewalls

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b79c3b5ec71fbf798a846@news-server.columbus.rr.com...
> In article <l4SPc.18069$Jq2.798148@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > "Leythos" <void@nowhere.com> wrote in message
> > news:MPG.1b79b3e4bee26198a845@news-server.columbus.rr.com...
> > > In article <nuRPc.17990$Jq2.789085@news20.bellglobal.com>,
> > > stevendrury@sympatico.ca says...
> > > > "Leythos" <void@nowhere.com> wrote in message
> > > > news:MPG.1b7892a2ad2fa5b098a832@news-server.columbus.rr.com...
> > > > > In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
> > > > > stevendrury@sympatico.ca says...
> > > > > [snip]
> > > > > > I can vpn to the router and then ping only one of the servers. I
> > > > > > can then map a drive using the IP address of that server; the
> > > > > > server asks me to login, which works no problem.
> > > > > > The subnet of our network is 255.255.255.0 and the IP addresses
> > > > > > are 10.10.10.0. The network I am using to vpn is 192.168.0.0 with
> > > > > > a subnet of 255.255.255.0. What I want to set up is so that our
> > > > > > users can vpn in from home to check their email and do work if
> > > > > > they need to. However the server they need to get to I can not
> > > > > > access. Does this make any sense?
> > > > >
> > > > > Ok, so, you can ping one server, and map a share to it, but not the
> > > > > other servers.
> > > > >
> > > > > So, the question is simple - what is the difference between the
> > > > > network settings on the server you can connect to and the ones you
> > > > > can't connect to?
> > > > >
> > > > > If you can't ping them by IP address (and the ANY_PPTP rule should
> > > > > allow you total access if you set it up correctly), then it's got
> > > > > to be some form of subnet issue.
> > > > >
> > > > > Did you set up the Network Configuration TAB properly - meaning that
> > > > > your network Trusted interface should be 10.10.10.0/24 - and you
> > > > > need to then go into the BLOCKED SITES settings (in 7.1 you find
> > > > > this under Setup, Intrusion Prevention, and the Blocked Sites) and
> > > > > remove the 10.0.0.0/8 and the 192.168.0.0/16 values (or whatever
> > > > > they are for 10.x.y.x and 192.168.x.y).
> > > > >
> > > > > In the Windows XP VPN connection I have "Security Tab", X Advanced
> > > > > Settings, X Allow these Protocols, check everything except "For
> > > > > MS_CHAP based...." (the last box). I also have "Require encryption,
> > > > > disconnect if server declines".
> > > > >
> > > > > Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and
> > > > > under TCP/IP I have DHCP for IP, but I use a fixed IP address of
> > > > > the trusted network's DNS server for DNS (so it would be 10.10.10.x
> > > > > for yours). I also have "Use remote gateway" checked under the
> > > > > advanced options. Under Advanced TAB, I do not have anything
> > > > > checked - no ICF and don't allow other users to connect through
> > > > > this connection...
> > > > >
> > > > > Double check everything, make sure that you've got your IP
> > > > > Addresses and MASKs set properly - a 255.255.255.0 is a /24.
> > > > >
> > > > > Let me know if this works.
> > > > >
> > > > >
> > > > > --
> > > > > --
> > > > > spamfree999@rrohio.com
> > > > > (Remove 999 to reply to me)
> > > > Hello again,
> > > > I have checked the network configuration and it is as follows.
> > > > Trusted interface is 10.10.10.7/24
> > > > There is nothing in the blocked Sites
> > > >
> > > > As for the network settings, all of our servers are assigned an IP
> > > > address which is 10.10.10.x with a subnet of 255.255.255.0. The DNS
> > > > server is 10.10.10.1, so all servers point to it as the Primary. I
> > > > also just created a Secondary DNS; it is 10.10.10.2.
> > > > As for the AnyPPTP rule it looks like this
> > > > Incoming Enabled and allowed
> > > > From - PPTP_Users
> > > > To - External
> > > > Firebox
> > > > Optional
> > > > Trusted
> > > >
> > > > Outgoing Enabled and allowed
> > > > From - External
> > > > Firebox
> > > > Optional
> > > > Trusted
> > > > To - PPTP_Users
> > > >
> > > > I have connected via a VPN from outside of our network and every time
> > > > I connect I can only ping 1 or 2 servers. I am unable to ping our main
> > > > server which has the logins and Exchange; however I just mapped to
> > > > our applications server and copied files from my computer to it.
> > > >
> > > > What I find really strange is that sometimes I can ping and connect
> > > > to one server but the next time I can not. I am beginning to get
> > > > frustrated.
> > >
> > > You need to look at the real-time logs, but I suspect that the problem
> > > is not with the firebox. What version of the Firmware are you running?
> > >
> > > --
> > > --
> > > spamfree999@rrohio.com
> > > (Remove 999 to reply to me)
> >
> > The firmware version that I am using looks like it is 6.0.B1140. That's
> > what it says under Help and WatchGuard version.
>
> There were several problems with the 6.0 series. You need to download
> the 7.1 series from their website. This may fix several problems for
> you. If you don't have a maintenance agreement with them (renewable
> every year) you won't be able to get the files.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Thanks, will look into that. You have been a great help, thanks a lot.

Steven