Watchguard Firebox 2 (PPTP and GRE Pass Through)


Subject: Watchguard Firebox 2 (PPTP and GRE Pass Through) | Author: Matt.Jones | Date: 03-20-2007
Posted by Matt.Jones on March 20, 2007, 1:28 pm
Hi

Here's the issue


Windows 2003 Server (Small Business Server)
Ethernet: 10.10.10.200
Subnet: 255.255.255.0
Default Gateway: 10.10.10.250


DNS: 10.10.10.200


Watchguard Firebox 2
System Manager 7.0
Trusted Interface: 10.10.10.250
External Interface: 81.5.135.20
Optional Interface: Not Configured


What we are trying to do is create a VPN connection to the Windows
2003 server from a remote VPN client. To create this we have done the
following.


New Policy


Inbound - Any
Outbound - Any


NAT: 81.5.135.20 - 10.10.10.200


When I complete this the remote VPN client stays on the verifying
username and password process.


When connecting up a spare firewall that we have (Watchguard SOHO 6) we
are able to receive PPTP traffic, but when using the Watchguard Firebox
2 this doesn't work.


Looking at the traffic monitor I can see that the firewall is
reporting a GRE error.


To resolve this issue I used the PPTP rule that is already available
in the list of policies that are able to be created. When doing this I
have noticed that the NAT option is disabled. To sort this we have
tried to create a 1 - 1 NAT using another IP address out of your IP
range.


Any ideas would be great


Posted by dan.hobart@googlemail.com on March 29, 2007, 7:36 am
On Mar 20, 6:28 pm, Matt.Jo...@globaltravelgroup.com wrote:
> Hi
>
> Here's the issue
>
> Windows 2003 Server (Small Business Server)
> Ethernet: 10.10.10.200
> Subnet: 255.255.255.0
> Default Gateway: 10.10.10.250
>
> DNS: 10.10.10.200
>
> Watchguard Firebox 2
> System Manager 7.0
> Trusted Interface: 10.10.10.250
> External Interface: 81.5.135.20
> Optional Interface: Not Configured
>
> What we are trying to do is create a VPN connection to the Windows
> 2003 server from a remote VPN client. To create this we have done the
> following.
>
> New Policy
>
> Inbound - Any
> Outbound - Any
>
> NAT: 81.5.135.20 - 10.10.10.200
>
> When I complete this the remote VPN client stays on the verifying
> username and password process.
>
> When connecting up a spare firewall that we have (Watchguard SOHO 6) we
> are able to receive PPTP traffic, but when using the Watchguard Firebox
> 2 this doesn't work.
>
> Looking at the traffic monitor I can see that the firewall is
> reporting a GRE error.
>
> To resolve this issue I used the PPTP rule that is already available
> in the list of policies that are able to be created. When doing this I
> have noticed that the NAT option is disabled. To sort this we have
> tried to create a 1 - 1 NAT using another IP address out of your IP
> range.
>
> Any ideas would be great

I've seen this with a Firebox X Edge. The rule is there for PPTP
forwarding through to the 2003 RRAS server but it just doesn't work.
The client disconnects immediately and the Watchguard logs report
packets on 1723 being dropped. After extensive searching on the web
this seems to be a random problem that crops up with certain
combinations of NAT devices. In my case I am going through an ISA 2004
on my side, then through the Watchguard Firebox X Edge on the other
and this double-NAT combination doesn't work.

I can successfully pass PPTP through my ISA + many other devices
(including other Watchguards), and if I PPTP through JUST the
Watchguard (bypassing my ISA), that also works.

In all my research on this it seems the only solution is to change the
NAT device at either your end or the other end...

Dan
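The failure modes described in the two posts above are visible in firewall logs as a per-client pattern: a client whose TCP/1723 control connection is accepted but whose GRE (IP protocol 47) packets are then denied is the "stuck at verifying username and password" case, because GRE only starts once the control channel has negotiated the tunnel; a client whose 1723 packets are dropped outright never gets that far. The following Python script is an added example, not code from the thread or from WatchGuard; it triages constructed log lines in an assumed, simplified "action proto src -> dst" layout (real Firebox log fields differ, so the regex would need adapting) and reports, per client, which of the two channels the firewall is blocking.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real WatchGuard output). The field layout is
# an assumption made so the example runs offline. TCP/1723 is the PPTP control
# channel; GRE (IP protocol 47) carries the PPP data once a tunnel is negotiated.
SAMPLE_LOG = """\
2007-03-20 13:27:01 allow tcp 198.51.100.7:4021 -> 81.5.135.20:1723
2007-03-20 13:27:02 allow tcp 198.51.100.7:4021 -> 81.5.135.20:1723
2007-03-20 13:27:03 deny gre 198.51.100.7 -> 81.5.135.20
2007-03-20 13:27:04 deny gre 198.51.100.7 -> 81.5.135.20
2007-03-20 13:28:10 deny tcp 203.0.113.9:50123 -> 81.5.135.20:1723
2007-03-20 13:29:00 allow tcp 192.0.2.44:33001 -> 81.5.135.20:1723
2007-03-20 13:29:01 allow gre 192.0.2.44 -> 81.5.135.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) (?P<proto>tcp|gre) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

PPTP_CONTROL_PORT = 1723

# Verdict strings returned by triage_pptp()
CONTROL_BLOCKED = "control channel blocked: TCP/1723 denied, PPTP policy not matching"
GRE_BLOCKED = "GRE dropped after TCP/1723 accepted: NAT or policy is not passing protocol 47"
OK = "ok: control channel and GRE both accepted"
NO_GRE_YET = "control channel accepted, no GRE seen yet"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def triage_pptp(log_text):
    """Return {client_ip: verdict} by correlating TCP/1723 and GRE decisions per source."""
    control = defaultdict(set)  # client -> set of actions seen on TCP/1723
    gre = defaultdict(set)      # client -> set of actions seen on GRE
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and rec["dport"] == PPTP_CONTROL_PORT:
            control[rec["src"]].add(rec["action"])
        elif rec["proto"] == "gre":
            gre[rec["src"]].add(rec["action"])

    verdicts = {}
    for client in set(control) | set(gre):
        c_actions = control.get(client, set())
        g_actions = gre.get(client, set())
        if "allow" not in c_actions:
            verdicts[client] = CONTROL_BLOCKED       # Dan's symptom: 1723 dropped
        elif "deny" in g_actions:
            verdicts[client] = GRE_BLOCKED           # Matt's symptom: GRE error
        elif "allow" in g_actions:
            verdicts[client] = OK
        else:
            verdicts[client] = NO_GRE_YET
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(triage_pptp(SAMPLE_LOG).items()):
        print(f"{client:15} {verdict}")
```

The check to take away is the correlation, not the log format: an "allow" on TCP/1723 followed by "deny" on protocol 47 from the same peer means the policy or NAT device handles the control channel but not the GRE data channel, which is exactly why a plain port-forward of 1723 is never enough for PPTP.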


Posted by Leythos on March 29, 2007, 9:22 am
On Thu, 29 Mar 2007 04:36:20 -0700, dan.hobart@googlemail.com wrote:

> On Mar 20, 6:28 pm, Matt.Jo...@globaltravelgroup.com wrote:
>> Hi
>>
>> Here's the issue
>>
>> Windows 2003 Server (Small Business Server)
>> Ethernet: 10.10.10.200
>> Subnet: 255.255.255.0
>> Default Gateway: 10.10.10.250
>>
>> DNS: 10.10.10.200
>>
>> Watchguard Firebox 2
>> System Manager 7.0
>> Trusted Interface: 10.10.10.250
>> External Interface: 81.5.135.20
>> Optional Interface: Not Configured
>>
>> What we are trying to do is create a VPN connection to the Windows
>> 2003 server from a remote VPN client. To create this we have done the
>> following.
>>
>> New Policy
>>
>> Inbound - Any
>> Outbound - Any
>>
>> NAT: 81.5.135.20 - 10.10.10.200
>>
>> When I complete this the remote VPN client stays on the verifying
>> username and password process.
>>
>> When connecting up a spare firewall that we have (Watchguard SOHO 6) we
>> are able to receive PPTP traffic, but when using the Watchguard Firebox
>> 2 this doesn't work.
>>
>> Looking at the traffic monitor I can see that the firewall is
>> reporting a GRE error.
>>
>> To resolve this issue I used the PPTP rule that is already available
>> in the list of policies that are able to be created. When doing this I
>> have noticed that the NAT option is disabled. To sort this we have
>> tried to create a 1 - 1 NAT using another IP address out of your IP
>> range.
>>
>> Any ideas would be great
>
> I've seen this with a Firebox X Edge. The rule is there for PPTP
> forwarding through to the 2003 RRAS server but it just doesn't work.
> The client disconnects immediately and the Watchguard logs report
> packets on 1723 being dropped. After extensive searching on the web
> this seems to be a random problem that crops up with certain
> combinations of NAT devices. In my case I am going through an ISA 2004
> on my side, then through the Watchguard Firebox X Edge on the other
> and this double-NAT combination doesn't work.
>
> I can successfully pass PPTP through my ISA + many other devices
> (including other Watchguards), and if I PPTP through JUST the
> Watchguard (bypassing my ISA), that also works.
>
> In all my research on this it seems the only solution is to change the
> NAT device at either your end or the other end...

Why would anyone want to PPTP to the server when the Firebox 2 acts as a
VPN (PPTP or IPsec) endpoint and provides all that is needed without
having to expose the server itself? I never set up the servers as VPN
endpoints, only the firewall, which lets US control who reaches the server
and what ports they can use to reach the server.

Even the Firebox II device has PPTP pre-defined rules that can be added,
and yes, some cheap NAT routers don't properly pass GRE.

--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)
