
Configure Server 2003 VPN through Firebox X500 3

Status
Not open for further replies.

mikeataos

Technical User
Apr 28, 2005
10
US
We have Server 2003 and a Watchguard Firebox X500 firewall. We can't get remote client connections to the server. It always freezes on the verifying user name and password and then displays an error 721 message. It appears to be getting through the firewall? Any help is greatly appreciated.
 
what type of connections are you trying to make? VPN etc

also what type of client are you using to connect
 
We are trying to connect VPN using PPTP and MS-Chap V2. I'm using an XP Pro client trying to connect remotely.
 
do you have pptp opened up on the firewall. also you may want to ensure that you have entries for the server(S) in the host files
 
We've tried everything we can think of. We used the preconfigured filter for PPTP. It opens tcp 1723 and ip 47. The problem here is that the NAT button is greyed out so you can't point the external address to the internal address. So we made a custom filter to address the NAT issue. Even with both of those services, we could not get through. I've called Watchguard support, but they want us to use MUVPN. We don't want to install that client. We just want the firewall to pass VPN traffic through and let our server take care of authentication and encryption.
 
how do you have your NAT configured on the firebox?

typically you would need to set up the firebox as follows

create a 1-1 entry for your server
nat base external IP
real base internal IP address

in the PPTP rule

enter in both the real and NAT ip address into the incoming and outgoing rules


 

how do you have your NAT configured on the firebox?

Generally our configuration is dynamic. We use static nat for certain services (point the external ip address to the internal ip address).

create a 1-1 entry for your server
nat base external IP
real base internal IP address


If you are referring to the Remote Access Server, that is where we are having the problem. The PPTP filter has the tcp 1723 port and ip protocol 47 port open, but it won't allow you to configure an entry to point the public external ip address to the private internal ip address of the server.


in the PPTP rule

enter in both the real and NAT ip address into the incoming and outgoing rules

I'm not sure what you mean here. Are you referring to the service on the firebox?

 
in order for the PPTP to work properly you will need to create a static nat entry for the Remote Access server.

for example if your external IP is 10.1.1.2
and your internal ip is 192.168.1.2

then you would need to create an static nat entry for

10.1.1.2 to 192.168.2.1

and then point the PPTP client to connect to the 10.1.1.2 address


the second part of this is you need to configure the PPTP rule to allow traffic to both the internal and external IP address of the Remote Access server

On the incoming tab of pptp you need to configure the rule to be incoming from any ....incoming to 10.1.1.2 and 192.168.2.1

on the outgoing tab you need to configure the rule to allow all outgoing traffic from the internal ip, or in this case 192.168.2.1

 
Are the services on the firewall cumulative? If so, I think we've got this covered.

On the preconfigured PPTP filter, the ports (1723, 47) are open.

In the custom filter, I have our external public address (your example 10.1.1.2) pointed to our internal private address (your example 192.168.2.1)

The client uses the (10.1.1.2) address to try and connect.

In the PPTP rule on the firewall, we are allowing ANY traffic in from ANY on the incoming. On the outgoing we are allowing ANY to ANY.

 
you will still need to make a static nat entry for the Remote Access server, or the firewall will not pass traffic to this host
 
I thought I did that. In my last thread where I configured the custom filter, the internal public ip address is the nic on our remote access server. Is there another nat I'm supposed to do?
 
I think I see the problem. the custom filter will only nat traffic for that rule only, so the firebox will not combine both rules in this instance. if you were doing simple packet filtering then it would look at both rules

so here is what I would do

set up a 1-1 static NAT for the server under setup--nat-advanced-1-1 nat

then after you have configured this rule add both the NAT and external IP in the incoming TO of the PPTP rule.

set the rule to log all incoming and outgoing traffic

then try to make the connection with the VPN client and watch the traffic monitor to see if there are any additional ports being used and if the traffic is even making it through the firewall.
 
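The advice above is to log everything on the PPTP rule and read the traffic monitor. The script below is an added example (not from this thread, and not a WatchGuard tool) that shows what to look for when reading those logs: PPTP needs both the TCP 1723 control connection and the GRE tunnel (IP protocol 47) to reach the RAS server, and a hang at "verifying user name and password" followed by error 721 is the classic symptom of the control connection arriving while GRE never does. The log line format, the client address 203.0.113.5 and the sample lines are all constructed for this example; a real Firebox traffic monitor uses its own format, so `parse_line()` would need adapting.

```python
"""Triage PPTP passthrough from constructed traffic-monitor lines.

Added example, not from the thread and not WatchGuard's format.
The line format is an assumption made for this example:
    <allow|deny> <tcp|udp|gre> <src> -> <dst>[:<dport>]
"""
import re

LINE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<proto>tcp|udp|gre)\s+"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def diagnose(lines, server_addrs):
    """Classify what the firewall saw for the RAS server's addresses.

    server_addrs holds both the external (NAT) and internal (real) address,
    since the thread has traffic logged against either one.
    """
    control_allowed = gre_allowed = False
    denied = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in server_addrs:
            continue
        is_control = rec["proto"] == "tcp" and rec["dport"] == 1723
        is_gre = rec["proto"] == "gre"
        if not (is_control or is_gre):
            continue  # unrelated service, e.g. web traffic to the same host
        if rec["action"] == "deny":
            denied.append(line.strip())
        elif is_control:
            control_allowed = True
        else:
            gre_allowed = True

    if control_allowed and gre_allowed:
        verdict = "pptp_passing"
    elif control_allowed:
        # Control channel reaches the server but the tunnel never does:
        # the client authenticates, hangs, then reports error 721.
        verdict = "gre_blocked"
    elif gre_allowed:
        verdict = "control_blocked"
    else:
        verdict = "no_pptp_traffic_seen"
    return {"verdict": verdict, "denied": denied}


# Constructed sample: control connection passes, GRE is dropped, plus one
# unrelated HTTP line. Addresses are the thread's 10.1.1.2 / 192.168.2.1
# example and a TEST-NET client.
SAMPLE_LOG = [
    "allow tcp 203.0.113.5 -> 10.1.1.2:1723",
    "allow tcp 203.0.113.5 -> 10.1.1.2:80",
    "deny gre 203.0.113.5 -> 10.1.1.2",
]
SERVER_ADDRS = {"10.1.1.2", "192.168.2.1"}

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, SERVER_ADDRS)
    print(result["verdict"])
    for line in result["denied"]:
        print("  denied:", line)
```

Run against the sample it reports `gre_blocked` and lists the dropped GRE line; the same function applied to a monitor dump where both protocols are allowed returns `pptp_passing`, which is the state the thread is working towards.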

then after you have configured this rule add both the NAT and external IP in the incoming TO of the PPTP rule.

This is where I have the problem. When I click on the incoming tab of the PPTP rule and then click on add under the TO box, the NAT button is greyed out. It won't allow me to NAT the external address to the internal address. I set up the 1-1 NAT under setup as you suggested. The PPTP rule is active and the ports are open. It won't connect. I'm pretty sure it has something to do with that NAT button. I've created a Terminal Server rule and the NAT button was available so I could NAT the external address to an internal address. Why is the NAT button greyed for the PPTP rule? It's a preconfigured filter for the Watchguard box.

 
I am not sure why the NAT button is greyed out, but if you have added a static nat entry under setup etc then you do not need to use the NAT functionality in the rule. all you need to do is put the external IP and the internal IP in the incoming to box of the PPTP rule. so you will have incoming to both addresses listed. this should allow you to pass traffic to your VPN server.

if you still are having an issue take a look at the FAQ section and post your question on the WG forum on their site. this should be a straightforward setup so there may be something else going on here
 

Coladmin,

I got it. You pointed me in the right direction. I had to also add a dynamic NAT exception (next tab to 1-to-1 NAT Setup). I also had to remove the external address from the aliases box. I'm not sure when, why or how I put it there. Watchguard's support was awful. They were not remotely close to resolving this for us. You would think they would know exactly how to configure this. Also, on two separate days I left my name and a call back number for them to contact me about this case # and they never called back. I won't be recommending or buying any more Watchguard products. Anyway, thanks for your patience and help. It was greatly appreciated.
 
great. I had forgotten all about the dynamic nat exception.

I am surprised that they did not know how to do this as it is very standard.

good luck in the future
 
In the policy manager > remote users>> all the three options are checked>> if not , please check all and then save and try.:)
 
Hello coladmin & mikeataos,
I have a very similar setup I am trying to get working too. I've tried getting things set to the way you have described them in the posts listed above, but with no luck. Could you please put all of that advice above together in case I am missing something. We are trying to connect via VPN from the external address of 216.171.212.227 to the server 192.168.10.4 and are still unable to get a connection. On a side note, if we ping the external IP from a remote computer we get a reply, but once we remove the address from the aliases box we can no longer ping.

Thanks in advance!
 
create a 1-1 NAT entry for your server
nat base external IP 216.xxx
real base internal IP address 192.xxx
add a dynamic nat exception in the next tab over
for 192.xxx-216.xxx

now you will need to add the following into the VPN rule

in the incoming to enter in both the 192.xx and the 216.xx ip address

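The post above collects the whole procedure from this thread (1-to-1 NAT entry, dynamic NAT exception, both addresses in the rule's incoming TO, plus the aliases-box fix mikeataos found). The script below is an added example, not from the thread and not WatchGuard code, that turns that checklist into a configuration check: it models a Firebox policy with a small dataclass (the `FireboxConfig` and `PptpRule` field names are assumptions for this example; the real policy manager stores its settings differently) and reports which of the thread's steps a given configuration is missing. It uses the thread's 10.1.1.2 / 192.168.2.1 example addresses and contrasts the starting configuration with the one the thread ends up with.

```python
"""Checklist for PPTP passthrough to a RAS server behind a NAT firewall.

Added example, not from the thread and not WatchGuard's code. The config
model below is an assumption made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class PptpRule:
    tcp_ports: set = field(default_factory=set)      # TCP ports the rule allows
    ip_protocols: set = field(default_factory=set)   # raw IP protocols the rule allows
    incoming_to: set = field(default_factory=set)    # addresses in the incoming TO box
    outgoing_from: set = field(default_factory=set)  # addresses in the outgoing FROM box


@dataclass
class FireboxConfig:
    one_to_one_nat: dict = field(default_factory=dict)        # nat base -> real base
    dynamic_nat_exceptions: set = field(default_factory=set)  # (real, nat) pairs
    pptp_rule: PptpRule = field(default_factory=PptpRule)
    aliases: set = field(default_factory=set)                 # addresses in the aliases box


def covers(addr_set, ip):
    """An address box set to Any covers every address."""
    return "Any" in addr_set or ip in addr_set


def check_pptp_passthrough(cfg, ext_ip, int_ip):
    """Return the list of thread steps that this configuration is missing."""
    problems = []
    rule = cfg.pptp_rule
    # Both halves of PPTP must be allowed: control channel and GRE tunnel.
    if 1723 not in rule.tcp_ports:
        problems.append("PPTP rule does not allow TCP 1723 (control channel)")
    if 47 not in rule.ip_protocols:
        problems.append("PPTP rule does not allow IP protocol 47 (GRE tunnel)")
    # 1-to-1 NAT under setup, since the rule's own NAT button is unavailable.
    if cfg.one_to_one_nat.get(ext_ip) != int_ip:
        problems.append(f"no 1-to-1 NAT entry {ext_ip} -> {int_ip}")
    # The dynamic NAT exception mikeataos needed on top of the 1-to-1 entry.
    if (int_ip, ext_ip) not in cfg.dynamic_nat_exceptions:
        problems.append(f"no dynamic NAT exception for {int_ip}-{ext_ip}")
    # Both the NAT and the real address go in incoming TO; the real address in outgoing FROM.
    for ip in (ext_ip, int_ip):
        if not covers(rule.incoming_to, ip):
            problems.append(f"PPTP incoming TO is missing {ip}")
    if not covers(rule.outgoing_from, int_ip):
        problems.append(f"PPTP outgoing FROM is missing {int_ip}")
    # The external address must not also be bound as an alias.
    if ext_ip in cfg.aliases:
        problems.append(f"{ext_ip} is still listed in the aliases box")
    return problems


EXT, INT = "10.1.1.2", "192.168.2.1"  # the thread's example addresses


def starting_config():
    """Preconfigured PPTP filter, Any/Any, no NAT wiring, external IP as an alias."""
    return FireboxConfig(
        pptp_rule=PptpRule(tcp_ports={1723}, ip_protocols={47},
                           incoming_to={"Any"}, outgoing_from={"Any"}),
        aliases={EXT},
    )


def finished_config():
    """Every step from the thread applied."""
    return FireboxConfig(
        one_to_one_nat={EXT: INT},
        dynamic_nat_exceptions={(INT, EXT)},
        pptp_rule=PptpRule(tcp_ports={1723}, ip_protocols={47},
                           incoming_to={EXT, INT}, outgoing_from={INT}),
    )


if __name__ == "__main__":
    for name, cfg in (("starting", starting_config()), ("finished", finished_config())):
        issues = check_pptp_passthrough(cfg, EXT, INT)
        print(f"{name}: {'ok' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

The starting configuration is reported as missing the 1-to-1 entry, the dynamic NAT exception and the alias cleanup, while the finished one passes cleanly; the same check applies unchanged to gTT's 216.171.212.227 / 192.168.10.4 pair by passing those addresses instead.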
 
coladmin,
Thanks for the quick reply. I will be working at that location today and will use your suggestions. I will keep you posted. Thanks again.

-gTT
 