
X500 - PPTP VPN

Status
Not open for further replies.

SkreeM

IS-IT--Management
Jun 6, 2005
117
GB
Hi All,

I'm trying to set a x500 up to do either one of the following

1) pass PPTP traffic through to a win 2003 RRAS server
or
2) authenticate incoming PPTP connections with the 2003 Active Directory and manage the VPN tunnels itself.

I'm having a nightmare with either. On passthrough I can't get it to allow me to use incoming NAT to the server. On self-negotiated it just doesn't answer.

Can anyone give me a guide on how to do it, or even a link to some decent info that will help.

Cheers

Skr
 
If you want to pass the PPTP traffic you need to do 1-1 NAT, and for that you need any free public IP on the external interface; then you can pass incoming traffic to the PPTP server inside.

If you want to authenticate using the 2003 server then you may have to use RADIUS auth with PPTP on the Firebox.

If you need config help please post the Firebox model + version number.
 
It is an X500

WatchGuard, Copyright (C) 1996-2004 WGTI
Firebox Release: sparks
Driver version: 7.3.B1849
Daemon version: 7.3.B1849
Sys_B Version: 7.1.B1405

is the info from the status page in firebox manager.
 
I have just set one up that used AD. I can give you some answers if you tell me how you have configured it so far.
 
Right, having looked at 1-to-1 NAT, I'm now really confused.

Ideally I do want it to use the RRAS server as I better understand the management etc.

The firebox is configured as follows

External Interface on xxx.xxx.xxx.210 /29
G/W address is xxx.xxx.xxx.214

Internal Interface 10.0.10.250 /8

Incoming Services

Filtered SMTP From: Any To: XXX.XXX.XXX.210->10.0.10.10
FTP From: Any To: XXX.XXX.XXX.210->10.0.10.10
RDP(3389) From: Any To: XXX.XXX.XXX.210->10.0.10.10
Auth From: Any To: Firebox

The RRAS Server is running on the same internal server 10.0.10.10.

The external IP for the existing incoming services etc. cannot change as it is registered with internet DNS and such like. I would like the VPN to come in on the same address. I am not bothered if the address that the outgoing clients show up from changes; the hosts xxx.xxx.xxx.211 and xxx.xxx.xxx.212 are available.

I'm getting really annoyed with this Firebox and want to kill the salesman who sold it without checking I knew how to install it.

Please, somebody help. What do I need to do? It will need to be quite step by step, as the only Firebox I've ever done is this one and I guess it's working by luck rather than judgement.
 
Aha, I have it solved, thanks to pankajchawla. I found another one of your posts on this subject and have managed to work it out. Many thanks :)

SkreeM
 
I have a question. I am looking at purchasing a new 500 series and want to know if you can just use MS PPTP to it to VPN, or do you have to use the IPsec client? I have a couple of the V series and you couldn't use PPTP with them, and it made them a pain to set up for vendors to VPN in.
 
drvcrash,
Yes, you can use MS PPTP to VPN in using the X500. I currently have my rig set this way. Just create the authenticated user and add the PPTP and IPsec to the access rights. Pretty easy to do.
 