Watch Guard Firebox 1000 and VPN

Archived from groups: comp.security.firewalls (More info?)

 

I am trying to set up a VPN to my Win 2000 Server. I have it working
internal but I can not get my watchguard to let me in. What do I need to do
to make it work?

Thanks in advance.

In article <ZJhPc.11248$Vm1.144205@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> I am trying to set up a VPN to my Win 2000 Server. I have it working
> internal but I can not get my watchguard to let me in. What do I need to do
> to make it work?

There are several methods and we need more information:

1) Are you trying to VPN into the network and have total access to all
network resources?

2) Are you trying to remote-desktop into the server only?

If you set up a PPTP user in the WatchGuard, you can PPTP into the
firewall itself, and if you create a rule, you can access the entire
network once you authenticate with the VPN. Windows remote access is not
needed at this point - once you get an IP you are the same as being in
the local network.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

We are trying to VPN into the network and have total access to all network
resources. I would like to terminal service into the server if possible but
the VPN is the most important part at this time.

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7807534a27f26d98a821@news-server.columbus.rr.com...
> In article <ZJhPc.11248$Vm1.144205@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > I am trying to set up a VPN to my Win 2000 Server. I have it working
> > internal but I can not get my watchguard to let me in. What do I need to do
> > to make it work?
>
> There are several methods and we need more information:
>
> 1) Are you trying to VPN into the network and have total access to all
> network resources?
>
> 2) Are you trying to remote-desktop into the server only?
>
> If you set up a PPTP user in the WatchGuard, you can PPTP into the
> firewall itself, and if you create a rule, you can access the entire
> network once you authenticate with the VPN. Windows remote access is not
> needed at this point - once you get an IP you are the same as being in
> the local network.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

In article <ForPc.10$%M2.320@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> We are trying to VPN into the network and have total access to all network
> resources. I would like to terminal service into the server if possible but
> the VPN is the most important part at this time.

The simple method would be to create PPTP users for the Firewall itself,
open the Policy Manager, click on Network, Remote User, PPTP, and then
add a couple fixed IP addresses and enable remote users.

Now click on Setup, Authentication Servers, Firebox Users tab, add a
couple users and put them in the PPTP_Users group.

One last thing - and this is not the approved method, but will get you
up and running - go back and secure this later: Add an ANY rule, call it
ANY_PPTP and make Incoming Enabled and Allowed, add PPTP_Users to From
and External, Firebox, Optional, Trusted to the TO box, click OUTGOING
tab, and do the same thing in reverse (PPTP_Users goes in the TO box
this time, same for the From box).

Now, save this - you can't check this from inside your network, you have
to PPTP from outside the network.

Create a Windows XP (or anything that supports PPTP) connection to the
public IP of the Firewall and authenticate with the firewall. This will
give you an IP in the network, you need to configure the PPTP to use the
DNS server INSIDE your trusted network if you want to use name
resolution.

Hope this helps. Please bottom post.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Thanks, I have created and done everything you have said. I am able to
connect from an outside source and when I connect I am able to ping the
Router but not any of the computers on the network. Did I forget something?

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b78120de4b5f3c98a825@news-server.columbus.rr.com...
> In article <ForPc.10$%M2.320@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > We are trying to VPN into the network and have total access to all network
> > resources. I would like to terminal service into the server if possible but
> > the VPN is the most important part at this time.
>
> The simple method would be to create PPTP users for the Firewall itself,
> open the Policy Manager, click on Network, Remote User, PPTP, and then
> add a couple fixed IP addresses and enable remote users.
>
> Now click on Setup, Authentication Servers, Firebox Users tab, add a
> couple users and put them in the PPTP_Users group.
>
> One last thing - and this is not the approved method, but will get you
> up and running - go back and secure this later: Add an ANY rule, call it
> ANY_PPTP and make Incoming Enabled and Allowed, add PPTP_Users to From
> and External, Firebox, Optional, Trusted to the TO box, click OUTGOING
> tab, and do the same thing in reverse (PPTP_Users goes in the TO box
> this time, same for the From box).
>
> Now, save this - you can't check this from inside your network, you have
> to PPTP from outside the network.
>
> Create a Windows XP (or anything that supports PPTP) connection to the
> public IP of the Firewall and authenticate with the firewall. This will
> give you an IP in the network, you need to configure the PPTP to use the
> DNS server INSIDE your trusted network if you want to use name
> resolution.
>
> Hope this helps. Please bottom post.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

On Mon, 2 Aug 2004 10:23:52 -0400, "Steven Drury"
<stevendrury@sympatico.ca> wrote:

>Thanks, I have created and done everything you have said. I am able to
>connect from an outside source and when I connect I am able to ping the
>Router but not any of the computers on the network. Did I forget something?

Ping might be blocked on the watchguard.

In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> Thanks, I have created and done everything you have said. I am able to
> connect from an outside source and when I connect I am able to ping the
> Router but not any of the computers on the network. Did I forget something?

Did you create the ANY rule like I mentioned - you need to ADD an ANY
service (all ports/types) that lets the PPTP_Users group access the
network. Just making the connection via PPTP without the rule means you
can only access the firewall, nothing else.

Please bottom post next time.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

In article <MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com>,
void@nowhere.com says...
> In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > Thanks, I have created and done everything you have said. I am able to
> > connect from an outside source and when I connect I am able to ping the
> > Router but not any of the computers on the network. Did I forget something?
>
> Did you create the ANY rule like I mentioned - you need to ADD an ANY
> service (all ports/types) that lets the PPTP_Users group access the
> network. Just making the connection via PPTP without the rule means you
> can only access the firewall, nothing else.
>
> Please bottom post next time.

One more thing - if you didn't assign a DNS entry of an internal DNS
server (in your trusted network) to the Networking DNS options of the
PPTP connection, then you can only ping by IP, not by name. Without the
DNS entry you can't use UNC paths/names.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com...
> In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > Thanks, I have created and done everything you have said. I am able to
> > connect from an outside source and when I connect I am able to ping the
> > Router but not any of the computers on the network. Did I forget something?
>
> Did you create the ANY rule like I mentioned - you need to ADD an ANY
> service (all ports/types) that lets the PPTP_Users group access the
> network. Just making the connection via PPTP without the rule means you
> can only access the firewall, nothing else.
>
> Please bottom post next time.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Yes I did create a rule just like you said. I am able to login and then
ping the router. I enabled ping everything and I still could not ping any
other devices. I am able to ping the IP address from any computer on the
internal network however.
On my properties of the Any PPTP rule it has Port with nothing under it and
protocol with Any on it, Client Port is empty as well. I can not add Any to
the Port section.

In article <FdtPc.7972$Jq2.390520@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com...
> > In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> > stevendrury@sympatico.ca says...
> > > Thanks, I have created and done everything you have said. I am able to
> > > connect from an outside source and when I connect I am able to ping the
> > > Router but not any of the computers on the network. Did I forget something?
> >
> > Did you create the ANY rule like I mentioned - you need to ADD an ANY
> > service (all ports/types) that lets the PPTP_Users group access the
> > network. Just making the connection via PPTP without the rule means you
> > can only access the firewall, nothing else.
> >
> > Please bottom post next time.
> >
> > --
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> Yes I did create a rule just like you said. I am able to login and then
> ping the router. I enabled ping everything and I still could not ping any
> other devices. I am able to ping the IP address from any computer on the
> internal network however.
> On my properties of the Any PPTP rule it has Port with nothing under it and
> protocol with Any on it, Client Port is empty as well. I can not add Any to
> the Port section.

The ANY service already has the proper ports/services in the rule, you
don't need to add anything to it to make it work.

So, the question is this - from an external public connection, you PPTP
into the Firebox, the firebox provides you an IP (meaning that you did
set a number of IPs up in the REMOTE USER SETUP / PPTP tab)? Try setting
"Enable drop from 128bit to 40 bit".

One last thing, if you are not using the "Strong Software Encryption"
version, then you can't do a VPN/PPTP into the firewall.

If this doesn't work you are going to have to call them.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b7840a9d665905998a82c@news-server.columbus.rr.com...
> In article <FdtPc.7972$Jq2.390520@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > "Leythos" <void@nowhere.com> wrote in message
> > news:MPG.1b7824e5ba2412da98a829@news-server.columbus.rr.com...
> > > In article <l8sPc.11$%M2.163@news20.bellglobal.com>,
> > > stevendrury@sympatico.ca says...
> > > > Thanks, I have created and done everything you have said. I am able to
> > > > connect from an outside source and when I connect I am able to ping the
> > > > Router but not any of the computers on the network. Did I forget something?
> > >
> > > Did you create the ANY rule like I mentioned - you need to ADD an ANY
> > > service (all ports/types) that lets the PPTP_Users group access the
> > > network. Just making the connection via PPTP without the rule means you
> > > can only access the firewall, nothing else.
> > >
> > > Please bottom post next time.
> > >
> > > --
> > > --
> > > spamfree999@rrohio.com
> > > (Remove 999 to reply to me)
> >
> > Yes I did create a rule just like you said. I am able to login and then
> > ping the router. I enabled ping everything and I still could not ping any
> > other devices. I am able to ping the IP address from any computer on the
> > internal network however.
> > On my properties of the Any PPTP rule it has Port with nothing under it and
> > protocol with Any on it, Client Port is empty as well. I can not add Any to
> > the Port section.
>
> The ANY service already has the proper ports/services in the rule, you
> don't need to add anything to it to make it work.
>
> So, the question is this - from an external public connection, you PPTP
> into the Firebox, the firebox provides you an IP (meaning that you did
> set a number of IP up in the REMOTE USER SETUP / PPTP tab? Try setting
> "Enable drop from 128bit to 40 bit".
>
> One last thing, if you are not using the "Strong Software Encryption"
> version, then you can't do a VPN/PPTP into the firewall.
>
> If this doesn't work you are going to have to call them.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Now this is interesting. I have just connected to one of my servers through
the vpn however I am unable to connect to the main server. Is it possible
that I have to set up something on the server? I have 4 servers here and
can only connect to the one that has the Watchguard program on it. I am so
confused as to why I can connect to it.

In article <wXvPc.18$%M2.411@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
> Now this is interesting. I have just connected to one of my servers through
> the vpn however I am unable to connect to the main server. Is it possible
> that I have to set up something on the server? I have 4 servers here and
> can only connect to the one that has the Watchguard program on it. I am so
> confused as to why I can connect to it.

Define "connect to it"?

What is the subnet of the Trusted network at your 4-servers location?

What is the subnet of the place where you are at trying to test the VPN?

If you are using 192.168.1.0/24 for both networks, or any other subnet
that is the same on both ends, you will have nothing but troubles - they
must be different, and you should not make either one of them the
default for typical devices already on the market: As an example, many
routers use 192.168.1.0/24 and 192.168.0.0/24 for their subnets, put the
Firewall Trusted zone at 192.168.16.0/24 so that you can easily segment
the network if needed, do the DMZ at 192.168.32.0/24 - this means that
people using the default address space on those home user routers can
access your network properly.

The firewall does not connect to a server, it's a stand-alone unit. The
only connection is from the Firewall HTTP Proxy service to the
WebBlocker database service running on a server (if you installed it),
all other connections are from the management software on a
server/workstation to the firewall.

Mark

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b787b26e4ea82ac98a830@news-server.columbus.rr.com...
> In article <wXvPc.18$%M2.411@news20.bellglobal.com>,
> stevendrury@sympatico.ca says...
> > Now this is interesting. I have just connected to one of my servers through
> > the vpn however I am unable to connect to the main server. Is it possible
> > that I have to set up something on the server? I have 4 servers here and
> > can only connect to the one that has the Watchguard program on it. I am so
> > confused as to why I can connect to it.
>
> Define "connect to it"?
>
> What is the subnet of the Trusted network at your 4-servers location?
>
> What is the subnet of the place where you are at trying to test the VPN?
>
> If you are using 192.168.1.0/24 for both networks, or any other subnet
> that is the same on both ends, you will have nothing but troubles - they
> must be different, and you should not make either one of them the
> default for typical devices already on the market: As an example, many
> routers use 192.168.1.0/24 and 192.168.0.0/24 for their subnets, put the
> Firewall Trusted zone at 192.168.16.0/24 so that you can easily segment
> the network if needed, do the DMZ at 192.168.32.0/24 - this means that
> people using the default address space on those home user routers can
> access your network properly.
>
> The firewall does not connect to a server, it's a stand-alone unit. The
> only connection is from the Firewall HTTP Proxy service to the
> WebBlocker database service running on a server (if you installed it),
> all other connections are from the management software on a
> server/workstation to the firewall.
>
> Mark
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

I can vpn to the router and then ping only one of the servers. I can then
map a drive using the IP Address of that server the server asks me to login
which works no problem.
The subnet of our network is 255.255.255.0 and the ip addresses are
10.10.10.0. The network I am using to vpn is 192.168.0.0 with a subnet of
255.255.255.0. What I want to set up is so that our users can vpn in from
home to check their email and do work if they need to. However the server
they need to get to I can not access. Does this make any sense?

In article <y4zPc.11700$Jq2.485521@news20.bellglobal.com>,
stevendrury@sympatico.ca says...
[snip]
> I can vpn to the router and then ping only one of the servers. I can then
> map a drive using the IP Address of that server the server asks me to login
> which works no problem.
> The subnet of our network is 255.255.255.0 and the ip addresses are
> 10.10.10.0. The network I am using to vpn is 192.168.0.0 with a subnet of
> 255.255.255.0. What I want to set up is so that our users can vpn in from
> home to check their email and do work if they need to. However the server
> they need to get to I can not access. Does this make any sense?

Ok, so, you can ping one server, and map a share to it, but not the
other servers.

So, the question is simple - what is the difference between the network
settings on the server you can connect to and the ones you can't connect
to?

If you can't ping them by IP address (and the ANY_PPTP rule should allow
you total access if you set it up correctly), then it's got to be some
form of subnet issue.

Did you set up the Network Configuration TAB properly - meaning that your
network Trusted interface should be 10.10.10.0/24 and you need to then
go into the BLOCKED SITES settings (in 7.1 you find this under Setup,
Intrusion Prevention, and the Blocked Sites) - remove the 10.0.0.0/8 and
the 192.168.0.0/16 values (or whatever they are for 10.x.y.x and
192.168.x.y).

In the Windows XP VPN connection I have "Security Tab", X Advanced
Settings, X Allow these Protocols, check everything except "For MS_CHAP
based...." (the last box). I also have "Require encryption, disconnect
if server declines".

Under the Networking Tab I have TYPE OF VPN set to PPTP VPN, and under
TCP/IP I have DHCP for IP, but I use a fixed IP address of the trusted
network's DNS server for DNS (so it would be 10.10.10.x for yours). I
also have "Use remote gateway" checked under the advanced options. Under
Advanced TAB, I do not have anything checked - no ICF and don't allow
other users to connect through this connection...

Double check everything, make sure that you've got your IP addresses and
masks set properly - a 255.255.255.0 is a /24.

Let me know if this works.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
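
The addressing checks Leythos walks through in the last two replies (different subnets on each end of the VPN, a Trusted network that avoids home-router defaults, 255.255.255.0 being a /24, and Blocked Sites entries that cover the networks in use) can be scripted as below. This is an added example, not part of the original thread or of WatchGuard's tooling; the function names and finding codes are hypothetical, and the Blocked Sites entries are assumed to be available as CIDR strings.

```python
import ipaddress

# Subnets the thread names as common home-router defaults.
HOME_ROUTER_DEFAULTS = [
    ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")
]


def to_network(address, mask):
    """Turn an address plus dotted mask (255.255.255.0) into a CIDR network.

    strict=True rejects input with host bits set (10.10.10.5/255.255.255.0),
    which usually means a host address was typed where a network belongs.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=True)


def audit_vpn_addressing(trusted, client_lan, blocked_sites):
    """Return (code, detail) findings for one remote-access VPN setup.

    trusted       -- network behind the firewall's Trusted interface
    client_lan    -- network the remote user dials in from
    blocked_sites -- CIDR strings from the Blocked Sites list (assumed format)
    """
    findings = []
    # Same address space on both ends makes the client route locally.
    if trusted.overlaps(client_lan):
        findings.append(("OVERLAP", f"{trusted} and {client_lan} share addresses"))
    # A Trusted network on a home-router default will collide with some user.
    for default in HOME_ROUTER_DEFAULTS:
        if trusted.overlaps(default):
            findings.append(
                ("TRUSTED_USES_HOME_DEFAULT", f"{trusted} collides with {default}")
            )
    # Blocked Sites entries that cover either side need a review.
    for entry in blocked_sites:
        blocked = ipaddress.ip_network(entry)
        if trusted.overlaps(blocked):
            findings.append(
                ("BLOCKED_COVERS_TRUSTED", f"{blocked} overlaps {trusted}")
            )
        if client_lan.overlaps(blocked):
            findings.append(
                ("BLOCKED_COVERS_CLIENT", f"{blocked} overlaps {client_lan}")
            )
    return findings


if __name__ == "__main__":
    # Values quoted in the thread: 10.10.10.0 and 192.168.0.0, both with a
    # 255.255.255.0 mask, and the two Blocked Sites entries Leythos mentions.
    trusted = to_network("10.10.10.0", "255.255.255.0")
    client = to_network("192.168.0.0", "255.255.255.0")
    for code, detail in audit_vpn_addressing(
        trusted, client, ["10.0.0.0/8", "192.168.0.0/16"]
    ):
        print(f"{code}: {detail}")
```
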