Problem routing to VPN site, ISA server/Watchguard Firebox
  • Problem routing to VPN site, ISA server/Watchguard Firebox

    OK, here is what's going on: our internal network runs on a 10.8.0.0/255.248.0.0 network. We use ISA Server as our firewall to the outside, and as such it is our gateway. We also have a remote site running on a 192.168.100.0/24 network that is connected by two WatchGuard Fireboxes. The Firebox exists on the internal network and has an external IP. From my attachment you can see our connection comes off the router and to a switch that splits into my Firebox and then another connection to the ISA server.

    The problem comes in when I try to ping, or access anything on, my remote network. I've added a static route on my ISA server/gateway saying that to reach the 192.168.100.0/24 network it should use the Firebox as the gateway. Of course, if I switch my machine over to a static address and use the Firebox as my gateway, I can ping and access machines in the remote location. I've also added a static route on each of the Fireboxes telling it how to access the other's network. Is there something I'm missing here? It seems to me that possibly the Firebox should be in front of the ISA server, but I inherited this network and need to somehow make it work without moving too much around.

    Thanks for your ideas/help!
    Attached Files

  • #2
    Re: Problem routing to VPN site, ISA server/Watchguard Firebox

    I found your drawing quite confusing.
    Can you redraw it without the unnecessary crap like switches etc and add the important ip addresses only?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: Problem routing to VPN site, ISA server/Watchguard Firebox

      Here is a very crude picture, as I don't have Visio or anything else. I hope this makes things simpler to see. The remote network is not shown; it is 192.168.100.0/24.
      Attached Files

      • #4
        Re: Problem routing to VPN site, ISA server/Watchguard Firebox

        That's way better.
        But now I don't see your problem. You have one internal network and two parallel firewalls (don't know why, but OK).
        Marcel

        • #5
          Re: Problem routing to VPN site, ISA server/Watchguard Firebox

          Yeah, I'm not sure why they did it this way, but it is what it is and I inherited it. It was actually three parallel firewalls until I came on board. So, no idea why I can't get to my remote network?

          • #6
            Re: Problem routing to VPN site, ISA server/Watchguard Firebox

            OK, from the beginning:
            The site-to-site VPN is terminated on the Firebox, right?
            You created a static route to the remote site on the ISA server with the Firebox as the gateway, right?

            Personally I would remove one of the boxes to make it less complex, but OK.
            Marcel

            • #7
              Re: Problem routing to VPN site, ISA server/Watchguard Firebox

              The site-to-site VPN is terminated by the Fireboxes: one Firebox at my location and another Firebox at the remote location. My internal network is 10.8.0.0/13. The remote location is 192.168.100.0/24. I can ping the remote location when I set a static address on my machine and use my local Firebox as the gateway. When I leave it on DHCP, tracert shows it trying to use my ISA server, obviously, as the gateway to get out.

              On the ISA/RRAS server I created a static route that says: Network: 192.169.100/13, use gateway 10.8.1.10 (local Firebox).

              I would remove the local Firebox if it's possible to do site-to-site VPN with Microsoft on one end and the WatchGuard on the other.

              • #8
                Re: Problem routing to VPN site, ISA server/Watchguard Firebox

                Two questions:

                1. What is the internal interface (LAN) of the ISA server? You have different addresses in the pictures.

                2. Why do you have the ISA route to the remote network as 192.169.100/13 instead of 192.168.100.0/24?

                • #9
                  Re: Problem routing to VPN site, ISA server/Watchguard Firebox

                  ISA can terminate VPN; however, it doesn't support AES (yet).
                  Also, don't use RRAS to create static routes, but use the CLI with route add.

                  ISA uses RRAS extensively, and you should leave ISA in control of it.
                  Marcel

                  • #10
                    Re: Problem routing to VPN site, ISA server/Watchguard Firebox

                    1. The LAN interface IP of the ISA server is 10.8.2.3/13.
                    2. Ignore the 192.168.100/13; that was a mistype on my part.

                    So I should remove the static route from RRAS and do:

                    route add 192.168.100.0 MASK 255.255.255.0 10.8.1.10 METRIC 10

                    I checked the settings for the current VPN; it shows Authentication algorithm: SHA1-HMAC, Encryption algorithm: DES-CBC.
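The routing decision behind the route add above, as an added example that is not from the thread or from Microsoft or WatchGuard: a small Python longest-prefix-match table standing in for the ISA/RRAS host's forwarding lookup. It shows that without a more specific route the ISA box sends 192.168.100.x packets along its own default route out the external adapter, that the 192.168.100.0/24 route via 10.8.1.10 wins once it exists, and that the mistyped 192.169.100 destination has host bits set under a /13 mask (if a tool quietly masked it down instead of rejecting it, it would become 192.168.0.0/13, a far larger range than the remote site). The LAN 10.8.0.0/13, the ISA LAN address 10.8.2.3, the Firebox at 10.8.1.10 and the remote 192.168.100.0/24 subnet come from the thread; the upstream gateway 203.0.113.1 and the probe destinations are constructed, and the strict check in Python's `ipaddress` module is used here as the validator, not as a statement of how route.exe itself behaves.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the ISA/RRAS box described in the thread:
# internal LAN 10.8.0.0/13 (ISA LAN address 10.8.2.3/13), local Firebox at
# 10.8.1.10 terminating the site-to-site VPN to 192.168.100.0/24.
# The upstream gateway 203.0.113.1 is an assumption; the thread never gives it.
LAN = ipaddress.IPv4Network("10.8.0.0/13")
FIREBOX = ipaddress.IPv4Address("10.8.1.10")
UPSTREAM = ipaddress.IPv4Address("203.0.113.1")  # assumed, documentation range


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means on-link
    metric: int = 1


def parse_route_add(cmdline: str) -> Route:
    """Parse the canonical Windows form
    'route add DEST MASK NETMASK GATEWAY [METRIC n]' into a Route.

    DEST must be a network address under NETMASK; a destination with host
    bits set (e.g. 192.169.100.0 MASK 255.248.0.0, the thread's typo) is
    rejected rather than silently masked down.
    """
    t = cmdline.split()
    if (len(t) < 6 or t[0].lower() != "route" or t[1].lower() != "add"
            or t[3].upper() != "MASK"):
        raise ValueError(f"not a 'route add DEST MASK NETMASK GATEWAY' command: {cmdline!r}")
    dest, mask, gateway = t[2], t[4], t[5]
    metric = 1
    if len(t) >= 8 and t[6].upper() == "METRIC":
        metric = int(t[7])
    # strict=True raises ValueError when DEST has host bits set under the mask
    network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
    return Route(network, ipaddress.IPv4Address(gateway), metric)


def route_add_accepted(cmdline: str) -> bool:
    """True if the command parses as a valid route, False if it is rejected."""
    try:
        parse_route_add(cmdline)
        return True
    except ValueError:
        return False


def masked_down(dest: str, mask: str) -> str:
    """What a destination covers if the mask is applied instead of validated."""
    return str(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False))


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; lower metric breaks ties, like a host routing table."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def isa_table(with_remote_route: bool) -> List[Route]:
    """The ISA box's table, with or without the static route to the remote site."""
    table = [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), UPSTREAM, 10),  # default, external adapter
        Route(LAN, None, 1),                                      # internal LAN, on-link
    ]
    if with_remote_route:
        table.append(parse_route_add(
            "route add 192.168.100.0 MASK 255.255.255.0 10.8.1.10 METRIC 10"))
    return table


def next_hop(dst: str, with_remote_route: bool) -> str:
    """Where the ISA box forwards a packet for dst: 'on-link', a gateway, or 'unreachable'."""
    r = lookup(isa_table(with_remote_route), dst)
    if r is None:
        return "unreachable"
    return "on-link" if r.gateway is None else str(r.gateway)


if __name__ == "__main__":
    for dst in ("10.8.50.1", "192.168.100.5", "198.51.100.7"):  # constructed probes
        print(f"{dst:>15}  without route -> {next_hop(dst, False):<12}"
              f"  with route -> {next_hop(dst, True)}")
    print("typo masked down to:", masked_down("192.169.100.0", "255.248.0.0"))
    print("typo accepted:", route_add_accepted(
        "route add 192.169.100.0 MASK 255.248.0.0 10.8.1.10"))
```

Two practical notes. The static route only tells the ISA host where to forward; ISA also has to know that 192.168.100.0/24 sits behind its internal adapter (by including it in the Internal network definition, or in a network of its own with a network rule, as post #14 sets up), since ISA classifies any address that belongs to no defined network as External. Separately, the DES-CBC the existing tunnel negotiates is a 56-bit cipher and should be moved to 3DES, or to AES once both endpoints support it.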

                    • #11
                      Re: Problem routing to VPN site, ISA server/Watchguard Firebox

                      Route add works much better in the first place, because if you start configuring RRAS while ISA is controlling it, you might get a lot of trouble.
                      If I may suggest, when you are going to build NLB, please do not use the NLB manager either, but configure it from the ISA console.

                      For VPN you can use DES and 3DES on the ISA server.
                      Sadly enough, no AES yet, but with TMG they will (thank God, finally!!!).
                      Marcel

                      • #12
                        Re: Problem routing to VPN site, ISA server/Watchguard Firebox

                        Not sure if I should create a new thread or just update this one. I've actually created the VPN tunnel between my ISA server and the WatchGuard Firebox. The problem I'm having now is that while the tunnel is active, I can't get any traffic across.

                        • #13
                          Re: Problem routing to VPN site, ISA server/Watchguard Firebox

                          Have you created the appropriate access rules?
                          Marcel

                          • #14
                            Re: Problem routing to VPN site, ISA server/Watchguard Firebox

                            I've created an access rule that allows all outgoing traffic from my internal network to the remote network I created. I've also created a network rule that lists traffic from my internal network to the remote network as a route. Am I missing anything else I should need?
