HELP!!! - Firewalls


Thread: HELP!!!

  1. HELP!!!

    I have a WatchGuard III 700 firewall. I have a Microsoft 2003 SBS
    server with RRAS configured for VPN connections. I am having
    difficulties connecting an XP VPN client to the 2003 server. I can see
    in the firewall log file that port 1723 is being passed through to the
    2003 server but it is denying GRE (47). Below is an excerpt from the
    log file:

    12/14/06 15:12 firewalld[129]: deny in eth0:1 57 gre 20 115 X.X.X.X
    X.X.X.X (default).

    Each time I try to establish a VPN connection I receive an error 721
    connection could not be established.

    I'm not quite sure where I need to allow the GRE (47) in the services
    area of the WatchGuard. I have port 47 allowed in the firewall rule for
    VPN. I did read you need to set up port 47 as an "IP" protocol but when I
    do this it doesn't allow me to enter a NAT for the 2003 server.

    Any insight would be greatly appreciated

    THANKS!!!


  2. Re: HELP!!!

    In article <1166132004.561076.59120@80g2000cwy.googlegroups.com>,
    silicongangsta@gmail.com says...
    > I have a WatchGuard III 700 firewall. I have a Microsoft 2003 SBS
    > server with RRAS configured for VPN connections. I am having
    > difficulties connecting an XP VPN client to the 2003 server. I can see
    > in the firewall log file that port 1723 is being passed through to the
    > 2003 server but it is denying GRE (47). Below is an excerpt from the
    > log file:
    >
    > 12/14/06 15:12 firewalld[129]: deny in eth0:1 57 gre 20 115 X.X.X.X
    > X.X.X.X (default).
    >
    > Each time I try to establish a VPN connection I receive an error 721
    > connection could not be established.
    >
    > I'm not quite sure where I need to allow the GRE (47) in the services
    > area of the WatchGuard. I have port 47 allowed in the firewall rule for
    > VPN. I did read you need to set up port 47 as an "IP" protocol but when I
    > do this it doesn't allow me to enter a NAT for the 2003 server.
    >
    > Any insight would be greatly appreciated


    Why not add the PPTP rule to the firewall so that you can properly pass
    PPTP inbound?

    Open the Policy Manager, click Edit, Add service, expand Packet Filters,
    double click PPTP, give it a name of PPTP_Inbound, and add it. Now, you
    have to set up the rule, INCOMING From ANY, to (NAT the Server IP),
    outgoing (set as you want).

    Now, consider that the 700 will act as a VPN End-Point, you should
    really be having your remotes VPN to the Firewall, then create access
    rules for each user/group as to what ports and what IPs they can hit.
    We never map PPTP past the firewall.

    This will work if you use the proper services for rules.

    Do you have a static IP on the WAN?

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  3. Re: HELP!!!

    Da Computer Guy wrote:
    > I have a WatchGuard III 700 firewall. I have a Microsoft 2003 SBS
    > server with RRAS configured for VPN connections. I am having
    > difficulties connecting an XP VPN client to the 2003 server. I can see
    > in the firewall log file that port 1723 is being passed through to the
    > 2003 server but it is denying GRE (47). Below is an excerpt from the
    > log file:
    >
    > 12/14/06 15:12 firewalld[129]: deny in eth0:1 57 gre 20 115 X.X.X.X
    > X.X.X.X (default).
    >
    > Each time I try to establish a VPN connection I receive an error 721
    > connection could not be established.
    >
    > I'm not quite sure where I need to allow the GRE (47) in the services
    > area of the WatchGuard. I have port 47 allowed in the firewall rule for
    > VPN. I did read you need to set up port 47 as an "IP" protocol but when I
    > do this it doesn't allow me to enter a NAT for the 2003 server.


    You need to allow GRE on your firewall, which is IP *protocol* 47 (just
    like TCP is IP protocol 6 and UDP is IP protocol 17, see [1] for more
    information), not *port* 47. I'm not familiar with Watchguard, though,
    so I can't tell you where/how exactly to do that.

    [1] http://www.iana.org/assignments/protocol-numbers

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  4. Re: HELP!!!

    In article <4ufrbbF16jtj6U1@mid.individual.net>,
    usenet-2006@planetcobalt.net says...
    > Da Computer Guy wrote:
    > > I have a WatchGuard III 700 firewall. I have a Microsoft 2003 SBS
    > > server with RRAS configured for VPN connections. I am having
    > > difficulties connecting an XP VPN client to the 2003 server. I can see
    > > in the firewall log file that port 1723 is being passed through to the
    > > 2003 server but it is denying GRE (47). Below is an excerpt from the
    > > log file:
    > >
    > > 12/14/06 15:12 firewalld[129]: deny in eth0:1 57 gre 20 115 X.X.X.X
    > > X.X.X.X (default).
    > >
    > > Each time I try to establish a VPN connection I receive an error 721
    > > connection could not be established.
    > >
    > > I'm not quite sure where I need to allow the GRE (47) in the services
    > > area of the WatchGuard. I have port 47 allowed in the firewall rule for
    > > VPN. I did read you need to set up port 47 as an "IP" protocol but when I
    > > do this it doesn't allow me to enter a NAT for the 2003 server.

    >
    > You need to allow GRE on your firewall, which is IP *protocol* 47 (just
    > like TCP is IP protocol 6 and UDP is IP protocol 17, see [1] for more
    > information), not *port* 47. I'm not familiar with Watchguard, though,
    > so I can't tell you where/how exactly to do that.
    >
    > [1] http://www.iana.org/assignments/protocol-numbers


    I have about 60 WG firewalls in service - there is a PPTP rule that can
    be added; instead of just doing ports, the rule autoconfigures the ports
    (including GRE) when added to the firewall rules. I posted the details
    about this for the OP yesterday.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
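    The two points made in this thread (GRE is IP protocol 47, not a port,
    and a PPTP service needs both TCP/1723 and GRE opened together) are
    easy to check mechanically. The following is an added example, not
    code from the thread or from WatchGuard: it parses a log line in the
    format of the excerpt above, maps the protocol keyword to its IANA
    number, and reports which PPTP component a rule set is missing. The
    `Rule` type, the rule sets and the log line are constructed for the
    example; the meaning of the numeric fields after the interface name is
    not interpreted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IANA-assigned IP protocol numbers used here (full registry:
# https://www.iana.org/assignments/protocol-numbers).
IP_PROTOCOLS: Dict[int, str] = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}
PROTOCOL_NUMBERS: Dict[str, int] = {name: num for num, name in IP_PROTOCOLS.items()}

# Protocols that carry no port numbers at all; a "port 47" rule on TCP/UDP
# is therefore a protocol number typed into a port field.
PORTLESS_PROTOCOLS = {"gre", "esp", "ah"}

# What a PPTP VPN needs through a firewall: the TCP/1723 control channel
# and the GRE tunnel (IP protocol 47, no port).
PPTP_REQUIREMENTS: List[Tuple[str, Optional[int]]] = [("tcp", 1723), ("gre", None)]


@dataclass(frozen=True)
class Rule:
    """A hypothetical allow rule: transport/IP protocol name plus optional port."""
    protocol: str
    port: Optional[int] = None


# Constructed log line in the format of the WatchGuard excerpt in the thread.
SAMPLE_LOG = ("12/14/06 15:12 firewalld[129]: deny in eth0:1 57 gre 20 115 "
              "X.X.X.X X.X.X.X (default).")

LOG_RE = re.compile(
    r"firewalld\[\d+\]: (?P<action>allow|deny) (?P<direction>in|out) "
    r"(?P<iface>\S+) (?P<f1>\d+) (?P<proto>\S+) (?P<f2>\d+) (?P<f3>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+)"
)


def protocol_name(token: str) -> Optional[str]:
    """Accept either a protocol keyword ('gre') or a number ('47')."""
    if token.isdigit():
        return IP_PROTOCOLS.get(int(token))
    return token.lower() if token.lower() in PROTOCOL_NUMBERS else None


def parse_log(line: str) -> Optional[dict]:
    """Extract action, direction, interface, protocol and endpoints from a log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = protocol_name(rec["proto"])
    rec["proto_number"] = PROTOCOL_NUMBERS.get(rec["proto"]) if rec["proto"] else None
    return rec


def missing_for_pptp(rules: List[Rule]) -> List[Tuple[str, Optional[int]]]:
    """Return the PPTP components not covered by any rule in the set."""
    return [req for req in PPTP_REQUIREMENTS
            if not any((r.protocol, r.port) == req for r in rules)]


def protocol_as_port_rules(rules: List[Rule]) -> List[Rule]:
    """Flag TCP/UDP rules whose port number is really a portless IP protocol number."""
    return [r for r in rules
            if r.protocol in ("tcp", "udp")
            and r.port is not None
            and IP_PROTOCOLS.get(r.port) in PORTLESS_PROTOCOLS]


def diagnose(rules: List[Rule], log_line: str) -> dict:
    """Combine the log evidence with the rule-set check into one report."""
    rec = parse_log(log_line)
    return {
        "denied_protocol": rec["proto"] if rec and rec["action"] == "deny" else None,
        "missing": missing_for_pptp(rules),
        "misconfigured": protocol_as_port_rules(rules),
    }


if __name__ == "__main__":
    # The poster's situation: TCP/1723 allowed plus a "port 47" rule.
    as_posted = [Rule("tcp", 1723), Rule("tcp", 47)]
    print(diagnose(as_posted, SAMPLE_LOG))
    # What the PPTP packet-filter service amounts to: TCP/1723 plus GRE.
    corrected = [Rule("tcp", 1723), Rule("gre")]
    print(diagnose(corrected, SAMPLE_LOG))
```

    Run as a script, the first report names `gre` as the denied protocol,
    lists `("gre", None)` as missing and flags the `tcp/47` rule; the second
    report has an empty missing list.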

  5. Re: HELP!!!

    Leythos,
    Thanks for the help, I followed your instructions about adding the
    pptp_inbound. It does not give me an option for NAT in the properties of
    the service. How do I add a NAT statement to the service if it does not
    offer me the option? I have dynamic NAT enabled and entries for the
    server I am trying to connect to. I am a newbie to the WatchGuard and
    maybe I am just missing a step.

    THANKS!!

    Leythos wrote:
    > In article <1166132004.561076.59120@80g2000cwy.googlegroups.com>,
    > silicongangsta@gmail.com says...
    > > I have a WatchGuard III 700 firewall. I have a Microsoft 2003 SBS
    > > server with RRAS configured for VPN connections. I am having
    > > difficulties connecting an XP VPN client to the 2003 server. I can see
    > > in the firewall log file that port 1723 is being passed through to the
    > > 2003 server but it is denying GRE (47). Below is an excerpt from the
    > > log file:
    > >
    > > 12/14/06 15:12 firewalld[129]: deny in eth0:1 57 gre 20 115 X.X.X.X
    > > X.X.X.X (default).
    > >
    > > Each time I try to establish a VPN connection I receive an error 721
    > > connection could not be established.
    > >
    > > I'm not quite sure where I need to allow the GRE (47) in the services
    > > area of the WatchGuard. I have port 47 allowed in the firewall rule for
    > > VPN. I did read you need to set up port 47 as an "IP" protocol but when I
    > > do this it doesn't allow me to enter a NAT for the 2003 server.
    > >
    > > Any insight would be greatly appreciated

    >
    > Why not add the PPTP rule to the firewall so that you can properly pass
    > PPTP inbound?
    >
    > Open the Policy Manager, click Edit, Add service, expand Packet Filters,
    > double click PPTP, give it a name of PPTP_Inbound, and add it. Now, you
    > have to set up the rule, INCOMING From ANY, to (NAT the Server IP),
    > outgoing (set as you want).
    >
    > Now, consider that the 700 will act as a VPN End-Point, you should
    > really be having your remotes VPN to the Firewall, then create access
    > rules for each user/group as to what ports and what IPs they can hit.
    > We never map PPTP past the firewall.
    >
    > This will work if you use the proper services for rules.
    >
    > Do you have a static IP on the WAN?
    >
    > --
    >
    > spam999free@rrohio.com
    > remove 999 in order to email me
