BOVPN thru Watchguard Firebox T80 to Palo Alto

I have set up VPNs on the WG several times, but I have not had to deal with one as in-depth as this vendor at a client site is asking me to do.

Medical Practice is using a new EMR that will need to go through a BOVPN to access the system.

The IT Dept at the EMR company has asked me to set up:
  • Workstations/PCs: 1-to-many NAT from the local subnet to any IP within the subnet they provided me.
  • Printers: 1-to-1 NAT from the local subnet to an IP within their subnet.
  • Host files on the PCs that point to 2 websites and to an IP.

I was able to get the Gateway and the Tunnel built, but am having issues with some of the configuration.

  • We have 2 printers that we set 1-to-1 NAT to an IP address on their subnet. But! It seems that only one of those subnets is active; the other is not. I thought it could have been a port issue, but I am thinking it could be something else now.

There are 8 different servers that each local IP for the printers would have to point to; the IT dept did not really give me a valid reason. I can get 1 of the printers to become active in the tunnel that NATs to one of their subnet IPs, but can't get the other printer to become active.

I have even gone as far as only adding a couple of the servers with 1 printer and 2 printers with the same result. I am not sure what the issue is due to the settings basically being the same other than the local IP address and the remote subnet.

When speaking with the IT department, he said that all his settings are correct. I feel that I have everything right, but maybe not.

This is a lot different than I am used to, and I don't even know why they want it set up like this, but it is a pretty big EMR system.

Would anyone have any idea or some troubleshooting tips?

The support for the firebox just expired a couple of weeks ago and I am waiting on the client to pay for the subscription so that I can get WG Support to look at this as well. I just do not get in there that much to really figure out how to troubleshoot it.

I've spent days and weeks on this project and I want it to be done!

I will be more than happy to share the setup with anyone that is willing to help out with this.


The vendor provided me with the peer IP, Phase 1 and Phase 2 settings, and all the network-object IPs.

I am also going to have to do this same setup at another location that is using an ISP-provided firewall (Meraki). So I am hoping that it is not a nightmare!

james.carson Moderator, WatchGuard Representative

It sounds like you have most of this set up - I'd suggest opening a support case so that someone from our support team can take a look at your logs and assist.

It sounds like they may be using a route-based VPN (BOVPN Virtual Interface) vice a policy-based VPN (standard BOVPN tunnel pairs) if you can only get one to come up at a time. Getting a full description from the distant end on what they have set up will likely be helpful.

-James Carson
WatchGuard Customer Support

