Mobile VPN with SSL users cannot access local resources
I have an out-of-service M300 firewall that I am trying to repurpose as a basic VPN box for a small business. The Mobile SSL VPN authenticates using a Firebox-DB user, and I am able to access the firewall, but I cannot access any other local resources, even by IP address. I have added Any to the From and To in the SSLVPN policy just to see if that would work, and it still doesn't. I can ping the firewall but not any other devices on the network. I have allowed access to all trusted, optional and custom networks. I set the virtual IP pool to 192.168.6.0/24. I feel like it is a routing issue. Looking at the status on the client, the first route is 192.168.0.0 gw=192.168.6.1 mask 255.255.255.0. I have another working Mobile VPN at a different client, and the first route on that client PC is 0.0.0.0 gw=192.168.117.1 mask=128.0.0.0, but I don't know how to change this. This is not working
This one does work at a different location.
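As an added illustration (not part of the original post), the following script does a longest-prefix-match lookup over the two client route lines quoted above to show which table would send traffic for a LAN host into the tunnel. The server address 192.168.1.150 is taken from later in the thread; the LAN default route and the working client's companion route 128.0.0.0 mask 128.0.0.0 are assumptions, since the post quotes only each client's first route.

```python
import ipaddress

# Routing tables constructed from the route lines quoted in the question.
# Each entry is (destination, netmask, gateway).
LAN_DEFAULT = ("0.0.0.0", "0.0.0.0", "10.0.0.1")  # assumed local LAN gateway

# Non-working client: only the first route quoted in the post.
NOT_WORKING = [("192.168.0.0", "255.255.255.0", "192.168.6.1"), LAN_DEFAULT]

# Working client: the quoted 0.0.0.0/1 route plus the assumed 128.0.0.0/1 half.
WORKING = [
    ("0.0.0.0", "128.0.0.0", "192.168.117.1"),
    ("128.0.0.0", "128.0.0.0", "192.168.117.1"),  # assumption, not quoted
    LAN_DEFAULT,
]


def best_route(routes, dst):
    """Longest-prefix match: return (network, gateway) a host would use for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best


def via_tunnel(routes, dst, tunnel_gw):
    """True if the chosen route for dst points at the VPN tunnel gateway."""
    route = best_route(routes, dst)
    return route is not None and route[1] == tunnel_gw


def uncovered(routes, tunnel_gw, targets):
    """Targets whose traffic would bypass the tunnel under these routes."""
    return [t for t in targets if not via_tunnel(routes, t, tunnel_gw)]


if __name__ == "__main__":
    server = "192.168.1.150"  # file server mentioned later in the thread
    for name, routes, gw in (("not working", NOT_WORKING, "192.168.6.1"),
                             ("working", WORKING, "192.168.117.1")):
        net, nexthop = best_route(routes, server)
        print(f"{name}: {server} -> {net} via {nexthop}, "
              f"tunnel={via_tunnel(routes, server, gw)}")
```

Run it with the route lines from your own client's status window to see which destinations fall outside the pushed routes.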
Comments
For the record, what XTM version is on this Firebox?
Does this Firebox have a Feature Key installed on it? If not, you need one for may things to work, including SSLVPN.
What do you see in Traffic Monitor when this user tries to log on?
Is the user a member of the SSLVPN user group?
Version 12.5.11. No, it does not have a feature key, but I talked to WatchGuard support and they said a feature key is not required for SSLVPN; only if you are using MFA like AuthPoint do you need a feature key. Yes, the user is a member of the SSLVPN group.
I doubt that SSLVPN will work without a Feature Key.
And, last I knew, without a Feature Key, only 1 internal IP addr will be able to access the Internet.
You need to open a support case with Customer Care to get this firewall assigned to you and to get a Feature Key.
Include a photo of the firewall serial number on your support case.
Another thing: I can ping the server from the firewall itself, just not from the Mobile SSL VPN client PC.
What do you see in Traffic Monitor when any access from a SSLVPN client is tried?
You can turn on Logging on the "Allow SSLVPN-Users" policy to see packets allowed by this policy in Traffic Monitor.
When I ping the server, it shows allow via Trusted allowed and Allow SSLVPN-Users-00, but I get request timed out; when I try to RDP, it says allow as well but never connects.
Check the firewall logs on the server.
Does the server prevent access from the SSLVPN subnet?
Does the server require the RDP connection to be from a Domain authenticated user?
Also, Windows Firewall is shut off on the server and no other firewall software is on the server.
No, any local user on that server, but I don't even get to the login on RDP; it just times out.
You can do packet captures on:
1) the server - many use the free tool Wireshark
2) the firewall, using tcpdump
Run Diagnostic Tasks to Learn More About Log Messages
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
With the Advanced options, you can specify to see all packets for a specific IP addr, etc.
Running Wireshark on the server, it looks like the pings are coming through, but I get timeouts on the client PC.
Traceroute goes to the server OK. I ran a tcpdump from the firewall on the trusted internal interface; I don't really know what it is saying, just a bunch of ARP requests. I mean, it looks like it is getting there, but I can't access a shared network drive on it. I don't know how to check this question, although it does seem like some kind of routing problem: Does the server prevent access from the SSLVPN subnet?
When I try to map a drive I get this from Wireshark on the server and a network error on the VPN client (VPN client is 192.168.6.2; server is 192.168.1.150).
"timeouts on the client PC" meaning the SSLVPN client?
Any interesting firewall or similar software on the SSLVPN client PC which may be dropping packets?
It looks to me that the pings are being returned from the firewall to the SSLVPN client PC - so that makes the client PC the possible problem cause.
How are you trying to do the drive mapping?
By IP addr or by short name (no domain name suffix) or by FQDN?
If by short name, have you added your domain name in the SSLVPN setup -> Advanced tab -> Domain name field?
You can test a SSLVPN connection from behind the firewall.
Try this from a PC connected to Trusted, and see what happens.
We still need to identify why you are seeing this issue.
Make sure your NAT for the SSLVPN is properly set up for whatever resource you need to access behind the firewall! Go to the Network menu, then NAT. Add or modify the entry from your SSLVPN IP range to the internal IP range of the resource you want to reach. You can also just set up your SSLVPN IP range to ANY, which will allow your VPN client to access all resources behind the firewall and also go out to the internet through that tunnel.