Firebox with Cisco VPN on Port 5

Hi,

I'm setting up a VPN connection on my Firebox to a Cisco network. Here's my current configuration:

Firebox:
WAN connection on Port 1 (IP: xxx.xxx.xxx.225)
LAN connection on Port 2 (Subnet: 192.168.0.0/29)
Cisco VPN:
Port: 5 (IP: xxx.xxx.xxx.50)
Gateway: xxx.xxx.xxx.49
WAN: xxx.xxx.xxx.234
I've added static routes on the Firebox to reach the Cisco network (e.g., xxx.xxx.0.0/17) using the Cisco gateway (xxx.xxx.xxx.49). When I trace the route using the Firebox diagnostics, it appears correct. However, when I try to access the Cisco network from a Windows machine behind the Firebox, it still uses the default WAN connection and ignores the VPN route.

Here's my route on the Firebox:

xxx.xxx.0.0/17, xxx.xxx.xxx.49, 1,
Question:

Why is Windows not using the VPN route defined on the Firebox? Is there any additional configuration required on the Windows machine for it to utilize the VPN route?

As Example:

Comments

  • The traceroute from the firewall may use the interface associated with the destination test.

    You can force the test from the firewall to use a specific interface using the advanced options for the traceroute argument.
    Example:
    1.2.3.4 -i eth0

    Assuming that the packet from the Cisco VPN client is trying to get to the dest subnet in the Network Route in the firewall config, I would expect this to work.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    It would depend on what windows is pointing at for default gateway/default route. If it's pointing at something other than the firewall (or if the users are connected to a VPN, for example) that might change.

    You can see what the current routes are in windows by typing 'route print' on the windows command line.

    -James Carson
    WatchGuard Customer Support

  • Hello,

    thank you for the responses.

    @bruce_briggs, I don't quite understand. When I test with the firewall diagnostics, Traceroute uses the correct network port (eth5) when tracing to one of the networks behind the VPN. However, when I test it in Windows to the same network, it always uses the Default Network of the Firebox (eth0)

    @james.carson, my gateway in the Windows system is the firewall, which is also confirmed when I do a route print; 0.0.0.0 points to the Firebox.

    That's why I wonder why Windows isn't properly using the routes.

    Best regards,

    Ulrich

  • I am referring to the source interface of the traceroute packet.
    You want it to be from the same source interface as it is from the Windows PC, which appears to be eth1 (port 2).

  • Now i understood sorry.

    I did this on the firewalls traceroute:
    xxx.xxx.xxx.141 -i eth1

    traceroute to xxx.xxx.xxx.141 (xxx.xxx.xxx.141), 30 hops max, 40 byte packets
    1 xxx.xxx.xxx.49 1 ms 1 ms 3 ms
    2 xx.xx.xx.xxx 268 ms 321 ms 321 ms

    Seems that it uses the correct Route also if i test this with eth0 eth2

  • And a traceroute from the Windows PC doesn't go via the same hops ?

  • No the traceroute in windows uses the default eth0 WAN

    xxx.xxx.xxx.141

    1 1 ms <1 ms <1 ms 192.168.10.1
    2 2 ms 3 ms 3 ms ip-xxx-xxx-xxx-225.um08.pools.vodafone-ip.de [xxx.xxx.xxx.225]

    And i'm a little bit perplexed what the error could be or what i could set in the firebox

  • No ideas.
    If you have a support contract on this firewall, consider opening up a support case on this.

  • I wrote a Ticket, but no answer i thought it could be a Simple Problem.

    What i forgot even if i tracert to my Gateway on eth5 xxx.xxx.xxx.49
    windows/firebox tries eth0 defualt gateway.

    If i trace tu xxx.xxx.xxx.50 one of the Network IP's on eth5 windows uses the correct Route:

    Routenverfolgung zu xxx.xxx.xxx.50 über maximal 30 Hops

    1 1 ms <1 ms 1 ms xxx.xxx.xxx.50

    Maybe i have an error on the Network Settings somewhere?

  • edited March 12

    See below

  • If you traceroute to .49 from the Windows PC, it will go via its default gateway…

  • You can do a packet capture on your firewall, which may show something to help.
    See TCP Dump, below

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html

  • edited March 13

    .

  • A traceroute to 172.18.2.249 should end at 172.18.2.249.
    No idea why this is being routed out to the Internet unless the Cisco VPN box is doing this somehow.

    Look at the routing table info on your firewall - FSM Status Reports or Web UI -> System Status -> Routes
    maybe something there?

    Here is what I would expect to see for a trace to a firewall interface IP addr (10.0.3.1) and to a device on that interface (10.0.3.9) from a Windows PC on a different firewall interface (10.0.1.2).

    tracert 10.0.3.1
    Tracing route to 10.0.3.1 over a maximum of 30 hops
    1 15 ms 6 ms 7 ms 10.0.3.1

    tracert 10.0.3.10
    Tracing route to 10.0.3.9 over a maximum of 30 hops
    1 8 ms 7 ms 7 ms Bruce_T20w [10.0.1.1]
    2 15 ms 22 ms 1880 ms 10.0.3.9

  • Any Network -> Route entries?

  • I deleted "everything", rebootet and made the setup again. Now it seems to work.

    Thank you for your help :smile:

Sign In to comment.