Firebox with Cisco VPN on Port 5


I'm setting up a VPN connection on my Firebox to a Cisco network. Here's my current configuration:

WAN connection on Port 1 (IP: xxx.xxx.xxx.225)
LAN connection on Port 2 (Subnet:
Cisco VPN:
Port: 5 (IP: xxx.xxx.xxx.50)
Gateway: xxx.xxx.xxx.49
WAN: xxx.xxx.xxx.234
I've added static routes on the Firebox to reach the Cisco network (e.g., xxx.xxx.0.0/17) using the Cisco gateway (xxx.xxx.xxx.49). When I trace the route using the Firebox diagnostics, it appears correct. However, when I try to access the Cisco network from a Windows machine behind the Firebox, it still uses the default WAN connection and ignores the VPN route.

Here's my route on the Firebox:

xxx.xxx.0.0/17, xxx.xxx.xxx.49, 1,

Why is Windows not using the VPN route defined on the Firebox? Is there any additional configuration required on the Windows machine for it to utilize the VPN route?

As Example:


  • Options

    The traceroute from the firewall may use the interface associated with the destination test.

    You can force the test from the firewall to use a specific interface using the advanced options for the traceroute argument.
    Example: -i eth0

    Assuming that the packet from the Cisco VPN client is trying to get to the dest subnet in the Network Route in the firewall config, I would expect this to work.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    It would depend on what windows is pointing at for default gateway/default route. If it's pointing at something other than the firewall (or if the users are connected to a VPN, for example) that might change.

    You can see what the current routes are in windows by typing 'route print' on the windows command line.

    -James Carson
    WatchGuard Customer Support

  • Options


    thank you for the responses.

    @bruce_briggs, I don't quite understand. When I test with the firewall diagnostics, Traceroute uses the correct network port (eth5) when tracing to one of the networks behind the VPN. However, when I test it in Windows to the same network, it always uses the Default Network of the Firebox (eth0)

    @james.carson, my gateway in the Windows system is the firewall, which is also confirmed when I do a route print; points to the Firebox.

    That's why I wonder why Windows isn't properly using the routes.

    Best regards,


  • Options

    I am referring to the source interface of the traceroute packet.
    You want it to be from the same source interface as it is from the Windows PC, which appears to be eth1 (port 2).

  • Options

    Now i understood sorry.

    I did this on the firewalls traceroute:
    xxx.xxx.xxx.141 -i eth1

    traceroute to xxx.xxx.xxx.141 (xxx.xxx.xxx.141), 30 hops max, 40 byte packets
    1 xxx.xxx.xxx.49 1 ms 1 ms 3 ms
    2 xx.xx.xx.xxx 268 ms 321 ms 321 ms

    Seems that it uses the correct Route also if i test this with eth0 eth2

  • Options

    And a traceroute from the Windows PC doesn't go via the same hops ?

  • Options

    No the traceroute in windows uses the default eth0 WAN


    1 1 ms <1 ms <1 ms
    2 2 ms 3 ms 3 ms ip-xxx-xxx-xxx-225.um08.pools.vodafone-ip.de [xxx.xxx.xxx.225]

    And i'm a little bit perplexed what the error could be or what i could set in the firebox

  • Options

    No ideas.
    If you have a support contract on this firewall, consider opening up a support case on this.

  • Options

    I wrote a Ticket, but no answer i thought it could be a Simple Problem.

    What i forgot even if i tracert to my Gateway on eth5 xxx.xxx.xxx.49
    windows/firebox tries eth0 defualt gateway.

    If i trace tu xxx.xxx.xxx.50 one of the Network IP's on eth5 windows uses the correct Route:

    Routenverfolgung zu xxx.xxx.xxx.50 über maximal 30 Hops

    1 1 ms <1 ms 1 ms xxx.xxx.xxx.50

    Maybe i have an error on the Network Settings somewhere?

  • Options
    edited March 12

    See below

  • Options

    If you traceroute to .49 from the Windows PC, it will go via its default gateway…

  • Options

    You can do a packet capture on your firewall, which may show something to help.
    See TCP Dump, below


  • Options
    edited March 13


  • Options

    A traceroute to should end at
    No idea why this is being routed out to the Internet unless the Cisco VPN box is doing this somehow.

    Look at the routing table info on your firewall - FSM Status Reports or Web UI -> System Status -> Routes
    maybe something there?

    Here is what I would expect to see for a trace to a firewall interface IP addr ( and to a device on that interface ( from a Windows PC on a different firewall interface (

    Tracing route to over a maximum of 30 hops
    1 15 ms 6 ms 7 ms

    Tracing route to over a maximum of 30 hops
    1 8 ms 7 ms 7 ms Bruce_T20w []
    2 15 ms 22 ms 1880 ms

  • Options

    Any Network -> Route entries?

  • Options

    I deleted "everything", rebootet and made the setup again. Now it seems to work.

    Thank you for your help :smile:

Sign In to comment.