Site to Site VPN

Hi all

I have set up a site-to-site VPN between the Firebox and AWS and everything is working. However, when trying to ping resources on AWS from the Firebox I am not able to access anything. Is there anything that needs to be enabled to allow the Firebox to route traffic down the tunnel?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Blade

    I'd suggest checking to see if you have logging enabled for your BOVPN policy. If you do -- do you see green allow logs for your pings going to AWS?

    If you're seeing allows, the issue is very likely on the AWS side - you may need to set up an allow policy in AWS.

    -James Carson
    WatchGuard Customer Support

  • I am able to ping from any device on the LAN side of the Firebox, just not from the Firebox itself.
  • james.carson Moderator, WatchGuard Representative

    There may be a different policy replying to pings, or ping is not allowed in the firewall ruleset via the ping policy.

    I'd suggest opening a support case so that one of our technicians can look at your policy set, and help track down that traffic with you. You can open a support case via the support center link at the top right of the page. (Support cases do require you have an active support contract for your firewall.)

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative

    If you're using the ping tool on the firebox itself, it may also help to specify where the ping is coming from.

    For example, my internal network is 10.0.1.1/24, with the Firebox being 10.0.1.1, and I want to ping 172.16.200.20.

    Check the advanced options checkbox in diagnostic tasks, and specify
    -I 10.0.1.1 172.16.200.20
    (the first letter after the dash is an uppercase i)

    Doing this ensures that traffic is sourced from where you want it to be -- the firebox will often source pings to networks it does not own from the first external interface IP it owns if you do not specify.

    -James Carson
    WatchGuard Customer Support
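As an added illustration (not from the thread and not WatchGuard's own code), here is a small Python model of why the -I source address matters for a policy-based BOVPN: the tunnel only carries a packet whose source and destination both fall inside a configured tunnel route, so a diagnostic ping sourced from the external interface address never matches the route and is sent (or dropped) outside the tunnel. The interface addresses, the single tunnel route and the "/24 per interface" assumption are constructed for the example.

```python
import ipaddress

# Constructed sample data: the Firebox's own interface addresses and the
# BOVPN tunnel routes, each as (local selector, remote selector).
INTERFACE_IPS = {
    "External": ipaddress.ip_address("203.0.113.10"),  # first external IP
    "Trusted": ipaddress.ip_address("10.0.1.1"),
}
TUNNEL_ROUTES = [
    (ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("172.16.200.0/24")),
]


def tunnel_match(src, dst, routes=TUNNEL_ROUTES):
    """Return the (local, remote) selector pair that src -> dst falls within, or None.

    A policy-based tunnel steers a packet only when BOTH addresses match one route.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for local, remote in routes:
        if src in local and dst in remote:
            return (local, remote)
    return None


def default_source(dst, interfaces=INTERFACE_IPS):
    """Model the behaviour described in the thread: a ping to a network the Firebox
    does not own is sourced from the first external interface IP unless told otherwise.

    Assumption (constructed): every interface owns a /24 around its address.
    """
    dst = ipaddress.ip_address(dst)
    for ip in interfaces.values():
        if dst in ipaddress.ip_network(f"{ip}/24", strict=False):
            return ip  # destination is directly attached; source from that interface
    return interfaces["External"]


def check_ping(dst, source=None):
    """Explain whether a diagnostic ping to dst would enter the tunnel.

    source is the address given with -I; when omitted the default rule applies.
    """
    src = ipaddress.ip_address(source) if source else default_source(dst)
    match = tunnel_match(src, dst)
    return {
        "source": str(src),
        "destination": str(dst),
        "enters_tunnel": match is not None,
        "selector": f"{match[0]} -> {match[1]}" if match else None,
        "hint": None if match else f"use -I <address inside a local tunnel route> {dst}",
    }


if __name__ == "__main__":
    # Without -I the ping leaves from the external IP and misses the tunnel route;
    # with -I 10.0.1.1 it matches 10.0.1.0/24 -> 172.16.200.0/24 and is encrypted.
    print(check_ping("172.16.200.20"))
    print(check_ping("172.16.200.20", source="10.0.1.1"))
```

The same check is what to keep in mind when reading the BOVPN policy logs James mentions: an allow log for the ping only appears once the packet's source falls inside a local tunnel route, so an unsourced ping from the Firebox can be "missing" from the logs without any policy being wrong.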