prod editing - help please
The problem is that on Monday I have to make some changes to a WatchGuard directly in prod, and I don't know the web interface really well, but I have to.
The scenario is:
site 1 LAN -> WatchGuard with 2 WANs -> site 1 ISP MPLS IPsec to site 2 ISP MPLS - firewall (that I don't have to care about) - 1 private IP in site 2 to reach
I have to set it up so that only 1 private IP of the site 1 LAN can reach the specified private IP of site 2.
I also have this data:
private IP of site 1
10.10.10.201
NATted source IP before entering the tunnel (this tunnel should be the IPsec one, so I think this NAT should be handled by the ISP, am I wrong?)
10.13.10.132
real destination IP address of site 2
10.50.20.0/24
IP address to reach in site 2
10.50.20.66 port 5656
So, I have to specify that only 10.10.10.201 can reach 10.50.20.66 port 5656 using WAN 2 of the WatchGuard of site 1.
How can I do it? What are the exact steps and procedure? Please help me.
best regards
Comments
Sounds like you need to set up a Branch Office VPN (BOVPN).
On the Gateway, you specify your local WAN to use and the other end WAN interface.
On the Tunnel setting you specify the local & remote IP addrs/subnets for the tunnel.
You can also specify a 1-to-1 NAT setting on the Tunnel setup.
If you have an Outgoing policy in your config, then outgoing access on port 5656 will already be allowed.
If not, add a custom packet filter policy for TCP port 5656.
The online docs are searchable.
Start here:
Manual Branch Office VPN Tunnels
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/other/chapters/manualbovpntunnels.html
There are some BOVPN setup examples for both WSM Policy Manager and for the Web UI, here:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/support/configuration_examples.html
Thanks for the reply, but no, I don't have to set up the VPN because the IPsec is handled by the ISP with the MPLS.
I only have to specify an outgoing policy.
If I am right, all the traffic not allowed is blocked, so it's enough to specify a custom packet filter policy for 5656 from the IP I want.
Is this correct?
thanks
best regards
Correct, all the traffic not allowed is blocked, however, IF you have an Outgoing policy in your config, then outgoing access on port 5656 will already be allowed out of the firewall, to anywhere.
Use SD-WAN on the 5656 policy.
Explain "natted source ip" and 10.13.10.132.
Is 10.13.10.132 the WAN2 external IP addr?
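To show why the answer above stresses the Outgoing policy, here is a small added example (not WatchGuard code, and not part of this thread) that models a packet-filter ruleset with the thread's own addresses. It assumes simple first-match evaluation with an implicit default deny; Fireware's own precedence ordering is not modelled. A custom 5656 policy restricts nothing while a broad Any-to-Any Outgoing policy is present; it only restricts once that policy is removed or narrowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    port: Optional[int]   # None = any TCP port
    action: str           # "allow" or "deny"

def _matches(cidr: str, ip: str) -> bool:
    """True if the address is 'any' or the IP falls inside the CIDR."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def evaluate(policies: List[Policy], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action for a flow: first matching policy wins, else implicit deny.

    (Assumption: first-match semantics; the real firewall orders by precedence.)
    """
    for p in policies:
        if _matches(p.src, src_ip) and _matches(p.dst, dst_ip) and p.port in (None, dst_port):
            return p.action
    return "deny"  # no policy matched: blocked by default

# Addresses taken from the thread; the policy names are constructed for this example.
POLICY_5656 = Policy("Site2-5656", "10.10.10.201/32", "10.50.20.66/32", 5656, "allow")
OUTGOING = Policy("Outgoing", "any", "any", None, "allow")  # broad default policy

def ruleset_with_outgoing() -> List[Policy]:
    """Custom policy plus the broad Outgoing policy: the restriction is ineffective."""
    return [POLICY_5656, OUTGOING]

def ruleset_without_outgoing() -> List[Policy]:
    """Custom policy only: only 10.10.10.201 reaches 10.50.20.66:5656, nothing else leaves."""
    return [POLICY_5656]

if __name__ == "__main__":
    for label, rules in (("with Outgoing", ruleset_with_outgoing()),
                         ("without Outgoing", ruleset_without_outgoing())):
        print(label, "other host ->", evaluate(rules, "10.10.10.55", "10.50.20.66", 5656))
```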
Thanks for the reply... that's the problem too.
I have a sheet with this data from the customer, but no idea; I suppose it is the IP address of the MPLS IPsec, but I'm not sure.
Any idea?
Really, thanks for your time.
You need to find out what it means.
We can't help any more without that info.
You can see your WAN interface IP addrs in the Web UI -> Dashboard -> Interfaces
Yep, I know it, thanks... and obviously WAN2 has a public IP address that is not in the sheet I reported.
WAN2 public IP address, let's say 2.2.2.3
Hi all, I have another question about this topic.
If, from the firewall diagnostics, I ping a private IP of site B
schema:
WatchGuard firewall
WAN2
ISP MPLS
WAN of site B
LAN
is the reply to that ping allowed to get back to the Firebox?
really thanks
One would expect so, assuming that something is not blocking the initial ping, or that there is not a routing issue.
Try using tracert instead of ping.
Yep, I did it, but even with the correct route set up it gets stuck at the WAN IP address, so I suppose it is an ISP problem.
Does a tracert work from behind the firewall?
Since you have 2 WANs, on your tracert from the firewall, you need to make sure that the tracert is going out the correct WAN interface. You can do that by using the Advanced Options and specifying the interface to use in the Arguments field.
Run Network Diagnostic Tasks in Fireware Web UI
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/fireware_webui_diagnostics_network.html
Under Network -> Routes I set up a rule that says all traffic with destination netmask 1.1.1.1/1 has the gateway set to the IP of WAN 2... and I think it works, but the trace gets stuck at the IP of WAN2. It should go on to the other side but it doesn't.
Time to contact your ISP.
Seems that something upstream is dropping these packets.
Thank you man, I will keep you updated.
I don't know why, but to set the route I have to set:
destination subnet: the one I want
gateway: (not the IP of the WAN) the router IP of the WAN interface
I assume that this routing is done by the WatchGuard.
strange
maybe I am totally wrong
If you have a support contract on your firewall, you can open a support case with WatchGuard, and get help from a WG rep.
You can open a case via the SUPPORT CENTER link at the top.
Are you saying this because it's strange behavior?
OK, I was totally wrong.
Thank you anyway.