Take Public IP address of VPN

I have a Firebox M200 running 12.5 Build 599856 and have Mobile VPN setup with SSL.
The connection to the VPN works fine, except that the connection does not take the Public IP address of the site that it is connecting to, it keeps the originating Public IP. Can anyone tell me how I can configure this on the Firebox?

Comments

  • "the connection does not take the Public IP address of the site that it is connecting to"
    Does this mean the public IP addr of the firewall for connections to Internet sites?
    If so, are you sure that you are accessing the Internet via the SSLVPN connection?
    Make sure that you have selected "Force all client traffic through tunnel" on your SSLVPN setup in XTM.

  • Sorry, yes it's not taking the Public IP address of the Firewall.
    I'm not sure if it's definitely accessing the Internet via the SSLVPN.
    I did try that option (force all traffic), but when I connected to the VPN I then had no Internet access. I could only access the files within my network.

  • You must select "Force all client traffic through tunnel" to meet your goal.
    Do you have a policy which allows SSLVPN-Users access to the Internet, such as HTTP & HTTPS & DNS access?

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_internet-access_c.html

  • OK. From looking at the rules on the Firewall policy, there is one for the SSLVPN-Users to Any on any Port.
    Regardless, I added a rule from SSLVPN-Users to Any on port 80, 443 and 53 and tested again and then enabled "Force all client..." but still the same issue, no Internet access.

  • What do you see in Traffic Monitor related to the SSLVPN connection IP addr?

  • If you are unable to get this working, open a support incident to get WG help on it.

  • Do you use Radius?

  • When you say "no Internet access", do you mean that you cannot browse web pages, or that you cannot even ping a site by IP address? While watching FSM Traffic Monitor, ping 8.8.8.8, then ping www.google.com. Does either one work through the SSLVPN? If ping by IP works and ping by name does not, it's a DNS issue. If neither works, you should see why in FSM Traffic Monitor.

    I use the SSLVPN, set to Routed VPN Traffic, and Force all client.... I have the SSLVPN-Users group on my DNS, HTTP, HTTPS proxies and any filters I want it to get. Everything works normally.

    Gregg Hill

  • @Bruce_Briggs said:
    What do you see in Traffic Monitor related to the SSLVPN connection IP addr?

    From looking at the log, I was getting proxydeny on DNS query type SRV, DNS OpCode match and DNS oversized question. I've adjusted the proxy actions for both SRV and OpCode match, but can't see anywhere to adjust the oversize.

  • @Mada said:
    Do you use Radius?

    I'm using AD for the authentication of VPN users

  • @Greggmh123 said:
    When you say "no Internet access", do you mean that you cannot browse web pages, or that you cannot even ping a site by IP address? While watching FSM Traffic Monitor, ping 8.8.8.8, then ping www.google.com. Does either one work through the SSLVPN? If ping by IP works and ping by name does not, it's a DNS issue. If neither works, you should see why in FSM Traffic Monitor.

    I use the SSLVPN, set to Routed VPN Traffic, and Force all client.... I have the SSLVPN-Users group on my DNS, HTTP, HTTPS proxies and any filters I want it to get. Everything works normally.

    When the VPN connects with "Force all clients" option enabled, I cannot ping 8.8.8.8 or resolve any DNS. If I look in log manager and filter by the IP address that's given to the client, I was getting proxydeny on DNS query type SRV, DNS OpCode match and DNS oversized question. I've adjusted the proxy actions for both SRV and OpCode match, but can't see anywhere to adjust the oversize. Should I be searching for any other terms?

  • Change from using a DNS proxy to a DNS packet filter for SSLVPN-Users.

  • Also, make sure that you have a Dynamic NAT entry which includes your SSLVPN subnet.
    The default config has 3 entries - for the 3 full ranges of the private subnets.
    You can turn on Logging on desired policies to see Allow log entries for packets allowed by those policies. This can be helpful for debugging connection issues.
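The log triage the thread walks through (filter Traffic Monitor / Log Manager output by the address handed to the VPN client, then look at the deny reasons) as an added example, not code from the original posts or from WatchGuard. The log lines are constructed and their field layout is an assumption; the `triage` and `suggestions` helpers are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of Firebox Traffic Monitor
# output. The field order is an assumption; lines from a real box may differ.
SAMPLE_LOG = """\
2019-11-20 09:01:11 Deny 192.168.113.2 8.8.8.8 dns/udp 51022 53 SSLVPN External ProxyDeny: DNS query type SRV (DNS-proxy-00) proxy_act="DNS-Outgoing.1"
2019-11-20 09:01:12 Deny 192.168.113.2 8.8.8.8 dns/udp 51023 53 SSLVPN External ProxyDeny: DNS OpCode match (DNS-proxy-00) proxy_act="DNS-Outgoing.1"
2019-11-20 09:01:14 Deny 192.168.113.2 8.8.8.8 dns/udp 51024 53 SSLVPN External ProxyDeny: DNS oversized question (DNS-proxy-00) proxy_act="DNS-Outgoing.1"
2019-11-20 09:01:20 Deny 192.168.113.2 8.8.8.8 icmp 8 0 SSLVPN External Denied (Unhandled Internal Packet-00)
2019-11-20 09:01:30 Allow 192.168.113.2 10.0.1.10 cifs/tcp 50110 445 SSLVPN Trusted Allowed (SSLVPN-Users-00)
2019-11-20 09:01:31 Allow 10.0.1.50 142.250.80.46 https/tcp 50112 443 Trusted External Allowed (HTTPS-proxy-00)
"""

# timestamp, action, src, dst, service, src port, dst port, src iface, dst iface,
# free-text reason, then the policy name in parentheses. Trailing fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>Allow|Deny) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<svc>\S+) \S+ \S+ (?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<reason>[^(]+?) \((?P<policy>[^)]+)\)"
)

def parse(log_text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, client_ip):
    """Count (reason, policy) pairs for Deny events from the VPN client's address."""
    denies = Counter()
    for ev in parse(log_text):
        if ev["src"] == client_ip and ev["action"] == "Deny":
            denies[(ev["reason"], ev["policy"])] += 1
    return denies

def suggestions(denies):
    """Map the deny reasons seen to the fixes proposed in the thread above."""
    out = []
    if any(r.startswith("ProxyDeny: DNS") for r, _ in denies):
        out.append("DNS proxy rejects the client's queries: use a DNS packet filter for SSLVPN-Users.")
    if any(r == "Denied" for r, _ in denies):
        out.append("No policy matched: check the SSLVPN-Users to Any policy (HTTP, HTTPS, DNS).")
    return out

if __name__ == "__main__":
    found = triage(SAMPLE_LOG, "192.168.113.2")
    for (reason, policy), n in found.most_common():
        print(f"{n:3d}  {reason}  [{policy}]")
    for s in suggestions(found):
        print("->", s)
```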
