Cannot access network with SSL VPN

Hello,

I recently created an SSL VPN via the WatchGuard VPN wizard. I can successfully connect to the VPN using AD credentials, but I cannot ping or RDP to any servers/workstations in the connected network.

Do I need to create another policy to access this? If so, could you please give an example?

Thank you

No. A policy is created on its own when you set it up.

Check the IP of the connected vpn client (likely in 192.168.113.0/24) in traffic monitor and see what’s up.

Is the VPN user trying to connect to local resources, or to something over a point-to-point VPN as well?

Did you set the network of the servers/workstations to the allowed network addresses list?

On the VPN client, check the status once connected. It will show your IP, which routes are being sent to you, etc. This obviously dictates your routing.

You can specify the VPN access to all or some networks inside the SSL setup, but also through the policies.

You can also use tracert etc. to check whether your company LAN range is actually sent through the VPN gateway or through your WAN (that means your routing table).

Also make sure the subnet for the office network and the end user are not the same (e.g. 192.168.1.0). I know SSL provides 192.168.113.0, but the routing tables can still be convoluted if they are the same subnet. We have seen it before when taking over a new network.
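An added example (mine, not code from any poster or from WatchGuard): a small Python check of the two client-side conditions described above, using a constructed routing table; the interface names, the office LAN 10.0.10.0/24 and the home LAN 192.168.1.0/24 are assumptions, and 192.168.113.0/24 is the SSL VPN client pool named in the thread.

```python
"""Check a VPN client's routing table: is the office LAN reached via the tunnel
interface, and does the home LAN overlap the office LAN?"""
import ipaddress

# Constructed sample routing table after the SSL VPN connects: (prefix, interface).
ROUTES_OK = [
    ("0.0.0.0/0", "wlan0"),        # default route via the home router
    ("192.168.1.0/24", "wlan0"),   # home LAN (assumed)
    ("192.168.113.0/24", "tun0"),  # SSL VPN client pool from the thread
    ("10.0.10.0/24", "tun0"),      # office LAN pushed by the Firebox (assumed)
]

# Constructed failure case: the Firebox pushed no office route, and the office
# LAN happens to use the same 192.168.1.0/24 as the user's home LAN.
ROUTES_BAD = [
    ("0.0.0.0/0", "wlan0"),
    ("192.168.1.0/24", "wlan0"),
    ("192.168.113.0/24", "tun0"),
]


def lookup(routes, dst):
    """Longest-prefix match, as the OS does. Returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def diagnose(routes, home_lan, office_lan, tunnel_iface, target):
    """Return a list of findings; an empty list means routing looks right."""
    findings = []
    home = ipaddress.ip_network(home_lan)
    office = ipaddress.ip_network(office_lan)
    if home.overlaps(office):
        # Same subnet on both sides: the client ARPs locally and the packet
        # never reaches the home gateway, let alone the Firebox.
        findings.append(f"home LAN {home} overlaps office LAN {office}")
    iface = lookup(routes, target)
    if iface != tunnel_iface:
        findings.append(f"{target} leaves via {iface}, not {tunnel_iface}")
    return findings


if __name__ == "__main__":
    print(diagnose(ROUTES_OK, "192.168.1.0/24", "10.0.10.0/24", "tun0", "10.0.10.5"))
    print(diagnose(ROUTES_BAD, "192.168.1.0/24", "192.168.1.0/24", "tun0", "192.168.1.10"))
```

On a real client you would build the route list from `route print` (Windows) or `ip route` (Linux) instead of the constructed tables.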

When you ping/RDP you need to watch Traffic Monitor and verify:

- Was it allowed?
  If so, great, it made it past the firewall and something else is to blame.

- Was it blocked?
  Do you have a policy in place to allow the traffic?

- Did you not see the traffic at all?
  Is logging turned on for the policies that are matching the traffic?

Tell us those answers

Plus1 to the above response, although mine always defaults to the 192.168.113.0/24 subnet unless I edit it.
Also: if you have other Deny policies higher in the order than the AllowSSLVPNUSERS policy, those may block the traffic, so evaluate those. Then, make sure your VPN client installed the virtual network interface. Your remote client should have an interface showing in the 192.168.113 subnet when connected, not just your home network. Lastly, make sure the devices you're trying to ping don't have a client firewall blocking your attempts. Cover all those and you'll have it narrowed down a lot.

Is this created in the Firewall Policy in the WatchGuard console?

I just ran a tracert. It connects to the Firebox and the switch; after that, request timed out.

Yeah, they are not. I tested with various other subnets too, no luck.

He's mentioned in a comment that he sees the traffic on the firewall. If the client subnet was the same as the corp subnet, then traffic would stay at layer 2 and never make it to the local gateway, much less the Firebox.

-Was it allowed? If so, great, it made it past the firewall and something else is to blame.

It passes through the firewall and switch, then request timed out.

-Was it blocked? Do you have a policy in place to allow the traffic?
Nope, I have added a policy in Allow SSLVPN as follows:

- From: Any
- To: Any
- Port: Any

-Did you not see the traffic at all? Is logging turned on for the policies that are matching the traffic?

My bad, I got confused with my other VPN, which is created via Routing and Remote Access in Windows Server.
There is no traffic at all. But when my VPN client is connected, the client shows there is traffic. How do I filter only SSL VPN traffic in Traffic Monitor in the Firewall Web GUI?

Whoops. Meant 113… fixed

Thanks, I did check Traffic Monitor; all I can see is "connected", and I can see the user login and logoff logs. Nothing much.

I can also see the user connected and an IP 192.168.113.2.

The user also gets the IP address 192.168.113.2 on his PC when connected to the VPN.

I am trying to connect to local resources in the network. Right now I can connect to the VPN via AD credentials but cannot ping or RDP to any device.

I also checked for any policy denies in the firewall, couldn't find any, and there are also no blocks from the local firewall.

On the general tab of the SSLVPN config you can:

  1. FORCE ALL TRAFFIC THROUGH TUNNEL. https://i.imgur.com/4flz2kC.png
  2. Or you can specify which traffic is allowed over the tunnel, and the rest of the traffic goes directly out your WAN/internet. https://i.imgur.com/g1HRXF3.png

I pasted in some screenshots but they did not come through. Added imgur links.

No, in the Web GUI in the general settings of Mobile VPN with SSL. I think by default access to all Trusted, Optional and Custom networks is enabled, so it should work out of the box. But maybe you have selected "specify allowed resources" and that could be the problem.

How can I filter Traffic Monitor in the Firewall Web UI console?

Good, sounds like you're almost there. Make sure that the AllowSSLVPNUSERS policy is set to log successful packets. Then you should see the traffic. You might also increase SSLVPN logging to Debug level, but I'm not sure this will be necessary.

I tried both, still no luck with RDP or pinging any server or workstation.

I have set it to 'Force all Traffic Through Tunnel'.