My friend has a Firebox T20-W and after much consternation, we were able to connect to his work network through a VPN. We thought we were golden, but now the problem is we can’t connect to his network drives.
We can connect to and login to the Firebox UI from home, so we’re definitely on his work network.
When we are at his office, the network drives open up just fine, but as soon as we connect to his network through a VPN outside of his network, there is no longer access.
He has only 1 network at his office (10.0.1.0). The VPN is using a virtual network pool of 10.0.2.0. We did try connecting the VPN using a virtual pool 10.0.1.0, but a) that still didn’t make the network drives work and b) made it so we could no longer connect to the Firebox UI. I assume this is because the VPN pool and the private network are trying to use the same default gateway causing a conflict there?
Anyhow, I, as you may have guessed, have no idea what I’m doing. I guess I thought that once we were connected through the VPN everything would just sort of…work. Anyone have any thoughts as to why we aren’t able to access the network drives?
You do not mention the subnet mask. How strong are you on routing fundamentals? At first glance, I would recommend you start with routing. Two overlapping subnets cannot route to each other.
Please provide additional information. Also, change the pool subnet to something easy to differentiate such as 192.168.x.x/24
Thanks all for your insights! Here are some updates/answers:
I am using the SSLVPN and connecting through the WatchGuard Mobile VPN with SSL client. The SSL VPN firewall policy is in place. I’ve been changing things one at a time to see if I can get access to the shared drives/other computers on the network. I currently have allowed all SSLVPN user groups, all users and the VPN network to any network.
I even created a new policy allowing all traffic from the VPN network to the office network. Still no go.
I changed the VPN pool to 194.168.1.0 which is completely different from both my IP range where I am now and the range at the office. I’m just using class C subnets for everything…which now that I’m thinking about it could be a problem since the office network is 10.0.1.0. I don’t actually remember configuring that though, I think that was all just default after I reset the Firebox. I’m hesitant to change that subnet range to A right now, just because there are people currently on the network and working and I fear that could knock everyone off.
Another interesting thing is that I am connected to the VPN on a desktop with one user account, and I have a separate connection on a laptop with a different user account. The desktop can ping the laptop, but the laptop can’t ping the desktop. The laptop is also where I have the network drives mapped. Though the desktop is also not able to see any of the devices on the 10.0.1.0 network.
Make sure in the VPN config you have Allow to all Trusted (assuming it’s trusted) enabled. I had one client where it didn’t work and I had to list the subnet with resources explicitly, you can try that (never assume things always work the way you expect).
The other thing is make sure there are no conflicting subnets.
If work is 10.0.0.0/24 and your home network is 10.0.0.0/24, your computer is likely to have routing issues that may appear in different ways.
Also use the traffic monitor on the WatchGuard. It is honestly the single best one I’ve run into on a firewall. Have your friend enable logging on anything VPN related and monitor the traffic monitor as you connect and try to do stuff, confirm nothing is being blocked.
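Both replies above come back to the same point: the office LAN, the VPN address pool and the remote user's home LAN must not overlap, because the client's longest-prefix-match routing cannot tell two identical /24s apart and traffic for the office ends up on the wrong interface. The following script is an added illustration of that check and is not code from the thread or from WatchGuard; it uses only the Python standard library. The office LAN (10.0.1.0/24) and the original pool (10.0.2.0/24) are taken from the thread; the home network value and the route labels are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory. Office and VPN pool prefixes are the ones
# named in the thread; the home prefix is an assumed example value.
NETWORKS = {
    "office": "10.0.1.0/24",
    "vpn_pool": "10.0.2.0/24",
    "home": "192.168.1.0/24",
}


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap.

    An empty list means the address plan is conflict-free; any pair returned
    is a subnet the VPN client cannot route unambiguously.
    """
    parsed = {
        name: ipaddress.ip_network(cidr, strict=False)
        for name, cidr in networks.items()
    }
    return sorted(
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


def resolve_route(destination, routes):
    """Longest-prefix match over a simplified client routing table.

    routes is a list of (cidr, next_hop_label) tuples. The return value is the
    list of next-hop labels tied at the longest matching prefix: one entry is
    a clean decision, more than one means the host must fall back to an
    interface metric and may send office-bound packets out the home NIC.
    """
    dst = ipaddress.ip_address(destination)
    best_len = -1
    winners = []
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst not in net:
            continue
        if net.prefixlen > best_len:
            best_len = net.prefixlen
            winners = [hop]
        elif net.prefixlen == best_len:
            winners.append(hop)
    return winners


if __name__ == "__main__":
    print("overlaps in sample plan:", find_overlaps(NETWORKS))

    # Constructed client routing table when the home LAN collides with the
    # office LAN: a file server at 10.0.1.50 matches two equal-length routes.
    clashing_table = [
        ("0.0.0.0/0", "home_default_gateway"),
        ("10.0.1.0/24", "home_lan_nic"),
        ("10.0.1.0/24", "vpn_tunnel"),
    ]
    print("10.0.1.50 with clash:", resolve_route("10.0.1.50", clashing_table))

    clean_table = [
        ("0.0.0.0/0", "home_default_gateway"),
        ("192.168.1.0/24", "home_lan_nic"),
        ("10.0.1.0/24", "vpn_tunnel"),
    ]
    print("10.0.1.50 without clash:", resolve_route("10.0.1.50", clean_table))
```

Run it once with the real prefixes substituted into NETWORKS before changing anything on the Firebox; if find_overlaps returns nothing and resolve_route gives a single winner for an office host, the remaining problem is policy or the file-sharing service itself, which is where the traffic monitor suggested above takes over.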