1045 Views 9 Replies Latest reply: Mar 20, 2013 5:48 PM by grinder
grinder Apprentice 102 posts since
Feb 8, 2013
Mar 20, 2013 12:49 PM

Cannot Use Admin Console Over VPN?

I am trying to use the MFE Admin Console to manage our firewall (Still in testing) from outside the office.  I am connected to our internal network via VPN to our RRAS server.  I can ping the firewall inside IP just fine but cannot connect to it using the Admin console on port 9003.  When I am in the office I can do it just fine.  Is this somehow not allowed over a VPN connection?

  • PhilM Champion 528 posts since
    Jan 7, 2010
    1. Mar 20, 2013 1:40 PM (in response to grinder)
    Re: Cannot Use Admin Console Over VPN?

    No, I've never encountered an issue using the Admin Console via a VPN. I have a site-to-site IPSec tunnel from home which works, and when I'm mobile I am able to use our SSL-VPN connection and this too doesn't present me with any issues.

     

    We also have VPN connections with some of our customer Firewalls and this is explicitly to allow us to access the Admin Console on the internal side, rather than making it available on the external side.

     

    -Phil.

  • PhilM Champion 528 posts since
    Jan 7, 2010
    4. Mar 20, 2013 2:16 PM (in response to grinder)
    Re: Cannot Use Admin Console Over VPN?

    If your VPN connection places you on the internal network with an IP address from the same subnet you would get from using a LAN PC/Laptop, you shouldn't need to create any additional rules on the Firewall - the existing Admin Console rule should work in just the same way.

     

    As far as your other rule is concerned, Admin Console rules are generally (in my own experience, at least) created with the source and destination zones the same (as per your default Admin Console rule on the internal side). So, if this other VPN terminates your connection in a zone called VPN, then both source and destination zones in the rule should be set to VPN - you would then use the IP address linked to that zone to establish your connection.

     

    I still believe the RRAS connection should work, based on what you are saying, and if you are able to RDP to a machine on the LAN using this connection, I'd then suggest using it to establish an SSH command line connection and then run a tcpdump on interface 1-1 (the internal NIC) for port 9003. Then try to establish an Admin Console connection and see if any traffic arrives. If there is none, something (what, I don't know) in the make-up of this connection is either preventing access to the Firewall's internal IP address, or blocking port 9003.

     

    Of course, if you can establish an RDP connection why not install a copy of the Admin Console on this host and when you are out of the office you can access the Firewall in this manner. It's a bit of a long-winded option, but will save you from trying to diagnose your RRAS VPN.

     

    -Phil

  • packetmonkey Newcomer 22 posts since
    Mar 1, 2013
    7. Mar 20, 2013 3:35 PM (in response to grinder)
    Re: Cannot Use Admin Console Over VPN?

    That does make sense ... kinda.

     

    The alternative is to make sure that you have a properly tweaked routing table (static routes) on the firewall so it knows to use the VPN tunnel correctly to communicate between the firewall and client (I guess they are separated via VPN tunnel and possibly on different IP subnets). By adding an alias to the firewall I guess you have effectively put them on the same broadcast domain so routing no longer becomes an issue.

     

    Glad it worked, as understanding your environment was making my head hurt! Really need a diagram for these kinds of things.

     

    All the best.
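
An added example, not part of any post in this thread: a small Python classifier for the text output of the port 9003 tcpdump suggested above, separating "nothing arrives" (the VPN path) from "SYN arrives but the reply is missing or lost" (rule zones or the route back to the client). It assumes tcpdump's default one-line-per-packet text format; the addresses and sample lines are constructed.

```python
import re

ADMIN_PORT = 9003  # Admin Console port named in the thread

# Constructed tcpdump-style lines (not captured traffic); addresses are made up.
SAMPLE = """\
14:02:11.100001 IP 10.8.0.25.50412 > 192.168.1.1.9003: Flags [S], seq 100, win 64240, length 0
14:02:12.100950 IP 10.8.0.25.50412 > 192.168.1.1.9003: Flags [S], seq 100, win 64240, length 0
"""

PACKET = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

HINTS = {
    "no-traffic": "no SYN reached this interface; look at the VPN path, not the firewall",
    "syn-unanswered": "SYN arrives but no SYN-ACK leaves here; check the rule's zones "
                      "and whether the reply is routed out another interface",
    "reset": "the firewall answered with RST; the connection was actively refused",
    "reply-lost": "SYN-ACK sent but never acknowledged; check the route back to the client",
    "handshake-ok": "TCP handshake completed; the problem is above the transport layer",
}

def diagnose(capture, port=ADMIN_PORT):
    """Classify a text capture of the admin port into one of the HINTS keys."""
    syn = synack = rst = ack = 0
    for m in PACKET.finditer(capture):
        sport, dport, flags = int(m.group(2)), int(m.group(4)), m.group(5)
        if dport == port and flags == "S":
            syn += 1
        elif sport == port and flags == "S.":
            synack += 1
        elif sport == port and "R" in flags:
            rst += 1
        elif dport == port and synack and "." in flags:
            ack += 1  # client acknowledged the SYN-ACK
    if syn == 0:
        code = "no-traffic"
    elif rst:
        code = "reset"
    elif synack == 0:
        code = "syn-unanswered"
    elif ack == 0:
        code = "reply-lost"
    else:
        code = "handshake-ok"
    return code, HINTS[code]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```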

  • alexn Veteran 722 posts since
    Aug 9, 2012
    8. Mar 20, 2013 4:21 PM (in response to packetmonkey)
    Re: Cannot Use Admin Console Over VPN?

    Hi all,

     

    Just a hint

     

    Configure the required firewall rules to permit virtual private network (VPN) network traffic through the firewall to the RRAS server.


    Post Timings: 6.00 AM to 3.00PM PDT
