9 Replies. Latest reply: Mar 20, 2013 5:48 PM by grinder

    Cannot Use Admin Console Over VPN?


      I am trying to use the MFE Admin Console to manage our firewall (still in testing) from outside the office. I am connected to our internal network via VPN to our RRAS server. I can ping the firewall inside IP just fine but cannot connect to it using the Admin Console on port 9003. When I am in the office I can do it just fine. Is this somehow not allowed over a VPN connection?

        • 1. Re: Cannot Use Admin Console Over VPN?

          No, I've never encountered an issue using the Admin Console via a VPN. I have a site-to-site IPSec tunnel from home which works, and when I'm mobile I'm able to use our SSL-VPN connection and this too doesn't present me with any issues.


          We also have VPN connections with some of our customer Firewalls and this is explicitly to allow us to access the Admin Console on the internal side, rather than making it available on the external side.



          • 2. Re: Cannot Use Admin Console Over VPN?

            I have no idea why it won't work using the RRAS VPN connection. It places me on the same internal subnet the firewall internal interface is on. So I tried connecting via the VPN I set up on the firewall coming through the external interface. I added a rule to allow the Admin Console. It connects but won't authenticate me; it gives me an error.


            The rule I added is as follows:


            Application: Admin Console
            Source Zone: VPN
            Source Endpoint: ANY
            Dest. Zone: LAN
            Dest. Endpoint: ANY
            NAT: NONE
            Redirect: <Firewall>(IP)
            Redirect Port: 9002
            Authenticator: Password


            I copied the default rule that was added for the LAN when I set up the firewall. Maybe I need to change something here?


            Here is the error I get:

            • 3. Re: Cannot Use Admin Console Over VPN?

              This came up in the audit while trying to access it. I removed sensitive info as indicated by data between {}. For some reason it is saying the VPN IP is coming from the external zone even though the VPN configuration is set to land on the VPN zone I have defined. It is also showing the internal firewall IP as being in the destination zone external. Kinda strange.


              2013-03-20 12:08:47 -0700 f_login_sidewinder a_aclquery t_attack p_major
              pid: 17374 logid: 0 cmd: 'login_sidewinder'
              hostname: {FIREWALL} category: policy_violation
              event: ACL deny attackip: {VPN_IP} attackzone: external
              application: all srcip: {VPN_IP} srcport: 31565 srczone: external
              protocol: 6 dstip: {FW_INT_IP} dstport: 9003 dstzone: external
              rule_name: Deny All cache_hit: 0 reason: Traffic denied by policy.


              Message was edited by: grinder on 3/20/13 2:16:17 PM CDT
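As an added example (not code from the original thread or from the firewall vendor): a small Python parser for the audit record format quoted above, plus a check that flags an ACL deny on the Admin Console port whose source address belongs to the VPN client pool but was classified in some other zone, which is exactly the symptom in that record. The sample record, IP addresses, hostname and zone names are constructed placeholders.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample in the same layout as the audit record above; the
# hostname and addresses are placeholders, not values from the thread.
SAMPLE = """2013-03-20 12:08:47 -0700 f_login_sidewinder a_aclquery t_attack p_major
pid: 17374 logid: 0 cmd: 'login_sidewinder'
hostname: fw01 category: policy_violation
event: ACL deny attackip: 10.9.0.5 attackzone: external
application: all srcip: 10.9.0.5 srcport: 31565 srczone: external
protocol: 6 dstip: 192.0.2.1 dstport: 9003 dstzone: external
rule_name: Deny All cache_hit: 0 reason: Traffic denied by policy."""

# Header: timestamp with UTC offset, then the f_/a_/t_/p_ classification tags,
# running up to the first "key: " pair.
_HDR = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (?P<tags>.*?)(?= \w+: )")
# A "key: value" pair; the value runs until the next " key:" token or the end
# of the record, so multi-word values like "Deny All" survive intact.
_KV = re.compile(r"(\w+): (.*?)(?= \w+: |$)")


def parse_audit(record: str) -> dict:
    """Flatten one multi-line audit record into a dict of its fields."""
    flat = " ".join(line.strip() for line in record.strip().splitlines())
    hdr = _HDR.match(flat)
    fields = {"timestamp": hdr.group("ts"), "tags": hdr.group("tags").split()} if hdr else {}
    fields.update(dict(_KV.findall(flat)))
    return fields


def check_zone_mismatch(fields: dict, vpn_pool: str, vpn_zone: str,
                        console_port: str = "9003") -> Optional[str]:
    """Return a finding when a console login from the VPN client pool was
    denied while carrying a source zone other than the VPN zone, else None."""
    if fields.get("event") != "ACL deny" or fields.get("dstport") != console_port:
        return None
    src = ipaddress.ip_address(fields["srcip"])
    if src in ipaddress.ip_network(vpn_pool) and fields.get("srczone") != vpn_zone:
        return (f"{fields['srcip']} is in VPN pool {vpn_pool} but arrived in zone "
                f"'{fields['srczone']}' (expected '{vpn_zone}'); "
                f"rule '{fields['rule_name']}' denied it")
    return None


if __name__ == "__main__":
    print(check_zone_mismatch(parse_audit(SAMPLE), "10.9.0.0/24", "VPN"))
```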
              • 4. Re: Cannot Use Admin Console Over VPN?

                If your VPN connection places you on the internal network with an IP address from the same subnet you would get from using a LAN PC/Laptop, you shouldn't need to create any additional rules on the Firewall - the existing Admin Console rule should work in just the same way.


                As far as your other rule is concerned, Admin Console rules are generally (in my own experience, at least) created with the source and destination zones the same (as per your default Admin Console rule on the internal side). So, if this other VPN terminates your connection in a zone called VPN, then both source and destination zones in the rule should be set to VPN - you would then use the IP address linked to that zone to establish your connection.


                I still believe the RRAS connection should work, based on what you are saying, and if you are able to RDP to a machine on the LAN using this connection, I'd then suggest using it to establish an SSH command line connection and then run a tcpdump on interface 1-1 (the internal NIC) for port 9003. Then try to establish an Admin Console connection and see if any traffic arrives. If there is none, something (what, I don't know) in the make-up of this connection is either preventing access to the Firewall's internal IP address, or blocking port 9003.


                Of course, if you can establish an RDP connection why not install a copy of the Admin Console on this host and when you are out of the office you can access the Firewall in this manner. It's a bit of a long-winded option, but will save you from trying to diagnose your RRAS VPN.



                • 5. Re: Cannot Use Admin Console Over VPN?

                  I am able to RDP into our servers and I do have Admin Console running on one of them. I am not going to spend too much time with the RRAS stuff because it will be going away, replaced by the VPN capability of the firewall.


                  For my VPN configuration I created a Zone strictly for it named VPN. In the configuration of the VPN connection it terminates all VPN users onto this zone. I am using a client address pool that assigns IP addresses that are on a different subnet than anything else. Do I need to add this subnet to the internal interface as an alias IP? So for instance if my VPN client address pool is do I need to add the IP of to the internal interface alias IP? The client address pool is allowed to access the LAN subnet and I am able to ping devices on this subnet and access them just fine.


                  I wrote the rule to go from the VPN zone to the LAN zone because that is where the Internal Interface IP for the firewall resides. If I try it any other way it cannot contact the firewall at all and just times out. If you see my post above about the audit when I try to log in, it has to do with the zone the authentication is coming from being wrong. I do not want to enable Admin Console or SSH on the external zone.

                  • 6. Re: Cannot Use Admin Console Over VPN?

                    So I added the .1 address of my client address pool as an alias IP to my LAN interface and it works. So if the client address pool is  you add the IP of as an alias IP to the interface.

                    • 7. Re: Cannot Use Admin Console Over VPN?

                      That does make sense ... kinda.


                      The alternative is to make sure that you have a properly tweaked routing table (static routes) on the firewall so it knows to use the VPN tunnel correctly to communicate between the firewall and client (I guess they are separated via the VPN tunnel and possibly on different IP subnets). By adding an alias to the firewall I guess you have effectively put them on the same broadcast domain, so routing no longer becomes an issue.


                      Glad it worked, as understanding your environment was making my head hurt! Really need a diagram for these kinds of things.


                      All the best.

                      • 8. Re: Cannot Use Admin Console Over VPN?

                        Hi all,


                        Just a hint:


                        Configure the required firewall rules to permit virtual private network (VPN) network traffic through the firewall to the RRAS server.

                        • 9. Re: Cannot Use Admin Console Over VPN?

                          How would you set up the static routes for the VPN?