I have attempted my first XG configuration to put an AT&T VPN gateway (IPsec, I believe) with an extensive set of required management rules into a DMZ.
The XG DMZ interface is 10.255.168.1; the VPN gateway WAN interface is 10.255.168.2.
First off I am unable to ping the XG interface from the VPN gateway; the VPN gateway believes that it has no internet connectivity and won't go online.
I am not sure how to log the traffic to diagnose if things are configured correctly and if so to troubleshoot the rules that I have written. Any guidance one can offer would be appreciated.
| Port | Protocol | Direction | Address | Application | NetGate code version |
|---|---|---|---|---|---|
| ESP (50) | ESP | in/out | Any (tunnel IPsec server IPs) | IPsec | All |
| 9 | UDP, TCP | out | 12.67.1.68 | Bandwidth tests (CoS) (US) | |
| 9 | UDP, TCP | out | 32.114.25.44 | Bandwidth tests (CoS) (AP) | |
| 9 | UDP, TCP | out | 32.112.48.164 | Bandwidth tests (CoS) (EMEA) | |
| 13 | TCP | in/out | 208.66.175.36, 207.200.81.113, 206.246.118.250, 198.60.73.8, 192.43.244.18, 173.14.47.149, 132.163.4.103, 132.163.4.102, 132.163.4.101, 131.107.13.100, 129.6.15.29, 129.6.15.28, 128.138.188.172, 128.138.140.44, 69.25.96.13, 68.216.79.113, 64.236.96.53, 64.147.116.229, 64.125.78.85, 64.113.32.5, 64.90.182.55 | STP (Simple Time Protocol); at least one time server address should be permitted, preferably multiple addresses for redundancy | 1.5+ |
| ICMP type 20 | ICMP | out | 129.37.4.131 | Proactive Monitoring (US and AP) | |
| ICMP type 20 | ICMP | out | 129.37.4.71 | Proactive Monitoring (US) | |
| ICMP type 20 | ICMP | out | 165.172.132.76 | Proactive Monitoring (Canada) | |
| ICMP type 20 | ICMP | out | 32.112.12.83, 32.112.12.51 | Proactive Monitoring (EMEA) | |
| ICMP type 21 | ICMP | in | 129.37.4.131, 129.37.4.71 | Proactive Monitoring (US and AP) | All |
| ICMP type 21 | ICMP | in | 165.172.132.76 | Proactive Monitoring (Canada) | All |
| ICMP type 21 | ICMP | in | 32.112.12.83, 32.112.12.51 | Proactive Monitoring (EMEA) | All |
| 20 | TCP | in | 165.87.194.246, 165.87.194.243 | FTP data for code updates | All |
| 21 | TCP | out | 165.87.194.246, 165.87.194.243 | FTP for code updates | All |
| 22 | TCP | in | 129.37.4.0/24 | SSH remote management | All |
| 53 | UDP | out | ISP and AT&T DNS | WAN connectivity test/dns_ping | 1.6+ |
| 443 | TCP | in | 129.37.4.0/24 (customer specific or 3rd party support subnets may need to be added) | HTTPS remote management | All |
| 500 | UDP | in/out | Any (tunnel IPsec server IPs) | ISAKMP negotiation | All |
| 4500 | UDP | in/out | Tunnel server IP | NAT-T (when ESP protocol 50 is blocked; added in v5.2.600) | |
| 5080 | TCP | out | 204.146.172.225, 204.146.166.105, 204.146.172.226, 204.146.219.1, 204.146.172.230, 204.146.166.107 (or see Global RIG List) | RIG/SVCMGR authentication | All |
| 5081 | UDP | in/out | 204.146.172.225, 204.146.166.105, 204.146.172.226, 204.146.219.1, 204.146.172.230, 204.146.166.107 (or see Global RIG List) | RIG query | Pre-1.4 |
| 8080 | TCP | in | 129.37.4.0/24 | Secure Support Interface | v1.5 through v5.3 |
| 9920 | TCP | in/out | 144.160.245.70, 129.37.0.113, 32.97.118.242 (removed from service) | Remote Access Repository | All |
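As an added example for troubleshooting the rule set (not the poster's configuration, nor AT&T or Sophos tooling): a small Python checker that holds a subset of the NetGate rule table above as data and reports which observed flows no required rule covers, so a dropped connection seen in a DMZ packet capture or the firewall log can be classified as "missing rule" or "unexpected traffic". The tunnel server addresses are not listed in the post, so they are represented by a labelled any-address placeholder, the time-server list is trimmed, and the sample flows are constructed.

```python
import ipaddress

ANY = "0.0.0.0/0"  # placeholder: the post does not list the tunnel server IPs
MON = ["129.37.4.131", "129.37.4.71", "165.172.132.76", "32.112.12.83", "32.112.12.51"]

# Subset of the NetGate rule table quoted in the post (time servers trimmed to
# three). Tuple: (protocol, port or ICMP type, direction, remote addresses, purpose)
RULES = [
    ("esp", None, "in/out", [ANY], "IPsec ESP"),
    ("tcp", 13, "in/out", ["129.6.15.28", "129.6.15.29", "132.163.4.103"], "STP time service"),
    ("icmp", 20, "out", MON, "Proactive monitoring"),
    ("icmp", 21, "in", MON, "Proactive monitoring"),
    ("tcp", 20, "in", ["165.87.194.246", "165.87.194.243"], "FTP data for code updates"),
    ("tcp", 21, "out", ["165.87.194.246", "165.87.194.243"], "FTP for code updates"),
    ("tcp", 22, "in", ["129.37.4.0/24"], "SSH remote management"),
    ("tcp", 443, "in", ["129.37.4.0/24"], "HTTPS remote management"),
    ("udp", 500, "in/out", [ANY], "ISAKMP negotiation"),
    ("udp", 4500, "in/out", [ANY], "NAT-T"),
    ("tcp", 5080, "out", ["204.146.172.225", "204.146.166.105"], "RIG/SVCMGR auth"),
    ("tcp", 8080, "in", ["129.37.4.0/24"], "Secure support interface"),
    ("tcp", 9920, "in/out", ["144.160.245.70", "129.37.0.113"], "Remote access repository"),
]

def matching_rule(proto, port, direction, remote_ip):
    """Purpose of the first rule covering the flow, or None. port is the TCP/UDP
    port, the ICMP type, or None for ESP; direction is "in" or "out" as seen
    from the VPN gateway."""
    addr = ipaddress.ip_address(remote_ip)
    for r_proto, r_port, r_dir, nets, purpose in RULES:
        if (r_proto, r_port) != (proto.lower(), port):
            continue
        if direction not in r_dir.split("/"):
            continue
        if any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
            return purpose
    return None

def audit(flows):
    """Flows no rule permits: a missing rule, or traffic worth a look in the log."""
    return [f for f in flows if matching_rule(*f) is None]

# Constructed sample flows, the kind a packet capture on the DMZ would show.
SAMPLE_FLOWS = [
    ("udp", 500, "out", "203.0.113.10"),   # ISAKMP to the tunnel server
    ("tcp", 22, "in", "129.37.4.42"),      # SSH from the AT&T management /24
    ("tcp", 22, "out", "129.37.4.42"),     # wrong direction: no rule
    ("tcp", 13, "out", "129.6.15.28"),     # time server
    ("tcp", 8080, "in", "198.51.100.7"),   # not from 129.37.4.0/24: no rule
]
```

Running `audit(SAMPLE_FLOWS)` lists the two flows that the table does not permit; the same check can be fed the 5-tuples from an XG packet capture on the DMZ interface.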