Topic: Cannot connect 2 Company Exchange server  (Read 3531 times)
« on: June 13, 2007, 18:03:27 »
Ginn *
Posts: 18

Hi,

I have the following problem:

I can log in with the Cisco VPN client to my company, yet when Outlook wants to connect to the company's Exchange server it cannot connect in the config below. When I cut out M0n0wall there is no problem.

There are 3 NICs: WRL (Wireless), WAN and LAN.

Wireless router -> WRL Interfaces (M0N0WALL) -> Company

WRL is the subnet with only 1 firewall rule, which states that the WRL subnet can go anywhere but my LAN. This is to prevent anyone who succeeds in hacking my wireless router from being behind enemy lines and able to get to my LAN.

(Yes, I can ping the company's Exchange server, and yes, it uses the VPN connection, and yes, when I use a browser it uses the VPN connection, so there are no gateway problems.)

Thanks for any help.
« Reply #1 on: June 14, 2007, 01:03:00 »
cmb *****
Posts: 851

Don't post the same message more than once. I deleted your other two posts identical to this.

Do you see any blocks in your firewall logs related to this connection?
« Reply #2 on: June 14, 2007, 14:55:16 »
Ginn *
Posts: 18

Dear cmb,

First, thanks for your reply, and of course you are right in removing those 2 identical questions. I just did not know where to place it, because it was VPN related, but not VPN M0n0wall related, as I use the Cisco client to set up the VPN to the company.

I tried that one (looking into the log), but as far as I can see there are none related, and as far as I can see there should be none, because the firewall states that the WRL subnet can go anywhere but the LAN. The connection to the Exchange server is through the VPN connection, which was set up correctly and creates a second IP. BTW, the VPN connection is a 10.100.2.x subnet, while the WRL subnet is a 192.168.7.x subnet. And I can tracert and ping the Exchange server with IP 10.88.3.20.

Thanks for any help.
« Reply #3 on: June 15, 2007, 10:07:12 »
Ginn *
Posts: 18

After checking my logs (WRL subnet = vr0), this seems to be the problem; it has some similarity to what Manuel K. states in http://m0n0.ch/wall/list/showmsg.php?id=253/51
Yet his solution doesn't seem to work.

Any help in this is still appreciated, thanks.

vr0 @400:1 b 192.168.3.20 -> 2xx.1x0.2xx.14x PR udp len 20 (80) (frag 755:60@1480) K-S K-F IN bad
vr0 @400:1 p 192.168.3.20,500 -> 2xx.1x0.2xx.14x,500 PR udp len 20 908 K-S K-F IN
vr0 @400:1 p 192.168.3.20,1044 -> 192.168.3.1,53 PR udp len 20 66 K-S K-F IN
vr0 @400:1 p 192.168.3.20,1300 -> 10.100.3.11,53 PR udp len 20 64 K-S K-F IN
vr0 @400:1 p 192.168.3.20,123 -> 10.100.3.10,123 PR udp len 20 96 K-S K-F IN
vr0 @400:1 p 192.168.3.20,1301 -> 192.168.3.1,53 PR udp len 20 81 K-S K-F IN
vr0 @400:1 p 192.168.3.20,1300 -> 10.100.3.10,53 PR udp len 20 64 K-S K-F IN
vr0 @400:1 p 192.168.3.20,1297 -> 10.100.3.10,80 PR tcp len 20 48 -S K-S K-F IN
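Added example (not part of this thread and not m0n0wall code): a small parser for the ipfilter-style log lines posted above, which picks out the blocked fragment entries and reconstructs the size of the datagram they came from. The sample input is the posted lines plus one line rebuilt from the fragment shown in a later reply (constructed). It assumes the `(frag id:len@off)` field means fragment id, fragment payload bytes and byte offset, which matches the `len 20 (80)` / `60@1480` figures in the first line (20 + 60 = 80).

```python
"""Parse m0n0wall/ipfilter-style firewall log lines and flag blocked IP fragments."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three lines as posted in the thread, plus the fragment from a later
# reply with the (redacted) source address filled in to make it a complete line.
SAMPLE_LOG = """\
vr0 @400:1 b 192.168.3.20 -> 2xx.1x0.2xx.14x PR udp len 20 (80) (frag 755:60@1480) K-S K-F IN bad
vr0 @400:1 p 192.168.3.20,500 -> 2xx.1x0.2xx.14x,500 PR udp len 20 908 K-S K-F IN
vr0 @400:1 p 192.168.3.20,1297 -> 10.100.3.10,80 PR tcp len 20 48 -S K-S K-F IN
vr0 @400:1 b 192.168.3.20 -> 2xx.1x0.2xx.14x PR udp len 20 (96) (frag 277:76@1464) K-S K-F IN bad
"""

# Field layout assumed from the posted lines: iface @rule action src -> dst PR proto
# len <hdr> <total> [(frag id:len@off)] [tcp flags] <state flags> IN|OUT [bad]
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>[bp])\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+\(?(?P<plen>\d+)\)?"
    r"(?:\s+\(frag\s+(?P<fid>\d+):(?P<flen>\d+)@(?P<foff>\d+)\))?"
    r".*?\s+(?P<dir>IN|OUT)(?P<bad>\s+bad)?\s*$"
)


@dataclass
class LogEntry:
    iface: str
    rule: str
    blocked: bool
    src: str
    src_port: Optional[int]  # None when the line carries no port (non-first fragments)
    dst: str
    dst_port: Optional[int]
    proto: str
    header_len: int
    total_len: int
    frag_id: Optional[int]
    frag_len: Optional[int]
    frag_offset: Optional[int]
    direction: str
    bad: bool


def _split_host(field: str):
    """'10.0.0.1,500' -> ('10.0.0.1', 500); an address without a port gives port None."""
    host, _, port = field.partition(",")
    return host, (int(port) if port else None)


def parse_line(line: str) -> Optional[LogEntry]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_host(m["src"])
    dst, dport = _split_host(m["dst"])

    def opt(key: str) -> Optional[int]:
        return int(m[key]) if m[key] is not None else None

    return LogEntry(
        iface=m["iface"], rule=m["rule"], blocked=(m["action"] == "b"),
        src=src, src_port=sport, dst=dst, dst_port=dport, proto=m["proto"],
        header_len=int(m["hlen"]), total_len=int(m["plen"]),
        frag_id=opt("fid"), frag_len=opt("flen"), frag_offset=opt("foff"),
        direction=m["dir"], bad=(m["bad"] is not None),
    )


def is_fragment(e: LogEntry) -> bool:
    return e.frag_id is not None


def original_datagram_len(e: LogEntry) -> int:
    """Pre-fragmentation IP total length: header + offset + this fragment's payload."""
    if not is_fragment(e):
        return e.total_len
    return e.header_len + e.frag_offset + e.frag_len


def blocked_fragments(lines: List[str]) -> List[LogEntry]:
    entries = (parse_line(l) for l in lines)
    return [e for e in entries if e is not None and e.blocked and is_fragment(e)]


def explain(e: LogEntry) -> str:
    """Defender-side reading of a blocked fragment entry."""
    if not is_fragment(e):
        return "not a fragment"
    if e.frag_offset > 0:
        return (f"non-first fragment at offset {e.frag_offset} of a {original_datagram_len(e)}-byte "
                "datagram: no UDP/TCP header on the wire, so a stateful rule cannot match it to "
                "the port-500 session; allow fragments on the rule or lower the path MTU")
    return "first fragment: transport header present, normal state matching applies"


def summarize(lines: List[str]) -> dict:
    entries = [e for e in map(parse_line, lines) if e is not None]
    frags = [e for e in entries if e.blocked and is_fragment(e)]
    return {
        "parsed": len(entries),
        "blocked_fragments": len(frags),
        "non_first_fragments": sum(1 for e in frags if e.frag_offset > 0),
        "marked_bad": sum(1 for e in frags if e.bad),
    }


if __name__ == "__main__":
    for entry in blocked_fragments(SAMPLE_LOG.splitlines()):
        print(f"{entry.src} -> {entry.dst} {entry.proto}: {explain(entry)}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

The point the parser makes visible is that both `IN bad` lines are trailing fragments (offset 1480 and 1464) of a 1560-byte UDP datagram and carry no port numbers at all, which is why they cannot be tied to the port-500 VPN session the way the unfragmented `p` lines are.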
« Reply #4 on: June 16, 2007, 02:35:39 »
cmb *****
Posts: 851

Edit your default LAN rule and check allow fragments. Looks like that'll fix it.
« Reply #5 on: June 16, 2007, 10:51:50 »
Ginn *
Posts: 18

Thanks. I tried allowing defragmented packets, yet the "IN bad" log entries remain after the VPN is successfully set up. Needless to say, there is still no connection to the Exchange server.

-> 2xx.1x0.2xx.14x PR udp len 20 (96) (frag 277:76@1464) K-S K-F IN bad
« Reply #6 on: March 02, 2008, 10:22:28 »
Ginn *
Posts: 18

As Manuel K. states in his latest update, 1.3b10 (03/01/2008):

    * allow fragmented ESP and NAT-T encapsulated IPsec packets when using the integrated IPsec support (should solve MTU issues)

This has solved it, thanks.
