johnm07

asked on

Sonicwall VPN issue

So far I have a good VPN tunnel between two Sonicwall appliances.

My configurations:
Main office –
Sonicwall WAN IP xxx.xxx.xxx.xxx
Sonicwall LAN IP is 192.168.100.1
LAN IP range is 192.168.100.1-199, subnet 255.255.255.0
(Removed the 192.168.100.200-254 range from DHCP for remote VPN users)
Network has a local DHCP server, DNS server for Active Directory as well as WINS server
VPN tunnel ends at the LAN

Remote Office -
Sonicwall WAN IP xxx.xxx.xxx.xxx
Sonicwall LAN IP is 192.168.100.200
LAN IP range is 192.168.100.201-205, subnet 255.255.255.0
Sonicwall is acting as this site's DHCP server and also assigns the site's WAN DNS address as well as the Main office's LAN DNS address.
VPN tunnel ends at the LAN

Although I have a good VPN tunnel (green light between appliances) I'm not able to ping or otherwise communicate between computer systems on each end of the VPN link. I'm guessing that I need a different subnet per LAN, but before trying all kinds of crazy things I thought I should ask. So if you can lend a hand in pointing out my screw-up I would greatly appreciate it.

Thanks
John
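An added check, not part of this thread or of SonicWall's tooling, that models the addressing John describes (both offices on 192.168.100.0/24) and shows why a tunnel that is "up" can still carry nothing: a host never sends traffic to its gateway for a destination inside its own subnet. The site dictionaries are constructed from the addresses in the question; the "fixed" remote LAN of 10.10.10.0/24 is an assumed renumbering.

```python
import ipaddress

# Constructed from the addressing in the question (example only, not from the
# thread): both offices originally used 192.168.100.0/24. The 10.10.10.0/24
# remote LAN is an assumed renumbering used to show a non-overlapping pair.
MAIN_OFFICE = {"name": "Main office", "lan": "192.168.100.0/24", "gateway": "192.168.100.1"}
REMOTE_ORIGINAL = {"name": "Remote office", "lan": "192.168.100.0/24", "gateway": "192.168.100.200"}
REMOTE_FIXED = {"name": "Remote office", "lan": "10.10.10.0/24", "gateway": "10.10.10.1"}


def next_hop(src_ip, src_lan, dst_ip):
    """Decide how a host on src_lan reaches dst_ip.

    A host hands a packet to its gateway (and thus to the VPN tunnel) only when
    the destination is off its own subnet. An address inside its own subnet is
    resolved with ARP on the local wire and never enters the tunnel, which is
    exactly what happens when both ends of a site-to-site VPN share a subnet.
    """
    lan = ipaddress.ip_network(src_lan, strict=False)
    if ipaddress.ip_address(src_ip) not in lan:
        raise ValueError(f"{src_ip} is not inside {src_lan}")
    return "on-link (ARP)" if ipaddress.ip_address(dst_ip) in lan else "via gateway/VPN"


def check_site_pair(site_a, site_b):
    """Return a list of findings for a pair of site-to-site VPN endpoints."""
    findings, nets = [], []
    for site in (site_a, site_b):
        net = ipaddress.ip_network(site["lan"], strict=False)
        gw = ipaddress.ip_address(site["gateway"])
        if gw not in net:  # a gateway outside its own LAN is a config error too
            findings.append(f"{site['name']}: gateway {gw} is outside its LAN {net}")
        nets.append(net)
    if nets[0].overlaps(nets[1]):
        findings.append(
            f"{nets[0]} overlaps {nets[1]}: hosts treat the far side as on-link and "
            "never send it through the tunnel; renumber one side"
        )
    return findings


if __name__ == "__main__":
    for remote in (REMOTE_ORIGINAL, REMOTE_FIXED):
        print(remote["lan"], check_site_pair(MAIN_OFFICE, remote) or ["ok"])
    # A main-office PC pinging the remote office under each addressing plan:
    print(next_hop("192.168.100.10", MAIN_OFFICE["lan"], "192.168.100.201"))
    print(next_hop("192.168.100.10", MAIN_OFFICE["lan"], "10.10.10.5"))
```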
AZweb

The first thing I would do is take a look at the manuals and whitepapers from Sonicwall. They are on your product CDs and the website at http://www.sonicwall.com. You need to log on to view the whitepapers online. They will tell you how to connect between different product lines depending on what models you have, since you don't say.
 
I am a new Sonicwall user but if you have a DHCP server at your main office why do you have an IP range of 1-199 on the unit at the main office? The IP's will be handled by the server and not the Sonicwall.

I am just getting started on setting up my VPN connections so I am not much help there yet.
Good luck...
Did you disable/enable ICMP in Sonicwall's firewall settings?

ASKER

AZweb,

Thanks for sharing your ideas.

I followed the white papers during setup but they don't detail IP or routing details, and unfortunately I have yet to find a good Sonicwall article addressing network browsing across a VPN on systems newer than NT. I would like to see some info on using Active Directory across a VPN. My understanding is that NetBIOS traffic is not sent across the VPN tunnel, so I'm hoping my internal DNS server can help out in this area. I would prefer NOT to use hosts files as they require constant updates.

As far as my Main Office DHCP server, DHCP is handled by a Windows server, not the Sonicwall. The remote office does not contain any servers, so I'm using the Sonicwall for DHCP in that office.

_John

ASKER

ahoffmann,

I didn't disable or enable ICMP in Sonicwall's firewall settings. From what I just read on ICMP on the Sonicwall site it sounds like ICMP is natively blocked by the Sonicwall firewall. Do I need to change these settings for the VPN link, set a rule?

Can you elaborate on the ICMP importance for computers to communicate across the VPN tunnel?
> Do I need to change these settings ..
Yes, if you want to use ping.
In practice ICMP is not needed (except for troubleshooting ;-)
ASKER CERTIFIED SOLUTION
Genexen


ASKER

Marc,

I'm liking the sound of your answer.

Since I last posted, this is where I'm at:
Main office Sonicwall VPN IP 192.168.100.1, VPN tunnel ends on LAN
Remote office Sonicwall VPN IP 192.168.1.100 / clients assigned Main office DNS / VPN tunnel ends on OPT port
Remote LAN IP is 10.10.10.1

VPN is now working great. From Remote VPN I can see everything on the Main office LAN.

Couple of things I still need to do, and maybe you can point me in the right direction:

1. I can only admin the remote Sonicwall when I plug into one of its LAN ports. I really need to admin from its OPT port or across the WAN. When I try the OPT port or over the Internet to its routable IP it just doesn't come up. (Even with https)
2. I would like the remote office computers to show up and be reachable on the Main office LAN. Maybe a static DNS entry for each remote office computer would solve this?

Thanks
-John
John, your requirements are easily doable:

1. Because you've set each end of the VPN to terminate on the LAN, you can access the admin interface (of the remote Sonicwall) by simply entering the LAN IP address of the remote Sonicwall into your browser (trust me, it'll work!). Just leave the OPT port out of the equation; it'll make a simple config more complex. If you are in your main office (192.168.100.x) just enter 10.10.10.1 and you'll see your admin screen.

2. If you are running either a WINS or a DNS server (like with MS Active Directory), just make sure that the computers in the REMOTE office have the IP address of the WINS/DNS server (or both) in the MAIN office set. You can also enable broadcasts across the VPN link; I'd just be careful because too much broadcast/resolution traffic can kill your WAN link. A static DNS entry on each remote computer would work too, just it isn't scalable and can become a big pain in the @$$ once you need to start renaming PCs in the main office - I'd stay away from this.

I'll check back on this thread in a bit...let me know how things work out.

-Marc
Oops, just reread your last post.
Unless you absolutely need to filter between the two sites, I'd recommend terminating each end of the VPN on the LAN. This way you don't need to create FW rules for each service/port you want open (like browsing files!).

ASKER

Marc,

Unfortunately I have to set up the remote offices using the OPT port and LAN port and separate their IP ranges. These sites require systems on the OPT port to have access to the Main Office LAN and their own local LAN. Systems on the Remote office LAN can only access each other and the Internet.

With all that said, I'll need to access the remote Sonicwall via either the OPT port or the Internet. I'm not in the office now, but I'll try accessing the Admin console over its 10. address OPT port, but I think I've already tried this when I was trying to get it going yesterday.

I have the basics configured, but I need to move to the nitty-gritty rules of who has access where and what can be sent over what ports. From what you said in your last post it looks like I need to dig into the FW rules for my configuration. I'm guessing the FW rules will allow me to access the Admin over the OPT port. I'll cross my fingers and try all this out on Monday.
I'll update you as soon as I have some results.

-John
John, you are correct. You need to go into the FW config and allow access to the management interface from the OPT port... you will then be able to remotely admin the remote Sonicwall by simply browsing to the IP address of the OPT port.