Sonicwall is connected to two separate LANs, but DHCP will only assign IP addresses from one of those LANs to VPN clients

Posted on 2006-04-26
Last Modified: 2013-11-16
I have a Sonicwall 3060 connected to two separate LANs (each LAN being a different company). These two companies are sharing the Sonicwall and the T1 internet connection. Company 1 is connected to the X0 interface, Company 2 is connected to the X2 interface, and the internet is on the X1 interface. These two companies and their users must be isolated from each other as Company 2 is a health care company and governed by HIPAA privacy rules.

The problem is when users connect to their respective LANs via the VPN client, they are only getting assigned an IP address from Company 1.  First I tried using the Sonicwall as a DHCP server, then using a Windows DHCP server on each LAN.  I got the same results both ways.

How can I set it up so that users from Company 1 will get an IP address for their LAN (192.168.1.x) and users from Company 2 will get one from their IP range (192.168.2.x) when they connect using the Global VPN Client?

Question by:mtkaiser
    LVL 42

    Accepted Solution

    Since you have only 1 internet connection, how does the Sonicwall know which company to forward an incoming connection to? You only have 1 external IP. A remote user will use that external IP when they specify where they are connecting to... but I don't see how you will specify which company that incoming connection belongs to.
    I believe you need 2 static IP addresses. Your Sonicwall will then know which incoming connection belongs to which company (one static IP per company). You will have to configure a Global VPN Client for each static IP.

    Author Comment

    There are two different groups of VPN clients (Company 1 Group and Company 2 Group).  Each group is only allowed to connect to their own LANs.  That rule is working, however, when people from Company 2 connect to their LAN, they are being assigned an IP address from the Company 1 LAN.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    The point zephyr is making is that there has to be a 'distinguisher' between the two VPN groups on the outside, not just on the inside. When a VPN call comes in from the outside, the Sonic needs to know at that point which group the user belongs to so it can take the appropriate action. In your case, that is to assign an address from the correct DHCP pool.

    Cisco VPN concentrators, for example, have a group setting where you can put source IP addresses/users etc. into so that it can assign the correct addresses as required. I believe that Sonic can do the same but by using different external IPs.

    For example, if you had two external IP addresses assigned to the external interface of your Sonic, you can take one set of actions for that group and a different set of actions for company 2, as they will have called the VPN on the second IP address.

    Another alternative would be to have a second Internet connection & firewall so each would be kept separate.

    Only other solution I can think of is something like Cisco's Access Control Server (ACS) where you put the users into groups that the external device can check as connections are made so as to know, in advance, the decisions it needs to make such as which DHCP server and the like.

    Sorry it likely does not serve your needs but that is the way it works.

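    The decision Keith describes above, modelled as an added example (this is constructed illustration code, not SonicWall firmware or anything posted in the thread): an incoming VPN call is placed in a company group either by the external address it dialled or by an ACS-style user-to-group lookup, and only then is an address taken from that group's pool. The public addresses, user names and the "pool starts at .100" convention are assumptions; the two LAN ranges are the ones named in the question. The last function checks the HIPAA isolation invariant, and the usage at the bottom shows how a single shared external IP with no user lookup lands a Company 2 user in the Company 1 range.

```python
"""Model of per-group VPN address assignment (constructed example, not SonicWall code)."""
import ipaddress

# LAN ranges from the question.
POOLS = {
    "company1": ipaddress.ip_network("192.168.1.0/24"),
    "company2": ipaddress.ip_network("192.168.2.0/24"),
}

# Assumed public addresses on X1 (documentation range), one per company.
TWO_EXTERNAL_IPS = {"203.0.113.10": "company1", "203.0.113.11": "company2"}
# The situation in the thread: one external IP, which the box can only tie to one group.
ONE_EXTERNAL_IP = {"203.0.113.10": "company1"}
# Hypothetical ACS/RADIUS-style user -> group directory.
USER_DIRECTORY = {"alice": "company1", "bob": "company2"}


class PoolAllocator:
    """Hands out addresses from each pool sequentially, starting at an assumed offset."""

    def __init__(self, pools, first_host=100):
        self._pools = pools
        self._next = {group: first_host for group in pools}

    def allocate(self, group):
        net = self._pools[group]
        idx = self._next[group]
        if idx >= net.num_addresses - 1:      # keep the broadcast address out of the pool
            raise RuntimeError(f"pool for {group} exhausted")
        self._next[group] = idx + 1
        return net[idx]


def group_for_connection(dst_ip, user, external_map, user_map=None):
    """Decide which company a VPN call belongs to.

    A user directory (the ACS-style option) wins when present; otherwise the only
    distinguisher is the external address the client dialled. Returns None when
    neither resolves, so the caller can refuse rather than guess.
    """
    if user_map is not None and user in user_map:
        return user_map[user]
    return external_map.get(dst_ip)


def assign_vpn_address(alloc, dst_ip, user, external_map, user_map=None):
    """Return (group, address) for an incoming client, or raise if it cannot be placed."""
    group = group_for_connection(dst_ip, user, external_map, user_map)
    if group is None:
        raise PermissionError(f"cannot place user {user!r} dialling {dst_ip} in a group")
    return group, alloc.allocate(group)


def is_isolated(true_group, addr):
    """Isolation invariant: a client's address must come only from its own company's LAN."""
    return addr in POOLS[true_group] and not any(
        addr in net for g, net in POOLS.items() if g != true_group
    )


if __name__ == "__main__":
    # One shared external IP, no user lookup: bob (Company 2) is misplaced.
    alloc = PoolAllocator(POOLS)
    group, addr = assign_vpn_address(alloc, "203.0.113.10", "bob", ONE_EXTERNAL_IP)
    print(f"single IP: bob -> {group} {addr}, isolated={is_isolated('company2', addr)}")
    # Two external IPs: the dialled address identifies the group.
    alloc = PoolAllocator(POOLS)
    group, addr = assign_vpn_address(alloc, "203.0.113.11", "bob", TWO_EXTERNAL_IPS)
    print(f"two IPs:   bob -> {group} {addr}, isolated={is_isolated('company2', addr)}")
```

    Either fix in the thread corresponds to supplying a second argument the firewall can key on: a second external address (the `TWO_EXTERNAL_IPS` map) or a user directory (`USER_DIRECTORY` passed as `user_map`). With neither, `group_for_connection` has nothing but the one dialled address to go on, which is exactly the symptom reported.
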
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Oh well, you're welcome anyway.

