Solved

Can't access Sonicwall VPN server from behind router

Posted on 2006-07-09
Last Modified: 2012-08-13
From home I can access sonicwall directly from DSL modem.  If I try to access from behind router, I get connected message, but can not access any services.  Also, my sonicwall virtual adapter has an ip of 0.0.0.0

I have Speedstream 5100 DSL Modem to newer Linksys router with latest firmware.  
I disabled all firewalls in both router & on PC.
Modem is 192.168.0.1,  Router & PC on 192.168.15.X subnet
PC's at work on 192.168.1.x subnet
Modem has been tried in both gateway & PPPoE mode.
PC on Windows 2000 professional.
Question by:drtony2
11 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17069980
-The Linksys at your remote site should have the appropriate service enabled. This depends on the type of tunnel you have established. I assume it is IPSec, so on the Linksys there should be an option to "enable IPSec pass-through", or if using another protocol enable PPTP or L2TP pass-through.
-Also what is the WAN IP of the Linksys? Is it a public IP or a private IP such as
192.168.0.1  to 192.168.255.254
10.0.0.1  to  10.255.255.254
172.16.0.1  to 17.31.255.254
If a private IP you would normally put the Modem in bridge mode but that is not an option with the 5100. Let us know and we can see if we can deal with it if it is a problem. The Linksys needs to have a public WAN IP.
0
 

Author Comment

by:drtony2
ID: 17070105
Linksys Model WRT55A+G - public ip - 69.x.x.x
It has a VPN passthrough panel to enable 3 protocols, 1 of which is IPSEC - all 3 are enabled.
This particular modem did give me an option to put it in bridge mode (perhaps firmware upgrade)  and it is set to bridge mode.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17070120
The Speedstream 5100 can be put in bridge mode? or another unit. In any case if it has a 69.x.x.x IP, that is not the problem.
It may be that the Sonicwall does not support NAT-T (remote end behind a router/NAT device). Which model Sonicwall? Perhaps there is something in the documentation.
0
 

Author Comment

by:drtony2
ID: 17070581
The 5100 itself is in bridge mode.  The linksys has the 69.x.x.x ip passed through to it.  
It's a Sonicwall TZ170. I don't have access to the sonicwall server or doc.
I do know another employee was able to use it behind a router who has a cable modem (v. DSL). Though I could get changes to be made to the sonicwall if there are some settings that can be modified.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17072700
Interesting, looked at the web site and those 5100s are radically different than the ones I have seen here. Anyway, configuration sounds fine.

Have a look at the following question. Seems to be a similar problem, and the accepted answer tells you how to deal with NAT-T:
http://www.experts-exchange.com/Security/Firewalls/Q_20929807.html
See if it is any help.
...and another:
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21466307.html

An outline from the SonicWall client manual:
[  http://www.sonicwallfirewalls.com/support/pdfs/technotes/SonicWALL_GSC_GVC_FAQ_Final.pdf  ]
"Can I shut off NAT-T?
Yes – you can set NAT Traversal to ‘Automatic’, ‘Forced On’, or ‘Disabled’ on the GVC. This is on a per-connection
basis, and is controlled via the ‘Peers’ tab for each connection profile (simply select the peer from the list and click
on the ‘Edit…’ button to access the settings). By default, all connection profiles are set to ‘Automatic’, which means
that if the SonicWALL is also set to use NAT-T, it will be negotiated during the connection process. This is
controlled by the ‘Advanced’ VPN settings on the SonicWALL device.
So, what exactly is NAT-T and why would I want to use it?
Unfortunately, IKE/IPSec VPN connections cannot successfully negotiate if any device between the two endpoints
performs network address translation (NAT) on the session, since IKE/IPSec notes the original endpoint source IP
addresses as part of the setup. This is a common problem for software-based VPN clients that operate behind
remote Firewall/NAT devices that are not set for ‘IPSec Passthru’, or simply are not capable of it. In order to get
around this problem, NAT-T encapsulates the traffic into UDP packets. This also helps with environments where
any device between the two endpoints is set to block IPSec packets. NAT-T is on by default in the GVC and on all
SonicWALL devices, and its use is strongly recommended."
--Rob
0
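To make the quoted NAT-T explanation concrete, here is an added Python example (not from this thread, SonicWALL or the GVC) showing how the IKE NAT-Discovery payloads of RFC 3947 detect a NAT on the path and what each GVC setting quoted above then does with the ESP traffic. The cookies and addresses are constructed, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port). The real hash is
    the one negotiated in IKE phase 1; SHA-1 is assumed here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def nat_on_path(cky_i, cky_r, peer_hash: bytes, seen_ip: str, seen_port: int) -> bool:
    """Receiver recomputes the hash from the source address/port it actually sees.
    A mismatch means a NAT rewrote the packet, which is why plain IKE/IPSec, which
    bakes the endpoint IPs into the exchange, fails through a NAT."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != peer_hash

def esp_transport(nat_t_setting: str, nat_found: bool) -> str:
    """How ESP is carried for the three GVC settings quoted above: 'esp' = raw IP
    protocol 50 (depends on the router's IPSec pass-through), 'udp4500' = NAT-T."""
    if nat_t_setting == "Forced On":
        return "udp4500"
    if nat_t_setting == "Disabled":
        return "esp"
    if nat_t_setting == "Automatic":
        return "udp4500" if nat_found else "esp"
    raise ValueError(f"unknown NAT-T setting: {nat_t_setting}")

# Constructed scenario modelled on the thread: the GVC client on 192.168.15.x sits
# behind a Linksys with a public WAN address (69.x.x.x in the thread; the
# documentation address 203.0.113.5 stands in for it here).
CKY_I = bytes.fromhex("0011223344556677")  # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
CLIENT_LAN_IP, CLIENT_PORT = "192.168.15.20", 500
ROUTER_WAN_IP, NAT_PORT = "203.0.113.5", 31001  # source as seen by the TZ170

def scenario() -> dict:
    """Direct on the modem vs. behind the Linksys, then what each setting does."""
    sent = nat_d_hash(CKY_I, CKY_R, CLIENT_LAN_IP, CLIENT_PORT)  # client's NAT-D
    behind_nat = nat_on_path(CKY_I, CKY_R, sent, ROUTER_WAN_IP, NAT_PORT)
    direct = nat_on_path(CKY_I, CKY_R, sent, CLIENT_LAN_IP, CLIENT_PORT)
    return {
        "nat_detected_behind_linksys": behind_nat,  # True
        "nat_detected_direct_on_modem": direct,  # False
        "automatic_behind_nat": esp_transport("Automatic", behind_nat),  # udp4500
        "disabled_behind_nat": esp_transport("Disabled", behind_nat),  # esp
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With NAT-T disabled on the client, ESP goes out as raw protocol 50 and only reaches the TZ170 if the Linksys's IPSec pass-through handles it, which is consistent with the later remark that the setting usually has to match on both ends.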
 

Author Comment

by:drtony2
ID: 17076731
Thanks, the info is written pretty clearly, but the question is that you're saying you should use NAT-T and it is set by default on both the sonicwall server & the GVC, so that it should already be working?  Was there something to change or try on either end?  My GVC is set to automatic.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 17076779
I was wondering on the client on Peers tab, do you have the option to enable NAT-T. If so try enabling it. One of those posts suggests disabling it, so if one doesn't work, try the other.
0
 

Author Comment

by:drtony2
ID: 17077826
I didn't think this one was going to be solvable, but you got it - disabling NAT-T on the GVC worked, with all the firewalls enabled as well.  Everything I read said the opposite, to use NAT-T?

Before I close out the question, is there any rationale / justification that they would have turned off NAT-T on the Server end, or should it have been left enabled as it defaulted?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17078176
I must apologize I don't fully understand NAT-T. I too would have thought it needed to be enabled when the client is behind a router. It does however usually have to be set the same on both ends of the tunnel. If disabled on the VPN server it would normally need to be disabled on the client end. It seems to be needed less often as more and more devices/routers support VPN pass-through, such as most Linksys units now do.
Glad to hear it is working for you now. Must have been getting frustrating.
0
 

Author Comment

by:drtony2
ID: 17078443
Thanks, a great straightforward solution to a difficult problem, and a good step for anyone to try who is having difficulty accessing VPN behind a router.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17078452
Thanks drtony2.
Unfortunately NAT-T is not a configurable option on many VPN clients. However, works here.
Cheers,
--Rob
0
