[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Can't access Sonicwall VPN server from behind router

Posted on 2006-07-09
Medium Priority
Last Modified: 2012-08-13
From home I can access sonicwall directly from DSL modem.  If I try to access from behind router, I get connected message, but can not access any services.  Also, my sonicwall virtual adapter has an ip of

I have Speedstream 5100 DSL Modem to newer Linksys router with latest firmware.  
I disabled all firewals in both router & on PC.  
Modem is,  Router & PC on 192.168.15.X subnet
PC's at work on 192.168.1.x subnet
Modem has been tried in both gateway & ppoe mode.  
PC on Windows 2000 professional.
Question by:drtony2
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
LVL 77

Expert Comment

by:Rob Williams
ID: 17069980
-The Linksys at your remote site should have the appropriate service enabled, This depends on the type or tunnel you have established. I assume it is IPSec, so on the Linksys there should be an option to "enable IPSec pass-through", or if using another protocol enable PPTP, or L2TP pass-through.
-Also what is the WAN IP of the Linksys? Is it a public IP or a private IP such as  to  to  to
If a private IP you would normally put the Modem in bridge mode but that is not an option with the 5100. Let us know and we can see if we can deal with it if it is a problem. The Linksys needs to have a public WAN IP.

Author Comment

ID: 17070105
Linksys Model WRT55A+G - public ip - 69.x.x.x
It has a VPN passthrough panel to enable 3 protocols, 1 of which is IPSEC - all 3 are enabled.
This particular modem did give me an option to put it in bridge mode (perhaps firmware upgrade)  and it is set to bridge mode.

LVL 77

Expert Comment

by:Rob Williams
ID: 17070120
The Speedstream 5100 can be put in bridge mode? or another unit. In any case if it has a 69.x.x.x IP, that is not the problem.
It may be that the Sonicwall does not support NAT-T (remote end behind a router/NAT device). which model Sonicwall? Perhaps there is something in the documentation.
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!


Author Comment

ID: 17070581
The 5100 itself is in bridge mode.  The linksys has the 69.x.x.x ip passed through to it.  
Its a Sonicwall TZ170. I dont have access to the sonicwall server or doc.  
I do know another employee was able to use it behind a router who has a cable modem (v. DSL). Though I could get changes to be made to the sonicwall if there are some settings that can be modified.

LVL 77

Expert Comment

by:Rob Williams
ID: 17072700
Interesting, looked at the web site and those 5100's are radically different than the ones I have seen here. Any way configuration sounds fine.

Have a look at the following question. Seems to be similar problem and the accepted answer tells you how to deal with NAT-T
See if it is any help.
...and another:

An outline from the SonicWall client manual:
[  http://www.sonicwallfirewalls.com/support/pdfs/technotes/SonicWALL_GSC_GVC_FAQ_Final.pdf  ]
"Can I shut off NAT-T?
Yes – you can set NAT Traversal to ‘Automatic’, ‘Forced On’, or ‘Disabled’ on the GVC. This is on a per-connection
basis, and is controlled via the ‘Peers’ tab for each connection profile (simply select the peer from the list and click
on the ‘Edit…’ button to access the settings). By default, all connection profiles are set to ‘Automatic’, which means
that if the SonicWALL is also set to use NAT-T, it will be negotiated during the connection process. This is
controlled by the ‘Advanced’ VPN settings on the SonicWALL device.
So, what exactly is NAT-T and why would I want to use it?
Unfortunately, IKE/IPSec VPN connections cannot successfully negotiate if any device between the two endpoints
performs network address translation (NAT) on the session, since IKE/IPSec notes the original endpoint source IP
addresses as part of the setup. This is a common problem for software-based VPN clients that operate behind
remote Firewall/NAT devices that are not set for ‘IPSec Passthru’, or simply are not capable of it. In order to get
around this problem, NAT-T encapsulates the traffic into UDP packets. This also helps with environments where
any device between the two endpoints is set to block IPSec packets. NAT-T is on by default in the GVC and on all
SonicWALL devices, and its use is strongly recommended."

Author Comment

ID: 17076731
Thanks the info is written pretty clearly, but the question is that youre saying you should use NAT-T and it is set by default on both the sonicwall server & the GVC, so that it should already be working?  Was there something to change or try on either end?  My GVC is set to automatic.
LVL 77

Accepted Solution

Rob Williams earned 2000 total points
ID: 17076779
I was wondering on the client on Peers tab, do you have the option to enable NAT-T. If so try enabling it. One of those posts suggests disabling it, so if one doesn't work, try the other.

Author Comment

ID: 17077826
I didnt think this one was going to be solvable, but you got it - disabling NAT-T on the GVC worked, with all the firewalls enabled as well.  Everything read said the opposite to use NAT-T?  

Before I close out the question, is there any rationale / justification that they would have turned off NAT-T on the Server end, or should it have been left enabled as it defaulted?
LVL 77

Expert Comment

by:Rob Williams
ID: 17078176
I must apologize I don't fully understand NAT-T. I too would have thought it needed to be enabled when the client is behind a router. It does however usually have to be set the same on both ends of the tunnel. If disabled on the VPN server it would normally need to be disabled on the client end. It seems to be needed less often as more and more devices/routers support VPN pass-through, such as most Linksys units now do.
Glad to hear it is working for you now. Must have been getting frustrating.

Author Comment

ID: 17078443
Thanks, great straight forward solution to a difficult problem, and good step for anyone to try having difficulty accessing VPN behind a router.
LVL 77

Expert Comment

by:Rob Williams
ID: 17078452
Thanks drtony2.
Unfortunately NAT-T is not a configurable option on many VPN clients. However, works here.

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the Top 10  common Cisco VPN problems are not-matching shared keys. This is an easy one to fix, but not always easy to notice, see the case below. A simple IPsec tunnel between fast Ethernet interfaces of routers SW1 (f1/1) and R1(f0/0). …
For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question