Solved

Can't access Sonicwall VPN server from behind router

Posted on 2006-07-09
Last Modified: 2012-08-13
From home I can access the SonicWall directly from the DSL modem.  If I try to access it from behind the router, I get a connected message, but cannot access any services.  Also, my SonicWall virtual adapter has an IP of 0.0.0.0

I have a Speedstream 5100 DSL Modem to a newer Linksys router with the latest firmware.  
I disabled all firewalls in both the router & on the PC.  
Modem is 192.168.0.1,  Router & PC on the 192.168.15.x subnet
PCs at work on the 192.168.1.x subnet
Modem has been tried in both gateway & PPPoE mode.  
PC on Windows 2000 Professional.
Question by:drtony2
11 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17069980
-The Linksys at your remote site should have the appropriate service enabled. This depends on the type of tunnel you have established. I assume it is IPSec, so on the Linksys there should be an option to "enable IPSec pass-through", or if using another protocol enable PPTP or L2TP pass-through.
-Also, what is the WAN IP of the Linksys? Is it a public IP or a private IP such as
192.168.0.1  to  192.168.255.254
10.0.0.1  to  10.255.255.254
172.16.0.1  to  172.31.255.254
If a private IP you would normally put the Modem in bridge mode, but that is not an option with the 5100. Let us know and we can see if we can deal with it if it is a problem. The Linksys needs to have a public WAN IP.

Author Comment

by:drtony2
ID: 17070105
Linksys Model WRT55A+G - public ip - 69.x.x.x
It has a VPN passthrough panel to enable 3 protocols, 1 of which is IPSEC - all 3 are enabled.
This particular modem did give me an option to put it in bridge mode (perhaps firmware upgrade)  and it is set to bridge mode.

LVL 77

Expert Comment

by:Rob Williams
ID: 17070120
The Speedstream 5100 can be put in bridge mode? Or another unit? In any case, if it has a 69.x.x.x IP, that is not the problem.
It may be that the SonicWall does not support NAT-T (remote end behind a router/NAT device). Which model SonicWall? Perhaps there is something in the documentation.

Author Comment

by:drtony2
ID: 17070581
The 5100 itself is in bridge mode.  The Linksys has the 69.x.x.x IP passed through to it.  
It's a SonicWall TZ170. I don't have access to the SonicWall server or docs.  
I do know another employee was able to use it behind a router who has a cable modem (v. DSL). Though I could get changes made to the SonicWall if there are some settings that can be modified.

LVL 77

Expert Comment

by:Rob Williams
ID: 17072700
Interesting, I looked at the web site and those 5100's are radically different than the ones I have seen here. Anyway, the configuration sounds fine.

Have a look at the following question. It seems to be a similar problem, and the accepted answer tells you how to deal with NAT-T:
http://www.experts-exchange.com/Security/Firewalls/Q_20929807.html
See if it is any help.
...and another:
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21466307.html

An outline from the SonicWall client manual:
[  http://www.sonicwallfirewalls.com/support/pdfs/technotes/SonicWALL_GSC_GVC_FAQ_Final.pdf  ]
"Can I shut off NAT-T?
Yes – you can set NAT Traversal to ‘Automatic’, ‘Forced On’, or ‘Disabled’ on the GVC. This is on a per-connection basis, and is controlled via the ‘Peers’ tab for each connection profile (simply select the peer from the list and click on the ‘Edit…’ button to access the settings). By default, all connection profiles are set to ‘Automatic’, which means that if the SonicWALL is also set to use NAT-T, it will be negotiated during the connection process. This is controlled by the ‘Advanced’ VPN settings on the SonicWALL device.

So, what exactly is NAT-T and why would I want to use it?
Unfortunately, IKE/IPSec VPN connections cannot successfully negotiate if any device between the two endpoints performs network address translation (NAT) on the session, since IKE/IPSec notes the original endpoint source IP addresses as part of the setup. This is a common problem for software-based VPN clients that operate behind remote Firewall/NAT devices that are not set for ‘IPSec Passthru’, or simply are not capable of it. In order to get around this problem, NAT-T encapsulates the traffic into UDP packets. This also helps with environments where any device between the two endpoints is set to block IPSec packets. NAT-T is on by default in the GVC and on all SonicWALL devices, and its use is strongly recommended."
--Rob
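The manual excerpt above says IKE "notes the original endpoint source IP addresses as part of the setup"; concretely, IKE peers exchange NAT-D hashes of the addresses each side believes it is using, and a mismatch against what actually arrives on the wire is how NAT between the peers is detected (RFC 3947). The following Python sketch, added here as an illustration and not code from this thread or from SonicWall's GVC, reproduces that check for the two situations drtony2 describes: the PC behind the Linksys and the PC plugged straight into the modem. Cookie values and addresses are constructed (TEST-NET ranges), not the 69.x.x.x address in the thread.

```python
import hashlib
import ipaddress
import struct

# RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port). HASH is the IKE
# phase-1 hash (SHA-1 assumed here), IP is the packed 4- or 16-byte address
# and Port is 2 bytes in network byte order.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()

def build_nat_d(cky_i, cky_r, remote_ip, remote_port, local_ip, local_port):
    """Sender side: first the peer's address as the sender sees it,
    then the sender's own (possibly private) address."""
    return (nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port))

def check_nat_d(cky_i, cky_r, payloads, pkt_src_ip, pkt_src_port, my_ip, my_port):
    """Receiver side: recompute with the addresses actually seen on the wire.
    Any mismatch means a NAT sits between the peers, and both sides must
    switch to UDP encapsulation (port 4500) for NAT-T to carry the tunnel.
    Returns (sender_behind_nat, receiver_behind_nat)."""
    remote_hash, local_hash = payloads
    receiver_natted = remote_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    sender_natted = local_hash != nat_d_hash(cky_i, cky_r, pkt_src_ip, pkt_src_port)
    return sender_natted, receiver_natted

# Constructed IKE cookies and documentation-range addresses, not thread values.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
SONICWALL = ("198.51.100.1", 500)

def client_behind_linksys():
    """PC on 192.168.15.x; the Linksys rewrites source IP and port, so the
    SonicWall sees a different source than the client hashed."""
    client = ("192.168.15.10", 500)
    payloads = build_nat_d(CKY_I, CKY_R, *SONICWALL, *client)
    seen_src = ("203.0.113.5", 61000)   # after NAT on the Linksys WAN side
    return check_nat_d(CKY_I, CKY_R, payloads, *seen_src, *SONICWALL)

def client_direct_on_modem():
    """Same PC connected straight to the bridged DSL modem with a public IP."""
    client = ("203.0.113.5", 500)
    payloads = build_nat_d(CKY_I, CKY_R, *SONICWALL, *client)
    return check_nat_d(CKY_I, CKY_R, payloads, *client, *SONICWALL)

if __name__ == "__main__":
    print("behind router:", client_behind_linksys())   # (True, False)
    print("direct on modem:", client_direct_on_modem())  # (False, False)
```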

Author Comment

by:drtony2
ID: 17076731
Thanks, the info is written pretty clearly, but the question is that you're saying you should use NAT-T and it is set by default on both the SonicWall server & the GVC, so it should already be working?  Was there something to change or try on either end?  My GVC is set to Automatic.
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17076779
I was wondering on the client on Peers tab, do you have the option to enable NAT-T. If so try enabling it. One of those posts suggests disabling it, so if one doesn't work, try the other.

Author Comment

by:drtony2
ID: 17077826
I didn't think this one was going to be solvable, but you got it - disabling NAT-T on the GVC worked, with all the firewalls enabled as well.  Everything I read said the opposite, to use NAT-T?  

Before I close out the question, is there any rationale / justification that they would have turned off NAT-T on the Server end, or should it have been left enabled as it defaulted?
LVL 77

Expert Comment

by:Rob Williams
ID: 17078176
I must apologize I don't fully understand NAT-T. I too would have thought it needed to be enabled when the client is behind a router. It does however usually have to be set the same on both ends of the tunnel. If disabled on the VPN server it would normally need to be disabled on the client end. It seems to be needed less often as more and more devices/routers support VPN pass-through, such as most Linksys units now do.
Glad to hear it is working for you now. Must have been getting frustrating.

Author Comment

by:drtony2
ID: 17078443
Thanks, a great, straightforward solution to a difficult problem, and a good step to try for anyone having difficulty accessing a VPN from behind a router.
LVL 77

Expert Comment

by:Rob Williams
ID: 17078452
Thanks drtony2.
Unfortunately NAT-T is not a configurable option on many VPN clients. However, it works here.
Cheers,
--Rob