Can't access Sonicwall VPN server from behind router

From home I can access sonicwall directly from DSL modem.  If I try to access from behind router, I get connected message, but can not access any services.  Also, my sonicwall virtual adapter has an ip of

I have Speedstream 5100 DSL Modem to newer Linksys router with latest firmware.  
I disabled all firewals in both router & on PC.  
Modem is,  Router & PC on 192.168.15.X subnet
PC's at work on 192.168.1.x subnet
Modem has been tried in both gateway & ppoe mode.  
PC on Windows 2000 professional.
Who is Participating?
Rob WilliamsConnect With a Mentor Commented:
I was wondering on the client on Peers tab, do you have the option to enable NAT-T. If so try enabling it. One of those posts suggests disabling it, so if one doesn't work, try the other.
Rob WilliamsCommented:
-The Linksys at your remote site should have the appropriate service enabled, This depends on the type or tunnel you have established. I assume it is IPSec, so on the Linksys there should be an option to "enable IPSec pass-through", or if using another protocol enable PPTP, or L2TP pass-through.
-Also what is the WAN IP of the Linksys? Is it a public IP or a private IP such as  to  to  to
If a private IP you would normally put the Modem in bridge mode but that is not an option with the 5100. Let us know and we can see if we can deal with it if it is a problem. The Linksys needs to have a public WAN IP.
drtony2Author Commented:
Linksys Model WRT55A+G - public ip - 69.x.x.x
It has a VPN passthrough panel to enable 3 protocols, 1 of which is IPSEC - all 3 are enabled.
This particular modem did give me an option to put it in bridge mode (perhaps firmware upgrade)  and it is set to bridge mode.

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Rob WilliamsCommented:
The Speedstream 5100 can be put in bridge mode? or another unit. In any case if it has a 69.x.x.x IP, that is not the problem.
It may be that the Sonicwall does not support NAT-T (remote end behind a router/NAT device). which model Sonicwall? Perhaps there is something in the documentation.
drtony2Author Commented:
The 5100 itself is in bridge mode.  The linksys has the 69.x.x.x ip passed through to it.  
Its a Sonicwall TZ170. I dont have access to the sonicwall server or doc.  
I do know another employee was able to use it behind a router who has a cable modem (v. DSL). Though I could get changes to be made to the sonicwall if there are some settings that can be modified.

Rob WilliamsCommented:
Interesting, looked at the web site and those 5100's are radically different than the ones I have seen here. Any way configuration sounds fine.

Have a look at the following question. Seems to be similar problem and the accepted answer tells you how to deal with NAT-T
See if it is any help.
...and another:

An outline from the SonicWall client manual:
[  ]
"Can I shut off NAT-T?
Yes – you can set NAT Traversal to ‘Automatic’, ‘Forced On’, or ‘Disabled’ on the GVC. This is on a per-connection
basis, and is controlled via the ‘Peers’ tab for each connection profile (simply select the peer from the list and click
on the ‘Edit…’ button to access the settings). By default, all connection profiles are set to ‘Automatic’, which means
that if the SonicWALL is also set to use NAT-T, it will be negotiated during the connection process. This is
controlled by the ‘Advanced’ VPN settings on the SonicWALL device.
So, what exactly is NAT-T and why would I want to use it?
Unfortunately, IKE/IPSec VPN connections cannot successfully negotiate if any device between the two endpoints
performs network address translation (NAT) on the session, since IKE/IPSec notes the original endpoint source IP
addresses as part of the setup. This is a common problem for software-based VPN clients that operate behind
remote Firewall/NAT devices that are not set for ‘IPSec Passthru’, or simply are not capable of it. In order to get
around this problem, NAT-T encapsulates the traffic into UDP packets. This also helps with environments where
any device between the two endpoints is set to block IPSec packets. NAT-T is on by default in the GVC and on all
SonicWALL devices, and its use is strongly recommended."
drtony2Author Commented:
Thanks the info is written pretty clearly, but the question is that youre saying you should use NAT-T and it is set by default on both the sonicwall server & the GVC, so that it should already be working?  Was there something to change or try on either end?  My GVC is set to automatic.
drtony2Author Commented:
I didnt think this one was going to be solvable, but you got it - disabling NAT-T on the GVC worked, with all the firewalls enabled as well.  Everything read said the opposite to use NAT-T?  

Before I close out the question, is there any rationale / justification that they would have turned off NAT-T on the Server end, or should it have been left enabled as it defaulted?
Rob WilliamsCommented:
I must apologize I don't fully understand NAT-T. I too would have thought it needed to be enabled when the client is behind a router. It does however usually have to be set the same on both ends of the tunnel. If disabled on the VPN server it would normally need to be disabled on the client end. It seems to be needed less often as more and more devices/routers support VPN pass-through, such as most Linksys units now do.
Glad to hear it is working for you now. Must have been getting frustrating.
drtony2Author Commented:
Thanks, great straight forward solution to a difficult problem, and good step for anyone to try having difficulty accessing VPN behind a router.
Rob WilliamsCommented:
Thanks drtony2.
Unfortunately NAT-T is not a configurable option on many VPN clients. However, works here.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.