Can't access Sonicwall VPN server from behind router

From home I can access the SonicWALL directly from the DSL modem. If I try to access it from behind the router, I get a "connected" message but cannot access any services. Also, my SonicWALL virtual adapter has an IP of 0.0.0.0.

I have a Speedstream 5100 DSL modem connected to a newer Linksys router with the latest firmware.
I disabled all firewalls on both the router and the PC.
Modem is 192.168.0.1; router and PC are on the 192.168.15.x subnet.
PCs at work are on the 192.168.1.x subnet.
The modem has been tried in both gateway and PPPoE mode.
PC is on Windows 2000 Professional.
Rob Williams commented:
- The Linksys at your remote site should have the appropriate service enabled. This depends on the type of tunnel you have established. I assume it is IPSec, so on the Linksys there should be an option to "enable IPSec pass-through", or if using another protocol, enable PPTP or L2TP pass-through.
- Also, what is the WAN IP of the Linksys? Is it a public IP or a private IP such as
192.168.0.1 to 192.168.255.254
10.0.0.1 to 10.255.255.254
172.16.0.1 to 172.31.255.254
If it is a private IP you would normally put the modem in bridge mode, but that is not an option with the 5100. Let us know and we can see if we can deal with it if it is a problem. The Linksys needs to have a public WAN IP.
 
drtony2 (Author) commented:
Linksys model WRT55A+G - public IP - 69.x.x.x
It has a VPN passthrough panel to enable 3 protocols, 1 of which is IPSec - all 3 are enabled.
This particular modem did give me an option to put it in bridge mode (perhaps a firmware upgrade) and it is set to bridge mode.
 
Rob Williams commented:
The Speedstream 5100 can be put in bridge mode, or is it another unit? In any case, if it has a 69.x.x.x IP, that is not the problem.
It may be that the SonicWALL does not support NAT-T (remote end behind a router/NAT device). Which model SonicWALL? Perhaps there is something in the documentation.
 
drtony2 (Author) commented:
The 5100 itself is in bridge mode. The Linksys has the 69.x.x.x IP passed through to it.
It's a SonicWALL TZ170. I don't have access to the SonicWALL server or docs.
I do know another employee was able to use it behind a router who has a cable modem (vs. DSL). Though I could get changes made to the SonicWALL if there are some settings that can be modified.
 
Rob Williams commented:
Interesting, I looked at the web site and those 5100s are radically different than the ones I have seen here. Anyway, the configuration sounds fine.

Have a look at the following question. It seems to be a similar problem and the accepted answer tells you how to deal with NAT-T:
http://www.experts-exchange.com/Security/Firewalls/Q_20929807.html
See if it is any help.
...and another:
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21466307.html

An outline from the SonicWALL client manual:
http://www.sonicwallfirewalls.com/support/pdfs/technotes/SonicWALL_GSC_GVC_FAQ_Final.pdf

"Can I shut off NAT-T?
Yes – you can set NAT Traversal to 'Automatic', 'Forced On', or 'Disabled' on the GVC. This is on a per-connection basis, and is controlled via the 'Peers' tab for each connection profile (simply select the peer from the list and click on the 'Edit…' button to access the settings). By default, all connection profiles are set to 'Automatic', which means that if the SonicWALL is also set to use NAT-T, it will be negotiated during the connection process. This is controlled by the 'Advanced' VPN settings on the SonicWALL device.

So, what exactly is NAT-T and why would I want to use it?
Unfortunately, IKE/IPSec VPN connections cannot successfully negotiate if any device between the two endpoints performs network address translation (NAT) on the session, since IKE/IPSec notes the original endpoint source IP addresses as part of the setup. This is a common problem for software-based VPN clients that operate behind remote Firewall/NAT devices that are not set for 'IPSec Passthru', or simply are not capable of it. In order to get around this problem, NAT-T encapsulates the traffic into UDP packets. This also helps with environments where any device between the two endpoints is set to block IPSec packets. NAT-T is on by default in the GVC and on all SonicWALL devices, and its use is strongly recommended."
--Rob
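The FAQ quoted above says what NAT-T does but not what it looks like on the wire, which is what decides whether a home router's "IPSec pass-through" setting matters at all. The following is an added example, not code from the thread or from SonicWALL: it parses a few constructed IPv4 packets and sorts them into plain IKE (UDP/500), raw ESP (IP protocol 50, which a NAT cannot forward without pass-through support) and the three NAT-T framings on UDP/4500 defined in RFC 3947/3948 (IKE behind a four-zero-byte non-ESP marker, UDP-encapsulated ESP, and the one-byte 0xFF keepalive). The addresses, SPIs and packet contents are constructed sample values; a practitioner would feed it real captures from the router's WAN side to see which of the two tunnel styles is actually being attempted.

```python
"""Classify IPsec-related packets the way a NAT/VPN pass-through device must.

Added example for the NAT-T discussion; not part of the original thread or of
any SonicWALL product. Port numbers and NAT-T framing follow RFC 3947/3948;
every packet below is constructed in this file.
"""
import struct
from dataclasses import dataclass

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.1: prefixes IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.3: single 0xFF byte keeps the NAT mapping alive


@dataclass
class Verdict:
    kind: str                 # "IKE", "ESP", "NAT-T IKE", "NAT-T ESP", "NAT-T keepalive", "other"
    needs_passthrough: bool   # True if a plain NAT cannot forward it without IPsec pass-through
    detail: str


def parse_ipv4(pkt: bytes):
    """Return (protocol, payload) for an IPv4 packet; reject anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (options included)
    return pkt[9], pkt[ihl:]


def classify(pkt: bytes) -> Verdict:
    proto, payload = parse_ipv4(pkt)
    if proto == IP_PROTO_ESP:
        # Raw ESP has no ports, so a NAT has nothing to rewrite: this is the
        # case the router's "IPSec pass-through" option exists for.
        (spi,) = struct.unpack("!I", payload[:4])
        return Verdict("ESP", True, f"raw ESP, SPI 0x{spi:08x}; needs IPsec pass-through on the NAT")
    if proto != IP_PROTO_UDP:
        return Verdict("other", False, f"IP protocol {proto}")
    sport, dport, ulen = struct.unpack("!HHH", payload[:6])
    udp_data = payload[8:ulen]
    if IKE_PORT in (sport, dport):
        return Verdict("IKE", False, "IKE on UDP/500; forwards like any UDP, but embedded addresses may mismatch")
    if NAT_T_PORT in (sport, dport):
        if udp_data == NAT_KEEPALIVE:
            return Verdict("NAT-T keepalive", False, "0xFF keepalive refreshing the UDP/4500 mapping")
        if udp_data[:4] == NON_ESP_MARKER:
            return Verdict("NAT-T IKE", False, "IKE behind the non-ESP marker on UDP/4500")
        (spi,) = struct.unpack("!I", udp_data[:4])
        return Verdict("NAT-T ESP", False, f"UDP-encapsulated ESP, SPI 0x{spi:08x}; plain NAT forwards it")
    return Verdict("other", False, f"UDP {sport}->{dport}")


# --- constructed sample traffic (addresses from RFC 1918 / RFC 5737 ranges) ---
def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, payload: bytes, src="192.168.15.10", dst="203.0.113.1") -> bytes:
    # Version 4, IHL 5, no options; checksum left zero since nothing here verifies it.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = {
    "ike":       build_ipv4(IP_PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x01" * 28)),
    "esp":       build_ipv4(IP_PROTO_ESP, struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16),
    "natt_ike":  build_ipv4(IP_PROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"\x02" * 28)),
    "natt_esp":  build_ipv4(IP_PROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16)),
    "keepalive": build_ipv4(IP_PROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, NAT_KEEPALIVE)),
}


def summarize(packets: dict) -> dict:
    """Map each sample name to the kind of traffic it is."""
    return {name: classify(pkt).kind for name, pkt in packets.items()}


def passthrough_needed(packets: dict) -> list:
    """Names of samples a NAT cannot forward without IPsec pass-through."""
    return [name for name, pkt in packets.items() if classify(pkt).needs_passthrough]


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = classify(pkt)
        print(f"{name:10} {v.kind:16} pass-through needed: {v.needs_passthrough}  ({v.detail})")
```

Read against the thread: with NAT-T disabled on both ends, the tunnel runs as UDP/500 IKE plus raw ESP, which is exactly the traffic the Linksys "IPSec pass-through" option handles; with NAT-T on, everything after the first IKE exchange rides on UDP/4500 and the pass-through setting is irrelevant. Either style works, but the two ends have to agree, which is why flipping the GVC setting fixed a tunnel that the default "Automatic" could not negotiate.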
 
drtony2 (Author) commented:
Thanks, the info is written pretty clearly, but the question is that you're saying you should use NAT-T and it is set by default on both the SonicWALL server and the GVC, so it should already be working? Was there something to change or try on either end? My GVC is set to Automatic.
 
Rob Williams commented:
I was wondering, on the client's Peers tab, do you have the option to enable NAT-T? If so, try enabling it. One of those posts suggests disabling it, so if one doesn't work, try the other.
 
drtony2 (Author) commented:
I didn't think this one was going to be solvable, but you got it - disabling NAT-T on the GVC worked, with all the firewalls enabled as well. Everything I read said the opposite, to use NAT-T?

Before I close out the question, is there any rationale / justification that they would have turned off NAT-T on the Server end, or should it have been left enabled as it defaulted?
 
Rob Williams commented:
I must apologize I don't fully understand NAT-T. I too would have thought it needed to be enabled when the client is behind a router. It does however usually have to be set the same on both ends of the tunnel. If disabled on the VPN server it would normally need to be disabled on the client end. It seems to be needed less often as more and more devices/routers support VPN pass-through, such as most Linksys units now do.
Glad to hear it is working for you now. Must have been getting frustrating.
 
drtony2 (Author) commented:
Thanks, a great, straightforward solution to a difficult problem, and a good step for anyone to try who is having difficulty accessing a VPN from behind a router.
 
Rob Williams commented:
Thanks drtony2.
Unfortunately NAT-T is not a configurable option on many VPN clients. However, it works here.
Cheers,
--Rob