Solved

Established Sonicwall site to site VPN won't allow PCs to talk to each other

Posted on 2006-11-30
446 Views
Last Modified: 2010-04-12

We have a site to site VPN established between two Sonicwall TZ170 firewalls and a Cisco 3030 concentrator.  

S1->S2->C

S1 is a Sonicwall Tz170w standard  :  Addresses behind this are 192.168.22.x and 192.168.23.x
S2 is a Sonicwall Tz170 enhanced :  Addresses behind this are 192.168.0.x thru 192.168.9.x
C is a Cisco 3030  :  Addresses behind this are 10.x

The tunnels are up and we know that they are working because PCs behind S1 are able to access private resources behind C.  (using a variety of ports) However, PCs in S2 are not able to access servers or PCs behind S1.

Anyone know why S1 PCs can access C servers, but S2 PCs can't ping or VNC into S1 PCs?
Question by:okacs
15 Comments
 
LVL 7

Expert Comment

by:jasonpaine
ID: 18049147
On the VPN policy make sure that Encryption and Authentication match. What errors related to the VPNs are you getting in the Sonicwall logs? Can you download the TSR from both units and post them?
 

Author Comment

by:okacs
ID: 18049356

There are no errors in the logs.  The tunnels are up and stable.  S1 can access C via S2.  So we know the connectivity works from S1 PCs to C servers.
LVL 7

Expert Comment

by:jasonpaine
ID: 18051445
In S2
In the VPN policy in the Sonicwall on the Network tab > Destination Networks > Choose destination network from list > make sure you have created an address object for the S1 and Cisco networks
On the Advanced tab > VPN Policy bound to: LAN or X1

In S1
In the VPN policy on the General tab > Destination Networks add your two destination networks
On the Advanced tab > VPN Terminated at: LAN
May want to switch from IKE using preshared secret to manual key

On the VPN > Advanced VPN Settings page ensure that Enable Fragmented Packet Handling is checked

Also you could do a continuous ping from S2 to S1 from the System > Diagnostics page in the Sonicwall and see if any VPN errors are logged and adjust your WAN MTU.


Author Comment

by:okacs
ID: 18054335
JasonPine,

To answer your questions:

    S1 & S2 both already have Enable Fragmented Packet Handling  checked.

    In S1, the VPN is currently terminating at LAN/WAN. (I think this was necessary to facilitate S1 accessing C servers) (?)

    In S2, the policy is currently bound to zone WAN.  Are you saying that I should change this to LAN?  What effect will that have?

    When you say "In S2 ... make sure you have created an address object for the S1 and Cisco" what do you mean?
    I already have the internal LAN nic's address of the S1 sonicwall in that group of addressable objects.  
    Do I need an additional entry?  And if so, what?

FYI - C is a 3rd party device and is out of my control.  The primary purpose of these hub & spoke VPNs is for S1 to reach services behind C, which works.  Now I'm trying to enable a secondary purpose, which is to be able to ping, VNC and HTTP or HTTPS from S2 PCs into S1 PCs and vice versa.

Thanks.
LVL 7

Expert Comment

by:jasonpaine
ID: 18056584
With the Sonicwall the VPN needs to terminate on the LAN, otherwise the connection will stop at the WAN side of the Sonicwall. The Sonicwall basically stops everything on its WAN, then checks access rules etc.

In enhanced firmware you create address objects for networks that you are connecting to so the firewall knows what it is connecting to.
Name:  any
Zone Assignment: VPN
Type:  Network
Network:  192.168.50.xx
Netmask: 255.255.255.0
In your enhanced Sonicwall on the Network > Address Objects page, click the ? on the top right of the page; this will explain it.

Author Comment

by:okacs
ID: 18076766

>>> In enhanced firmware you create address objects for networks that you are connecting to so the firewall knows what it is connecting to

Yes, I know that.  I meant what address did you want me to create as an object?

Thanks.

Author Comment

by:okacs
ID: 18076979
PS - I changed the VPN to terminate at LAN and the tunnel re-established successfully, but still can't ping S1 PCs from S2 PCs.
The addresses of all the S1 objects (internal addresses) are already in the VPN's destination networks group.

S1 network is 22.0 with a 255.0 mask

S2 network is multiple networks 1.0, 2.0, 3.0 all with 255.0 masks with gateways of 1.1, 2.1, 3.1 respectively.
The S2 Sonicwall (enhanced) has a LAN IP of 0.1 with mask 0.0 and has "virtual IPs" for each of the networks' gateways (1.1, 2.1, 3.1, etc.) via static ARPs.

Thanks.



Author Comment

by:okacs
ID: 18077172
More info...

Actually, the S1 network is 22.0 with a 255.0 mask and gateway of 22.1 and 23.0 with a 255.0 mask and gateway of 23.1  (WLAN)

After some testing, I find that I *can* ping from S2 PCs to S1 PCs now, but only from S2's 0.0 network to S1's 22.0 network (and vice versa).
S2's other networks (1.0, 2.0, 3.0) can't see any of S1's networks and S1's other network (23) can't see any of S2's networks.

I think the VPN part is fixed, but there seems to be internal routing issues for traffic that crosses the VPN??

Just to clarify, S1 22.0 can ping 23.0 just fine (and vice versa)
And S2's 0.0 can ping all other local networks (1.0, 2.0, 3.0) just fine (and vice versa)

It is ONLY the VPN traffic that can't seem to jump to the other local networks.  It is like the VPN traffic does not want to follow the ARPs...

Thanks.


Author Comment

by:okacs
ID: 18087113

Any ideas?
Help?
LVL 7

Expert Comment

by:jasonpaine
ID: 18089984
Are there any routers behind any of the firewalls? For example, the VPN reaches the LAN then hits another router; that router would have to forward the VPN connection to the next subnet.  Do all of the firewalls have the others' LANs as destination networks?
LVL 7

Accepted Solution

by:
jasonpaine earned 500 total points
ID: 18108951
How are the VPNs coming along?

Author Comment

by:okacs
ID: 18115782

No, there are no routers BEHIND the firewalls on either S1 or S2.

Yes, S1 has S2's LANs as destination networks and S2 has S1's LANs as destination networks.

Still no luck.

Author Comment

by:okacs
ID: 18141073
Any ideas?
Help?

Author Comment

by:okacs
ID: 18548809
I figured it out.  The problem was that the subnet mask on the S2 network was fff.fff.0.0 instead of fff.fff.fff.0.  I changed the mask and everything works now.  Thanks.
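An added check, not part of the thread and not SonicWall tooling, that flags the misconfiguration okacs found: it compares a LAN interface's IP and mask against the VPN policy's destination networks and reports any overlap. It uses the addresses from the thread, reads "fff.fff.0.0" as 255.255.0.0 and "fff.fff.fff.0" as 255.255.255.0, and treats all function and variable names as assumptions.

```python
import ipaddress

# Constructed from the thread (illustration only, not a SonicWall export):
# S1's two LANs are the VPN destination networks configured on S2.
S1_NETWORKS = ["192.168.22.0/24", "192.168.23.0/24"]


def on_link_conflicts(interface_ip, interface_mask, vpn_destinations):
    """Return the VPN destination networks that overlap the interface's
    on-link prefix.

    When a tunnel destination sits inside a local interface's prefix the
    firewall has two competing answers for where that network lives (directly
    attached on the LAN, or behind the VPN), which is exactly the situation a
    too-wide mask such as 255.255.0.0 on 192.168.0.1 creates for 192.168.22.0/24.
    """
    local = ipaddress.ip_interface(f"{interface_ip}/{interface_mask}").network
    return [str(net) for net in map(ipaddress.ip_network, vpn_destinations)
            if net.overlaps(local)]


def audit(interfaces, vpn_destinations):
    """Check every local interface (ip, mask) against the tunnel's destination
    list. Returns {interface_ip: [overlapping destinations]} for the interfaces
    that conflict; an empty dict means the masks and the VPN policy agree."""
    report = {}
    for ip, mask in interfaces:
        conflicts = on_link_conflicts(ip, mask, vpn_destinations)
        if conflicts:
            report[ip] = conflicts
    return report


if __name__ == "__main__":
    # S2 as misconfigured in the thread: a /16 on the LAN interface swallows
    # every 192.168.x.0 network, including the two behind S1.
    print(audit([("192.168.0.1", "255.255.0.0")], S1_NETWORKS))
    # After the fix: a /24 on each local network, nothing overlaps S1.
    print(audit([("192.168.0.1", "255.255.255.0"),
                 ("192.168.1.1", "255.255.255.0")], S1_NETWORKS))
```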

Author Comment

by:okacs
ID: 18548831
I will accept your last comment to close the question because you had a lot of good suggestions and were so helpful.