Solved

Sonicwall PORT issue

Posted on 2007-07-31
Last Modified: 2013-11-16
We have a VPN set up LAN to LAN on Sonicwall standard OS, and IBM needs to have a port open on the firewall, port 5608. I have gone under Firewall Service and created a custom service for this port 5608; I then went to access rules and added the service in.

They can ping, telnet and ftp to the server fine over the VPN, but when they try to hit port 5608 they get Connection Refused:
643230 Jul 31 11:59:45 DXE404I process segment 'PVD' len=84 tag=4
S-643230 Jul 31 11:59:45 DXE404I process segment 'PVD' len=92 tag=4
S-643230 Jul 31 11:59:45 DXE404I process segment 'PTT' len=92 tag=5
S-643230 Jul 31 11:59:45 DXE404I process segment 'DRU' len=282 tag=9
S-643230 Jul 31 11:59:45 DXE404I process segment 'UIT' len=13 tag=11
S-643230 Jul 31 11:59:45 DXE404I process segment 'UIZ' len=7 tag=12
S-643230 Jul 31 11:59:45 DXD402I routeof: Q1='P' L1='2362806' L3='BERGEN'
S-643230 Jul 31 11:59:45 DXD103I route 'psolution' to '172.24.26.100:5608' is CL
OSED
S-643230 Jul 31 11:59:45 DXD106I open route 'psolution' addr '172.24.26.100:5608
'
S-643230 Jul 31 11:59:45 DXD107E '172.24.26.100:5608' netopen (connect) failed,
errno=79: Connection refused
S-643230 Jul 31 11:59:45 DXD501I errmsg: '198.200.199.100:TCP:43735': 'At 10.205
.225.35:TCP:5608 - netopen 172.24.26.100:5608 - Connection refused'
S-643230 Jul 31 11:59:45 DXE420I build status code=600: At 10.205.225.35:TCP:560
8 - netopen 172.24.26.100:5608 - Connection refused
S-643230 Jul 31 11:59:45 DXE423I UNA segment len=9
S-643230 Jul 31 11:59:45 DXExxxI rls_ind=0x20
S-643230 Jul 31 11:59:45 DXE426I UIB segment len=85
S-643230 Jul 31 11:59:45 DXE429I UIH segment len=47
S-643230 Jul 31 11:59:45 DXE431I UIH parse rc=3: SEGMENT_COMPLETE
S-643230 Jul 31 11:59:45 DXE434I UIH parsed len=79
S-643230 Jul 31 11:59:45 DXE437I UIH build rc=3: SEGMENT_COMPLETE
S-643230 Jul 31 11:59:45 DXE440I UIH 'STATUS' built len=47
S-643230 Jul 31 11:59:45 sts_init: code='600': 'At 10.205.225.35:TCP:5608 - neto
pen 172.24.26.100:5608 - Connection refused'
S-643230 Jul 31 11:59:45 DRRxxxI STS: size=119
S-643230 Jul 31 11:59:45 BUF: 53545300 36303000 00000000 00000000 |STS.600......

Is there a way for me to test this port over the Sonicwall firewall, or maybe it's on the server end that the connection is being refused? Can someone please advise me. Thanks

Question by:edvernier

Expert Comment

by:budchawla
ID: 19604774
I haven't clearly understood your setup, but if you basically want to check whether the Sonicwall is allowing the packets through, go to System -> Diagnostics -> Packet Trace and run a packet trace on either your source or destination IP address (or both, in sequence) to see whether the packets are (a) hitting the Sonicwall, (b) being relayed by the Sonicwall to your local server...

hth

bud

Author Comment

by:edvernier
ID: 19610449
The problem I have is that IBM is telling me that I do not have port 5608 open on my firewall, and they are getting connection refused when they try to send to the local unix server. I have opened the ports the same way as the other ports they needed, and the other ports work fine. How do I know whether it's the Sonicwall or the local server that is blocking the port? IBM is on the local VPN, and I thought that by default all ports are open for the local VPN anyway. If I try to do a local telnet to the local server IP and port 5608 it gets connection refused, because telnet is not looking for that port address. I was thinking maybe the software they have on the unix box looking for port 5608 is not working. I just need to prove to IBM it's not the Sonicwall blocking the port. Thanks, Ed

Expert Comment

by:budchawla
ID: 19615222
Hi Ed,

As I mentioned, you should do a packet trace on the source IP address (the one that's trying to connect to your LAN server on port 5608) to see if the packets are hitting the Sonicwall at all...

Then you can take it a step further once you know the answer to that...

BTW, in the firewall access rule, what did you set as the source and destination?
Can you copy/paste the rule here?
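An added example, not code from this thread or from SonicWall: a small Python TCP probe that separates the outcomes the thread is trying to tell apart (completed handshake, "Connection refused", silent timeout), so the same test IBM ran can be repeated from either side of the VPN. The "Connection refused" (errno=79) in IBM's log is an RST from the target host, which a firewall silently dropping the SYN would not produce (unless that firewall is configured to reject rather than drop); the demo() function reproduces open vs refused locally with a loopback listener, a constructed stand-in for the service that should be listening on 5608.

```python
import errno
import socket
from contextlib import closing

# What each connect() outcome says about where a block sits.
# "refused" is the key one for this thread: an RST only comes back if the
# SYN reached the host, so the firewall/VPN passed it and nothing is listening.
VERDICT = {
    "open":        "handshake completed: path allowed and a service is listening",
    "refused":     "RST received: path allowed, no listener on that port (check the server)",
    "filtered":    "no reply before timeout: SYN dropped on the path (firewall/VPN policy or routing)",
    "unreachable": "no route / ICMP unreachable: routing problem before the firewall is reached",
}

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect to host:port and classify the result."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise

def demo() -> tuple:
    """Reproduce 'open' vs 'refused' locally: a listener on an ephemeral
    loopback port (constructed stand-in for the service on 5608), then the
    same port again after the listener has gone away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)                 # kernel completes handshakes into the backlog
    port = srv.getsockname()[1]
    with_listener = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    without_listener = probe_tcp("127.0.0.1", port, timeout=1.0)
    return with_listener, without_listener

if __name__ == "__main__":
    for state in demo():
        print(f"{state:12s} {VERDICT[state]}")
```

Run it from the IBM side against 172.24.26.100:5608 and from the LAN itself: "refused" from both places points at the server, "filtered" only from the VPN side points at the firewall or routing.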
Author Comment

by:edvernier
ID: 19616604
Hi, I ran a port scanner over the VPN and that port is open on the firewall and the server. I had the other company send me a trace route, and what I see is they are coming over on IBM's 10 network and never making it to the 206 network that we have set up between us and IBM. So it seems like it's an issue on IBM's side and not ours. I would think IBM will need to route their 10 network to the 206 network on our VPN.

Accepted Solution

by:budchawla
ID: 19620516
OK, that looks like you've got it under control... let me know if there are any more problems...

Author Comment

by:edvernier
ID: 19622134
On another note, if I need to open 3 ports from the outside, I should go under services and add the 3 ports, then run the access rule wizard and pick the service I made, coming in from the WAN, then the source IP and end range IP, then to LAN and to * for any IPs on the LAN. This is correct, yes? I had a software company that needs to have the ports open for their software; I did it the way I said above and the software still will not make it back in from the WAN to the LAN. Thanks for your help. Ed

Expert Comment

by:budchawla
ID: 19623170
Hi,
Yes, follow the steps almost exactly as you mention, except for the bit about the * on the LAN side. If you want traffic on a certain port to go to a particular LAN device, then put in the IP of that LAN device - this will "port-forward" traffic for that service. If you want to be able to access multiple devices on your LAN with the same service, you'll need to get multiple public IPs and set up 1-1 NAT for those LAN devices.
Cheers
Bud

Author Comment

by:edvernier
ID: 19625137
Thanks, Bud, for the reply back. I used the * for the LAN side because 5 computers on the local LAN are on the private 172 address range and have this medical software that needs the 3 ports open in order to get the information back when they send the request out across the internet. Right now it fails to work, and the medical company said to open the 3 ports. So do I still need to do 1-to-1 NAT for the local systems on the 172 address? And if so, could you tell me how to set this up. Thanks, Ed

Expert Comment

by:budchawla
ID: 19625550
Hi,

If the request originates internally then SPI shouldn't block a reply to that port... and then you wouldn't need 1-1 NAT.

Is your whole network on the 172 range? If not, then have you got these 172-range systems on the DMZ?
You should try and separate your subnets...

Also if you've got the deep packet inspection features (IPS/GAV/GAS) turned on, check the logs for detections and disable detection on those categories if needed...

Once again, I would recommend running a packet trace on the IP in question to see where the packets are going. Alternatively, use a hub + laptop with Ethereal (or another packet sniffer) to see what's going on...
