Solved

VPN Set up using BOTH RRAS and SonicWall?

Posted on 2007-10-17
Last Modified: 2008-01-09
Hello All,
I am trying to set up a VPN connection to my network using BOTH RRAS and my SonicWall firewall.
I configured RRAS and had that working fine, but once I dropped in the SonicWall and ran the VPN wizard using a service group I created with the RRAS ports, i.e. 1723, 1701, 4500, 500, I cannot connect.
I have been trying many different configurations to no avail. I am not very happy with the SonicWall's lack of granular config. It seems that any forwarding needs to be done using wizards.
The server NICs are configured with... SOUTH=192.x.x.x private, NORTH 192.x.x.x public. I then of course have the SonicWall handling the rest. Any help on this would be greatly appreciated.
0
Question by:ssnyds
10 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20129854
Afraid I will not be much help, as I have done very little with Sonicwalls. However, just wanted to point out that it is not an easy configuration and might not even be possible. It is quite a lengthy procedure to set up site-to-site VPN using 2 RRAS servers. Using a hardware VPN device at one end will even further complicate the configuration, since your options will be somewhat different or even limited, as you have suggested. RRAS is best used for client-to-server configurations. Though site-to-site will work, VPN routers are so affordable these days that it is not often done.

Is it not possible to purchase another Sonicwall, even a smaller unit like the TZ170 series? Using 2 hardware firewalls is easier to configure, offers better security, and gives better performance by using a dedicated device for encrypting and decrypting.

Could you elaborate on: "server NIC's are configured with... SOUTH=192.x.x.x private, NORTH 192.x.x.x public"? Not quite sure what you mean. If using 192.168.x.x, that is not a public IP.
0
 
LVL 1

Author Comment

by:ssnyds
ID: 20130307
Hi Robwill,
Thanks for your response. I realize that 192 is not a public IP; however, when configuring the SonicWall OS Enhanced for the internet connection, I configured it for my real public IP to pass to the RRAS incoming NIC... does this make sense to you? In other words, if I were to take out the firewall and just use RRAS, the south NIC would have 192.... and the north NIC would be my public 74...... Since I cannot have 2 of the same IP addresses on the network, I just used a private IP for the north NIC for configuring the firewall.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20130423
<G> I'll assume North = External, and South = Internal ?
So you have:
  Internet =>(74.x.x.x)Sonicwall(192.168.x.x)=>(192.168.x.x)RRAS
If configured correctly, this should work fine.
My apologies, I misunderstood earlier. My mistake, not yours. You have described it correctly, but I thought you were doing site-to-site, with Sonicwall as the endpoint at one site, and the RRAS at the other site.

The Sonicwall needs to forward the VPN traffic to the RRAS server. I am assuming you are using the basic PPTP RRAS service. If so, you only need 2 things on the Sonicwall: forward traffic on port 1723 to the RRAS server, and enable GRE pass-through. I am not sure how you do the latter on the Sonicwall. On most similar routers there is an option to enable "PPTP pass-through". On some others, if you can forward a built-in PPTP service rather than port 1723, it will also automatically enable GRE.

You may want to review the following for your RRAS configuration. Ports 1701, 4500, and 500 are used with an L2TP/IPSec VPN, which is much more difficult to configure, so at this time you do not need to worry about them. If you want to do so, I would recommend getting the basic PPTP working first, as a test.
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm


0
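Added example (not part of the original thread): the comment above says PPTP needs both TCP port 1723 and GRE to reach the RRAS server, so this sketch classifies raw IPv4 packets from a capture assumed to be taken on the RRAS server's firewall-facing NIC and reports which half is missing. The function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

TCP, UDP, GRE = 6, 17, 47             # IP protocol numbers
PPTP_CONTROL_PORT = 1723              # PPTP control channel (TCP)
L2TP_IPSEC_PORTS = {500, 1701, 4500}  # L2TP/IPsec (UDP), per the thread

def ipv4_packet(proto, src, dst, sport=0, dport=0):
    """Constructed test packet: 20-byte IPv4 header plus 4 payload bytes."""
    if proto in (TCP, UDP):
        payload = struct.pack("!HH", sport, dport)
    else:
        payload = b"\x30\x01\x88\x0b"  # start of an enhanced GRE header (PPTP)
    # Header checksum is left at 0 in these constructed samples.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def classify(packet):
    """Label one raw IPv4 packet by the VPN role it plays."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto == GRE:
        return "gre"
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if proto == TCP and PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
        if proto == UDP and (sport in L2TP_IPSEC_PORTS or dport in L2TP_IPSEC_PORTS):
            return "l2tp-ipsec"
    return "other"

def diagnose(packets):
    """Verdict for a capture taken behind the firewall, at the RRAS server."""
    seen = {classify(p) for p in packets}
    if {"pptp-control", "gre"} <= seen:
        return "pptp-ok"
    if "pptp-control" in seen:
        return "gre-blocked"          # port 1723 is forwarded, protocol 47 is not
    if "gre" in seen:
        return "control-missing"
    return "no-pptp-traffic"          # the 1723 forward itself is not working

CLIENT, RRAS = "198.51.100.7", "192.168.1.10"  # constructed addresses
ONLY_CONTROL = [ipv4_packet(TCP, CLIENT, RRAS, 50000, 1723),
                ipv4_packet(TCP, RRAS, CLIENT, 1723, 50000)]
WITH_GRE = ONLY_CONTROL + [ipv4_packet(GRE, CLIENT, RRAS)]
print(diagnose(ONLY_CONTROL), diagnose(WITH_GRE))
```

A "gre-blocked" verdict corresponds to the case described above where port 1723 is forwarded but GRE pass-through is not enabled.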

 
LVL 78

Expert Comment

by:Rob Williams
ID: 20130452
ps-
The following link shows port forwarding on a Sonicwall. On the "Public Server" page, if there is a PPTP option, that will likely forward port 1723 as well as enable GRE:
http://www.no-ip.com/support/guides/routers/sonicwall.html

By the way... does your Sonicwall support using it as a VPN endpoint with the Sonicwall Global VPN client? This has some advantages: more granular control for VPN users, better performance, and increased security with IPSec.
0
 
LVL 1

Author Comment

by:ssnyds
ID: 20130531
Robwill,

Again, thank you for your timely response! I am using the Sonic TZ 170 Enhanced, which has all the damn wizards in it. I have used both the Public Server wizard and the VPN wizard, which have pre-configured port services available, i.e. PPTP, L2TP, etc. I have tried using both of these, and one at a time; for some reason it just won't let me through. I do have the Global VPN client available on this unit. Do you think it's possible that this can be a user licensing issue?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20130646
>>"I have used both the Public server wizard and the VPN wizard"
Shouldn't need the VPN wizard if using RRAS.

>>"do you think it's possible that this can be a user licensing issue?"
Licensing should only affect the Global VPN connections, though there could be a limit on the total number of internet users on the Sonicwall such as 10, 25, 50....

Is there a PPTP VPN configured on the Sonicwall already, as an endpoint? You cannot have both that and the RRAS server. You should however be able to configure IPSec Global VPN access as well as PPTP using RRAS.
The Global VPN does require licenses.
0
 
LVL 1

Author Comment

by:ssnyds
ID: 20130705
Ok, so let's say I wipe out all the settings on the firewall, configure RRAS on the server, use the public wizard to allow internet, and then use the PUBLIC wizard again to forward PPTP. This should hypothetically work?
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1500 total points
ID: 20132717
Hypothetically, yes <G>.

You could set up RRAS and then try to connect using the LAN IP from the same network. This would verify RRAS is OK, and then start re-doing the Sonicwall as phase 2.
0
 
LVL 1

Author Comment

by:ssnyds
ID: 20132775
I do have RRAS working now; however, I am using the actual Public IP address for the External NIC.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20166379
Thanks ssnyds.
Cheers !
--Rob
0
