We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


How do I access Interent from VPN spoke via Hub gateway using Sonicwall

Medium Priority
Last Modified: 2012-05-06

I currently have a site to site vpn using two sonicwall TZ190's. One sonicwall can be considered a hub as other remote offices will come on line. The other sonicwall is one of the branches/spokes.

My problem is that I want the branch office to access the internet for a specific ip via the head office sonicwall. i.e. from branch office via vpn to head office default gateway. All other internet traffic I wish to access via the branch offices own sonicwall.

I must mention that the vpn terminates at the Head office sonicwall on the same interface that I wish the Branch office to access the specific wan ip from.

Any help would be appreciated.
Watch Question

Distinguished Expert 2019
You need to setup a split tunnel rule and designate which IPs will go through the VPN.
I.e. you currently have the LAN to LAN type of rule.  Add the Host IP you want accessed through the VPN as part of that rule.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


I read the document you linked to and it doesn't show my situation and it is quite an old document. My problem is that I need the Branch office (192.168.10.x) to access the Head office (192.168.11.x) as well as the external IP (10.0.10.x) that is only accessible from Head Office (Due to the requirement that the 10.0.10.x subnet must come in as WAN traffic due to fail over capability). I know it might not make sense and I should just have the 10.0.10.x connection as LAN but I can't.
The vpns are site to site and I have tried putting a route on the Branch office that says to access 10.0.10.x from any source and any service then use the default gateway of the Head Office.
It doesn't like this and a trace route shows nothing.
Any further ideas would be appreciated.
Distinguished Expert 2019

Part of your site-to-site VPN setup, you need to push all the IPs that are accessible via this VPN.
Presumably currently, you have site a advertising LANA to site b, while site b is advertising LANB to site a.
You need to add a lanc to be advertised from the office to the branch.
With this change, the branch office will have a route for LANA to the Main office as well as 10.0.10.x

You do not need to add a static route on the branch, you need to push the route through the VPN configuration.

You may also have to allow a same traffic rule to allow traffic coming in over an interface to be able to get sent back out over the same interface.


Hi Arnold,

Thanks for replying so quickly. Are saying I need to change the vpn policy's destination address object on Site B to say that it can access both Site A's lan and the Site C lan (10.0.10.x)?
Also if that is what you are talking about then how do you do a same traffic rule? Would this be done via nat policies?
Distinguished Expert 2019

The option is as follows:
Since it is a single IP, you can add a static route on the branch Sonicwall to route traffic for this IP through the VPN.
You then need to configure the Office sonicwall to allow the VPN traffic to get out.  Do you currently NAT the outgoing traffic to 10.0.10.x such that it is seen as originating from the Office Sonicwall or is the VPN setup to allow Office LAN ips access to the 10.0.10.x?
If you are already nating traffic to the 10.0.10.x IP, all you have to make sure on the office firewall that traffic from LANB and LANC is allowed to cross boundaries.
The alternative is to setup a mapping on LANa that reroutes the requests to 10.0.10.x such that LANB and LANC will access an IP on LANa which will be nated and sent through to 10.0.10.x.


Hi Arnold,
I set the destination networks on site B's vpn policy to the lan subnet of site A and the 10.0.10.x Subnet.
I did this because this at least gives me an active vpn tunnel between site A and Site B but no green light for the Site C subnet. It wouldn't give me an active vpn tunnel at all if the Site C destination added was just a static ip.
I then went onto the Site A sonicwall and added firewall rules to allow traffic from 10.0.10.x subnet to Site B and allowed it to create a reflexive rule for this.
Pinging the respective destinations does not work.
If you are on site A's network all you have to do is type the Site C address you want to go to and it reaches it's destination.
I have attached a simplified diagram of what the network looks like hoping that it will make it clearer on what I am trying to achieve.

Distinguished Expert 2019

Something does not make sense, the IP on the Site C is within the same segment as SiteA's router's WAN IP.
If siteB can get to Site A's (router WAN), why can it not go directly to 10.0.10.x?

Is the Black cloud you have in the diagram includes an external firewall that has a punched hole to the
Double check the routing rules on your Site B router to make sure that not the entire 10.0.10.x segment is routed to a specific destination but only a 10.0.10.x is.
trying to make sure that a packet destined to 10.0.10.x could be sent through the VPN rather than routed through the external interface the same way a VPN tunnel to 10.0.10.x is.

When you have a hub and Spoke setup.  You could use the routing protocol OSPF through the tunnels to advertise which segments are available. The hub will rebroadcast the routes from SIteC along with sitea to sites B.
The problem with your current setup, you do not actually have a site C.  In your current setup Site C is an external "unsecured" LAN outside the siteA router.
Firstly I didn't mention that I had an open support call with Sonicwall and the tech I was assigned obviously wasn't very familiar with VPN's. I spoke to another tech who fixed the issue for me within half an hour.
Solution: You were partially right Arnold. The Site B sonicwall needed Site A and Site C in its destination networks under the VPN policy.
The second thing that needed to be done is that Site A's sonicwall needed site A and Site C's subnets in its local networks in it's VPN policy and Site B in its destination networks. Site C's address object in this situation is set to LAN.
The last step once this is done is to add a firewall rule allowing VPN to WAN so that it can allow traffic to SITE C.

Site C is actually a secured lan but I didn't want to confuse the issue as it has not place in the requirements I had.

Thanks for your help.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.