Solved

How do I access Internet from VPN spoke via Hub gateway using Sonicwall

Posted on 2009-02-09
Last Modified: 2012-05-06
Hi,

I currently have a site-to-site VPN using two SonicWall TZ190s. One SonicWall can be considered a hub, as other remote offices will come online. The other SonicWall is one of the branches/spokes.

My problem is that I want the branch office to access the internet for a specific IP via the head office SonicWall, i.e. from the branch office via VPN to the head office default gateway. All other internet traffic I wish to access via the branch office's own SonicWall.

I must mention that the VPN terminates at the head office SonicWall on the same interface that I wish the branch office to access the specific WAN IP from.

Any help would be appreciated.
Question by:workingtechnology
8 Comments
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1200 total points
ID: 23603327
You need to set up a split tunnel rule and designate which IPs will go through the VPN.
I.e. you currently have the LAN-to-LAN type of rule. Add the host IP you want accessed through the VPN as part of that rule.
http://www.sonicwall.com/downloads/advanced_vpn.pdf
 
LVL 1

Author Comment

by:workingtechnology
ID: 23629172
I read the document you linked to and it doesn't show my situation, and it is quite an old document. My problem is that I need the branch office (192.168.10.x) to access the head office (192.168.11.x) as well as the external IP (10.0.10.x) that is only accessible from the head office (due to the requirement that the 10.0.10.x subnet must come in as WAN traffic for failover capability). I know it might not make sense and I should just have the 10.0.10.x connection as LAN, but I can't.
The VPNs are site-to-site, and I have tried putting a route on the branch office that says to access 10.0.10.x from any source and any service, then use the default gateway of the head office.
It doesn't like this, and a traceroute shows nothing.
Any further ideas would be appreciated.
 
LVL 81

Expert Comment

by:arnold
ID: 23630149
As part of your site-to-site VPN setup, you need to push all the IPs that are accessible via this VPN.
Presumably, currently you have site A advertising LANA to site B, while site B is advertising LANB to site A.
You need to add a LANC to be advertised from the office to the branch.
With this change, the branch office will have a route for LANA to the main office as well as 10.0.10.x.

You do not need to add a static route on the branch, you need to push the route through the VPN configuration.

You may also have to allow a same traffic rule to allow traffic coming in over an interface to be able to get sent back out over the same interface.
 
LVL 1

Author Comment

by:workingtechnology
ID: 23664654
Hi Arnold,

Thanks for replying so quickly. Are you saying I need to change the VPN policy's destination address object on Site B to say that it can access both Site A's LAN and the Site C LAN (10.0.10.x)?
Also, if that is what you are talking about, then how do you do a same traffic rule? Would this be done via NAT policies?
 
LVL 81

Expert Comment

by:arnold
ID: 23664960
Yes.
The option is as follows:
Since it is a single IP, you can add a static route on the branch SonicWall to route traffic for this IP through the VPN.
You then need to configure the office SonicWall to allow the VPN traffic to get out. Do you currently NAT the outgoing traffic to 10.0.10.x such that it is seen as originating from the office SonicWall, or is the VPN set up to allow office LAN IPs access to the 10.0.10.x?
If you are already NATing traffic to the 10.0.10.x IP, all you have to do is make sure on the office firewall that traffic from LANB and LANC is allowed to cross boundaries.
The alternative is to set up a mapping on LANA that reroutes the requests to 10.0.10.x, such that LANB and LANC will access an IP on LANA which will be NATed and sent through to 10.0.10.x.
 
LVL 1

Author Comment

by:workingtechnology
ID: 23665502
Hi Arnold,
I set the destination networks on Site B's VPN policy to the LAN subnet of Site A and the 10.0.10.x subnet.
I did this because this at least gives me an active VPN tunnel between Site A and Site B, but no green light for the Site C subnet. It wouldn't give me an active VPN tunnel at all if the Site C destination added was just a static IP.
I then went onto the Site A SonicWall and added firewall rules to allow traffic from the 10.0.10.x subnet to Site B, and allowed it to create a reflexive rule for this.
Pinging the respective destinations does not work.
If you are on Site A's network, all you have to do is type the Site C address you want to go to and it reaches its destination.
I have attached a simplified diagram of what the network looks like, hoping that it will make it clearer what I am trying to achieve.

Network-Diagram.pdf
 
LVL 81

Expert Comment

by:arnold
ID: 23666558
Something does not make sense: the IP on Site C is within the same segment as Site A's router's WAN IP.
If Site B can get to Site A's 10.0.10.1 (router WAN), why can it not go directly to 10.0.10.x?

Does the black cloud you have in the diagram include an external firewall that has a punched hole to the 10.0.10.1?
Double check the routing rules on your Site B router to make sure that it is not the entire 10.0.10.x segment that is routed to a specific destination, but only the one 10.0.10.x address.
Trying to make sure that a packet destined to 10.0.10.x could be sent through the VPN rather than routed through the external interface, the same way a VPN tunnel to 10.0.10.x is.

When you have a hub and spoke setup, you could use the routing protocol OSPF through the tunnels to advertise which segments are available. The hub will rebroadcast the routes from Site C along with Site A to Site B.
The problem with your current setup is that you do not actually have a Site C. In your current setup Site C is an external "unsecured" LAN outside the Site A router.
 
LVL 1

Accepted Solution

by:workingtechnology
workingtechnology earned 0 total points
ID: 23666778
Firstly, I didn't mention that I had an open support call with SonicWall, and the tech I was assigned obviously wasn't very familiar with VPNs. I spoke to another tech who fixed the issue for me within half an hour.
Solution: You were partially right, Arnold. The Site B SonicWall needed Site A and Site C in its destination networks under the VPN policy.
The second thing that needed to be done is that Site A's SonicWall needed Site A's and Site C's subnets in its local networks in its VPN policy, and Site B in its destination networks. Site C's address object in this situation is set to LAN.
The last step once this is done is to add a firewall rule allowing VPN to WAN so that it can allow traffic to Site C.

Site C is actually a secured LAN, but I didn't want to confuse the issue as it has no place in the requirements I had.

Thanks for your help.
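As an added example (not from the thread, and not SonicWall code), the following Python models the two checks the accepted solution touches: the phase-2 selectors both firewalls must agree on before a child SA exists for a destination network, and the hub's zone-to-zone access rule (VPN to the egress zone) that the tunnelled packet must still pass. The subnets are the thread's; the hub routing table, the rule sets and the "before" policies are assumptions.

```python
from ipaddress import ip_network, ip_address

# Constructed from the thread: Site A (hub) LAN, Site B (spoke) LAN, and the
# Site C subnet that the hub reaches through its WAN interface.
SITE_A_LAN = ip_network("192.168.11.0/24")
SITE_B_LAN = ip_network("192.168.10.0/24")
SITE_C     = ip_network("10.0.10.0/24")

# Assumed hub routing table: LAN subnet out the LAN interface, everything else out WAN.
HUB_ROUTES = [(SITE_A_LAN, "LAN"), (ip_network("0.0.0.0/0"), "WAN")]

def agreed_selectors(spoke, hub):
    """Phase-2 selectors both ends accept: a spoke destination network only gets a
    child SA when the hub lists that same network as one of its local networks
    (and the spoke's local network appears in the hub's destination networks)."""
    return {(l, d) for l in spoke["local"] for d in spoke["destination"]
            if d in hub["local"] and l in hub["destination"]}

def egress_zone(dst, routes):
    """Longest-prefix match over the hub's routes to find the outgoing zone."""
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

def path(src_ip, dst_ip, spoke, hub, hub_rules):
    """Trace a packet from the spoke LAN: selector check first, then the hub's
    VPN -> egress-zone access rule before the hub forwards it."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if not any(src in l and dst in d for l, d in agreed_selectors(spoke, hub)):
        return "not tunnelled: no agreed selector, spoke sends it out its own WAN"
    zone = egress_zone(dst, HUB_ROUTES)
    if ("VPN", zone) not in hub_rules:
        return f"dropped at hub: no VPN->{zone} rule"
    return f"forwarded via hub {zone}"

# Spoke policy as the asker set it: destinations are Site A's LAN and the Site C subnet.
SPOKE        = {"local": {SITE_B_LAN}, "destination": {SITE_A_LAN, SITE_C}}
# Assumed "before": hub only lists its own LAN locally and has no VPN->WAN rule.
BEFORE_HUB   = {"local": {SITE_A_LAN}, "destination": {SITE_B_LAN}}
BEFORE_RULES = {("VPN", "LAN")}
# Accepted solution: hub lists Site A and Site C as local networks, plus a VPN->WAN rule.
AFTER_HUB    = {"local": {SITE_A_LAN, SITE_C}, "destination": {SITE_B_LAN}}
AFTER_RULES  = {("VPN", "LAN"), ("VPN", "WAN")}

if __name__ == "__main__":
    for label, hub, rules in (("before", BEFORE_HUB, BEFORE_RULES),
                              ("tunnel up, no rule", AFTER_HUB, BEFORE_RULES),
                              ("after", AFTER_HUB, AFTER_RULES)):
        for dst in ("192.168.11.5", "10.0.10.20", "198.51.100.9"):
            print(f"{label:>19}: {dst:14} -> {path('192.168.10.7', dst, SPOKE, hub, rules)}")
```

The middle case reproduces the asker's intermediate state (tunnel green, pings to Site C failing), and the 198.51.100.9 row shows that ordinary internet traffic still leaves via the spoke's own gateway because no selector covers it.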
