workingtechnology

asked on

How do I access the Internet from a VPN spoke via the hub gateway using SonicWall

Hi,

I currently have a site-to-site VPN using two SonicWall TZ190s. One SonicWall can be considered a hub, as other remote offices will come online. The other SonicWall is one of the branches/spokes.

My problem is that I want the branch office to access the Internet for a specific IP via the head office SonicWall, i.e. from the branch office via VPN to the head office default gateway. All other Internet traffic I wish to access via the branch office's own SonicWall.

I must mention that the VPN terminates at the head office SonicWall on the same interface that I wish the branch office to access the specific WAN IP from.

Any help would be appreciated.
SOLUTION
arnold
workingtechnology

ASKER

I read the document you linked to and it doesn't show my situation, and it is quite an old document. My problem is that I need the branch office (192.168.10.x) to access the head office (192.168.11.x) as well as the external IP (10.0.10.x) that is only accessible from the head office (due to the requirement that the 10.0.10.x subnet must come in as WAN traffic for failover capability). I know it might not make sense and I should just have the 10.0.10.x connection as LAN, but I can't.
The VPNs are site-to-site, and I have tried putting a route on the branch office that says to access 10.0.10.x from any source and any service, then use the default gateway of the head office.
It doesn't like this, and a traceroute shows nothing.
Any further ideas would be appreciated.
As part of your site-to-site VPN setup, you need to push all the IPs that are accessible via this VPN.
Presumably currently you have site A advertising LANA to site B, while site B is advertising LANB to site A.
You need to add a LANC to be advertised from the office to the branch.
With this change, the branch office will have a route for LANA to the main office as well as 10.0.10.x.

You do not need to add a static route on the branch, you need to push the route through the VPN configuration.

You may also have to allow a same traffic rule to allow traffic coming in over an interface to be able to get sent back out over the same interface.
Hi Arnold,

Thanks for replying so quickly. Are you saying I need to change the VPN policy's destination address object on site B to say that it can access both site A's LAN and the site C LAN (10.0.10.x)?
Also, if that is what you are talking about, then how do you do a same-traffic rule? Would this be done via NAT policies?
Yes.
The option is as follows:
Since it is a single IP, you can add a static route on the branch SonicWall to route traffic for this IP through the VPN.
You then need to configure the office SonicWall to allow the VPN traffic to get out. Do you currently NAT the outgoing traffic to 10.0.10.x such that it is seen as originating from the office SonicWall, or is the VPN set up to allow office LAN IPs access to the 10.0.10.x?
If you are already NATing traffic to the 10.0.10.x IP, all you have to do is make sure on the office firewall that traffic from LANB and LANC is allowed to cross boundaries.
The alternative is to set up a mapping on LANA that reroutes the requests to 10.0.10.x, such that LANB and LANC will access an IP on LANA which will be NATed and sent through to 10.0.10.x.
Hi Arnold,
I set the destination networks on site B's VPN policy to the LAN subnet of site A and the 10.0.10.x subnet.
I did this because it at least gives me an active VPN tunnel between site A and site B, but no green light for the site C subnet. It wouldn't give me an active VPN tunnel at all if the site C destination added was just a static IP.
I then went onto the site A SonicWall and added firewall rules to allow traffic from the 10.0.10.x subnet to site B, and allowed it to create a reflexive rule for this.
Pinging the respective destinations does not work.
If you are on site A's network, all you have to do is type the site C address you want to go to and it reaches its destination.
I have attached a simplified diagram of what the network looks like, hoping that it will make it clearer what I am trying to achieve.

Network-Diagram.pdf
Something does not make sense: the IP on site C is within the same segment as site A's router's WAN IP.
If site B can get to site A's 10.0.10.1 (router WAN), why can it not go directly to 10.0.10.x?

Does the black cloud you have in the diagram include an external firewall that has a hole punched through to 10.0.10.1?
Double-check the routing rules on your site B router to make sure that the entire 10.0.10.x segment is not routed to a specific destination, but only a single 10.0.10.x is.
Trying to make sure that a packet destined for 10.0.10.x is sent through the VPN rather than routed through the external interface, the same way a VPN tunnel to 10.0.10.x is.

When you have a hub-and-spoke setup, you could use the routing protocol OSPF through the tunnels to advertise which segments are available. The hub will rebroadcast the routes from site C along with site A to site B.
The problem with your current setup is that you do not actually have a site C. In your current setup, site C is an external "unsecured" LAN outside the site A router.
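The route-specificity point in the reply above (route only the one 10.0.10.x host into the tunnel, not the whole segment that also contains the hub's WAN address 10.0.10.1) can be checked with a small longest-prefix-match simulation. This is an added example, not code from the thread or from SonicWall: it models the spoke's routing table with the addresses given in the thread (branch LAN 192.168.10.0/24, head-office LAN 192.168.11.0/24, head-office WAN IP 10.0.10.1) and uses 10.0.10.50 as an assumed placeholder for the unnamed "10.0.10.x" host. It shows that a 10.0.10.0/24 route into the VPN would also capture the tunnel peer's own address (recursive routing, so the tunnel cannot stay up), while a /32 for the single host sends that host through the VPN and everything else, including the peer, out the branch's own WAN.

```python
"""
Added example (not from the thread): simulate a spoke firewall's route lookup
to show why routing the whole 10.0.10.0/24 into the VPN breaks the tunnel,
while a /32 for the single destination host does not.

Addresses follow the thread: branch LAN 192.168.10.0/24, head-office LAN
192.168.11.0/24, head-office WAN IP 10.0.10.1. The destination host
10.0.10.50 is an assumed placeholder for the thread's "10.0.10.x".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # "WAN" = branch's own uplink, "VPN" = tunnel to head office


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins, as on any router."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def recursive_routing(routes, peer_ip, tunnel_iface="VPN"):
    """True if the VPN peer's own address would be sent into the tunnel that
    terminates on that peer. IKE/ESP to the peer then never reaches the WAN,
    so the tunnel cannot come up (or flaps once the route is installed)."""
    return lookup(routes, peer_ip) == tunnel_iface


def make_routes(site_c_prefix):
    """Spoke table: default out the branch WAN, head-office LAN and the
    Site C entry through the VPN. Only the Site C entry differs below."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "WAN"),
        Route(ipaddress.ip_network("192.168.11.0/24"), "VPN"),
        Route(ipaddress.ip_network(site_c_prefix), "VPN"),
    ]


HEAD_OFFICE_WAN = "10.0.10.1"   # from the thread
SITE_C_HOST = "10.0.10.50"      # assumed placeholder for "10.0.10.x"

# Whole segment via VPN, as in the asker's current VPN policy destination.
BAD_ROUTES = make_routes("10.0.10.0/24")
# Just the one host via VPN, as the reply recommends.
GOOD_ROUTES = make_routes(SITE_C_HOST + "/32")


def classify(routes):
    """Where the spoke would send the tunnel peer, the Site C host,
    a head-office LAN host and an arbitrary Internet host (203.0.113.7, constructed)."""
    return {
        "peer": lookup(routes, HEAD_OFFICE_WAN),
        "site_c": lookup(routes, SITE_C_HOST),
        "head_office_lan": lookup(routes, "192.168.11.20"),
        "internet": lookup(routes, "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, table in (("whole /24 via VPN", BAD_ROUTES), ("single /32 via VPN", GOOD_ROUTES)):
        print(name, classify(table), "recursive:", recursive_routing(table, HEAD_OFFICE_WAN))
```

The simulation only covers the spoke's route selection. The hub side still needs what the earlier reply describes: a rule letting traffic that arrived over the VPN leave by the same WAN interface, and a NAT so the Site C host sees the head-office WAN address rather than 192.168.10.x.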
ASKER CERTIFIED SOLUTION