VPN Routing problem, new Router

Posted on 2009-04-09
Last Modified: 2012-05-06
I am trying to replace our SonicWall Pro 3060 Router with an Endian Firewall as router. Here is the layout:

192.168.10.210 - SonicWall Router
192.168.10.220 - Endian Firewall (2.2RC3)
192.168.10.230 - 3000 Series Concentrator
192.168.15.x - Remote software VPN clients (connect to concentrator)
192.168.20.x - Remote Office A (connects to concentrator)
192.168.30.x - Remote Office B (connects to concentrator)

Users in 15.x / 20.x / 30.x cannot access servers in 10.x if I change them to have the Endian firewall as default gateway (meaning I can't throw that SonicWall in the trash where it belongs). I have default routes set up in the Endian GUI. Maybe they are not working? Something else?
Question by:zreisman
7 Comments
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 24108502
You need static routes on the servers pointing to the VPN concentrator.

I've frequently seen the same problem with Cisco PIX/ASA devices; the firewall wants all traffic to be stateful. Since it only sees half of the traffic, it blocks it because it's not part of an established session.
LVL 1

Author Comment

by:zreisman
ID: 24108572
The remote sites are connecting through PIX 515s. I'm confused about why it only sees half the traffic. Which firewall wants all traffic to be stateful? If I am setting up static routes on every server (or client, if they are accessing resources in the remote sites), that kind of defeats the purpose of a "router".
LVL 1

Author Comment

by:zreisman
ID: 24108593
To elaborate. The problem is: any host in 192.168.10.x, when set up with a default gateway of 192.168.10.220 (Endian), cannot access resources in the remote domains, and the remote domains cannot access that host.
LVL 28

Assisted Solution

by:asavener
asavener earned 2000 total points
ID: 24108621
The Endian Firewall is the one blocking the traffic:

Session initiated (SYN):  Remote site -> VPN -> VPN Concentrator -> Server
Server responds (SYN/ACK):  Server -> (Default route) -> Endian Firewall (blocks traffic)

Once you add a static route:

Session initiated (SYN):  Remote site -> VPN -> VPN Concentrator -> Server
Server responds (SYN/ACK):  Server -> (Static route) -> VPN Concentrator -> VPN -> Remote site
Client responds (ACK)

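The asymmetric path asavener describes, traced in a small added Python model (this is not code from the thread): the firewall's connection tracker only sees the server's SYN/ACK, never the SYN that came in via the concentrator, so the reply is dropped; a static route for the remote networks via 192.168.10.230 keeps both halves on the same path. The addresses are the ones from the question; the `route -p add` lines it emits follow the Windows syntax asavener mentions.

```python
import ipaddress

CONCENTRATOR = "192.168.10.230"   # 3000 Series Concentrator (from the question)
ENDIAN = "192.168.10.220"         # Endian firewall, the new default gateway
REMOTE_NETS = ["192.168.15.0/24", "192.168.20.0/24", "192.168.30.0/24"]


class StatefulFirewall:
    """Minimal conntrack model: a SYN creates a session entry; any other
    packet is forwarded only if it belongs to a session the firewall saw."""
    def __init__(self):
        self.sessions = set()

    def forward(self, src, dst, flags):
        if flags == "SYN":
            self.sessions.add((src, dst))
            return True
        # Replies are matched against the reversed tuple of the original SYN.
        return (dst, src) in self.sessions


def next_hop(dst, static_routes):
    """Longest-prefix match over the server's static routes {net: gateway};
    anything unmatched goes to the default gateway (the Endian box)."""
    addr = ipaddress.ip_address(dst)
    nets = sorted(static_routes.items(),
                  key=lambda kv: -ipaddress.ip_network(kv[0]).prefixlen)
    for net, gw in nets:
        if addr in ipaddress.ip_network(net):
            return gw
    return ENDIAN


def handshake(remote_client, server, static_routes):
    """Return (next hop for the SYN/ACK, whether it reaches the client).
    The inbound SYN arrives through the concentrator, so the Endian firewall
    never sees it; only the server's reply is subject to its state table."""
    fw = StatefulFirewall()
    hop = next_hop(remote_client, static_routes)
    if hop == ENDIAN:
        return hop, fw.forward(server, remote_client, "SYN/ACK")
    return hop, True   # reply rides the VPN back; no stateful box in the way


def windows_route_commands(static_routes):
    """Persistent Windows routes ('-p') equivalent to the static_routes table."""
    cmds = []
    for net, gw in static_routes.items():
        n = ipaddress.ip_network(net)
        cmds.append(f"route -p add {n.network_address} mask {n.netmask} {gw}")
    return cmds
```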
LVL 1

Author Comment

by:zreisman
ID: 24108741
Thanks. I get it now. IPTables just handles traffic differently than the SonicWall. I guess the easiest thing to do is a route add in a startup script?
LVL 28

Assisted Solution

by:asavener
asavener earned 2000 total points
ID: 24108792
Depends on the OS.

With Windows, you can add a persistent route by appending the "-p" switch to your "route add" statement so that the route is retained after a reboot.
LVL 1

Author Closing Comment

by:zreisman
ID: 31568589
Thanks.