Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 342
  • Last Modified:

VPN Routing problem, new Router

I am trying to replace our SonicWall Pro 3060 Router with an Endian Firewall as router.  Here is the layout:

192.168.10.210 - Sonicwall Router
192.168.10.220 - Endian Firewall   (2.2RC3)
192.168.10.230 - 3000 Series Concentrator
192.168.15.x - Remote software VPN clients  (connects to concentrator)
192.168.20.x - Remote Office A (connects  to concentrator)
192.168.30.x - Remote Office B (connects to concentrator)

User in 15.x / 20.x /30.x cannot access servers in 10.x if I change them to have the Endian firewall as default gateway (meaning I can't through that SonicWall in the trash where it belongs).   I have default routes setup in the Endian GUI.   Maybe they are not working?   Something else?
0
zreisman
Asked:
zreisman
  • 4
  • 3
3 Solutions
 
asavenerCommented:
You need static routes on the servers pointing to the VPN concentrator.

I've frequently seen the same problem with Cisco PIX/ASA devices; the firewall wants all traffic to be stateful.  Since it only sees 1/2 of the traffic, it blocks it because it's not part of an established session.
0
 
zreismanAuthor Commented:
The remote sites are connecting through PIX 515s.   I'm confused on why it only sees half the traffic?   Which firewall wants all traffic to be stateful?  If I am setting up static routes on every server (or client if they are accessing resources in the remote sites) that kind of defeats the purpose of a "router".
0
 
zreismanAuthor Commented:
To elaborate.   The problem is...    Any host in 192.168.10.x when setup with a default gateway of 192.168.10.220 (Endian),  cannot access resources in the remote domains, and remote domains cannot access that host.  
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
asavenerCommented:
The Endian Firewall is the one blocking the traffic:


Session initiated (SYN):  Remote site->VPN->VPN Concentrator->Server
Server responds (SYN/ACK):  Server->(Default route) ->Endian Firewall (Blocks traffic)

Once you add a static route:

Session initiated (SYN):  Remote site->VPN->VPN Concentrator->Server
 Server responds (SYN/ACK):  Server->(Static Route)->VPN Concentrator->VPN->Remote site
Client responds (ACK)

 
0
 
zreismanAuthor Commented:
Thanks.  I get it now.   IPTables just handles traffic differently than the Sonicwall.   I guess the easiest thing to do is do route add in a startup script?
0
 
asavenerCommented:
Depends on the OS.

With windows, you can add a persistent route by appending the "-p" switch to your "route add" statement so that the route is retained after a reboot.
0
 
zreismanAuthor Commented:
Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now