Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

VPN Routing problem, new Router

Posted on 2009-04-09
7
Medium Priority
?
338 Views
Last Modified: 2012-05-06
I am trying to replace our SonicWall Pro 3060 Router with an Endian Firewall as router.  Here is the layout:

192.168.10.210 - Sonicwall Router
192.168.10.220 - Endian Firewall   (2.2RC3)
192.168.10.230 - 3000 Series Concentrator
192.168.15.x - Remote software VPN clients  (connects to concentrator)
192.168.20.x - Remote Office A (connects  to concentrator)
192.168.30.x - Remote Office B (connects to concentrator)

User in 15.x / 20.x /30.x cannot access servers in 10.x if I change them to have the Endian firewall as default gateway (meaning I can't through that SonicWall in the trash where it belongs).   I have default routes setup in the Endian GUI.   Maybe they are not working?   Something else?
0
Comment
Question by:zreisman
  • 4
  • 3
7 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 24108502
You need static routes on the servers pointing to the VPN concentrator.

I've frequently seen the same problem with Cisco PIX/ASA devices; the firewall wants all traffic to be stateful.  Since it only sees 1/2 of the traffic, it blocks it because it's not part of an established session.
0
 
LVL 1

Author Comment

by:zreisman
ID: 24108572
The remote sites are connecting through PIX 515s.   I'm confused on why it only sees half the traffic?   Which firewall wants all traffic to be stateful?  If I am setting up static routes on every server (or client if they are accessing resources in the remote sites) that kind of defeats the purpose of a "router".
0
 
LVL 1

Author Comment

by:zreisman
ID: 24108593
To elaborate.   The problem is...    Any host in 192.168.10.x when setup with a default gateway of 192.168.10.220 (Endian),  cannot access resources in the remote domains, and remote domains cannot access that host.  
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 28

Assisted Solution

by:asavener
asavener earned 2000 total points
ID: 24108621
The Endian Firewall is the one blocking the traffic:


Session initiated (SYN):  Remote site->VPN->VPN Concentrator->Server
Server responds (SYN/ACK):  Server->(Default route) ->Endian Firewall (Blocks traffic)

Once you add a static route:

Session initiated (SYN):  Remote site->VPN->VPN Concentrator->Server
 Server responds (SYN/ACK):  Server->(Static Route)->VPN Concentrator->VPN->Remote site
Client responds (ACK)

 
0
 
LVL 1

Author Comment

by:zreisman
ID: 24108741
Thanks.  I get it now.   IPTables just handles traffic differently than the Sonicwall.   I guess the easiest thing to do is do route add in a startup script?
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 2000 total points
ID: 24108792
Depends on the OS.

With windows, you can add a persistent route by appending the "-p" switch to your "route add" statement so that the route is retained after a reboot.
0
 
LVL 1

Author Closing Comment

by:zreisman
ID: 31568589
Thanks.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question