VPN Routing problem, new Router

I am trying to replace our SonicWall Pro 3060 Router with an Endian Firewall as router.  Here is the layout:

192.168.10.210 - Sonicwall Router
192.168.10.220 - Endian Firewall   (2.2RC3)
192.168.10.230 - 3000 Series Concentrator
192.168.15.x - Remote software VPN clients  (connects to concentrator)
192.168.20.x - Remote Office A (connects  to concentrator)
192.168.30.x - Remote Office B (connects to concentrator)

User in 15.x / 20.x /30.x cannot access servers in 10.x if I change them to have the Endian firewall as default gateway (meaning I can't through that SonicWall in the trash where it belongs).   I have default routes setup in the Endian GUI.   Maybe they are not working?   Something else?
LVL 1
zreismanAsked:
Who is Participating?
 
asavenerConnect With a Mentor Commented:
You need static routes on the servers pointing to the VPN concentrator.

I've frequently seen the same problem with Cisco PIX/ASA devices; the firewall wants all traffic to be stateful.  Since it only sees 1/2 of the traffic, it blocks it because it's not part of an established session.
0
 
zreismanAuthor Commented:
The remote sites are connecting through PIX 515s.   I'm confused on why it only sees half the traffic?   Which firewall wants all traffic to be stateful?  If I am setting up static routes on every server (or client if they are accessing resources in the remote sites) that kind of defeats the purpose of a "router".
0
 
zreismanAuthor Commented:
To elaborate.   The problem is...    Any host in 192.168.10.x when setup with a default gateway of 192.168.10.220 (Endian),  cannot access resources in the remote domains, and remote domains cannot access that host.  
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
asavenerConnect With a Mentor Commented:
The Endian Firewall is the one blocking the traffic:


Session initiated (SYN):  Remote site->VPN->VPN Concentrator->Server
Server responds (SYN/ACK):  Server->(Default route) ->Endian Firewall (Blocks traffic)

Once you add a static route:

Session initiated (SYN):  Remote site->VPN->VPN Concentrator->Server
 Server responds (SYN/ACK):  Server->(Static Route)->VPN Concentrator->VPN->Remote site
Client responds (ACK)

 
0
 
zreismanAuthor Commented:
Thanks.  I get it now.   IPTables just handles traffic differently than the Sonicwall.   I guess the easiest thing to do is do route add in a startup script?
0
 
asavenerConnect With a Mentor Commented:
Depends on the OS.

With windows, you can add a persistent route by appending the "-p" switch to your "route add" statement so that the route is retained after a reboot.
0
 
zreismanAuthor Commented:
Thanks.
0
All Courses

From novice to tech pro — start learning today.