• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 614
  • Last Modified:

VPN configuration

I am attempting to test a VPN connection between our California office and us and could use some assistance / confirmation on the below. My goal is to create a VPN tunnel that only allows 2 workstations file/print sharing capabilities (I will be copying a 27mb file to help calculate the bandwidth).

Sonicwall Pro1260 side (Chicago)

Network\Address Objects:
California Network (Network:172.16.1.0 Netmask:255.255.0.0) Type:Network, Zone:VPN
California Workstation (IP Address: 172.16.1.131) Type:Host, Zone:VPN
Chicago Network (Network:172.16.2.0 Netmask:255.255.0.0) Type:Network,  Zone:LAN
Chicago Workstation (IP Address: 172.16.2.171) Type:Host, Zone:LAN

Firewall\Services:
Service Group
California Test (California Test UDP Ports and California Test TCP Ports)
Services
California Test UDP Ports (Protocol:UDP, Ports:135-139)
California Test TCP Port's (Protocol:TCP, Ports:445)

Firewall\Access Rules:
VPN > LAN
Priority:5 Source:California Workstation, Destination:Chicago Workstation, Service:California Test, Action:Allow, Users:All
LAN > VPN
Priority:2 Source:Chicago Workstation, Destination:California Workstation, Service:California Test, Action:Allow, Users:All



Sonicwall TZ170 (California)
(Note that its OS is standard and not the enhanced)

Firewall\Services:
Services
California Test UDP Ports (Protocol:UDP, Ports:135-139)
California Test TCP Port's (Protocol:TCP, Ports:445)

Firewall\Access Rules:
Priority:1 Source:WAN, Destination:LAN, Service:Any, Action:Deny
Priority:2 Source:LAN, Destination:WAN, Service:Any, Action:Deny
Priority:3 Source:WAN, Destination:172.16.1.1(LAN), Service:HTTPS Management, Action:Allow
Priority:4 Source:WAN, Destination:172.16.1.131(LAN), Service:California Test UDP Ports, Action:Allow
Priority:5 Source:WAN, Destination:172.16.1.131(LAN), Service:California Test TCP Ports, Action:Allow
Priority:6 Source:172.16.1.131(LAN), Destination:WAN, Service:California Test UDP Ports, Action:Allow
Priority:7 Source:172.16.1.131(LAN), Destination:WAN, Service:California Test TCP Ports, Action:Allow


0
RLAInc
Asked:
RLAInc
  • 5
  • 4
1 Solution
 
halejr1Commented:
how did your test go?
0
 
RLAIncAuthor Commented:
I haven't done it yet. I was hoping EE land can confirm the above settings before I implemented my test. I also need to add the MS Remote Desktop service for 1 workstations on the TZ170 side.

So in the end, the TZ170 will be configured to allow only the following through the VPN:
- File / Print sharing between to specific IP's (i.e. copying a file between 2 workstations)
- Remote Desktop access to the TZ170 side workstation
- Remote administration for the TZ170

Did I miss anything? I am needing this to be perfect because I have no physical access to the TZ170 otherwise I am screwed.
0
 
halejr1Commented:
good point... in cisco land, the way we dealt with that was that configurations not saved would be lost if the router were rebooted.  so a simple power cycle in remote office would solve the problem.  Do you have people in the remote office?

If so -- you can install logmein-FREE on a workstation at the remote office (logmein.com) and any changes you make, if they block you out, you can still get remote access via the internal network.  If your unsure that the router will allow access to logmeinfree, then just open up all ports both ways for that one host.

That way you will at least maintain a back-door for recovery.  

go to www.logmein.com -- register with the site ... it's painless, and no marketing stuff.  Pretty clean - make sure you load the "logmein-FREE"

Let me know if you think that'll work.   Then you can at least test, and fine-tune your configuration.

Good Luck!!!
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
RLAIncAuthor Commented:
Wow Sonicwall support sure can suck sometimes!

I've been working w. them on my problem for weeks now. I posted to them the exact test as I posted above. I run some tests to make sure this will work (aka had a spare Pro1260 which I configured w/ a different locally accessible ISP). I then try to pull the trigger on the TZ170 and I can't get the access rules to apply to the VPN tunnel traffic. It turns out that since I only have the Standard OS on this firewall, I can't do what they told me I can do (EVEN THOUGH I TOLD THEM ALL ALONG MULTIPLE TIMES THAT I HAVE THE STANDARD OS!).

So now I am configuring our Pro1260 for my remote office to replace the TZ170. WAY over kill but I have to get this done. I posted the below question to my Sonicwall support rep and they told me it will work. However after this little fiasco, I am second guessing their conclusions:

I wish to create a default deny for all zones. To set this up, I would create the following rule in all zone combinations:

Source: Any Destination: Any Action: Deny Users: All

So this means the following:
- Any access rule who's priority is a larger number than the "Default Deny" rule will NOT work.
- Any access rule who's priority is a smaller number that the "Default Deny" rule WILL work.

Am I doing this correctly?
0
 
halejr1Commented:
yes ... looks good.  The rules are applied in order of priority based on your "versioning" of the rules.  So if you have a rule that is more restrictive, with a higher priority it will be applied before any lower priority rules and therefore those rules will be irrelevant.

Sonicwall support is hit and miss.  I've had the same problems.. it almost feels like if you get some interest from the support staff they provide great service, if their not interested ... then your pretty much on your own --

good luck.
0
 
RLAIncAuthor Commented:
Now that I have a more robust firewall, I would like your feedback on the below:
California has a T1 that is shared for VPN data, internet traffic, and VOIP. The VPN and VOIP go to corporate. There's no QOS (inherited design. NOT my choice).
I want to:
-  Only have services in the VPN tunnel that are needed for the network (Win2k3 AD w/ an Exchang2k7 server which is in corporate). Not sure what all services are needed.
- Have the phones go through the OPT. The plan here is to eventually get the phones off of this T1 so I am going to configure this now.

0
 
RLAIncAuthor Commented:
Additional question:

Do you know if the Pro1260 w/ the Enhanced OS has the capability of segmenting the WAN bandwidth (connected rate shaping)? If so, does it do load balancing?

I am want to dedicate x amount of bandwidth per Address Groups/Objects.
0
 
RLAIncAuthor Commented:
Pro1260 does have bandwidth managment. I have the following question posted w/ there support:

Heres what I need to do:

- Use the OPT port as an additional WAN port then route all traffic to/from an Address Object (which is setup as an IP range). I also want to setup BWM for all inbound/outbound traffic for just this Address Object. At some point Ill put on some firewall access rules for this Address Object but for now I just want to get this segmentation setup w/ no restrictions.

This setup is to accommodate our phones. We have only 1 T1 at this location. This above design is desired because we do have plans on getting an additional internet location for the voice traffic and if I design our firewall in this way, all I should have to do is change the OPT port static IP w. the new broadband connection.

What do you think?
Can you give me some step by step instructions on how to accomplish the above?
0
 
halejr1Commented:
actually I am not an expert at this level.  I would however take your approach and start with just getting it working before applying any complex firewall rules or filters.  Also for the allocated bandwidth I would allocate my anticipated max(1.20) -- not knowing what the result would be if you reached or came close to your allocated max.

I currently have a site that has two separate T1's 1 for voice 1 for data, both separate address objects.  It works very well, but not as complex as your settings.  I am running on a 3060 pro.  

Good luck, let me know how it turns out.  

0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now