RLAInc

VPN configuration

I am attempting to test a VPN connection between our California office and us and could use some assistance / confirmation on the below. My goal is to create a VPN tunnel that only allows 2 workstations file/print sharing capabilities (I will be copying a 27 MB file to help calculate the bandwidth).

Sonicwall Pro1260 side (Chicago)

Network\Address Objects:
California Network (Network:172.16.1.0 Netmask:255.255.0.0) Type:Network, Zone:VPN
California Workstation (IP Address: 172.16.1.131) Type:Host, Zone:VPN
Chicago Network (Network:172.16.2.0 Netmask:255.255.0.0) Type:Network,  Zone:LAN
Chicago Workstation (IP Address: 172.16.2.171) Type:Host, Zone:LAN

Firewall\Services:
Service Group
California Test (California Test UDP Ports and California Test TCP Ports)
Services
California Test UDP Ports (Protocol:UDP, Ports:135-139)
California Test TCP Port's (Protocol:TCP, Ports:445)

Firewall\Access Rules:
VPN > LAN
Priority:5 Source:California Workstation, Destination:Chicago Workstation, Service:California Test, Action:Allow, Users:All
LAN > VPN
Priority:2 Source:Chicago Workstation, Destination:California Workstation, Service:California Test, Action:Allow, Users:All
Sonicwall TZ170 (California)
(Note that its OS is standard and not the enhanced)

Firewall\Services:
Services
California Test UDP Ports (Protocol:UDP, Ports:135-139)
California Test TCP Port's (Protocol:TCP, Ports:445)

Firewall\Access Rules:
Priority:1 Source:WAN, Destination:LAN, Service:Any, Action:Deny
Priority:2 Source:LAN, Destination:WAN, Service:Any, Action:Deny
Priority:3 Source:WAN, Destination:172.16.1.1(LAN), Service:HTTPS Management, Action:Allow
Priority:4 Source:WAN, Destination:172.16.1.131(LAN), Service:California Test UDP Ports, Action:Allow
Priority:5 Source:WAN, Destination:172.16.1.131(LAN), Service:California Test TCP Ports, Action:Allow
Priority:6 Source:172.16.1.131(LAN), Destination:WAN, Service:California Test UDP Ports, Action:Allow
Priority:7 Source:172.16.1.131(LAN), Destination:WAN, Service:California Test TCP Ports, Action:Allow

halejr1

how did your test go?
RLAInc

ASKER

I haven't done it yet. I was hoping EE land can confirm the above settings before I implement my test. I also need to add the MS Remote Desktop service for 1 workstation on the TZ170 side.

So in the end, the TZ170 will be configured to allow only the following through the VPN:
- File / Print sharing between two specific IPs (i.e. copying a file between 2 workstations)
- Remote Desktop access to the TZ170 side workstation
- Remote administration for the TZ170

Did I miss anything? I need this to be perfect because I have no physical access to the TZ170, otherwise I am screwed.
Good point... in Cisco land, the way we dealt with that was that configurations not saved would be lost if the router were rebooted. So a simple power cycle in the remote office would solve the problem. Do you have people in the remote office?

If so -- you can install logmein-FREE on a workstation at the remote office (logmein.com) and any changes you make, if they block you out, you can still get remote access via the internal network. If you're unsure that the router will allow access to logmein-FREE, then just open up all ports both ways for that one host.

That way you will at least maintain a back-door for recovery.  

go to www.logmein.com -- register with the site ... it's painless, and no marketing stuff.  Pretty clean - make sure you load the "logmein-FREE"

Let me know if you think that'll work.   Then you can at least test, and fine-tune your configuration.

Good Luck!!!

ASKER

Wow Sonicwall support sure can suck sometimes!

I've been working w. them on my problem for weeks now. I posted to them the exact test as I posted above. I ran some tests to make sure this will work (aka had a spare Pro1260 which I configured w/ a different locally accessible ISP). I then try to pull the trigger on the TZ170 and I can't get the access rules to apply to the VPN tunnel traffic. It turns out that since I only have the Standard OS on this firewall, I can't do what they told me I can do (EVEN THOUGH I TOLD THEM ALL ALONG MULTIPLE TIMES THAT I HAVE THE STANDARD OS!).

So now I am configuring our Pro1260 for my remote office to replace the TZ170. WAY overkill, but I have to get this done. I posted the below question to my Sonicwall support rep and they told me it will work. However, after this little fiasco, I am second guessing their conclusions:

I wish to create a default deny for all zones. To set this up, I would create the following rule in all zone combinations:

Source: Any Destination: Any Action: Deny Users: All

So this means the following:
- Any access rule whose priority is a larger number than the "Default Deny" rule will NOT work.
- Any access rule whose priority is a smaller number than the "Default Deny" rule WILL work.

Am I doing this correctly?
Yes ... looks good. The rules are applied in order of priority based on your "versioning" of the rules. So if you have a rule that is more restrictive, with a higher priority, it will be applied before any lower priority rules and therefore those rules will be irrelevant.

Sonicwall support is hit and miss. I've had the same problems.. it almost feels like if you get some interest from the support staff they provide great service; if they're not interested ... then you're pretty much on your own --

good luck.
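To make the priority-ordered, first-match behaviour discussed in the two posts above concrete, here is an added example (not part of the thread and not SonicWall code): a small Python evaluator over the posted VPN > LAN rule (priority 5, California Workstation to Chicago Workstation, service "California Test") with the proposed Any/Any/Any deny placed once behind it and once in front of it. The address objects and service group come from the question; the priorities 10 and 1 for the default deny, the extra source 172.16.1.50 and the RDP port 3389 are assumed for the demonstration.

```python
import ipaddress
from collections import namedtuple

# Address objects taken from the question (host objects are enough here).
OBJECTS = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "California Workstation": ipaddress.ip_network("172.16.1.131/32"),
    "Chicago Workstation": ipaddress.ip_network("172.16.2.171/32"),
}
# Service groups as (protocol, first port, last port) ranges.
SERVICES = {
    "Any": [("tcp", 1, 65535), ("udp", 1, 65535)],
    "California Test": [("udp", 135, 139), ("tcp", 445, 445)],
}
# priority: lower number is evaluated first; action: "Allow" or "Deny".
Rule = namedtuple("Rule", "priority src dst service action")

def service_matches(name, proto, port):
    return any(p == proto and lo <= port <= hi for p, lo, hi in SERVICES[name])

def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule in ascending priority order wins; no match means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (src in OBJECTS[rule.src] and dst in OBJECTS[rule.dst]
                and service_matches(rule.service, proto, port)):
            return rule.action, rule.priority
    return "Deny", None

def shadowed_rules(rules):
    """Priorities of rules sitting behind an Any/Any/Any rule; they can never match."""
    catch_all = [r.priority for r in rules if (r.src, r.dst, r.service) == ("Any",) * 3]
    return [] if not catch_all else [r.priority for r in rules if r.priority > min(catch_all)]

# The posted VPN > LAN rule (priority 5) that should let the file copy through.
ALLOW_CA_TO_CHI = Rule(5, "California Workstation", "Chicago Workstation", "California Test", "Allow")

def demo():
    # Default deny numbered after the allow (10 is an assumed value): allow still works.
    deny_after = [ALLOW_CA_TO_CHI, Rule(10, "Any", "Any", "Any", "Deny")]
    # Default deny numbered before the allow (1, assumed): the allow rule is dead.
    deny_before = [ALLOW_CA_TO_CHI, Rule(1, "Any", "Any", "Any", "Deny")]
    return {
        "smb_allowed": evaluate(deny_after, "172.16.1.131", "172.16.2.171", "tcp", 445),
        "other_host_denied": evaluate(deny_after, "172.16.1.50", "172.16.2.171", "tcp", 445),
        "rdp_denied": evaluate(deny_after, "172.16.1.131", "172.16.2.171", "tcp", 3389),
        "smb_shadowed": evaluate(deny_before, "172.16.1.131", "172.16.2.171", "tcp", 445),
        "unreachable": shadowed_rules(deny_before),
    }
```

`shadowed_rules` is the check worth running on the real rule table before the default deny goes in: anything it lists is a rule the firewall will never reach.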

ASKER

Now that I have a more robust firewall, I would like your feedback on the below:
California has a T1 that is shared for VPN data, internet traffic, and VOIP. The VPN and VOIP go to corporate. There's no QOS (inherited design. NOT my choice).
I want to:
- Only have services in the VPN tunnel that are needed for the network (Win2k3 AD w/ an Exchange 2k7 server which is in corporate). Not sure what all services are needed.
- Have the phones go through the OPT. The plan here is to eventually get the phones off of this T1 so I am going to configure this now.


ASKER

Additional question:

Do you know if the Pro1260 w/ the Enhanced OS has the capability of segmenting the WAN bandwidth (connected rate shaping)? If so, does it do load balancing?

I want to dedicate x amount of bandwidth per Address Groups/Objects.

ASKER

Pro1260 does have bandwidth management. I have the following question posted w/ their support:

Here's what I need to do:

- Use the OPT port as an additional WAN port, then route all traffic to/from an Address Object (which is set up as an IP range). I also want to set up BWM for all inbound/outbound traffic for just this Address Object. At some point I'll put on some firewall access rules for this Address Object, but for now I just want to get this segmentation set up w/ no restrictions.

This setup is to accommodate our phones. We have only 1 T1 at this location. This above design is desired because we do have plans on getting an additional internet location for the voice traffic and if I design our firewall in this way, all I should have to do is change the OPT port static IP w. the new broadband connection.

What do you think?
Can you give me some step by step instructions on how to accomplish the above?
ASKER CERTIFIED SOLUTION
halejr1