Solved
Sonicwall VPN Routing OS Enhanced NAT rule help needed

Posted on 2010-03-25
Last Modified: 2013-11-16
How can I fix this error...

  03/25/2010 12:23:25.432 Notice Network Access Web access request dropped 192.168.0.16, 52526, X1, UNI-TERMINAL 192.168.17.86, 80, X1 TCP HTTP

I am trying to route traffic to the .17.86 device from router A on the 0.0 subnet through router B on the 11.0 subnet to a device on router C's subnet 17.0. Need mainly port 80 HTTP, but it would be nice to route printer functions also.

Traffic appears to be getting from 2040 Pro (Router A) to NSA 2400 (router B) but not being sent to TZ190 (router C).  Getting the error listed above on Router B.  All OS are Enhanced.

Thanks
0
Comment
Question by:troycasper
12 Comments
 
LVL 8

Expert Comment

by:dosdet2
ID: 28642552
What does the routing table on router B look like?
What is the next-hop IP address on router C?
0
 

Author Comment

by:troycasper
ID: 28679394
Here is the routing table on B Dosdet2....

#   Source   Destination          Service            Gateway                    Interface  Metric  Priority
1   Any      255.255.255.255/32   Any                0.0.0.0                    X0         20      1
2   Any      X1 Default Gateway   Any                0.0.0.0                    X1         20      2
3   Any      X2 Default Gateway   Any                0.0.0.0                    X2         20      3
4   Any      X1 Subnet            Any                0.0.0.0                    X1         20      4
5   Any      X2 Subnet            Any                0.0.0.0                    X2         20      5
6   Any      X0 Subnet            Any                0.0.0.0                    X0         20      6
7   Any      X3 Subnet            Any                0.0.0.0                    X3         20      7
8   Any      X4 Subnet            Any                0.0.0.0                    X4         20      8
9   X1 IP    Any                  Any                X1 Default Gateway         X1         20      9
10  X2 IP    Any                  Any                X2 Default Gateway         X2         20      10
11  Any      Any                  Opt Port Services  Secondary Default Gateway  X2         1       11
12  Any      0.0.0.0/0            Any                216.23.112.198             X1         20      12

The Router IP on C is 192.168.17.1 and the device I am trying to reach is 192.168.17.86 which is a device on that network if that answers your Hop question.

Thanks
0
 

Author Comment

by:troycasper
ID: 29266608
Any other info needed?
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 29271973
Give me a bit & I'll get a diagram done.  Sorry, I've been slammed.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 29352640
You mention VPNs.  Are these routers connected by VPNs or hard wired?
0
 

Author Comment

by:troycasper
ID: 29354134
They are all connected by site-to-site VPNs at different geographical locations.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 29364659
Check the diagram attached; this is what I see your network as being.
I am going to assume that Network A & B can communicate and Network B & C can communicate.

Within router A:
Create an address object (under Network):
Name it something like "Subnet .17"
Zone=LAN
Type=Network
Address=192.168.17.0
Mask=255.255.255.0   (assuming you are using this mask in the C network)

Create another object = "Router B"
Zone = VPN
Type = Host
Address = 192.168.11.1   (or whatever Router B's Ip is)

Goto Routes = create new route
Source = any
destination = Subnet .17
service = any
gateway = Router B
Interface = (vpn interface)
Metric = 1
ck - disable route when int is down
ck - allow VPN path to take precedence
****

Go to Router C
Create an address object:
Name it something like "Subnet .0"
Zone=LAN
Type=Network
Address=192.168.0.0
Mask=255.255.255.0   (assuming you are using this mask in the A network)

Create another object = "Router B"
Zone = VPN
Type = Host
Address = 192.168.11.1   (or whatever Router B's Ip is)

Goto Routes = create new route
Source = any
destination = Subnet .0
service = any
gateway = Router B
Interface = (vpn interface)
Metric = 1
ck - disable route when int is down
ck - allow VPN path to take precedence
****

Go to router B
Create an address object:
Name "Subnet .0"
Zone=LAN
Type=Network
Address=192.168.0.0
Mask=255.255.255.0   (assuming you are using this mask in the A network)

Create another address object:
Name "Subnet .17"
Zone=LAN
Type=Network
Address=192.168.17.0
Mask=255.255.255.0   (assuming you are using this mask in the A network)

Create another object = "Router A"
Zone = VPN
Type = Host
Address = 192.168.0.1   (or whatever Router A's Ip is)

Create another object = "Router C"
Zone = VPN
Type = Host
Address = 192.168.17.1   (or whatever Router C's Ip is)

Goto Routes = create new route
Source = any
destination = Subnet .17
service = any
gateway = Router C
Interface = (vpn interface)
Metric = 1
ck - disable route when int is down
ck - allow VPN path to take precedence

Create another new route
Source = any
destination = Subnet .0
service = any
gateway = Router A
Interface = (vpn interface)
Metric = 1
ck - disable route when int is down
ck - allow VPN path to take precedence


If you have created VPN Zones for each VPN, then substitute your zones for the default VPN zones shown above.
Let us know how it goes.

0
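As an added illustration that is not part of this thread (and not a SonicWALL tool), the Python below parses the dropped-packet log line from the question and runs a longest-prefix route lookup over Router B's posted table, first as posted and then with the "Subnet .17 via Router C" route dosdet2 describes. It assumes the X0 LAN subnet on B is 192.168.11.0/24 (taken from the ipconfig output later in the thread) and reads the X1 default gateway 216.23.112.198 off route #12; the VPN interface label and the Router C gateway address are the ones used in dosdet2's post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern built from the log line in the question. The hostname label before
# the destination address ("UNI-TERMINAL") is optional.
DROP_RE = re.compile(
    r"dropped (?P<src>\d+\.\d+\.\d+\.\d+), (?P<sport>\d+), (?P<sif>\S+), "
    r"(?:\S+ )?(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<dport>\d+), (?P<dif>\S+)"
)


def parse_drop(line: str) -> Optional[dict]:
    """Extract src/dst address, ports and ingress/egress interface from a
    'Web access request dropped' line; None if the line does not match."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def route(dest: str, gateway: str, interface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(dest), gateway, interface, metric)


# Router B's table as posted, reduced to the entries that carry a concrete
# destination. The X0 LAN subnet 192.168.11.0/24 is an assumption.
ROUTER_B_BEFORE: List[Route] = [
    route("255.255.255.255/32", "0.0.0.0", "X0", 20),   # entry 1, broadcast
    route("192.168.11.0/24", "0.0.0.0", "X0", 20),      # entry 6, X0 Subnet (assumed)
    route("0.0.0.0/0", "216.23.112.198", "X1", 20),     # entry 12, default route
]

# The static route dosdet2 proposes adding on Router B: Subnet .17 via Router C.
ROUTER_B_AFTER: List[Route] = ROUTER_B_BEFORE + [
    route("192.168.17.0/24", "192.168.17.1", "VPN", 1),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


def egress_for_drop(line: str, table: List[Route]) -> Optional[str]:
    """Interface the table would send the dropped flow's destination out of,
    for comparison with the egress interface field the log reports."""
    d = parse_drop(line)
    if d is None:
        return None
    r = lookup(table, d["dst"])
    return r.interface if r else None


# Constructed copy of the log line from the question.
LOG_LINE = ("03/25/2010 12:23:25.432 Notice Network Access Web access request "
            "dropped 192.168.0.16, 52526, X1, UNI-TERMINAL 192.168.17.86, 80, X1 TCP HTTP")

if __name__ == "__main__":
    d = parse_drop(LOG_LINE)
    print("dropped flow:", d)
    for label, table in (("before", ROUTER_B_BEFORE), ("after", ROUTER_B_AFTER)):
        r = lookup(table, d["dst"])
        print(f"{label}: {d['dst']} -> {r.destination} via {r.gateway} on {r.interface}")
```

On the posted table the destination 192.168.17.86 matches only the default route, so the computed egress is X1, the same egress interface the log reports alongside the X1 ingress of the VPN-delivered packet. With the static route added, the lookup resolves to Router C over the VPN instead.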
 
LVL 8

Expert Comment

by:dosdet2
ID: 29364753
Sorry, forgot the file.
Routers-ABC.JPG
0
 

Author Comment

by:troycasper
ID: 29846896
Sorry for the delay.  Couldn't check until after the holidays. Your Diagram is correct.  I got to checking this and made the mistake of doing this remotely from Router B.  When I entered the routes into Router B it messed up the internet access and vpn to Router A.  I deleted the routes created on Router B and restarted Router B and everything was fine again.  I am not sure which route caused the problem.  I just had them delete both because everyone was in a panic and going through internet withdrawals.    Please think about the router B routes and I will either try them again or try new if you suggest when I can take the router offline on a Saturday in case there is still a problem.
0
 
LVL 8

Accepted Solution

by:
dosdet2 earned 1500 total points
ID: 29854600
That's interesting.  
This shouldn't have had any effect on internet access, so they must access the internet differently than I thought.

Can you do an "ipconfig /all" from a workstation in each network and post those.  I think that will tell us where everybody is going to find the internet.  

It sounds like router A's hosts might be getting to the internet via the VPN through router B, but we'll see.

Sorry about the panic.
0
 

Author Comment

by:troycasper
ID: 29855762
I may have also somehow entered something incorrectly.   I could not see them to verify before I had them delete them because I could not remotely access anything.

The clients directly access the internet from each of their respective routers without going across the VPNs.

Here are the ipconfigs...


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : 00-18-8B-57-70-5D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.11.162
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.11.1
        DHCP Server . . . . . . . . . . . : 192.168.11.1
        DNS Servers . . . . . . . . . . . : 192.168.0.15
                                            4.2.2.2
        Lease Obtained. . . . . . . . . . : Monday, April 05, 2010 5:22:38 PM
        Lease Expires . . . . . . . . . . : Tuesday, April 06, 2010 5:22:38 PM

0
 

Author Closing Comment

by:troycasper
ID: 32775814
Awarding points.  Have not been able to take the system offline yet to test fully and find out why it was causing traffic issues.   Will reopen if necessary.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question