Sonicwall VPN Routing OSEnhanced Nat rule help needed

How can I fix this error...

  03/25/2010 12:23:25.432 Notice Network Access Web access request dropped 192.168.0.16, 52526, X1, UNI-TERMINAL 192.168.17.86, 80, X1 TCP HTTP

I am trying to route traffic to the .17.86 device from Router A on the 0.0 subnet, through Router B on the 11.0 subnet, to a device on Router C's 17.0 subnet. I mainly need port 80 (HTTP), but it would be nice to route printer functions also.

Traffic appears to be getting from the 2040 Pro (Router A) to the NSA 2400 (Router B) but is not being sent to the TZ190 (Router C). I am getting the error listed above on Router B. All OSes are Enhanced.

Thanks
troycasperAsked:
dosdet2Commented:
What does the routing table on router B look like?
What is the next-hop IP address on router C?
0
troycasperAuthor Commented:
Here is the routing table on B, dosdet2:

#   Source   Destination          Service             Gateway                     Interface  Metric  Priority
1   Any      255.255.255.255/32   Any                 0.0.0.0                     X0         20      1
2   Any      X1 Default Gateway   Any                 0.0.0.0                     X1         20      2
3   Any      X2 Default Gateway   Any                 0.0.0.0                     X2         20      3
4   Any      X1 Subnet            Any                 0.0.0.0                     X1         20      4
5   Any      X2 Subnet            Any                 0.0.0.0                     X2         20      5
6   Any      X0 Subnet            Any                 0.0.0.0                     X0         20      6
7   Any      X3 Subnet            Any                 0.0.0.0                     X3         20      7
8   Any      X4 Subnet            Any                 0.0.0.0                     X4         20      8
9   X1 IP    Any                  Any                 X1 Default Gateway          X1         20      9
10  X2 IP    Any                  Any                 X2 Default Gateway          X2         20      10
11  Any      Any                  Opt Port Services   Secondary Default Gateway   X2         1       11
12  Any      0.0.0.0/0            Any                 216.23.112.198              X1         20      12

The router IP on C is 192.168.17.1, and the device I am trying to reach is 192.168.17.86, which is a device on that network, if that answers your hop question.

Thanks
0
troycasperAuthor Commented:
Any other info needed?
0
dosdet2Commented:
Give me a bit & I'll get a diagram done.  Sorry, I've been slammed.
0
dosdet2Commented:
You mention VPNs.  Are these routers connected by VPNs or hard wired?
0
troycasperAuthor Commented:
They are all connected by site-to-site VPNs at different geographical locations.
0
dosdet2Commented:
Check the attached diagram; this is what I see your network as being.
I am going to assume that networks A and B can communicate and networks B and C can communicate.

Within Router A:
Create an address object (under Network):
Name it something like "Subnet .17"
Zone = LAN
Type = Network
Address = 192.168.17.0
Mask = 255.255.255.0   (assuming you are using this mask in the C network)

Create another object = "Router B"
Zone = VPN
Type = Host
Address = 192.168.11.1   (or whatever Router B's IP is)

Go to Routes, create a new route:
Source = Any
Destination = Subnet .17
Service = Any
Gateway = Router B
Interface = (VPN interface)
Metric = 1
Check: disable route when interface is down
Check: allow VPN path to take precedence
****

Go to Router C
Create an address object:
Name it something like "Subnet .0"
Zone = LAN
Type = Network
Address = 192.168.0.0
Mask = 255.255.255.0   (assuming you are using this mask in the A network)

Create another object = "Router B"
Zone = VPN
Type = Host
Address = 192.168.11.1   (or whatever Router B's IP is)

Go to Routes, create a new route:
Source = Any
Destination = Subnet .0
Service = Any
Gateway = Router B
Interface = (VPN interface)
Metric = 1
Check: disable route when interface is down
Check: allow VPN path to take precedence
****

Go to Router B
Create an address object:
Name "Subnet .0"
Zone = LAN
Type = Network
Address = 192.168.0.0
Mask = 255.255.255.0   (assuming you are using this mask in the A network)

Create another address object:
Name "Subnet .17"
Zone = LAN
Type = Network
Address = 192.168.17.0
Mask = 255.255.255.0   (assuming you are using this mask in the A network)

Create another object = "Router A"
Zone = VPN
Type = Host
Address = 192.168.0.1   (or whatever Router A's IP is)

Create another object = "Router C"
Zone = VPN
Type = Host
Address = 192.168.17.1   (or whatever Router C's IP is)

Go to Routes, create a new route:
Source = Any
Destination = Subnet .17
Service = Any
Gateway = Router C
Interface = (VPN interface)
Metric = 1
Check: disable route when interface is down
Check: allow VPN path to take precedence

Create another new route:
Source = Any
Destination = Subnet .0
Service = Any
Gateway = Router A
Interface = (VPN interface)
Metric = 1
Check: disable route when interface is down
Check: allow VPN path to take precedence


If you have created VPN zones for each VPN, then substitute your zones for the default VPN zones shown above.
Let us know how it goes.

0
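As an added illustration (not code from the thread or from SonicWall), the following Python models the three routers as route tables and traces a packet from the 0.0 network to 192.168.17.86, first with Router B holding only the default route from row 12 of the table posted above and then with the routes dosdet2 prescribes. The router LAN IPs are the ones dosdet2 assumes; the ISP gateways for Routers A and C and the route Router A already uses to reach B are placeholders.

```python
import ipaddress

# Added example, not from the thread. Each SonicWall is a route table keyed by the LAN IP
# dosdet2 assumes for it (192.168.0.1, 192.168.11.1, 192.168.17.1). A route is
# (destination network, next-hop gateway or None when directly connected, interface, metric).
BASE = {
    "192.168.0.1": [("192.168.0.0/24", None, "X0", 20),
                    ("192.168.17.0/24", "192.168.11.1", "VPN", 1),  # A already hands .17 traffic to B
                    ("0.0.0.0/0", "203.0.113.1", "X1", 20)],       # placeholder ISP gateway
    "192.168.11.1": [("192.168.11.0/24", None, "X0", 20),
                     ("0.0.0.0/0", "216.23.112.198", "X1", 20)],   # row 12 of the posted Router B table
    "192.168.17.1": [("192.168.17.0/24", None, "X0", 20),
                     ("0.0.0.0/0", "198.51.100.1", "X1", 20)],     # placeholder ISP gateway
}
# The routes dosdet2 adds: on Router B, Subnet .17 via Router C and Subnet .0 via Router A;
# on Router C, Subnet .0 via Router B (the return path).
FIX = [("192.168.11.1", ("192.168.17.0/24", "192.168.17.1", "VPN", 1)),
       ("192.168.11.1", ("192.168.0.0/24", "192.168.0.1", "VPN", 1)),
       ("192.168.17.1", ("192.168.0.0/24", "192.168.11.1", "VPN", 1))]

def lookup(table, dst):
    """Longest-prefix match, ties broken by lowest metric; returns (gateway, interface) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for net, gw, iface, metric in table:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or (n.prefixlen, -metric) > best[0]):
            best = ((n.prefixlen, -metric), gw, iface)
    return None if best is None else best[1:]

def trace(routers, start, dst):
    """Follow next hops from router `start` toward `dst`; returns (verdict, routers visited)."""
    path, router = [], start
    while router not in path:
        path.append(router)
        hit = lookup(routers[router], dst)
        if hit is None:
            return "no route", path
        gw, iface = hit
        if gw is None:                 # destination sits on a directly connected subnet
            return "delivered", path
        if gw not in routers:          # next hop is an ISP gateway: a private address goes nowhere
            return f"dropped at {router} out {iface}", path
        router = gw
    return "routing loop", path

def with_fix(routers):
    """Return a copy of the tables with dosdet2's three routes appended."""
    fixed = {ip: list(table) for ip, table in routers.items()}
    for ip, route in FIX:
        fixed[ip].append(route)
    return fixed
```

Without the fix the trace ends at Router B going out X1, which is the interface pair the dropped-packet log line shows; with it the packet reaches Router C and the return path from C back to the 0.0 network also resolves.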
dosdet2Commented:
Sorry, forgot the file.
Routers-ABC.JPG
0
troycasperAuthor Commented:
Sorry for the delay. I couldn't check until after the holidays. Your diagram is correct. I got to checking this and made the mistake of doing it remotely from Router B. When I entered the routes into Router B, it messed up the internet access and the VPN to Router A. I deleted the routes created on Router B and restarted Router B, and everything was fine again. I am not sure which route caused the problem; I just had them delete both because everyone was in a panic and going through internet withdrawals. Please think about the Router B routes, and I will either try them again or try new ones if you suggest them, when I can take the router offline on a Saturday in case there is still a problem.
0
dosdet2Commented:
That's interesting.
This shouldn't have had any effect on internet access, so they must access the internet differently than I thought.

Can you do an "ipconfig /all" from a workstation in each network and post those? I think that will tell us where everybody is going to find the internet.

It sounds like Router A's hosts might be getting to the internet via the VPN through Router B, but we'll see.

Sorry about the panic.
0
troycasperAuthor Commented:
I may have also somehow entered something incorrectly. I could not see them to verify before I had them deleted, because I could not remotely access anything.

The clients directly access the internet from each of their respective routers without going across the VPNs.

Here are the ipconfigs:


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : 00-18-8B-57-70-5D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.11.162
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.11.1
        DHCP Server . . . . . . . . . . . : 192.168.11.1
        DNS Servers . . . . . . . . . . . : 192.168.0.15
                                            4.2.2.2
        Lease Obtained. . . . . . . . . . : Monday, April 05, 2010 5:22:38 PM
        Lease Expires . . . . . . . . . . : Tuesday, April 06, 2010 5:22:38 PM

0
troycasperAuthor Commented:
Awarding points. I have not been able to take the system offline yet to test fully and find out why it was causing traffic issues. I will reopen if necessary.
0