Solved

Sonicwall Blocking Outgoing VPN Connections

Posted on 2010-09-01
19
4,420 Views
Last Modified: 2013-11-16
ANother Sonicwall issue, not becoming a Sonicwall Fan at all. Never have I had so many issues with Sonicwall. It might also be that the past Provider were idoits but I would past judgement.

Anyways!  We have a Contractor that uses his old PC and Connects to his Companies Network Via a Cisco VPN Connection. Now it seems that our Sonicwall is blocking that connection so I am being told. How do I go about allowing a VPN Connection using say 11.11.11.11 IP Address leaving the internal Network. Would it be the IP address or would it be the Protocol...

Please be discriptive
0
Comment
Question by:rperault
  • 6
  • 5
  • 4
19 Comments
 
LVL 16

Expert Comment

by:ccomley
ID: 33578581
Hmm.

By default Sonicawll doesn't block ANY outgoing traffic, and all incoming. You need to create rules to vary this. But on a newer machine you may also have the Application Firewall blocking traffic based on it's profile. So we really need a bit more information on what's going on here.  What version are you running? What Security tools are enabled?

To permit outbound traffic that's being blocked you need to identify why.

BUT

If it's being blocked by an explcit DENY rule in the "Lan to Wan" section of Firewall/AccessRules then you can

- disable that rule or delete it completely - if you don't mind anyone using VPNs
or
- create a PERMIT rule which permits his IP address specifically to access the WAN on that port, which will automatically over-ride the more general "everyone can't" rule.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33578923
You also may want to view the logs to see if it's dropping those connections.  My guess is their end isn't allow NAT traversal since the Cisco clients are being a router that NATs traffic to the Internet.
0
 

Author Comment

by:rperault
ID: 33579108
All of the things I have already checked..
Nothing in the Logs with the specific IP address except for my Ping Requests.
I created Special ACL's to allow traffic to the IP address and using Port 500/4500 So it has to be somewhere and I don't believe that it is on my end. Actually I am pretty sure that it is not. We recently changed ISP Providers, from Verizon to CavTel. The Connection never had an issue with Verzion but all of a sudden has one with Cavtel.

I worked with CavTel and I am told it not them. Though they aren't checking the upstrean Checkpoint Firewall for activity. I need to get ont he phone with the other end and see what they are doing different. Any other ideas?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 16

Expert Comment

by:ccomley
ID: 33579152
Hmm. I would not discard the idea taht it could be the new ISP totally, it would not be the first time I've come across an ISP blocking VPN access. In the case I have in mind, it was initially in all innocence as the ISP were trying to introduce their own commercial VPN product and thus "grabbed" IKE traffic without realising it would cause people problems - but I was less inclinde to be nice about it when they didn't immediatly stop doing this on discovering they were wrong.

If it's an outbound connection, it should be covered by the default rule unless someone has created a specific one. In which case revoke it or create a MORE specific permit rule.

Other than that I don't know. Can you put Wireshark on the WAN side of the Sonicwall? (I keep a small managed switch with port mirroring enabled in order to do this sort of thing...)

What routers are in use between the Sonic wan port and the comms link? Is that the SAME router or did that change at the same time as the ISP swap?
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 250 total points
ID: 33579399
Perhaps a long shot, but have you checked the MTU on WAN interface of the sonicwall?  Here's an article I wrote on how to set that on the Sonicwall.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33584357
Good idea, as the VPN encapsulation process will make the packets from that sender longer!!!

Can't hurt to knock it back a few bytes and see if it helps.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588374
One can certainly believe the NSA 240 does behave differently.  I remember when the 190 came out.  We had all sorts of trouble getting it to work with ISP provided WAN IP addresses on cable modems.  We worked with support from the ISP and Sonicwall.  Never could get it to work.  Ended up putting a 170 and it worked flawlessly.  Later, we discovered it was due to an improperly configured MTU.  These days, we have calculating this as our setup process for all our clients...regardless of the type of internet connection.
0
 
LVL 16

Accepted Solution

by:
ccomley earned 250 total points
ID: 33588433
We hit MTU problems really early in the ADSL era with TZ170s and onwards, and now we click it down a couple of bytes automatically, so much so it didn't occur to me to mention it here until your suggestion!

I've not found the TZ190 to be any worse, better, or, indeed, any other way different from earlier TZs or NSA and above units. They run the same code, at the end of the day! Might've been an issue with a particular code ver.

We often have problems with the main "cable/fibre" ISP in the UK as they don't assing a block of IPs, they assign a random selection of numbers which can't be defined as a network/mask chunk and don't seem to think this is at all unusual.

0
 

Author Comment

by:rperault
ID: 33588453
My Problem is that nothing has changed in the Configuration and it always worked with the past provider, but it woudn't work with the current provider. It's Weird.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588474
no way to know until we try.  good luck and let us know how it goes.
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33588662
Try reducing the MTU anyway - it may be an issue with the way your new provider's network operates! If that doesn't work then I suggest you are going to need to try to Sniff the network outside of the Sonicwall to see fi the packets in question are getting through! If they are you can defintily blame your new supplier, if not, it's definitly a Sonicwall issue.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588760
i concur.
0
 

Author Comment

by:rperault
ID: 33641935
Sorry I had thought I had choosen the Correct Expert
0
 

Author Comment

by:rperault
ID: 33641963
I am now unable to assign points. Sorry Guys I got swamped and Fast so I apologize for my delay in response because it is unlike me. I agree in spliting the points, as one had Mentioned the MTU and the Other explained..... If I could award the points please
0
 
LVL 33

Expert Comment

by:digitap
ID: 33678352
thanks for the points!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to route a specific IP address to a specific port on a Fortinet 90D 2 40
network error 8 56
VLAN Question 13 44
IPsec VPN - which encryption? 5 38
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question