Solved

Sonicwall Blocking Outgoing VPN Connections

Posted on 2010-09-01
Last Modified: 2013-11-16
Another Sonicwall issue; I'm not becoming a Sonicwall fan at all. Never have I had so many issues with Sonicwall. It might also be that the past provider were idiots, but I would pass judgement.

Anyways! We have a contractor that uses his old PC and connects to his company's network via a Cisco VPN connection. Now it seems that our Sonicwall is blocking that connection, so I am being told. How do I go about allowing a VPN connection using, say, the 11.11.11.11 IP address leaving the internal network? Would it be the IP address or would it be the protocol...

Please be descriptive.
Question by:rperault
19 Comments
 
LVL 16

Expert Comment

by:ccomley
ID: 33578581
Hmm.

By default Sonicwall doesn't block ANY outgoing traffic, and blocks all incoming. You need to create rules to vary this. But on a newer machine you may also have the Application Firewall blocking traffic based on its profile. So we really need a bit more information on what's going on here. What version are you running? What security tools are enabled?

To permit outbound traffic that's being blocked you need to identify why.

BUT

If it's being blocked by an explicit DENY rule in the "LAN to WAN" section of Firewall/Access Rules then you can

- disable that rule or delete it completely - if you don't mind anyone using VPNs
or
- create a PERMIT rule which permits his IP address specifically to access the WAN on that port, which will automatically over-ride the more general "everyone can't" rule.
 
LVL 33

Expert Comment

by:digitap
ID: 33578923
You also may want to view the logs to see if it's dropping those connections. My guess is their end isn't allowing NAT traversal, since the Cisco clients are behind a router that NATs traffic to the Internet.
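The log check suggested above, worked through as an added example (this is not code from the thread or from SonicWall). It assumes a key=value syslog style, which is constructed here along with the sample lines; the peer address 11.11.11.11 is the placeholder from the question. The script keeps only the records a Cisco-style IPsec client depends on (IKE on udp/500, NAT-T on udp/4500, raw ESP) towards the VPN peer, counts which the firewall dropped versus passed, and turns that into a next-step verdict: no records at all means the firewall never saw or never logged the traffic and a capture on the WAN side is the next move; drops mean the problem is on this box; passes point upstream.

```python
import re
from collections import Counter

# Constructed sample log, loosely in the key=value style many firewalls emit.
# The lines are made up for this example; 11.11.11.11 is the placeholder peer
# from the question and 192.168.1.50 a hypothetical contractor PC.
SAMPLE_LOG = """\
time="2010-09-01 09:12:01" msg="Connection Closed" src=192.168.1.50:50123:X0 dst=11.11.11.11:80:X1 proto=tcp/http
time="2010-09-01 09:12:03" msg="Connection Opened" src=192.168.1.50:500:X0 dst=11.11.11.11:500:X1 proto=udp/500
time="2010-09-01 09:12:05" msg="UDP packet dropped" src=192.168.1.50:4500:X0 dst=11.11.11.11:4500:X1 proto=udp/4500
time="2010-09-01 09:12:07" msg="ICMP packet dropped due to Policy" src=192.168.1.50 dst=11.11.11.11 proto=icmp
time="2010-09-01 09:12:09" msg="Connection Opened" src=192.168.1.50:4500:X0 dst=11.11.11.11:4500:X1 proto=udp/4500
time="2010-09-01 09:12:11" msg="Connection Opened" src=192.168.1.77:51000:X0 dst=11.11.11.11:500:X1 proto=udp/500
"""

# key=value pairs; values are either "quoted with spaces" or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# What an IPsec client needs to get out: IKE, NAT-T and raw ESP.
VPN_SERVICES = {"udp/500": "IKE", "udp/4500": "NAT-T", "esp": "ESP"}
DROP_WORDS = ("drop", "denied", "block")


def parse_line(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def host_of(endpoint):
    """'11.11.11.11:500:X1' -> '11.11.11.11' (address:port:interface form)."""
    return endpoint.split(":")[0]


def vpn_events(log_text, peer, client=None):
    """Keep only IKE/NAT-T/ESP records towards `peer`, optionally from one client."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or host_of(rec.get("dst", "")) != peer:
            continue
        if client and host_of(rec.get("src", "")) != client:
            continue
        service = VPN_SERVICES.get(rec.get("proto", ""))
        if service is None:
            continue  # web, ICMP etc. are irrelevant to the tunnel
        msg = rec.get("msg", "")
        events.append({"time": rec.get("time"), "service": service,
                       "dropped": any(w in msg.lower() for w in DROP_WORDS),
                       "msg": msg})
    return events


def summarize(events):
    """Count (service, outcome) pairs, e.g. {('NAT-T', 'dropped'): 1}."""
    return dict(Counter((e["service"], "dropped" if e["dropped"] else "passed")
                        for e in events))


def verdict(events):
    """Where to look next, based only on what the firewall logged."""
    if not events:
        return "no-evidence"          # nothing logged: capture on the WAN side
    if any(e["dropped"] for e in events):
        return "firewall-dropping"    # a rule or NAT policy on this box
    return "passed-look-upstream"     # firewall let it out; suspect the path/ISP


if __name__ == "__main__":
    ev = vpn_events(SAMPLE_LOG, "11.11.11.11", client="192.168.1.50")
    print(summarize(ev))
    print(verdict(ev))
```

Filtering by client as well as peer matters: the last sample line shows another host reaching the same peer on udp/500, which would otherwise mask a drop that only affects the contractor's PC.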
 

Author Comment

by:rperault
ID: 33579108
All of the things I have already checked..
Nothing in the Logs with the specific IP address except for my Ping Requests.
I created special ACLs to allow traffic to the IP address using ports 500/4500, so it has to be somewhere and I don't believe that it is on my end. Actually I am pretty sure that it is not. We recently changed ISP providers, from Verizon to CavTel. The connection never had an issue with Verizon but all of a sudden has one with CavTel.

I worked with CavTel and I am told it's not them. Though they aren't checking the upstream Checkpoint firewall for activity. I need to get on the phone with the other end and see what they are doing differently. Any other ideas?
 
LVL 16

Expert Comment

by:ccomley
ID: 33579152
Hmm. I would not discard the idea that it could be the new ISP totally; it would not be the first time I've come across an ISP blocking VPN access. In the case I have in mind, it was initially in all innocence, as the ISP were trying to introduce their own commercial VPN product and thus "grabbed" IKE traffic without realising it would cause people problems - but I was less inclined to be nice about it when they didn't immediately stop doing this on discovering they were wrong.

If it's an outbound connection, it should be covered by the default rule unless someone has created a specific one. In which case revoke it or create a MORE specific permit rule.

Other than that I don't know. Can you put Wireshark on the WAN side of the Sonicwall? (I keep a small managed switch with port mirroring enabled in order to do this sort of thing...)

What routers are in use between the Sonicwall WAN port and the comms link? Is that the SAME router or did that change at the same time as the ISP swap?
 
LVL 33

Assisted Solution

by:digitap
digitap earned 250 total points
ID: 33579399
Perhaps a long shot, but have you checked the MTU on WAN interface of the sonicwall?  Here's an article I wrote on how to set that on the Sonicwall.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110
 
LVL 16

Expert Comment

by:ccomley
ID: 33584357
Good idea, as the VPN encapsulation process will make the packets from that sender longer!!!

Can't hurt to knock it back a few bytes and see if it helps.
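The encapsulation point above, worked through as an added example rather than anything from the thread or from SonicWall: the contractor's Cisco client wraps each packet in ESP tunnel mode, and with NAT-T also in UDP, so a full-size 1500-byte packet from his PC no longer fits a 1500-byte WAN MTU and must either be fragmented or, if the don't-fragment bit is set and the path swallows ICMP "fragmentation needed", silently disappears. The overhead figures assume AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, and IPv4 on both layers; other cipher suites change the constants but not the shape of the calculation.

```python
import math


def esp_outer_size(inner_len, nat_t=True, iv_len=16, block=16, icv_len=12):
    """Bytes on the wire once an inner IPv4 packet of inner_len bytes is
    carried in ESP tunnel mode. Defaults assume AES-CBC (16-byte IV and
    block) with HMAC-SHA1-96 (12-byte ICV) and NAT-T UDP encapsulation."""
    outer_ip = 20                      # new outer IPv4 header
    udp = 8 if nat_t else 0            # UDP/4500 header when NAT-T is in use
    esp_header = 8                     # SPI (4) + sequence number (4)
    # inner packet plus the pad-length and next-header trailer bytes, then
    # padded up to the cipher block size; all of this is the encrypted part
    encrypted = math.ceil((inner_len + 2) / block) * block
    return outer_ip + udp + esp_header + iv_len + encrypted + icv_len


def fits(inner_len, outer_mtu, **kw):
    """True if the tunnelled packet needs no fragmentation on a link of outer_mtu."""
    return esp_outer_size(inner_len, **kw) <= outer_mtu


def max_inner_len(outer_mtu, **kw):
    """Largest inner packet that still fits; the effective MTU inside the tunnel."""
    n = outer_mtu
    while n > 0 and not fits(n, outer_mtu, **kw):
        n -= 1
    return n


def tcp_mss_for(outer_mtu, **kw):
    """TCP MSS that keeps a full segment inside the tunnel: inner MTU less
    the 20-byte IP and 20-byte TCP headers."""
    return max_inner_len(outer_mtu, **kw) - 40


if __name__ == "__main__":
    for size in (1500, 1422, 1423):
        print(f"inner {size} -> outer {esp_outer_size(size)} bytes, "
              f"fits 1500: {fits(size, 1500)}")
    print("inner MTU with NAT-T:", max_inner_len(1500))
    print("inner MTU without NAT-T:", max_inner_len(1500, nat_t=False))
    print("TCP MSS to clamp to:", tcp_mss_for(1500))
```

The 1500-byte case grows to 1568 bytes on the wire, which is why "knocking the MTU back a few bytes" on the WAN interface, or clamping the TCP MSS so that inner segments stay under the tunnel's effective MTU, removes the dependence on path MTU discovery working across the new provider's network.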
 
LVL 33

Expert Comment

by:digitap
ID: 33588374
One can certainly believe the NSA 240 does behave differently. I remember when the 190 came out. We had all sorts of trouble getting it to work with ISP-provided WAN IP addresses on cable modems. We worked with support from the ISP and Sonicwall. Never could get it to work. Ended up putting in a 170 and it worked flawlessly. Later, we discovered it was due to an improperly configured MTU. These days, we do this calculation as part of our setup process for all our clients... regardless of the type of internet connection.
 
LVL 16

Accepted Solution

by:ccomley
ccomley earned 250 total points
ID: 33588433
We hit MTU problems really early in the ADSL era with TZ170s and onwards, and now we click it down a couple of bytes automatically, so much so it didn't occur to me to mention it here until your suggestion!

I've not found the TZ190 to be any worse, better, or, indeed, any other way different from earlier TZs or NSA and above units. They run the same code, at the end of the day! Might've been an issue with a particular code ver.

We often have problems with the main "cable/fibre" ISP in the UK as they don't assign a block of IPs; they assign a random selection of numbers which can't be defined as a network/mask chunk, and don't seem to think this is at all unusual.

 

Author Comment

by:rperault
ID: 33588453
My problem is that nothing has changed in the configuration and it always worked with the past provider, but it wouldn't work with the current provider. It's weird.
 
LVL 33

Expert Comment

by:digitap
ID: 33588474
no way to know until we try.  good luck and let us know how it goes.
 
LVL 16

Expert Comment

by:ccomley
ID: 33588662
Try reducing the MTU anyway - it may be an issue with the way your new provider's network operates! If that doesn't work then I suggest you are going to need to try to sniff the network outside of the Sonicwall to see if the packets in question are getting through! If they are you can definitely blame your new supplier; if not, it's definitely a Sonicwall issue.
 
LVL 33

Expert Comment

by:digitap
ID: 33588760
i concur.
 

Author Comment

by:rperault
ID: 33641935
Sorry, I had thought I had chosen the correct expert.
 

Author Comment

by:rperault
ID: 33641963
I am now unable to assign points. Sorry guys, I got swamped and fast, so I apologize for my delay in response because it is unlike me. I agree in splitting the points, as one had mentioned the MTU and the other explained..... If I could award the points, please.
 
LVL 33

Expert Comment

by:digitap
ID: 33678352
thanks for the points!