circuits2 asked on
Cannot Connect to Exchange via SonicWall Site-to-Site VPN

I am setting up a Site-to-Site VPN between two SonicWall appliances and have hit a minor road block. The main SonicWall is an NSA 2400 and is located at our corporate office with a Static Public IP. The remote SonicWall is a TZ 100 and is located in a branch office with a Dynamic Public IP. Both devices have been configured in Aggressive Mode.

Here is a summary of the configurations:

Corporate Office NSA 2400
Public IP: 1.2.3.4
Lan IP: 10.10.1.1/24
Our Exchange Server is 10.10.1.2

Branch Office TZ 100
Public IP: Dynamic
Lan IP: 10.10.3.1/24

I have configured the Corporate SonicWall with an Address Object for the Branch Office and vice versa for the Branch SonicWall. I have also made sure the VPN Policies have the correct Device ID's.

The VPN Tunnel shows that it is established on both SonicWall's and I am able to ping any of the corporate computers from the Branch Office using the IP Addresses. However, I am unable to ping any of the Corporate computers from the Branch Office using the computer names and I cannot ping any of the computers in the Branch Office from the Corporate Office. So basically I have one-way connectivity. I think this is the reason why I am unable to connect to Exchange from the Branch Office.

Any clues as to why I cannot ping from the Corporate Office or connect to Exchange?

Thank you in advance!
circuits2 (ASKER)
Sorry, forgot to mention that both SonicWall devices are running the latest Sonic EnhancedOS.
Check your firewall rules VPN to LAN on both ends. If you had any misconfiguration on the SAs on either end then the tunnel would not come up. The other thought I have is if you perhaps have a rogue route on the 2400 that's preventing the traffic from traversing the VPN.
Thanks for your response digitap!

I checked both devices and there is an entry to allow all traffic from VPN-LAN, LAN-VPN, and VPN-VPN.

One other odd thing that I just found out is that I can ping the LAN address of the Branch Office from the Corporate Office, but still cannot ping any other LAN addresses in the Branch Office.
Remember when pinging by computer names that you need to use the FQDN unless you have allowed NetBIOS translations over the VPN.

Also, can you clarify what you can ping via IP address?

As far as pinging the computers in the branch office, is the Computer Firewall active?

I would focus on getting the Branch offices to be able to Ping the Exchange server 1st.
Thank you for the response ahdfx!

If I ping from the Branch Office using the IP Address I am successful. I have tried pinging using just the computer name as well as the FQDN and was unsuccessful.

From the Branch Office I can ping any IP Address on the Corporate Subnet. I cannot ping using anything other than the IP Address.

From the Corporate Office I can ping the LAN IP of the Branch SonicWall but no other IP's.

The Computer Firewalls are active but I have even tried turning them off to no avail.

I can ping the Exchange Server from the Branch PC's, but Outlook says a connection to Exchange is not available.
What are the DNS servers for the Branch Office PC's?
The Branch Office DNS Servers are Dynamically Assigned by the ISP. I tried setting the DNS servers to Static and added the Corporate DNS as Primary but still got the same results.

Something is preventing DNS or NetBIOS information from getting back to the Branch Office from the Corporate Office. I just don't know what. All of the firewall policies are set to allow all traffic from Corporate to Branch.
ASKER CERTIFIED SOLUTION (ahdfx)
Alternatively, add a domain suffix registration in the TCP/IP settings of a host. This will allow FQDN resolution.
getzjd:
You don't have any other gateways at either site, do you? Is your default gateway at each site your SonicWall?

When you send a ping, look in the SonicWall logs of both firewalls; you should be looking for something like "ICMP packet dropped due to policy".

When you set up your source and destination networks on the VPN tunnel, what did you set (did you set ranges or an actual network like 192.168.1.0 255.255.255.0)? Are you trying to route all internet traffic from the branch site back across to the HQ and then out that firewall? If so, that setup takes a few more steps. If you are not wanting to send internet traffic across the VPN to HQ, make sure you do not have the "any address" radio button checked in the network settings of the SonicWall.

On the advanced tab on both ends make sure you have "enable keep alive" checked.

With a dynamic IP, you may want to set up Dynamic DNS under the Network settings in case your IP changes.
The other thing you can do that is helpful is to enable WAN management of the firewall to allow you to access that SonicWall remotely; however, once you do, you should go in and restrict the firewall rules to specific IPs on the internet that can manage it. For example, set the static IP of your HQ and maybe your house (if you have a static). This will allow you to troubleshoot and connect to the firewall if things like RDP or VPN are not working, yet block out the rest of the world from trying to hack the admin interface.
Changing the default HTTPS port to something other than the default 443 will help too. You'll have to change the port anyway if you're redirecting port 443 for a secure server or Exchange.
Thank you to all who posted suggestions. I modified the host file on one of the Branch PC's to include the LAN IP of the Exchange server. Now everything works as it should.

For further clarification, I added the following entries to the C:\Windows\System32\Drivers\etc\hosts file:

10.10.1.2        mail.mycompany.com
10.10.1.2        myservername.mycompany.com


Thanks again!
so, whenever your server name changes you're going to update hosts files on all your workstations?  also, shouldn't the MX record also resolve externally?
digitap,

I know it sounds absurd to modify the host file on each workstation, but there will never be more than 5 computers in this branch office. I can live with changing hosts files until another solution can be found.

The MX record can be resolved externally, but does not need to be resolved externally from inside the Branch office as long as the Site-to-Site is active. I understand this is going to create a single point of failure, but it is only a temporary fix until a permanent solution can be found.
The Branch Office PC's should either have their own local DNS server that gets updates from the Corp DNS server, or they just need to use the Corp DNS server for all DNS resolution.

The only problem with the 2nd option is that if the VPN is down, the branch office PCs cannot even get to the internet.

Glad the Hosts file works. Sounds like the Branch office PCs were going over the internet to get to Corp and Corp was answering back on the VPN.

The Hosts file is not bad, but like digitap states, if there are any changes on the Domain, you need to update all the Hosts files.

This is something you could handle with a bat file or script if you had to.
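The scripted hosts-file maintenance suggested above, as an added example that is not code from this thread: a small Python tool that rewrites the two entries the asker used (mail.mycompany.com and myservername.mycompany.com, both 10.10.1.2) idempotently, drops any stale line for the same names, validates the addresses, and preserves every other line. The sample hosts content, the stale 10.10.1.99 entry in it, and the function names are constructed for illustration; the Windows hosts path is the one named earlier in the thread.

```python
"""Idempotent hosts-file entry manager for a handful of branch-office PCs.

Works on text so it runs offline; write the result back to HOSTS_PATH
from an elevated prompt when deploying for real.
"""
import ipaddress
from typing import Dict, List, Optional

HOSTS_PATH = r"C:\Windows\System32\Drivers\etc\hosts"  # path quoted in the thread

# Constructed sample of a workstation hosts file (not a real capture).
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
10.10.1.99      mail.mycompany.com   # stale entry from an earlier server move
"""

# Entries the asker added, keyed by hostname.
WANTED = {
    "mail.mycompany.com": "10.10.1.2",
    "myservername.mycompany.com": "10.10.1.2",
}


def parse_hosts(text: str) -> List[dict]:
    """Split hosts text into records; comment and blank lines keep ip=None."""
    records = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()       # strip trailing comments
        fields = body.split()
        records.append({
            "raw": line,
            "ip": fields[0] if fields else None,
            "names": fields[1:],
        })
    return records


def resolve(text: str, name: str) -> Optional[str]:
    """First-match lookup, the way the stub resolver consults the hosts file."""
    target = name.lower()
    for rec in parse_hosts(text):
        if rec["ip"] and target in (n.lower() for n in rec["names"]):
            return rec["ip"]
    return None


def upsert_entries(text: str, wanted: Dict[str, str]) -> str:
    """Return hosts text in which every name in `wanted` maps to its IP.

    Managed names are removed from any existing line (case-insensitively)
    and re-added grouped by IP; all other lines are left byte-for-byte.
    Running it twice yields the same output, so it is safe as a login script.
    """
    for ip in set(wanted.values()):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    managed = {n.lower() for n in wanted}
    out = []
    for rec in parse_hosts(text):
        if rec["ip"] is None:
            out.append(rec["raw"])
            continue
        keep = [n for n in rec["names"] if n.lower() not in managed]
        if len(keep) == len(rec["names"]):
            out.append(rec["raw"])                 # line untouched by us
        elif keep:
            out.append(f"{rec['ip']:<16}{' '.join(keep)}")  # drop managed names
        # a line whose every name we manage is dropped and re-added below
    by_ip: Dict[str, List[str]] = {}
    for name, ip in wanted.items():
        by_ip.setdefault(ip, []).append(name)
    for ip, names in by_ip.items():
        out.append(f"{ip:<16}{' '.join(names)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Dry run on the constructed sample; replace with open(HOSTS_PATH) to deploy.
    print(upsert_entries(SAMPLE_HOSTS, WANTED))
```

Because stale lines for the managed names are removed rather than appended after, a later server move only needs the WANTED table changed and the script re-run from the same scheduled task or logon script on each branch PC.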
I would not have taken the route of modifying the hosts file.  That should only be used in very, very specific situations.  May the force of network maintenance and upkeep be with you :-)
you picked up on my point well enough.  as long as you understand the cons of a host file solution and it fits your particular scenario, then i won't worry about it...>GRIN<!
The remote office computers should definitely be pointing to the HQ office for DNS resolution.