Solved

SonicWall Configuration for VPN Access

Posted on 2010-11-24
7
657 Views
Last Modified: 2012-05-10
We are attempting to force traffic over a (second) VPN from an outside agency. We re running a SonicWall NSA 240 and the agency is running a Cisco device.  The connection between us has been successfully established but, for example, FTP traffic never reaches the intended server. Here are the particulars:

a.      the VPN is established.
b.      The agency NATs all of their outbound traffic over a single IP
c.      The FTP server works over our own VPN or, if I turn it on, over the WAN interface. Accordingly, it also works for the agency (no surprise there) if that access rule is activated.
d.      An access rule (network) has been created to support the NAT-ed address over the VPN
e.      A firewall access rule has been created for:  VPN > LAN and VPN > WAN to the host for the agency network as well as VPN <-> WAN (X1 Subnet, both ways) to support the agency VPN connection.
f.      The appropriate protocols have been activated on the host and have been tested.

The agency performed a TRACERT and it would seem that they can get to our system, but I’m not seeing it on the firewall logs. They are reporting “connection refused”.

It would seem that we’re missing something simple.  I compared the settings with our existing VPN, and all is accounted for.  The biggest difference is that they are NAT-ing to a single address. Further, I’m not sure that will work when we bring on clients to access our applications.

Thanking you in advance for your insight.  Greatly appreciated.

Happy Thanksgiving!
0
Comment
Question by:MSConsulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34205431
hello - NAT'ing to a single IP should be fine.  i have several clients doing this over a VPN.  are you running any security services on the VPN zone?  IPS can block FTP traffic if configured to do so.
0
 

Author Comment

by:MSConsulting
ID: 34206146
Thanks for the quick response. No, I'm not running any security on the firewall/VPN zone(s).  Perhaps you could outline the steps necessary to set up the NSA so that I can support access to my servers over the VPN. Like I said, I set it up for our private network and it works fine.  It's a spoke-hub configuration, where the applications servers are at the hub and we're just adding another "spoke".

Cheers,
Marc
0
 
LVL 33

Expert Comment

by:digitap
ID: 34206347
OK...read through your particulars.  when setting up a VPN, you typically don't have to configure any firewall access rules.  default allows all of the hosts specified in the address object (group) of the VPN SA and any services.  i've gone back and tweaked the access rules to lock down services, but i don't do this often.

i need some clarification on the NAT part.  are they NAT'ing such that their network (Destination Networks) appears as a single IP address or your network (Local Networks) appears as a single IP address?

Are you performing any NAT work on your sonicwall?
0
Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

 

Author Comment

by:MSConsulting
ID: 34209211
Thanks again. I would have thought as much about VPNs (re: firewall access rules).  I will relook to see if I've compromised anyting in my setup.

They are NAT'ing so that their network looks like a single IP.  
Yes, we are performing some NAT'ing on our network. Specifically, the target server is NAT'ed to translate the public address to the private one. It might be helpful to know that they are using the server's public address when trying to engage its services.

Cheers,
M.
0
 
LVL 33

Accepted Solution

by:
digitap earned 250 total points
ID: 34209238
ok...getting a clearer picture.  NAT'ing as in WAN > LAN has nothing to do with VPN > LAN.  they SHOULD be using the private IP address of the server as it is on your LAN and NOT the public IP address.  doing so will not send the traffic over the VPN.

the address object representing the Destination Network should be the single IP address that they are NAT'ing their LAN to.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34415371
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question