Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Sonicwall firewall question

Posted on 2011-02-18
12
489 Views
Last Modified: 2012-05-11
Setup:

Site A: 192.168.200.0
Sonicwall Pro 2040 with a site to site VPN to site B (only the 192.168.175.0 network connected)

Site B: 192.168.175.0
Sonicwall NSA 240 (192.168.175.253).  This Sonicwall is only used to scan traffic, all routing is done from a Cisco router (192.168.175.1) sitting behind it.  The router is used to connect to remote branches on different subnets.  I want to make it so that I am able to see those remote subnets from site A: through site B: (ie 192.168.123.0)

I created a route in the site A sonicwall that says 192.168.123.0 traffic point to 192.168.175.1 (its pingable) WAN zone.  I still can't see it.  If I add to connectable networks in the VPN setup, the VPN never establishes.

How can I make 192.168.123.0 reachable?

Hmm... come to think of it, perhaps I need to contact the cisco guy and ask him to add a route that says all traffic from 192.168.200.0 pass to the NSA 240?
0
Comment
Question by:GDavis193
  • 5
  • 4
  • 3
12 Comments
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34928453
You will need to have 192.168.123 defined on your IPsec selectors for phase 2 on both ends.  Route statements won't be required on the VPN termination points. The Cisco or anything else downstream will definitely need a route statement.
0
 

Author Comment

by:GDavis193
ID: 34928486
"You will need to have 192.168.123 defined on your IPsec selectors for phase 2 on both ends"

? I don't follow.  Phase 2 only has settings for Protocol, encryption, and authentication for ipsec.

0
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34930188
This is why I have GUI based firewalls.....

So, phase 2 of IPsec includes the negotiation of what networks will be allowed to pass across the tunnel.  If the two ends don't have a match setting of network rules then the tunnel will fail to establish.  This is an IPSec thing and doesn't matter brand, make or model.

On a Sonicwall you typically to go Networks--Zones and create a zone for the VPN connection.  You then have to go to Firewall--Access Rules and set the allow/deny conditions for that zone.  This is were you will need to define the 192.168.123 range.

I am not nearly as familiar with Sonicwall as I am with Cisco and Adtran, but ipsec conditions are standards based and always the same.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 

Author Comment

by:GDavis193
ID: 34930389
So you're saying this is an access rule and not a route?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34934865
i'm having a hard time picturing your network config.  what i think i'm seeing is your have your sonicwall as the firewall with a public IP on the WAN interface.  then, you have a cisco with a LAN interface on the same network as your sonicwall LAN interface.  the cisco is routing intranet traffic to remote sites, right?  what's establishing the VPN, the cisco or the sonicwall?  i think if i understood this, the answer would be more clear.
0
 
LVL 3

Accepted Solution

by:
Rick_at_ptscinti earned 500 total points
ID: 34935281
"So you're saying this is an access rule and not a route?"

Yes,  You can define routes when doing VPN with SonicWall routers but typically you don't need to.  The router know the route because it is part of the access rule used to establish the VPN tunnel.  It's kind of the same concept as locally connected networks.  You don't have to define routes because the router know about them inherently and therefore route statements aren't needed.  Route statements are only needed for networks that the router is not aware of.
0
 

Author Comment

by:GDavis193
ID: 34935333
digittap - We have a cisco router actiing as the 'core' router.  It''s responsible for routing all traffic between the main and remote branches  (MPLS cloud).  It takes any data destined for the internet and passes through the Sonicwall (firewall).  We have a Pro2040 at our office (we are the IT support staff) and have a site to site VPN to the main office.  I am able to see the main office's local network but not the networks the cisco router knows about (the remote sites).  There is a route to pass all traffic going to 192.168.200.x (our local network - IT staff) to the sonicwall.

I figured it out.  If this is what Rick was saying - I apologize because I did not get this from his posts.

I had to create an access group and add all of the remote network (address object) to this group along with the X0 (local lan interface).  Then, when modifying the VPN connection from the NSA 240 - I changed the 'local network object from X0 (LAN) to this new new group.  I then modified the Pro2040 VPN connection (its running standard OS) to include the destination networks of the remote offices.

Works perfectly.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34935402
yup...that's it.  thanks for clarifying the question for me and glad it's working!
0
 
LVL 33

Expert Comment

by:digitap
ID: 34935408
one more thing, you'll want to add routes to the sonicwall for the networks that the cisco knows about that the sonicwall does not.  using the cisco as the gateway for those MPLS networks.
0
 

Author Comment

by:GDavis193
ID: 34935746
digitap - I had site to site VPN's to these remote sites before so they were part of the VPN group.  What I did was just simply change to them to the LAN group and added them to an access group called <company name local subnet> along with X0 and then added that to the VPN tunnel as the primary local network.  I didn't have to add any routes.  The cisco router was already configured to pass all (my company) traffic to the sonicwall so it's all working.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34935748
@GDavis :: thanks for the extra info...glad it's working!
0
 

Author Closing Comment

by:GDavis193
ID: 35065923
not 100% right on but pointing in the correct direction./
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
fabric 1 31
Multiple MPLS Circuits Connecting to LAN 3 43
Windows Server to Cisco switch connectivity 10 72
Use multiple VLANs on the same interface on a Cisco 877 4 44
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question