Solved

Cannot see subnets across SonicWall site-to-site VPN

Posted on 2011-03-16
926 Views
Last Modified: 2012-05-11
I have a small network in which there is a Dell PowerConnect switch acting as the default gateway.  On the switch there are two VLANs, 192.168.10.0/24 and 192.168.0.0/24; the 10 network is for IP phones and the other for data.  The data network is a Windows network with an SBS 2008 controlling DHCP and DNS.  The SBS server IP is 192.168.0.2 and the Dell switch on the data VLAN is 192.168.0.254.  The SBS DHCP scope is set to use the Dell switch as the default gateway and SBS is also statically set to use the Dell switch as the gateway.  The router to the internet is a SonicWall TZ 210 with a LAN IP of 192.168.0.1.  Oh yeah, there is a route set on the Dell switch (0.0.0.0 0.0.0.0 192.168.0.1).  Everything works internally in the office between the VLANs (there is a phone server at 192.168.10.10) and I can ping from 192.168.0.2 to 192.168.10.10 and vice versa.

The problem I am having is when I add a remote site connected with a site-to-site VPN from another SonicWall TZ 180, I cannot see either subnet.  The subnet of the remote site is 192.168.1.0/24.  The site-to-site is up and I can ping from the remote site to 192.168.0.1 but nowhere else.  I also noticed if I change the statically assigned gateway on the SBS then I can ping it from the remote site (it seems anything on the data subnet with its default gateway set to 192.168.0.1 responds to pings from the remote subnet).  I have not been able to ping the Dell switch at 192.168.0.254 from the remote site.

The entire goal here is to get an IP phone working on the remote site which really just means it needs to see 192.168.10.10.

The Dell switch is where my expertise is a little lacking (this was set up by the phone vendor).  I have access to it and have been able to play around with setting up routes and VLANs but I am not that familiar with it.  The Dell switch is a PowerConnect 6224P.
Question by:jcwilets
12 Comments
 
LVL 13

Accepted Solution

by:
kdearing earned 500 total points
ID: 35153319
Make sure you add the other end's subnet(s) to the SonicWall as a trusted network.
 

Author Comment

by:jcwilets
ID: 35153402
All subnets are added to the SonicWall as trusted subnets.  What I just can't get over is that I cannot ping the Dell switch from the remote site; it just doesn't make sense.  I have tried playing around with static routes on the SonicWall but just ran into dead ends.  I have set up several site-to-site VPNs with SonicWalls with multiple subnets, so I am stuck thinking it is the Dell switch.
 
LVL 13

Expert Comment

by:kdearing
ID: 35153654
You may need to go into the security policies and specifically allow traffic between those subnets.
 

Author Comment

by:jcwilets
ID: 35156045
I actually tried that too.  I know I am missing something simple but I just keep missing it.  The subnets can see each other and I think the key is something to do with the switch being the default gateway.  I can't explain why I can ping the SBS at 192.168.0.2 from the remote site when its default gateway is 192.168.0.1 and cannot ping it when its gateway is 192.168.0.254.
 
LVL 13

Expert Comment

by:kdearing
ID: 35157894
Definitely looks like a problem with the Dell's routing.

On the Dell switch, double-check:
Default gateway; should be 192.168.0.1
Subnet mask; should be 255.255.255.0
 

Author Comment

by:jcwilets
ID: 35160415
Here is the Dell config.  Any thoughts on this would be appreciated:

!Current Configuration:
!System Description "PowerConnect 6224P, 2.2.0.3, VxWorks5.5.1"
!System Software Version 2.2.0.3
!
configure
vlan database
vlan  2,10,99,254
vlan association subnet 192.168.65.0 255.255.255.0 65
exit
stack
member 1 4
exit
ip address 192.168.99.254 255.255.255.0
ip default-gateway 192.168.99.254
ip address vlan 99
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1
bootpdhcprelay enable
bootpdhcprelay serverip 192.168.0.2
ip helper-address 192.168.10.254 192.168.0.2 37
ip helper-address 192.168.10.254 192.168.0.2 49
ip helper-address 192.168.10.254 192.168.0.2 137
ip helper-address 192.168.10.254 192.168.0.2 138
ip helper-address 192.168.254.1 192.168.254.254 37
ip helper-address 192.168.254.1 192.168.254.254 49
ip helper-address 192.168.254.1 192.168.254.254 137
ip helper-address 192.168.254.1 192.168.254.254 138
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 2
name "vpn"
routing
ip address  192.168.1.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 10
name "ShoreTel"
routing
ip address  192.168.10.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 99
name "Management"
exit
interface vlan 254
name "P2P"
routing
ip address  192.168.254.1  255.255.255.0
no ip proxy-arp
exit
username "admin" password b40b6ccca3e502d00861995886ef5b31 level 15 encrypted
!
interface ethernet 1/g1
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g2
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g3
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g4
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g5
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g6
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g7
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g8
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g9
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g10
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g11
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g12
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g13
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g14
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g15
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g16
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g17
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g18
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g19
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g20
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g21
no negotiation
speed 100
spanning-tree disable
spanning-tree portfast
switchport mode general
switchport general pvid 254
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 254
switchport general allowed vlan remove 1
exit
!
interface ethernet 1/g23
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g24
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
exit
 
LVL 13

Expert Comment

by:kdearing
ID: 35161117
You have the following in your config:

    ip default-gateway 192.168.99.254
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

The default-gateway statement should be removed.
If ip routing is enabled, you should use a "gateway of last resort" (ip route 0.0.0.0 0.0.0.0 x.x.x.x) instead.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml
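To make the route selection on the Dell concrete, here is an added example (not code from the thread or from Dell) that builds a routing table from the interface and static-route lines of the configuration posted above and performs the longest-prefix-match lookup a router performs. The config excerpt embedded in the script is copied from the posted configuration; the destination addresses looked up are constructed for illustration. It models only what kdearing points at (the 0.0.0.0/0 static route as gateway of last resort), not the separate `ip default-gateway` statement. One thing the lookup makes visible is that the posted config gives VLAN 2 ("vpn") the address 192.168.1.254/24, the same prefix as the remote site, so from the switch's point of view 192.168.1.0/24 is a connected network and a reply to a remote address is sent out VLAN 2 rather than to the SonicWall at 192.168.0.1.

```python
import ipaddress

# Excerpt of the PowerConnect 6224P configuration posted in the thread,
# keeping only the lines that shape the switch's routing table.
DELL_CONFIG = """\
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
exit
interface vlan 2
name "vpn"
routing
ip address  192.168.1.254  255.255.255.0
exit
interface vlan 10
name "ShoreTel"
routing
ip address  192.168.10.254  255.255.255.0
exit
interface vlan 254
name "P2P"
routing
ip address  192.168.254.1  255.255.255.0
exit
"""


def parse_routes(config):
    """Return (prefix, next hop or interface, kind) entries.

    'ip address' inside an 'interface vlan' block yields a connected route;
    'ip route' yields a static route.  Other lines are ignored.
    """
    routes = []
    vlan = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["interface", "vlan"]:
            vlan = int(parts[2])
        elif parts[0] == "exit":
            vlan = None
        elif parts[:2] == ["ip", "address"] and vlan is not None:
            iface = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            routes.append((iface.network, f"vlan {vlan}", "connected"))
        elif parts[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")
            routes.append((net, parts[4], "static"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def without_interface(routes, name):
    """Routing table as it would look with one VLAN's IP address removed."""
    return [r for r in routes if r[1] != name]


if __name__ == "__main__":
    table = parse_routes(DELL_CONFIG)
    # Constructed destinations: a remote-site host, an internet host,
    # and the phone server named in the question.
    for dst in ("192.168.1.10", "8.8.8.8", "192.168.10.10"):
        prefix, via, kind = lookup(table, dst)
        print(f"{dst:<14} -> {prefix} via {via} ({kind})")
    prefix, via, kind = lookup(without_interface(table, "vlan 2"), "192.168.1.10")
    print(f"without vlan 2: 192.168.1.10 -> {prefix} via {via} ({kind})")
```

Run as-is it prints that 192.168.1.10 resolves to the connected 192.168.1.0/24 on vlan 2, 8.8.8.8 to the 0.0.0.0/0 static route via 192.168.0.1, and 192.168.10.10 to vlan 10; with the VLAN 2 address taken out of the table, 192.168.1.10 falls through to the gateway of last resort instead.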
 

Author Comment

by:jcwilets
ID: 35162333
Thanks, will give it a try tomorrow and let you know.
 

Author Comment

by:jcwilets
ID: 35182402
Sorry for the delay.  This did not work.  If I remove the ip routing statement all traffic on the switch stops.
 
LVL 13

Expert Comment

by:kdearing
ID: 35189590
Remove this:

    ip default-gateway 192.168.99.254

Keep these:

    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

 

Author Comment

by:jcwilets
ID: 35192887
Tried that too and it didn't work.  Think I need to take a step back and start over.  I have been trying too many things and think I am stepping on top of myself.  One thing I did try with success was setting up the IPsec VPN client for the SonicWall.  When the VPN connects it gets a DHCP address from the SBS so it is on the same subnet.  Then I add a static route on the SonicWall for the VPN traffic going to 192.168.10.0/24 to point to 192.168.0.254 and it works.  Point is, I still think it is the Dell configuration that is the problem.
 

Author Closing Comment

by:jcwilets
ID: 35209577
Well, I got it figured out.  I decided to just start over.  So I erased any of the configuration changes to the Dell and completely removed the VPN in the SonicWall.  Set up the SonicWall VPN from scratch and added routes for the other subnet from the VPN.  This is all it took: no configuration changes on the Dell switch.  I thought I had done this before but guess not.  Anyway, I awarded the points since you first suggested checking the SonicWall and that is indeed where the problem was.