jcwilets asked:
Can not see subnets across sonicwall Site to Site VPN

I have a small network in which there is a Dell PowerConnect switch acting as the default gateway. On the switch there are two VLANs, 192.168.10.0/24 and 192.168.0.0/24; the 10 network is for IP phones and the other for data. The data network is a Windows network with an SBS 2008 controlling DHCP and DNS. The SBS server IP is 192.168.0.2 and the Dell switch on the data VLAN is 192.168.0.254. The SBS DHCP scope is set to use the Dell switch as the default gateway, and SBS is also statically set to use the Dell switch as the gateway. The router to the internet is a SonicWall TZ 210 with a LAN IP of 192.168.0.1. Oh yeah, there is a route set on the Dell switch (0.0.0.0 0.0.0.0 192.168.0.1). Everything works internally in the office between the VLANs (there is a phone server at 192.168.10.10) and I can ping from 192.168.0.2 to 192.168.10.10 and vice versa.

The problem I am having is when I add a remote site connected with a site-to-site VPN from another SonicWall TZ180, I cannot see either subnet. The subnet of the remote site is 192.168.1.0/24. The site-to-site is up and I can ping from the remote site to 192.168.0.1 but nowhere else. I also noticed if I change the statically assigned gateway on the SBS then I can ping it from the remote site (seems anything on the data subnet with default gateway set to 192.168.0.1 responds to pings from the remote subnet). I have not been able to ping the Dell switch at 192.168.0.254 from the remote site.

The entire goal here is to get an IP phone working on the remote site which really just means it needs to see 192.168.10.10.

The Dell switch is where my expertise is a little lacking (this was set up by the phone vendor). I have access to it and have been able to play around with setting up routes and VLANs but I am not that familiar with it. The Dell switch is a PowerConnect 6224P.
ASKER CERTIFIED SOLUTION
kdearing

jcwilets (ASKER):

All subnets are added to the SonicWall as trusted subnets. What I just can't get over is that I cannot ping the Dell switch from the remote site; it just doesn't make sense. I have tried playing around with static routes on the SonicWall but just ran into dead ends. I have set up several site-to-site VPNs with SonicWalls with multiple subnets, so I am stuck thinking it is the Dell switch.
You may need to go into the security policies and specifically allow traffic between those subnets.
I actually tried that too. I know I am missing something simple but I just keep missing it. The subnets can see each other and I think the key is something to do with the switch being the default gateway. I can't explain why I can ping the SBS at 192.168.0.2 from the remote site when its default gateway is 192.168.0.1 and cannot ping it when its gateway is 192.168.0.254.
Definitely looks like a problem with the Dell's routing

On the Dell switch, double-check:
Default gateway; should be 192.168.0.1
Subnet mask; should be 255.255.255.0
Here is the Dell config.  Any thoughts on this would be appreciated:

!Current Configuration:
!System Description "PowerConnect 6224P, 2.2.0.3, VxWorks5.5.1"
!System Software Version 2.2.0.3
!
configure
vlan database
vlan  2,10,99,254
vlan association subnet 192.168.65.0 255.255.255.0 65
exit
stack
member 1 4
exit
ip address 192.168.99.254 255.255.255.0
ip default-gateway 192.168.99.254
ip address vlan 99
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1
bootpdhcprelay enable
bootpdhcprelay serverip 192.168.0.2
ip helper-address 192.168.10.254 192.168.0.2 37
ip helper-address 192.168.10.254 192.168.0.2 49
ip helper-address 192.168.10.254 192.168.0.2 137
ip helper-address 192.168.10.254 192.168.0.2 138
ip helper-address 192.168.254.1 192.168.254.254 37
ip helper-address 192.168.254.1 192.168.254.254 49
ip helper-address 192.168.254.1 192.168.254.254 137
ip helper-address 192.168.254.1 192.168.254.254 138
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 2
name "vpn"
routing
ip address  192.168.1.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 10
name "ShoreTel"
routing
ip address  192.168.10.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 99
name "Management"
exit
interface vlan 254
name "P2P"
routing
ip address  192.168.254.1  255.255.255.0
no ip proxy-arp
exit
username "admin" password b40b6ccca3e502d00861995886ef5b31 level 15 encrypted
!
interface ethernet 1/g1
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g2
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g3
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g4
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g5
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g6
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g7
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g8
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g9
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g10
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g11
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g12
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g13
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g14
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g15
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g16
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g17
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g18
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g19
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g20
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g21
no negotiation
speed 100
spanning-tree disable
spanning-tree portfast
switchport mode general
switchport general pvid 254
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 254
switchport general allowed vlan remove 1
exit
!
interface ethernet 1/g23
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g24
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
exit
You have the following in your config:

    ip default-gateway 192.168.99.254
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

The default-gateway statement should be removed.
If ip routing is enabled, you should use a "gateway of last resort" (ip route 0.0.0.0 0.0.0.0 x.x.x.x) instead.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml
thanks, will give a try tomorrow and let you know
Sorry for the delay. This did not work. If I remove the ip routing statement, all traffic on the switch stops.
Remove this:

    ip default-gateway 192.168.99.254

Keep these:

    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

Tried that too and it didn't work. Think I need to take a step back and start over. I have been trying too many things and think I am stepping on top of myself. One thing I did try with success was setting up the IPsec VPN client for the SonicWall. When the VPN connects it gets a DHCP address from the SBS, so it is on the same subnet. Then I add a static route on the SonicWall for the VPN traffic going to 192.168.10.0/24 to point to 192.168.0.254 and it works. Point is, I still think it is the Dell configuration that is the problem.
Well, I got it figured out. I decided to just start over. So I erased any of the configuration changes to the Dell and completely removed the VPN in the SonicWall. Set up the SonicWall VPN from scratch and added routes for the other subnet from the VPN. This is all it took - no configuration changes on the Dell switch. I thought I had done this before but guess not. Anyway, I awarded the points since you first suggested to check the SonicWall and that is indeed where the problem was.
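The config posted earlier in the thread defines interface vlan 2 with 192.168.1.254/24, the same prefix as the remote site, so the switch holds a connected route for 192.168.1.0/24 that is more specific than its 0.0.0.0/0 route to the SonicWall. Added example (not from the thread or either participant): a Python script that parses those route-creating lines into a table and runs a longest-prefix-match lookup, showing which path the switch would pick for a reply to a remote-site host; the remote host address is constructed.

```python
import ipaddress
import re

# Constructed excerpt of the PowerConnect config posted in the thread: only the
# lines that create routes (routed VLAN interfaces and the static default route).
DELL_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.0.1
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
exit
interface vlan 2
routing
ip address  192.168.1.254  255.255.255.0
exit
interface vlan 10
routing
ip address  192.168.10.254  255.255.255.0
exit
"""

def parse_routes(config):
    """Build a list of (network, how-reached) entries from PowerConnect-style text."""
    routes, iface = [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface vlan (\d+)$", line):
            iface = f"vlan {m.group(1)}"
        elif m := re.match(r"ip address\s+(\d[\d.]*)\s+(\d[\d.]*)$", line):
            # A routed interface address installs a connected route for its prefix.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, f"connected {iface}"))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, f"via {m.group(3)}"))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

if __name__ == "__main__":
    routes = parse_routes(DELL_CONFIG)
    remote_host = "192.168.1.20"  # constructed address at the TZ180 site
    # With vlan 2 present the /24 connected route beats the default; without it
    # the reply follows 0.0.0.0/0 to the SonicWall at 192.168.0.1.
    print(remote_host, "->", lookup(routes, remote_host))
    without_vlan2 = [r for r in routes if r[1] != "connected vlan 2"]
    print(remote_host, "->", lookup(without_vlan2, remote_host))
```

A host whose default gateway is the SonicWall itself never consults the switch's table, which is consistent with the observation that the SBS answered remote pings only after its gateway was changed to 192.168.0.1.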