site to site vpn
KANEWONG asked:
Hi;
I just set up a site-to-site VPN between 2 offices; both are using SonicWall firewalls. From the HQ, I can ping the local LAN IP on the firewall at the remote office and I can also manage the firewall there from HQ via the VPN tunnel, but I cannot ping one of the workstations there for a test. Any idea?
The testing host in the remote office has no desktop firewall blocking; the Windows firewall is disabled and the gateway of the testing host has been pointed to the SonicWall LAN IP of the remote office too. I have only the default policy on both SonicWall firewalls, and I checked that there is a VPN->LAN policy on the remote office firewall that allows all traffic from the HQ source to the destination LAN subnet of the remote office.
What should I check?
I would check the NAT settings on the firewalls at both sides to make sure NAT is not involved for the VPN traffic.
Also, check the logs on the SonicWalls and see if it shows anything...
ASKER
Hi;
At both sites, I found that "Enable NAT Traversal" is checked on both SonicWalls; should I disable it?
That should be ok to leave checked. From the remote SW, can you System->Diagnostics->Ping to the local machine?
ASKER
Yes, from the Diagnostic Ping tool on SW, I can ping the local host.
ASKER
Also, from the remote site, when another user does the test for me, he can ping my computer too.
You have the zone on the address objects correct for both SW? LAN for the local subnet address object and VPN for the remote subnet address object? Your VPN>LAN rules allow the remote subnet address object access on all services to the local subnet address object? And there is a corresponding LAN>VPN rule allowing the local subnet address object access on all services to the remote subnet address object? The default gw of the remote computer is the SW? If you tracert from the local computer to the remote computer, where does it time out? At the remote SW? When you ping the remote computer, are there any log entries showing up in the remote SW?
ASKER
The rules are OK; I checked on both SW, and they do have a rule for
VPN->LAN SOURCE LAN DEST LAN ALLOW ALL SERVICE
LAN->VPN SOURCE LAN DEST LAN ALLOW ALL SERVICE
On the remote SW, I just changed from LAN Subnets (address group) to LAN Primary Subnet (address object) to see how it works. Because there is no one at the remote site to assist me with the test, I have to wait.
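The reply above lists the things to verify on each SonicWall (zone of each address object, a VPN->LAN rule from the remote subnet to the local subnet, a LAN->VPN rule the other way), and the listing just posted shows rules with LAN on both ends. As an added example that is not from any participant in this thread and not SonicWall's own configuration format, the Python below models address objects and access rules in a simplified, hypothetical form and runs that checklist against two constructed rule sets: one written the way the listing reads, and one written the way the reply describes. The subnets 10.20.0.0/24 (remote office) and 10.10.0.0/24 (HQ) and the object names are invented.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical, simplified model of address objects and access rules
# (constructed for this example; not SonicWall's own configuration format).

@dataclass(frozen=True)
class AddressObject:
    name: str
    zone: str      # zone the object is assigned to, e.g. "LAN" or "VPN"
    subnet: str    # CIDR the object represents


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    source: str        # address object name
    destination: str   # address object name
    service: str = "Any"
    action: str = "Allow"


def check_site_to_site(objects, rules, local_subnet, remote_subnet):
    """Apply the checklist to one firewall and return the list of findings.

    local_subnet  - this firewall's own LAN (should live in a LAN-zone object)
    remote_subnet - the other site's LAN (should live in a VPN-zone object)
    An empty list means every item on the checklist passed.
    """
    findings = []
    by_name = {o.name: o for o in objects}
    local, remote = ip_network(local_subnet), ip_network(remote_subnet)

    # 1. Zone assignment of the address objects.
    for obj in objects:
        net = ip_network(obj.subnet)
        if net == local and obj.zone != "LAN":
            findings.append(f"{obj.name}: local subnet is in zone {obj.zone}, expected LAN")
        if net == remote and obj.zone != "VPN":
            findings.append(f"{obj.name}: remote subnet is in zone {obj.zone}, expected VPN")

    def covers(obj_name, net):
        obj = by_name.get(obj_name)
        return obj is not None and net.subnet_of(ip_network(obj.subnet))

    def allowed(from_zone, to_zone, src_net, dst_net):
        return any(
            r.from_zone == from_zone and r.to_zone == to_zone
            and r.action == "Allow" and r.service == "Any"
            and covers(r.source, src_net) and covers(r.destination, dst_net)
            for r in rules
        )

    # 2. VPN->LAN: the remote subnet may reach the local subnet on all services.
    if not allowed("VPN", "LAN", remote, local):
        findings.append("missing VPN->LAN Allow rule: remote subnet -> local subnet, all services")
    # 3. LAN->VPN: the local subnet may reach the remote subnet on all services.
    if not allowed("LAN", "VPN", local, remote):
        findings.append("missing LAN->VPN Allow rule: local subnet -> remote subnet, all services")
    return findings


# Constructed sample for the remote-office firewall: its own LAN is
# 10.20.0.0/24 and HQ's LAN is 10.10.0.0/24 (both invented).
REMOTE_LAN, HQ_LAN = "10.20.0.0/24", "10.10.0.0/24"


def rules_as_posted():
    """Both rules name the LAN subnet on both ends, as the posted listing reads."""
    objects = [AddressObject("LAN Subnets", "LAN", REMOTE_LAN),
               AddressObject("HQ Subnet", "LAN", HQ_LAN)]   # remote subnet in the wrong zone too
    rules = [AccessRule("VPN", "LAN", "LAN Subnets", "LAN Subnets"),
             AccessRule("LAN", "VPN", "LAN Subnets", "LAN Subnets")]
    return check_site_to_site(objects, rules, REMOTE_LAN, HQ_LAN)


def rules_corrected():
    """Remote subnet object in the VPN zone; each rule runs between the two objects."""
    objects = [AddressObject("LAN Subnets", "LAN", REMOTE_LAN),
               AddressObject("HQ Subnet", "VPN", HQ_LAN)]
    rules = [AccessRule("VPN", "LAN", "HQ Subnet", "LAN Subnets"),
             AccessRule("LAN", "VPN", "LAN Subnets", "HQ Subnet")]
    return check_site_to_site(objects, rules, REMOTE_LAN, HQ_LAN)


if __name__ == "__main__":
    print("as posted:", rules_as_posted())
    print("corrected:", rules_corrected())
```

Run against the first rule set the checker reports three findings (remote subnet object in the LAN zone, and neither rule covers the remote subnet on the far end); against the second it reports none. The same function can be run on the HQ firewall by swapping which subnet is local and which is remote.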
Do either of these SWs have support from SW? If it still doesn't work, you should definitely give them a call. They are not too bad on the phone and can remote in if you need....
ASKER
Yes, I have support. I will test again tomorrow.
ASKER
In my test, I can ping from the remote site to my head office, and I can also ping the server, like SharePoint, but I am not able to open the SharePoint page. Any idea?
I have all the default rules of the firewall configured for the VPN tunnel; on both SW, I have these rules.
LAN - VPN allow all services, all hosts
VPN - LAN allow all services, all hosts
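The thread does not say why the SharePoint page failed to load while ping succeeded. As an added example that is not from any participant, the Python below separates the stages a web page needs beyond ICMP (name resolution, TCP connect, an HTTP response line) so the first stage that fails points at the layer to look at. The offline demonstration uses a throwaway listener on 127.0.0.1 in place of the web server and a port nothing listens on; both are constructed for the example.

```python
import socket
import threading
from contextlib import closing


def probe_http(host, port, timeout=3.0):
    """Walk the application path in stages and report how far it gets:
    name resolution -> TCP connect -> HTTP response line.
    A successful ping only proves ICMP crosses the tunnel; a web page needs
    all three stages, so the first False tells you which layer to look at."""
    result = {"resolved": False, "connected": False, "http_response": False, "detail": ""}
    try:
        sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
        result["resolved"] = True
    except socket.gaierror as exc:
        result["detail"] = f"name resolution failed: {exc}"
        return result
    try:
        with closing(socket.create_connection(sockaddr[:2], timeout=timeout)) as s:
            result["connected"] = True
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            first = s.recv(64)
            result["http_response"] = first.startswith(b"HTTP/")
            result["detail"] = first.split(b"\r\n", 1)[0].decode(errors="replace")
    except OSError as exc:
        result["detail"] = f"TCP/HTTP stage failed: {exc}"
    return result


def _answer_once(listener):
    """Throwaway stand-in for the web server: one request, one 200 response."""
    conn, _ = listener.accept()
    with closing(conn):
        conn.recv(1024)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")


def demo_offline():
    """Constructed offline demonstration on 127.0.0.1: one probe against a
    listener that answers, one against a port nothing listens on."""
    with closing(socket.socket()) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        answering_port = listener.getsockname()[1]
        worker = threading.Thread(target=_answer_once, args=(listener,), daemon=True)
        worker.start()
        answering = probe_http("127.0.0.1", answering_port)
        worker.join(5)
    with closing(socket.socket()) as spare:
        spare.bind(("127.0.0.1", 0))
        closed_port = spare.getsockname()[1]   # released when the socket closes
    refused = probe_http("127.0.0.1", closed_port)
    return {"answering": answering, "refused": refused}


if __name__ == "__main__":
    for name, outcome in demo_offline().items():
        print(name, outcome)
```

Against a real server you would call probe_http with the SharePoint host name and port 80 or 443 from a host on the remote LAN; "resolved" False points at DNS across the tunnel, "connected" False at a firewall rule or routing on the TCP path, and "http_response" False at the server or something between it and the tunnel.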
ASKER CERTIFIED SOLUTION
ASKER
Not complete, but solved by myself.