KANEWONG

asked:
site to site vpn

Hi;

I just set up a site-to-site VPN between 2 offices; both are using SonicWall firewalls. From the HQ, I can ping the local LAN IP of the firewall at the remote office, and I can also manage the firewall there from HQ via the VPN tunnel, but I cannot ping one of the workstations there for a test. Any idea?

The testing host in the remote office has no desktop firewall blocking; the Windows firewall was disabled, and the gateway of the testing host has been pointed to the SonicWall LAN IP of the remote office too. I have only the default policy on both SonicWall firewalls, and I checked that there is a VPN->LAN policy in the remote office firewall that allows all traffic from the HQ source to the destination LAN subnet of the remote office.

What should I check?
gcl_hk

I would check the NAT settings on both sides' firewalls to make sure NAT is not involved for the VPN traffic.
Also, check the logs on the SonicWalls and see if they show anything...
KANEWONG (ASKER)

Hi;

At both sites, I found that "Enable NAT Traversal" is checked on both SonicWalls; should I disable it?
That should be OK to leave checked. From the remote SW, can you System->Diagnostics->Ping the local machine?
Yes, from the Diagnostic Ping tool on the SW, I can ping the local host.
Also, from the remote site, when another user did the test for me, he could ping my computer too.
Do you have the zone on the address objects correct for both SWs? LAN for the local subnet address object and VPN for the remote subnet address object? Do your VPN>LAN rules allow the remote subnet address object access on all services to the local subnet address object? And is there a corresponding LAN>VPN rule allowing the local subnet address object access on all services to the remote subnet address object? Is the default gateway of the remote computer the SW? If you tracert from the local computer to the remote computer, where does it time out? At the remote SW? When you ping the remote computer, are there any log entries showing up in the remote SW?
The rules are OK; I checked on both SWs, and they do have a rule for

VPN->LAN      SOURCE LAN             DEST LAN                ALLOW ALL SERVICE
LAN->VPN      SOURCE LAN             DEST LAN                ALLOW ALL SERVICE

On the remote SW, I just changed from LAN Subnets (address group) to LAN Primary Subnet (address object) to see how it works; because there is no one at the remote site to assist me with the test, I have to wait.
Do either of these SWs have support from SW? If it still doesn't work, you should definitely give them a call. They are not too bad on the phone and can remote in if you need....
Yes, I have support. I will test again tomorrow.
In my test, I can ping from the remote site to my head office; I can also ping a server like SharePoint, but I am not able to open the SharePoint page. Any idea?

I have all the default firewall rules configured for the VPN tunnel; on both SWs, I have these rules.

LAN - VPN allow all services, all hosts
VPN - LAN allow all services, all hosts
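To make the address-object advice in the thread concrete, here is an added example (not from the thread, and not SonicWall's own logic) that models zone-based rule matching in a simplified way: each address object carries a zone, and a rule matches only when the zone pair, source object, destination object and service all fit. The object names, subnets, host addresses and rule tuples are constructed; a real firewall derives the zone from the interface or tunnel the packet arrives on, whereas this model takes it from the object that contains the IP.

```python
import ipaddress

# Constructed address objects for the remote-office firewall: name -> (zone, subnet).
# Assumption for this model: a packet's zone is the zone of the object containing its IP.
ADDRESS_OBJECTS = {
    "HQ_LAN":     ("VPN", ipaddress.ip_network("10.1.0.0/24")),  # HQ subnet, reached via tunnel
    "REMOTE_LAN": ("LAN", ipaddress.ip_network("10.2.0.0/24")),  # this site's own LAN
}

def zone_of(ip):
    """Return the zone of the address object that contains ip (None if no object does)."""
    for zone, net in ADDRESS_OBJECTS.values():
        if ip in net:
            return zone
    return None

def evaluate(rules, src, dst, service):
    """First matching rule wins; returns (action, rule_index). Unmatched traffic is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zone_pair = (zone_of(src), zone_of(dst))
    for i, (from_zone, to_zone, src_obj, dst_obj, services, action) in enumerate(rules):
        if (from_zone, to_zone) != zone_pair:
            continue
        if src not in ADDRESS_OBJECTS[src_obj][1] or dst not in ADDRESS_OBJECTS[dst_obj][1]:
            continue
        if services != "ANY" and service not in services:
            continue
        return action, i
    return "DENY", None

# Rule tuples: (from_zone, to_zone, source_object, dest_object, services, action).
# As listed in the thread: the local LAN object on both ends of each rule, so HQ
# addresses arriving through the tunnel never match the source object.
AS_POSTED = [
    ("VPN", "LAN", "REMOTE_LAN", "REMOTE_LAN", "ANY", "ALLOW"),
    ("LAN", "VPN", "REMOTE_LAN", "REMOTE_LAN", "ANY", "ALLOW"),
]
# As the reply describes: the remote (HQ) subnet object lives in the VPN zone.
CORRECTED = [
    ("VPN", "LAN", "HQ_LAN", "REMOTE_LAN", "ANY", "ALLOW"),
    ("LAN", "VPN", "REMOTE_LAN", "HQ_LAN", "ANY", "ALLOW"),
]

def both_directions_allowed(rules, hq_host="10.1.0.10", remote_host="10.2.0.50", service="ICMP"):
    """True only if the service is allowed HQ->remote and remote->HQ, as the reply asks for."""
    inbound, _ = evaluate(rules, hq_host, remote_host, service)
    outbound, _ = evaluate(rules, remote_host, hq_host, service)
    return inbound == "ALLOW" and outbound == "ALLOW"

if __name__ == "__main__":
    print("as posted:", both_directions_allowed(AS_POSTED))   # False
    print("corrected:", both_directions_allowed(CORRECTED))   # True
```

Replacing `"ANY"` in a rule with a set such as `{"ICMP"}` reproduces the later symptom in the thread, where ping succeeds but HTTP to the SharePoint server does not.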
ASKER CERTIFIED SOLUTION
BWaring

KANEWONG (ASKER)
Not complete, but solved by myself.