sonicwall site to site vpn

Posted on 2011-05-05
Medium Priority
Last Modified: 2012-05-11
Hi, I have two SonicWalls: a TZ200 at the main office and a TZ170 at the home office. The TZ200 has one static IP as its main WAN, and the ISP has routed one more IP to the main IP address. The TZ170 is a site-to-site VPN, and the PCs at the home office get IPs from the DHCP server at the office, so the home PC/server is in the same range and subnet and uses the same gateway. The extra IP that is routed to the main WAN IP has a rule for connecting with HTTPS to the home office server/PC, but if I try to access https://z.z.z.z from the outside I get this error:

web access request dropped x.x.x.x, 23023, X1   y.y.y.y, 443, X1 TCP HTTPS

z.z.z.z is the extra IP that is routed to the WAN IP
x.x.x.x is the public IP of the outside computer
y.y.y.y is the home server/PC LAN address

If I change the firewall rule so it goes to a server at the office it's okay, but it can't reach the server that's on the other side of the VPN. There is no problem connecting to the home office server/PC from the office, though.
Question by: cral
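The drop line quoted in the question is the only hard evidence in the thread, so a small triage script is useful when looking at a batch of such entries. This is an added example, not code from the thread or from SonicWall; it assumes the one-line format shown above (source IP, port, interface; destination IP, port, interface; protocol; service) and uses constructed sample lines with RFC 5737 documentation addresses. It flags drops that match the pattern discussed here: destination port equal to the firewall's HTTPS management port while the egress interface is the WAN interface the VPN tunnel rides on.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the format quoted in the question.
# Line 1 mirrors the question: LAN address of the home server, egress X1 (VPN-bound).
# Line 2 is a host on the office LAN (egress X0); line 3 uses a non-management port.
SAMPLE_LOG = """\
web access request dropped 198.51.100.7, 23023, X1   192.168.1.50, 443, X1 TCP HTTPS
web access request dropped 198.51.100.7, 23024, X1   192.168.1.20, 443, X0 TCP HTTPS
web access request dropped 198.51.100.9, 40001, X1   192.168.1.50, 8443, X1 TCP HTTPS
some unrelated log line that should be skipped
"""

LINE_RE = re.compile(
    r"web access request dropped\s+"
    r"(?P<src_ip>[\d.]+),\s*(?P<src_port>\d+),\s*(?P<src_if>\w+)\s+"
    r"(?P<dst_ip>[\d.]+),\s*(?P<dst_port>\d+),\s*(?P<dst_if>\w+)\s+"
    r"(?P<proto>\w+)\s+(?P<service>\w+)"
)


@dataclass
class Drop:
    src_ip: str
    src_port: int
    src_if: str
    dst_ip: str
    dst_port: int
    dst_if: str
    proto: str
    service: str


def parse_drop(line):
    """Parse one 'web access request dropped' line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Drop(g["src_ip"], int(g["src_port"]), g["src_if"],
                g["dst_ip"], int(g["dst_port"]), g["dst_if"],
                g["proto"], g["service"])


def classify(drop, mgmt_port=443, wan_if="X1"):
    """Label a drop. 'management-port-collision' is the hypothesis from the thread:
    the destination port is the HTTPS management port and the packet would leave
    on the WAN interface (where the VPN tunnel terminates), so the box may have
    treated it as a management request instead of forwarding it."""
    if drop.dst_port == mgmt_port and drop.dst_if == wan_if:
        return "management-port-collision"
    return "other"


def triage(text, mgmt_port=443, wan_if="X1"):
    """Return (destination IP, label) for every parseable drop line in text."""
    drops = (parse_drop(line) for line in text.splitlines())
    return [(d.dst_ip, classify(d, mgmt_port, wan_if)) for d in drops if d]
```

Re-running `triage(SAMPLE_LOG, mgmt_port=8443)` after the management port has been moved shows which entries would then fall into the collision bucket instead.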

Expert Comment

ID: 35698798
If the addresses are the same at home and in the office, you would need to either change your home range and use DHCP on the home SonicWall, or NAT the addresses across the site-to-site connection.

Author Comment

ID: 35699180
The server at the office has DHCP. The site-to-site VPN is configured so that all servers, PCs, printers etc. in use at the home office get IP addresses from that DHCP server, and that works 110% and everything is okay. You don't need to have different IP addresses at home if you have high-quality hardware that can be configured for this type of use. I think the problem is that the SonicWall at the office sees the HTTPS traffic to the server at the home office as management traffic, since it needs to go in a "loop" on X1 (WAN network) because of the externally routed extra IP address.

SonicWall TZ 200, office
WAN: IP=x.x.160.138 GW=x.x.160.137 MASK=
It uses NAT.
The ISP has routed a single address y.y.235.250 to the WAN IP x.x.160.138.
VPN: site to site

Windows 2008 SBS

SonicWall TZ 100, home office
WAN: dynamic IP
LAN: standard SonicWall IP, since it is not in use for anything other than configuration
VPN: site to site, and ALL clients get IPs from the remote DHCP server

Home clients and servers get IPs from the office DHCP server, and the home server gets the same IP all the time.

Everything works okay, and the only problem is when making a firewall rule that tells the routed y.y.235.250 address to be forwarded to the home server as HTTPS traffic.

I can forward HTTPS traffic to the office server from y.y.235.250.
I can forward HTTPS traffic to the home server from the WAN IP x.x.160.138.

The only problem is when forwarding HTTPS traffic from y.y.235.250 to the home server. I have added y.y.235.250 in ARP on the office SonicWall. So I think the problem has something to do with the SonicWall's HTTPS management, since that's turned off on the WAN side and I can't turn it on because I already forward HTTPS traffic from the WAN (x.x.160.138) to the server at the office.

Expert Comment

ID: 35699649
Sorry, reading your original post I thought you meant you were using the same LAN addresses at both locations...

And if I am reading your second post correctly, you have a service externally on y.y.235.250 for which the back-end LAN server is actually at your home location across the VPN? y.y.235.250 is on your office SonicWall and x.x.160.138 is on your DSL router in front of the SonicWall?

If that is the case, you are looking at creating a NAT rule which basically says HTTPS on y.y.235.250 NAT to YourHomeServerLanIP.

Author Comment

ID: 35701144
Yes, but all the NATs are correct and everything works. If I use some other service than HTTPS then everything works okay, so the only problem is getting HTTPS to forward over the VPN. I can change the service to SMTP, FTP or whatever and that works okay.

Expert Comment

ID: 35702245
Have you tried changing the port of the HTTPS management so it doesn't try to use 443?

Accepted Solution

cral earned 0 total points
ID: 35825676
Moved the server to the office, workaround :-)

Author Closing Comment

ID: 35868938
Couldn't solve it.
