cral asked:
SonicWall site-to-site VPN

Hi, I have two SonicWalls: a TZ200 at the main office and a TZ170 at the home office. The TZ200 has one static IP as its main WAN address, and the ISP has routed one more IP to that main IP address. The TZ170 is a site-to-site VPN, and the PCs at the home office get IPs from the DHCP server at the office, so the home PC/server is in the same range and subnet and uses the same gateway. The extra IP that is routed to the main WAN IP has a rule for connecting with HTTPS to the home office server/PC, but if I try to access https://z.z.z.z from the outside I get this error:

web access request dropped x.x.x.x, 23023, X1   y.y.y.y, 443, X1 TCP HTTPS

z.z.z.z is the extra IP that is routed to the WAN IP
x.x.x.x is the public IP of the outside computer
y.y.y.y is the home server/PC LAN address

If I change the firewall rule so it goes to a server at the office it's okay, but it can't reach the server that's on the other side of the VPN. It is not a problem, though, to connect to the home office server/PC from the office.
d3ath5tar replied:
If the addresses are the same at home and in the office, you would need to either change your home range and use DHCP on the home SonicWall, or NAT the addresses across the site-to-site connection.
cral (asker):
The server at the office has DHCP; the site-to-site VPN is configured so that all servers, PCs, printers etc. in use at the home office get IP addresses from that DHCP server, and that works 110% and everything is okay. You don't need to have different IP addresses at home if you have high quality hardware that can be configured for this type of use. I think the problem is that the SonicWall at the office sees the HTTPS traffic to the server at the home office as management traffic, since it needs to go in a "loop" at X1 (the WAN network) because of the externally routed extra IP address.

OFFICE
SonicWall TZ 200 Office
WAN: IP=x.x.160.138 GW=x.x.160.137 MASK=255.255.255.252
It uses NAT.
The ISP has routed a single address y.y.235.250 to the WAN IP x.x.160.138.
LAN: 192.168.1.1
VPN: site to site

Windows 2008 SBS
IP 192.168.1.10
DHCP 192.168.1.100-200

HOME
SonicWall TZ 100 Home office
WAN: dynamic IP
LAN: standard SonicWall IP 192.168.168.168, since it is not in use for anything other than configuration
VPN: site to site, and ALL clients get IPs from the remote DHCP server

Home clients and servers get IPs from the office DHCP server, and the home server gets the same IP all the time.

Everything works okay, and the only problem is when making a firewall rule that tells the routed y.y.235.250 address to be forwarded to the home server as HTTPS traffic.

I can forward HTTPS traffic to the office server from y.y.235.250.
I can forward HTTPS traffic to the home server from the WAN IP x.x.160.138.

The only problem is when forwarding HTTPS traffic from y.y.235.250 to the home server. I have added y.y.235.250 in ARP on the office SonicWall. So I think the problem has something to do with the SonicWall's HTTPS management, since that is turned off on the WAN side and I can't turn it on, because I already forward HTTPS traffic from the WAN (x.x.160.138) to the server at the office.
d3ath5tar replied:

Sorry, reading your original post I thought you meant you were using the same LAN addresses at both locations....

And if I am reading your second post correctly, you have a service externally on y.y.235.250 for which the back-end LAN server is actually in your home location across the VPN? y.y.235.250 is on your office SonicWall and x.x.160.138 is on your DSL router in front of the SonicWall?

If that is the case, you are looking at creating a NAT rule which basically says HTTPS on y.y.235.250 NAT to YourHomeServerLanIP.

cral (asker):
Yes, but all the NATs are correct and everything works; if I use some service other than HTTPS then everything works okay, so the only problem is to get HTTPS to forward over the VPN. I can change the service to SMTP, FTP or whatever and that works okay.
d3ath5tar replied:

Have you tried changing the port of the HTTPS management so it doesn't try and use 443?
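The thread's working hypothesis (cral's second post and the reply just above) is that the firewall drops the forwarded HTTPS because its destination port on the WAN interface is the same port the appliance reserves for HTTPS management. The script below is an added example, not code from the thread or from SonicWall: it parses the "web access request dropped" line quoted in the question and flags drops on a WAN interface whose destination port collides with a management port, so an administrator can separate "port reserved by the firewall" drops from ordinary access-rule drops before touching the NAT policy. The field order is taken from the quoted log line only; 443/80 as the default HTTPS/HTTP management ports and X1 as the WAN interface are assumptions you should adjust to your own configuration, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the drop message quoted in the question:
#   web access request dropped x.x.x.x, 23023, X1   y.y.y.y, 443, X1 TCP HTTPS
# Field order is taken from that single line; other SonicOS message layouts are not handled.
DROP_RE = re.compile(
    r"web access request dropped\s+"
    r"(?P<src_ip>[^,\s]+),\s*(?P<src_port>\d+),\s*(?P<src_if>\S+)\s+"
    r"(?P<dst_ip>[^,\s]+),\s*(?P<dst_port>\d+),\s*(?P<dst_if>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<service>\S+)"
)


@dataclass(frozen=True)
class DropEvent:
    src_ip: str
    src_port: int
    src_if: str
    dst_ip: str
    dst_port: int
    dst_if: str
    proto: str
    service: str


def parse_drop(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a 'web access request dropped' line, else None."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return DropEvent(
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        src_if=m["src_if"],
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
        dst_if=m["dst_if"],
        proto=m["proto"],
        service=m["service"],
    )


def classify_drop(ev: DropEvent, wan_ifaces=("X1",), mgmt_ports=(443, 80)) -> str:
    """Label a drop according to the thread's hypothesis.

    'management-port-conflict': dropped on a WAN interface with a destination port
    the firewall itself uses for management (assumed defaults: 443 HTTPS, 80 HTTP;
    pass your own values if the management ports were changed).
    'other': dropped for some other reason; check access rules and NAT policies.
    """
    if ev.dst_if in wan_ifaces and ev.dst_port in mgmt_ports:
        return "management-port-conflict"
    return "other"


# Constructed sample lines (documentation-range addresses, not values from the thread).
SAMPLE_LOG = """\
web access request dropped 203.0.113.5, 23023, X1   192.168.1.50, 443, X1 TCP HTTPS
web access request dropped 203.0.113.5, 23024, X1   192.168.1.50, 8443, X1 TCP HTTPS
Connection Opened 203.0.113.5, 23025, X1   192.168.1.10, 25, X1 TCP SMTP
"""


def triage(log_text: str) -> list[tuple[DropEvent, str]]:
    """Parse every drop line in log_text and attach a classification."""
    out = []
    for line in log_text.splitlines():
        ev = parse_drop(line)
        if ev is not None:
            out.append((ev, classify_drop(ev)))
    return out


if __name__ == "__main__":
    for ev, label in triage(SAMPLE_LOG):
        print(f"{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} on {ev.dst_if}: {label}")
```

A drop labelled "management-port-conflict" means the forwarded service and the appliance's own management listener share a port on the WAN side; the fix is then either moving the management port (as suggested above) or publishing the service on a different external port, whereas an "other" drop points at the access rule or NAT policy itself.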
ASKER CERTIFIED SOLUTION (cral):
cral (asker):

Couldn't solve it.