Solved

Sonicwall NSA 2400: Management

Posted on 2011-10-12
1,598 Views
Last Modified: 2013-11-16
I recently deployed four Sonicwall NSA 2400 units to multiple physical locations all connected over a fiber network. Each site has its own LAN subnet:

Site 1: 172.20.10.x
Site 2: 172.20.50.x
Site 3: 172.20.80.x
Site 4: 172.20.110.x

All servers, computers, and resources are accessible from any other location (I can ping and log into servers at Site 3 from Site 1 for example.) However, I cannot ping or access any Sonicwalls in other buildings. For example: if physically at Site 2, I can go to http://172.20.50.1 and log into the management interface. If at another site, I cannot access or ping the firewall at that Site 2.

In the firewall rules, it appears that 4 rules were automatically generated by the device and cannot be edited. There is one for PING and another for HTTP management. Both are set up in the following manner:  From LAN --> LAN,  ANY source, Management IP destination, (PING or HTTP Management) as the service, traffic is set to ALLOW.

How can I allow these other sites to manage / ping the Sonicwalls at the other sites?
Question by:Ad-Apex
8 Comments
 
LVL 20

Expert Comment

by:carlmd
ID: 36961376
Under Network -> Interfaces select configure for X1 (Default WAN) or other X? interface you are using. On the General tab look for the line with Management and make sure the box for https and ping (if you want it) are checked.

0
 

Author Comment

by:Ad-Apex
ID: 36961588
I already have those checked. Here's a screenshot of all configurations related to what I mentioned in my original post and your suggestion; perhaps it would be easier to have something for people to look at.

[Attached screenshots: "Network Interfaces" and "The auto-created HTTP management rule"]
0
 
LVL 20

Expert Comment

by:carlmd
ID: 36961800
In your example, it appears you are using the Sonicwall LAN interface of the sites. Try using the WAN interface IP in your HTTP URL.

If that does not work, it could be that all http traffic is being routed over the VPN connection. Given that, you cannot reach the other sites unless you define routes to them. Try running a traceroute from another site to the Site 2 firewall. Also do the same thing for a pc at Site 2. How far do you get?
0
 

Author Comment

by:Ad-Apex
ID: 36961913
Here's the problem, though I am not sure how to fix it. In the logs I see warnings when I try to connect that say "Alert, Intrusion Protection, IP spoof dropped" and it lists the IP address of the remote system I am trying to use to log in.
0
 

Author Comment

by:Ad-Apex
ID: 36961942
Got it. I think this explains it all for me:

"Another cause of IP spoof messages is the existence of additional subnets on the LAN. In a standard setup, the SonicWall will only recognize the subnet of its LAN IP address as being valid. If there are additional subnets connected to the LAN, in the SonicWALL you must create a route policy for those networks."

So since I essentially want to be able to remotely administer the Sonicwall from any subnet within 172.20.0.0, I need to set this up to be allowed.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 36962193
Check Help for the following topic on the Sonicwall to configure....

Route Entries for Different Network Segments
0
 

Accepted Solution

by: Ad-Apex (earned 0 total points)
ID: 37133188
I searched for a solution as recommended by carlmd but didn't find what I was looking for. I eventually received help from a Sonicwall forum moderator who gave me the following solution, which I will share with the community:

On the appliance you want to manage remotely from another subnet:
Network --> Routing --> Add...
This will produce a window asking for information. Provide the following:
Source: Any
Destination: Create a new address object for the remote network you want to manage FROM.
Service: Any
Gateway: Create a new address object for the host IP address of the gateway on the appliance's subnet through which you can access the remote network subnet created above.
Interface: Interface on the appliance used to access the above

Do this for each subnet you wish to use to access the appliance.
0
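The following is an added illustration (not SonicWall code and not part of the thread) of why the "IP spoof dropped" alerts appeared and why the route policies in the accepted solution fix them. It models a LAN interface that, as the quoted documentation says, only treats its own attached subnet as a valid source until a route entry for another subnet is bound to that interface. The site subnets are the ones from the question; the interface name `X0`, the gateway `172.20.50.254` and the `Appliance`/`Route` classes are constructed assumptions for the example.

```python
"""Model of a SonicWall-style LAN anti-spoof (reverse-path) check.

Added example, not SonicWall's implementation. A packet arriving on an
interface passes only if its source address lies in that interface's own
subnet or in the destination of a route policy bound to the interface;
otherwise it is logged the way the thread describes and dropped.
Interface name X0 and gateway 172.20.50.254 are constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Interface:
    name: str                 # e.g. "X0" (the LAN interface)
    network: IPv4Network      # subnet directly attached to the interface


@dataclass
class Route:
    destination: IPv4Network  # remote subnet we want to manage FROM
    gateway: IPv4Address      # next hop on the appliance's own subnet
    interface: str            # interface through which that gateway is reached


@dataclass
class Appliance:
    site: str
    interfaces: dict          # interface name -> Interface
    routes: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def add_route(self, destination: str, gateway: str, interface: str) -> None:
        """Equivalent of Network -> Routing -> Add with Source Any, Service Any."""
        gw = IPv4Address(gateway)
        iface = self.interfaces[interface]
        # The gateway must be a host on the interface's own subnet.
        if gw not in iface.network:
            raise ValueError(f"gateway {gw} is not on {interface} ({iface.network})")
        self.routes.append(Route(IPv4Network(destination), gw, interface))

    def valid_sources(self, interface: str) -> list:
        """Subnets accepted as legitimate sources on an interface: the attached
        subnet plus every route destination bound to that interface."""
        nets = [self.interfaces[interface].network]
        nets += [r.destination for r in self.routes if r.interface == interface]
        return nets

    def receive(self, ingress: str, src: str) -> bool:
        """Return True if a packet from src on ingress passes the anti-spoof
        check; otherwise log an alert in the thread's wording and return False."""
        s = IPv4Address(src)
        if any(s in net for net in self.valid_sources(ingress)):
            self.log.append(f"Allowed: {src} on {ingress}")
            return True
        self.log.append(f"Alert, Intrusion Protection, IP spoof dropped, {src} on {ingress}")
        return False


def make_site2() -> Appliance:
    """Site 2 appliance from the question, LAN 172.20.50.0/24, no extra routes."""
    return Appliance("Site 2", {"X0": Interface("X0", IPv4Network("172.20.50.0/24"))})


def demo() -> tuple:
    """Management attempt from a Site 1 host before and after the route policies.

    Returns (result_before_routes, result_after_routes)."""
    fw = make_site2()
    before = fw.receive("X0", "172.20.10.15")       # Site 1 admin host (constructed)
    # One route policy per remote subnet, as the accepted solution describes.
    for remote in ("172.20.10.0/24", "172.20.80.0/24", "172.20.110.0/24"):
        fw.add_route(remote, "172.20.50.254", "X0")  # gateway is a constructed value
    after = fw.receive("X0", "172.20.10.15")
    return before, after


if __name__ == "__main__":
    result = demo()
    print("before routes:", result[0], "after routes:", result[1])
```

Running `demo()` reproduces the thread: the first attempt is dropped with the "IP spoof dropped" alert, the second passes once the Site 1 subnet has a route bound to `X0`. The `add_route` check that the gateway sits on the interface's own subnet mirrors the solution's wording that the gateway object is "on the appliance's subnet".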
 

Author Closing Comment

by:Ad-Apex
ID: 37163656
I accepted my own solution as it was complete and solved my problem.
0
