enable SBS VPN to pass through Sonicwall TZ210

Pinging the small business server times out, and running a tracert times out after reaching the Hardware firewall, a sonicwall tz210.  What can I check on the Sonicwall to see if that is where the problem is?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mcsweenSr. Network AdministratorCommented:
Your SonicWALL shouldn't allow pings in from the WAN side so that is working as expected.  You will have to open the approperiate ports for your VPN on the SonicWALL as well as configure NAT policies.  If you don't know how to configure NAT policies just use the wizard on the SonicWALL to create these mappings.  To see what is open click Firewall then in the Matrix click WAN to LAN and look for any rules that allow these ports.  Remember that you will need a NAT policy too.  http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/Add_NAT_Policy.htm

See this KB article for the ports you will need.  It depends on which VPN you are implementing.

The most common for Windows VPNs are 1723 and 47.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mcsweenSr. Network AdministratorCommented:


As mcsween stated, the SonicWALL should not have ping enabled on the WAN interface as this is generally considered to be insecure. Further, the SonicWALL, by default, does not decrement the IP TTL for forwarded traffic. As such, you will never see the SonicWALL in a traceroute; however, this behavior can be modified, but is not important for troubleshooting.

Additionally, unless you configured a wide open NAT and firewall access, or specifically created one to forward ICMP traffic to the server, you won't receive a response from it either.

I would honestly recommend highly that you leverage the power of the SonicWALL's Packet Monitor / Packet Capture feature. This is actually really quite easy to configure. Just take the following steps:

-- Login to the SonicWALL
-- Expand the System menu
-- Click on the Packet Capture / Packet Monitor link

--- Click on the Capture Filter / Monitor Filter tab
---- Set the Ether Type field to IP
---- Set the IP Type field to TCP, UDP, ICMP
---- Set the Destination IP Address field to the IP of the server (public)
----- If this is also the IP of the SonicWALL, set the Destination Port to the one used to connect to the server
---- Check the checkbox for bidirectional address and port matching
---- Ensure any other checkbox you may see is unchecked

--- Click on the Display Filter tab
---- Ensure all fields are blank
---- Ensure all 5 checkboxes are checked

--- Click on the Advanced  / Advanced Monitor Filter tab
---- Check the top two checkboxes for capturing / monitoring generated and intermediate packets

Once this is done, click the OK button to save the configuration. When ready to attempt to hit the server, click the Start Capture button, then try to hit the server. Afterward, use the "Export As" dropdown menu (to the right of the Log to FTP button) to save the capture data in both libpcap and HTML formats.

When you have acquired these files from the SonicWALL, please upload them to the thread; I will review them for you, and provide you with the root cause analysis. Please be sure to also include the IP address used by the server, and the ports.

Take care,
AE_JBAuthor Commented:
Thanks.  It turns out the problem was that the problem was with CALs.  Once all users were licensed, access t VPN was restored.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.