Solved

Routing on Sonicwall Firewall (diagram attached)

Posted on 2012-03-12
Last Modified: 2012-03-13
hey guys

I've attached a diagram on here to better describe my problem.

We have a warehouse at Site A. They have a VPN directly to our head office at Site B. At both of these sites we have a Sonicwall firewall (one is a TZ 210 and the other an NSA 3500).

From Site B, we have a VPN connection to our hosting provider. So we use a LAN IP to connect to a remote desktop services session using a 10.45.190.0/24 address.

However, we want people at site A to be able to remote desktop on to the 10.45.190.0/24 network by routing it via Site B. How can I do it so that somebody at a PC at Site A is able to remote desktop onto the 10.45.190.0 network in that way? (i.e. routing it via Site B)

Many thanks
Yashy
Routing-Warehouse-to-Attenda.jpg
Question by: Yashy

31 Comments

LVL 11 Expert Comment by: crouthamela
1. At Site A - Create an Address Group that includes an object for Site B's network and External Company's network. Make that the Destination for the VPN.
2. At Site B - Create an Address Group that includes an object for Site A's network and the LAN of Site B. Make that the Local network for the VPN to External Company.
3. At External Company - Have them add the network for Site A to their Destination Networks definition for the VPN.

All objects specified would be members of the VPN Zone.

LVL 8 Expert Comment by: Frank McCourry
Set up a static route on Site A's Sonicwall that will take all traffic destined for 10.45.190.0 to the IP address of Site B's VPN tunnel to External Company.

i.e.

If Site B's VPN gateway (from B to External Company) address is 10.0.0.1, then you need a static route on Site A that directs all traffic destined for 10.45.190.0 to 10.0.0.1.

LVL 11 Expert Comment by: crouthamela
@frankmcc - That wouldn't work without the Address Group and changes to the VPNs I specified above. If the networks in question are not part of the Security Association for the VPN tunnel you can't make a static route to send traffic over it. They won't match the allowed traffic and will be dropped.

LVL 8 Expert Comment by: Frank McCourry
You could setup a separate tunnel from Site A to the External Company...

LVL 1 Author Comment by: Yashy
@frankmcc - We're unable to do that for the time being.

@crouthamela - I'm a little confused, not because of your explanation, but because I don't know how to do that on the actual firewall.

LVL 11 Expert Comment by: crouthamela
To create an Address Group, go to Network -> Address Objects.

To change the Destination/Local selections for the VPNs, go to VPN and click the Configure icon for your VPN tunnel in question. Then go to the Network tab to make your selections.

LVL 1 Author Comment by: Yashy
Okay, I get it now mate. Thanks for that.

Out of curiosity, is this method possible at all:

1) Have the Sonicwall at Site A direct any attempted RDP traffic to the 10.45.190.0 network to the Sonicwall at Site B.

And seeing as Sonicwall B already routes traffic over the VPN to the external site, would it automatically be taken care of?

I'm asking these questions purely from lack of experience. Thanks mate.

LVL 11 Expert Comment by: crouthamela
The steps I provided above do exactly that: all traffic headed for the External Company will go through the VPN to Site B, then to the External Company. But the External Company is going to need to add the network (10.0.200.0/24) for Site A to their side of the VPN for the return traffic to route properly.

LVL 1 Author Comment by: Yashy
Thanks a lot Crouthamela.

I'm creating a new group in the Sonicwall at Site A and adding the network at Site B and the external company into it. However, what Zone Assignment should I give them when adding?

So when I add an Object for Site B, should it be under the 'LAN' Zone Assignment with the 'Type' as Network?

LVL 11 Expert Comment by: crouthamela
Use the Zone LAN for only local stuff to the SonicWALL you are on. If you are making an object for a network at another site, then the Zone will be VPN.

LVL 1 Author Comment by: Yashy
Okay, I've set it all up. External company called me to say that they have opened up their VPN traffic for RDP coming from the 10.0.200.x network.

However, Site A is still unable to connect to the remote desktop services at the external company.

I am at Site B and I can still connect to the external company's remote desktop, even after the changes were made.

Any ideas where I can look to find where the issue is?

LVL 11 Expert Comment by: crouthamela
What networks show as "up" with the green dot at each SonicWALL? You should have two for each VPN now.

LVL 1 Author Comment by: Yashy
Well only one for each still. What I did was at Site A, in the VPN it already had up, I merely added the 'External company' VPN zone into it.

Then at Site B, I added the Site A network object into the already existing VPN connection to the external company.

Then the external company told me that they opened up the firewall at their end for RDP traffic from anything at 10.0.200.0 network.

I thought doing this was exactly what you mentioned. No?

LVL 11 Expert Comment by: crouthamela
Oh I'm sorry I missed a step. At Site B, add to the Address Group that has Site A and the LAN subnet in it, an Address Object for the External Company. That should bring up the External Company network from Site A -> Site B in the VPN status.

LVL 1 Author Comment by: Yashy
Still not working Crouthamela. I did that and I'm not able to connect from Site A to the External Company using the local 10.45.190.10 IP in remote desktop. I can, though, when I am at Site B still.

I've attached screenshots of the VPN at Site A and the one at Site B.

And here are the details for the VPN connections along with the group settings.

Site A VPN:

From -> Site A Local LAN (10.0.200.0/24)
(the below two are in one group)
To -> Site B LAN (10.0.0.0/24, Zone: VPN)
      External Company (10.45.190.0/27)

Site B VPN:
(the below three are in one group)
From -> Site B Local LAN (10.0.0.0/24)
        Site A LAN (10.0.200.0/24, Zone: VPN)
        External Company (10.45.190.0/27, Zone: VPN)

To -> External Company (10.45.190.0/27, Zone: VPN)
Sonicwall-on-Site-A.jpeg
Sonicwall-at-Site-B.jpg

LVL 1 Author Comment by: Yashy
Maybe it's because of the fact that the security used between Site B to external company is higher and therefore the same needs to be used between Site A to Site B VPN?

LVL 1 Author Comment by: Yashy
I just spoke to Sonicwall. After 1hr of playing around, they couldn't do it. Then they said the only way was to configure what's called a 'Hub' and 'Spoke' configuration. They're sending me the link, but I was wondering, surely that's not possible?! There must be a way without doing this?

LVL 11 Expert Comment by: crouthamela
We'll get it working, what you posted in the big post above is good, thank you for the info. What I see looks correct there, but can you provide the same information at Site B for the Site B -> Site A VPN?

What networks/address objects/groups are involved, with screenshot?

One note: At Site B, don't have the External Company network in your "From" Address Group.

LVL 1 Author Comment by: Yashy
Welcome sir :).

So Site B to Site A VPN:

From -> Site B LAN (10.0.0.0/24, Zone: LAN)

To -> Site A LAN (10.0.200.0/24, Zone: VPN)

At Site B in the 'From' group, I did include the External company. If you look again, I've shown it:

From -> Site B Local LAN (10.0.0.0/24)
        Site A LAN (10.0.200.0/24, Zone: VPN)
        External Company (10.45.190.0/27, Zone: VPN)

LVL 11 Accepted Solution by: crouthamela (earned 500 total points)
Ok so what we want to do here is to remove the External Company network from your Address Group for the Site B -> External Company VPN. So you want it to look like:

Site B VPN:
(the below two are in one group)
From -> Site B Local LAN (10.0.0.0/24)
        Site A LAN (10.0.200.0/24, Zone: VPN)
To -> External Company (10.45.190.0/27, Zone: VPN)

For the Site B -> Site A VPN we need to add that External Company network to an Address Group for that VPN (you are going to have two groups at Site B for the two different VPNs), so it looks like:

Site B VPN:
(the below two are in one group)
From -> Site B Local LAN (10.0.0.0/24)
        External Company (10.45.190.0/27, Zone: VPN)
To -> Site A LAN (10.0.200.0/24, Zone: VPN)

---

So all together you will have:

Site A VPN:
From -> Site A Local LAN (10.0.200.0/24)
(the below two are in one group)
To -> Site B LAN (10.0.0.0/24, Zone: VPN)
      External Company (10.45.190.0/27, Zone: VPN)

Site B VPN:
(the below two are in one group)
From -> Site B Local LAN (10.0.0.0/24)
        External Company (10.45.190.0/27, Zone: VPN)
To -> Site A LAN (10.0.200.0/24, Zone: VPN)

Site B VPN:
(the below two are in one group)
From -> Site B Local LAN (10.0.0.0/24)
        Site A LAN (10.0.200.0/24, Zone: VPN)
To -> External Company (10.45.190.0/27, Zone: VPN)
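
The selector logic behind the accepted answer, as an added model that is not from the thread or from SonicWall: a VPN policy only encrypts traffic whose source falls in its 'From' group and whose destination falls in its 'To' group, so the RDP request and its reply must each match a policy at every tunnel they cross. The External Company's own policy and the workstation address 10.0.200.50 are assumptions.

```python
"""Selector model for the Site A -> Site B -> External Company VPN hairpin."""
from ipaddress import ip_address, ip_network

# Networks quoted in the thread.
SITE_A = ip_network("10.0.200.0/24")
SITE_B = ip_network("10.0.0.0/24")
EXT_CO = ip_network("10.45.190.0/27")

# Each policy is (local "From" networks, remote "To" networks): the address
# groups a SonicWall VPN policy uses as its traffic selectors.
SITE_A_VPN_ROUTE_ONLY = ((SITE_A,), (SITE_B,))          # Site A before any change
SITE_A_VPN            = ((SITE_A,), (SITE_B, EXT_CO))   # External Co. added to "To"
SITE_B_TO_EXT         = ((SITE_B, SITE_A), (EXT_CO,))   # Site A added to "From"
SITE_B_TO_A_BROKEN    = ((SITE_B,), (SITE_A,))          # reply leg as first built
SITE_B_TO_A_FIXED     = ((SITE_B, EXT_CO), (SITE_A,))   # reply leg per accepted answer
EXT_VPN               = ((EXT_CO,), (SITE_B, SITE_A))   # assumed: they added 10.0.200.0/24

def carries(policy, src, dst):
    """True if src->dst matches the policy's selectors. Non-matching traffic is
    not encrypted into the tunnel and, lacking any other route, is dropped."""
    local, remote = policy
    return any(src in n for n in local) and any(dst in n for n in remote)

def hairpin_path(src, dst, site_a_vpn, site_b_to_a, site_b_to_ext, ext_vpn):
    """Trace an RDP request and its reply through every tunnel they must cross.
    Returns the first hop whose selectors reject the flow, or None on success."""
    hops = (
        ("Site A -> Site B", site_a_vpn, src, dst),        # request leaves Site A
        ("Site B -> External", site_b_to_ext, src, dst),   # Site B hairpins it onward
        ("External -> Site B", ext_vpn, dst, src),         # reply enters their tunnel
        ("Site B -> Site A", site_b_to_a, dst, src),       # Site B hairpins the reply
    )
    for name, policy, s, d in hops:
        if not carries(policy, s, d):
            return name
    return None

PC = ip_address("10.0.200.50")    # constructed Site A workstation
RDS = ip_address("10.45.190.10")  # RDS host named in the thread

def check(site_a_vpn, site_b_to_a):
    """Evaluate one combination of Site A and Site B -> Site A policies."""
    return hairpin_path(PC, RDS, site_a_vpn, site_b_to_a, SITE_B_TO_EXT, EXT_VPN)

if __name__ == "__main__":
    print("static route only :", check(SITE_A_VPN_ROUTE_ONLY, SITE_B_TO_A_FIXED))
    print("missing reply leg :", check(SITE_A_VPN, SITE_B_TO_A_BROKEN))
    print("accepted solution :", check(SITE_A_VPN, SITE_B_TO_A_FIXED))
```

The first case is why a static route alone cannot work, the second is the state Yashy was in before the External Company network was added to the Site B -> Site A group, and the third returns None because every hop matches.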

LVL 1 Author Comment by: Yashy
Okay, I've configured everything as you have said. I'll even show you the screenshot for the two lights that have shown up at Site A.

But still Site A can't connect to External Company. I've also tried to log on to the servers at External Company and attempt to ping the Site A gateway, and it doesn't. So it's a two-way thing.

Could it be that the firewall at the External Company's end is not properly opened up, would you think?
Sonicwall-at-Site-A.jpeg

LVL 11 Expert Comment by: crouthamela
Ok good. Since you have the External Company network "up" between Site A and B, half the battle is over. I do suggest changing the proposal to IKEv2 (preferably with AES-256) to help with renegotiations and keeping the tunnel up.

As for the other half, it does appear to be an issue at the External Company. When you view your VPN Status area on Site B, does it show 10.0.200.0 as a network connected to External Company? It will show below the VPNs. If not, you'll have to diagnose that with the External Company.

LVL 1 Author Comment by: Yashy
hi mate,

Yes, in reference to what you're saying I've got a screenshot showing also Site B to External Company.

Should I try anything like routing tables? Should I attempt to add any route entries from Site A at all?
VPNS.jpg

LVL 1 Author Comment by: Yashy
WORKED!!!

It was the external company, they had something to do with the front facing and backfacing firewalls requiring the changes to be updated.

Dude, it worked!!! WAHHOOOOOOO.

Much appreciate your help, Crouthamela. I'd offer you beers if I could.

LVL 11 Expert Comment by: crouthamela
Hah, told you we would get it.

LVL 11 Expert Comment by: crouthamela
Also for future reference, what we are doing on Site B is called "VPN Hairpinning". If everything looks good, I'll just take the points, no beer necessary. :)

LVL 1 Author Comment by: Yashy
Legend mate, legend. Sonicwall didn't even get it right.. lol.

Now a quick question. I want to get myself trained up on these firewalls and learn, but I want to do this... fast, as in within the next 2-3 months I want to immerse myself.

I've got two test Sonicwalls, along with two different internet lines which I can play around with. But I want to learn the basics to slightly more complex things. What would you suggest as a method to immerse myself into an environment where I can learn quickly? Sadly courses are rarely good, as they never teach you real scenarios.

Are there people out there who teach privately?
Thanks man.

LVL 1 Author Comment by: Yashy
I'll close this for now dude. No need to answer that. I'm sure I'll find a way.

You've been a huge help, massive. Thanks a mil.

LVL 11 Expert Comment by: crouthamela
Best suggestion I can give is to at least go through the Sonicwall Network Security Essentials course. Either for free online (http://www.sonicwall.com/us/support/eLearning.html) or through a training company like Global Knowledge (http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=11193&catid=191&country=United+States).

This more advanced stuff they don't cover though. I manage 800+ Sonicwalls every day, each with VPNs on it. So I have just ended up learning ways to accomplish things over time. As you saw, even Sonicwall support really doesn't know how to do it unless you get to the Tech 2/3 guys. Other stuff that may help is training material for CCNP Security, as Cisco always goes into great detail on technologies they certify on.

As for private training, I have been producing videos on YouTube lately (http://www.youtube.com/ShrikeCast), but have only covered basic things so far. Eventually I'll get more advanced, but not yet. I'd be willing to privately train you if you're near PA/NJ/NY, else we could do an e-learning type thing. Unfortunately SonicWALL is rather strict on who becomes an official trainer to do the CSSA certification course trainings, though; I actually tried to do that myself last year (I'm already a Cisco instructor) and had to deal with too much flak about territories with Global Knowledge and others.

LVL 1 Author Comment by: Yashy
Ah, politics with companies, eh?

I'm sadly based in the UK, so unless I caught a flight over, I would be willing to attempt the e-learning. I'm sure we can attempt the e-learning stuff somehow. I'm sure I can find you on LinkedIn or the like.

Again, from the last post to the help on the Sonicwall VPN, thanks again.