Asked by Yashy
Routing on Sonicwall Firewall (diagram attached)

hey guys

I've attached a diagram on here to better describe my problem.

We have a warehouse at Site A. They have a VPN directly to our head office at Site B. At both of these sites we have a Sonicwall firewall (one is a TZ 210 and the other an NSA 3500).

From Site B, we have a VPN connection to our hosting provider. So we use a LAN IP to connect to a remote desktop services session using a 10.45.190.0/24 address.

However, we want people at site A to be able to remote desktop on to the 10.45.190.0/24 network by routing it via Site B. How can I do it so that somebody at a PC at Site A is able to remote desktop onto the 10.45.190.0 network in that way? (i.e. routing it via Site B)

Many thanks
Yashy
Routing-Warehouse-to-Attenda.jpg
crouthamela

1. At Site A - Create an Address Group that includes an object for Site B's network and External Company's network. Make that the Destination for the VPN.
2. At Site B - Create an Address Group that includes an object for Site A's network and the LAN of Site B. Make that the Local network for the VPN to External Company.
3. At External Company - Have them add the network for Site A to their Destination Networks definition for the VPN.

All objects specified would be members of the VPN Zone.
Frank McCourry
Set up a static route on Site A's Sonicwall that will take all traffic destined for 10.45.190.0 to the IP address of Site B's VPN tunnel to External Company.

ie..

If Site B's VPN gateway (from B to External Company) address is 10.0.0.1, then you need a static route on Site A that directs all traffic destined for 10.45.190.0 to 10.0.0.1.
@frankmcc - That wouldn't work without the Address Group and changes to the VPNs I specified above. If the networks in question are not part of the Security Association for the VPN tunnel you can't make a static route to send traffic over it. They won't match the allowed traffic and will be dropped.
You could set up a separate tunnel from Site A to the External Company...
Yashy (asker)

@frankmcc - We're unable to do that for the meantime.

@crouthamela - I'm a little confused, not because of your explanation, but because I don't know how to do that on the actual firewall.
To create an Address Group, go to Network -> Address Objects.

To change the Destination/Local selections for the VPNs, go to VPN and click the Configure icon for your VPN tunnel in question. Then go to the Network tab to make your selections.
Yashy (asker)

Okay, I get it now mate. Thanks for that.

Out of curiosity, is this method possible at all:

1) Have the Sonicwall at Site A route any RDP traffic for the 10.45.190.0 network to the Sonicwall at Site B.

And seeing as Sonicwall B already routes traffic over the VPN to the external site, would it automatically be taken care of?

I'm asking these questions purely from lack of experience. Thanks mate.
The steps I provided above do exactly that, all traffic headed for the External Company will go through the VPN to Site B, then to the External Company. But the External Company is going to need to add the network (10.0.200.0/24) for Site A to their side of the VPN for the return traffic to route properly.
Yashy (asker)

Thanks a lot Crouthamela.

I'm creating a new group in the Sonicwall at Site A and adding the network at site B and the external company into it. However, what Zone Assignment should I give them when adding?

So when I add an Object for Site B, should it be under the 'LAN' Zone Assignment and the 'Type' as being Network?
Use the Zone LAN for only local stuff to the SonicWALL you are on. If you are making an object for a network at another site, then the Zone will be VPN.
Yashy (asker)

Okay, I've set it all up. External company called me to say that they have opened up their VPN traffic for RDP coming from the 10.0.200.x network.

However, Site A is still unable to connect to the remote desktop services at the external company.

I am at Site B and I can still connect to the external company's remote desktop, even after the changes were made.

Any ideas where I can look to find where the issue is?
What networks show as "up" with the green dot at each SonicWALL? You should have two for each VPN now.
Yashy (asker)

Well, only one for each still. What I did was at Site A, in the VPN it already had up, I merely added the 'External company' VPN zone into it.

Then at site B, I added Site A network object in to the already existing VPN connection to the external company.

Then the external company told me that they opened up the firewall at their end for RDP traffic from anything at 10.0.200.0 network.

I thought doing this was exactly what you mentioned. No?
Oh I'm sorry I missed a step. At Site B, add to the Address Group that has Site A and the LAN subnet in it, an Address Object for the External Company. That should bring up the External Company network from Site A -> Site B in the VPN status.
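The rule behind the steps crouthamela gives above (every hop needs a matching selector, on both ends, for the traffic to enter the tunnel; the return path needs the Site A network on the External Company side; and a static route alone, as discussed earlier in the thread, cannot substitute for a missing selector) can be checked mechanically. The following is an added example, not code from the original thread or from SonicWall: it models the three policies with Python's ipaddress module and walks an RDP flow from a constructed Site A host (10.0.200.50) to the External Company's RDS host (10.45.190.10, the address named later in the thread). The site labels, host addresses and the "missing step" stages are assumptions built from the thread, not taken from a real configuration.

```python
"""Added example: check the IPsec traffic selectors (phase-2 networks) of the
three VPN policies in this thread for an RDP flow Site A -> External Company,
with Site B hairpinning between its two tunnels.  All policies and hosts are
constructed from the thread; nothing here is read from a real SonicWall."""
import ipaddress
from dataclasses import dataclass

SITE_A_LAN = ipaddress.ip_network("10.0.200.0/24")
SITE_B_LAN = ipaddress.ip_network("10.0.0.0/24")
EXTERNAL = ipaddress.ip_network("10.45.190.0/27")


@dataclass(frozen=True)
class Policy:
    """One end of a site-to-site VPN policy: its local and remote traffic
    selectors (the 'Local network' / 'Destination network' in the thread)."""
    site: str
    local: tuple
    remote: tuple

    def pairs(self):
        # Every (local, remote) combination is negotiated as its own phase-2
        # SA, which is why each pair appears as a separate 'up' entry in the
        # VPN status page once the far end agrees to it.
        return [(loc, rem) for loc in self.local for rem in self.remote]

    def encrypts(self, src, dst):
        """True if this end would send a src -> dst packet into the tunnel."""
        return any(src in loc and dst in rem for loc, rem in self.pairs())


def check_flow(src, dst, path):
    """path: one (near_end, far_end) policy pair per tunnel, in hop order.
    Returns a list of failures; empty means every hop carries the flow.
    Selectors are symmetric, so testing the far end with the addresses
    swapped also covers the return traffic.  A static route pointing at the
    tunnel cannot repair a failure here: a packet with no matching SA is
    dropped at the near end rather than encrypted."""
    failures = []
    for near, far in path:
        if not near.encrypts(src, dst):
            failures.append(f"{near.site}: no selector for {src} -> {dst}")
        if not far.encrypts(dst, src):
            failures.append(f"{far.site}: no selector for {dst} -> {src}")
    return failures


def build_path(b_lists_external_on_ab_tunnel, external_lists_site_a):
    """Assemble the policies as described in the thread.  The two flags
    toggle the steps that were still missing when the tunnel first failed:
    External Company on Site B's side of the A-B tunnel, and Site A on the
    External Company's side of the B-External tunnel."""
    a_to_b = Policy("Site A", (SITE_A_LAN,), (SITE_B_LAN, EXTERNAL))
    b_to_a = Policy(
        "Site B (to A)",
        (SITE_B_LAN, EXTERNAL) if b_lists_external_on_ab_tunnel else (SITE_B_LAN,),
        (SITE_A_LAN,),
    )
    b_to_ext = Policy("Site B (to External)", (SITE_B_LAN, SITE_A_LAN), (EXTERNAL,))
    ext_to_b = Policy(
        "External Company",
        (EXTERNAL,),
        (SITE_B_LAN, SITE_A_LAN) if external_lists_site_a else (SITE_B_LAN,),
    )
    return [(a_to_b, b_to_a), (b_to_ext, ext_to_b)]


def rdp_from_site_a(path):
    """Constructed flow: a Site A PC opening RDP to the External RDS host."""
    return check_flow(ipaddress.ip_address("10.0.200.50"),
                      ipaddress.ip_address("10.45.190.10"), path)


if __name__ == "__main__":
    stages = (
        ("Site B missing External on A-B tunnel", build_path(False, True)),
        ("External Company missing Site A", build_path(True, False)),
        ("both steps applied", build_path(True, True)),
    )
    for label, path in stages:
        problems = rdp_from_site_a(path)
        print(f"{label}: {'OK' if not problems else problems}")
```

Each failure names the firewall whose policy has to change, which is the same question crouthamela asks with "what networks show as up": a pair that is only present on one end never negotiates, so it never shows a green dot.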
Yashy (asker)

Still not working, Crouthamela. I did that and I'm not able to connect from Site A to the External Company using the local 10.45.190.10 IP in remote desktop. I can, though, when I am at Site B still.

I've attached screenshots of the VPN at Site A. And the one at Site B.

And here are the details for the VPN connections along with the groups settings.

Site A VPN:

From -> Site A Local LAN (10.0.200.0/24)
(the below two are in one group)
To-> Site B LAN (10.0.0.0/24, Zone: VPN)
        External Company (10.45.190.0/27)

Site B VPN:
(the below three are in one group)
From -> Site B Local LAN (10.0.0.0/24)
              Site A LAN (10.0.200.0/24, Zone: VPN)
              External Company (10.45.190.0/27, Zone VPN)

To -> External Company (10.45.190.0/27, Zone VPN)
Sonicwall-on-Site-A.jpeg
Sonicwall-at-Site-B.jpg
Yashy (asker)

Maybe it's because of the fact that the security used between Site B to external company is higher and therefore the same needs to be used between Site A to Site B VPN?
Yashy (asker)

I just spoke to Sonicwall. After 1hr of playing around, they couldn't do it. Then they said the only way was to configure what's called a 'Hub' and 'Spoke' configuration. They're sending me the link, but I was wondering, surely that's not possible?! There must be a way without doing this?
We'll get it working; what you posted in the big post above is good, thank you for the info. What I see looks correct there, but can you provide the same information at Site B for the Site B -> Site A VPN?

What networks/address objects/groups are involved, with screenshot?

One note: At Site B, don't have the External Company network in your "From" Address Group.
Yashy (asker)

Welcome sir:).

So Site B to Site A VPN:

From -> Site B LAN (10.0.0.0/24, Zone: LAN)

To -> Site A LAN (10.0.200.0/24, Zone: VPN)


At Site B in the 'From' group, I did include the External company. If you look again, I've shown it:

From -> Site B Local LAN (10.0.0.0/24)
              Site A LAN (10.0.200.0/24, Zone: VPN)
              External Company (10.45.190.0/27, Zone VPN)
ASKER CERTIFIED SOLUTION
crouthamela
(solution text only available to Experts Exchange members)
Yashy (asker)

Okay, I've configured everything as you have said. I'll even show you the screenshot for the two lights that have shown up at Site A.

But still Site A can't connect to External Company. I've also tried to log on to the servers at External Company and attempt to ping the Site A gateway and it doesn't. So it's a two way thing.

Can it be the firewall at the end of the External Company would you think not properly opened up?
Sonicwall-at-Site-A.jpeg
Ok good. Since you have the External Company network "up" between Site A and B, half the battle is over. I do suggest changing the proposal to IKEv2 (preferably with AES-256) to help with renegotiations and keeping the tunnel up.

As for the other half, it does appear to be an issue at the External Company. When you view your VPN Status area on Site B, does it show 10.0.200.0 as a network connected to External Company? It will show below the VPNs. If not, you'll have to diagnose that with the External Company.
Yashy (asker)

hi mate,

Yes, in reference to what you're saying I've got a screenshot showing also Site B to External Company.

Should I try anything like routing tables? Should I attempt to add any route entries from Site A at all?
VPNS.jpg
Yashy (asker)

WORKED!!!

It was the external company, they had something to do with the front facing and backfacing firewalls requiring the changes to be updated.

Dude, it worked!!! WAHHOOOOOOO.

Much appreciate your help, Crouthamela. I'd offer you beers if I could.
Hah, told you we would get it.
Also for future reference, what we are doing on Site B is called "VPN Hairpinning". If everything looks good, I'll just take the points, no beer necessary. :)
Yashy (asker)

Legend mate, legend. Sonicwall didn't even get it right..lol.

Now a quick question. I want to get myself trained up on these firewalls and learn, but I want to do this....fast, as in within the next 2-3 months I want to immerse myself.

I've got two test Sonicwalls, along with two different internet lines which I can play around with. But I want to learn the basics to slightly more complex things. What would you suggest as a method to immerse myself into an environment where I can learn quickly? Sadly courses are rarely good, as they never teach you real scenarios.

Are there people out there who teach privately?
Thanks man.
Yashy (asker)

I'll close this for now dude. No need to answer that. I'm sure I'll find a way.

You've been a huge help, massive. Thanks a mil.
Best suggestion I can give is to at least go through the Sonicwall Network Security Essentials course. Either for free online (http://www.sonicwall.com/us/support/eLearning.html) or through a training company like Global Knowledge (http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=11193&catid=191&country=United+States).

This more advanced stuff they don't cover, though. I manage 800+ Sonicwalls every day, each with VPNs on it. So I have just ended up learning ways to accomplish things over time. As you saw, even Sonicwall support really doesn't know how to do it unless you get to the Tech 2/3 guys. Other stuff that may help is training material for CCNP Security, as Cisco always goes into great detail on technologies they certify on.

As for private training, I have been producing videos on YouTube lately (http://www.youtube.com/ShrikeCast), but have only covered basic things so far. Eventually I'll get more advanced, but not yet. I'd be willing to privately train you if you're near PA/NJ/NY; else we could do an e-learning type thing. Unfortunately SonicWALL is rather strict on who becomes an official trainer to do the CSSA certification course trainings; I actually tried to do that myself last year (I'm already a Cisco instructor) and had to deal with too much flak about territories with Global Knowledge and others.
Yashy (asker)

Ah, politics with companies, eh?

I'm sadly based in the UK, so unless I caught a flight over, I would be willing to attempt the e-learning. I'm sure we can attempt the e-learning stuff somehow. I'm sure I can find you on LinkedIn or the like.

Again, from the last post to the help on the Sonicwall VPN. Thanks again.