Solved

Sonicwall VPN to specific LAN IP address

Posted on 2012-04-05
420 Views
Last Modified: 2014-06-14
Hi all,

I need to create a VPN rule on my Sonicwall NSA 2400 that allows an outside network to have VPN connectivity to individual workstations on my LAN network. I don't want to open up a full subnet site-to-site rule for security reasons. I've created a network address object, assigned it to the VPN zone, type is Host, and I've specified the IP address of the workstation within the network. I then created the VPN rule like I have with all my other sites (site-to-site, IKE preshared key, etc.) and specified my custom address object above under local networks. The Sonicwall shows that the VPN is up and active, but I cannot ping the individual IP address from the remote site, nor can I ping any of the remote site IP addresses from the workstation IP in my local address object.

Any help is appreciated. Thanks!
Question by: howetechnical

7 Comments

Expert Comment by The--Captain (LVL 16), ID: 37817920
Why don't you just configure the VPN declaration to include the whole subnet, and then block everything you don't want using a firewall rule?

Or if you're really into the idea of tons of IPSEC tunnels, then just ditch your address object and configure them individually.

Cheers,
-Jon
Author Comment by howetechnical (LVL 1), ID: 37817930
If I include the entire subnet into my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, that seems counterproductive.

I have only up to 15 IP addresses that need to be accessed from the outside location. What I had envisioned after writing this is to make them all in a sequence, then add them as a range into the address object so that we have only one tunnel and one address object. The problem is, the VPN shows it's running from the Sonicwall configuration, but I can't ping any of those devices from the outside location. Firewalls are off, too.
Accepted Solution by The--Captain (LVL 16), earned 500 total points, ID: 37817976
"If I include the entire subnet into my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, then it seems counter productive."

No, it should be super-easy.  You already have the address object defined for the 15 IPs you want to allow.  Just add a rule to block the entire remote VPN subnet, and then add a rule above that (using your custom address object) that unblocks the 15 IPs you want to allow through.

"I have only up to 15 IP addresses that need to be accessed from the outside location"

You realize that's asking the SonicWall to set up 15 separate IPSEC tunnels, right?  It will almost certainly behave more normally if you just use one tunnel.

Cheers,
-Jon
Author Comment by howetechnical (LVL 1), ID: 37818005
Ok, I get it. I wasn't thinking of adding one rule to block the entire offsite subnet in the firewall and putting one other to allow the local 15 IPs.

So basically, as far as the firewall rule goes, I block all TCP/UDP traffic to/from the remote subnet and then create another rule to allow all TCP traffic to/from the address object for my local IPs. Sound right?
Expert Comment by The--Captain (LVL 16), ID: 37818052
That is correct.  Just make sure the allow rule for your custom address object is *above* the rule that blocks everything else.
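To show why the rule order the accepted answer insists on matters, here is an added example (not code from the thread or from SonicWall) that models top-down, first-match evaluation of an access rule list. The remote subnet, the LAN and the 15 workstation addresses are constructed sample values; with the specific allow above the broad deny, only the 15 hosts are reachable, while the reversed order shadows the allow and blocks everything.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (not from the thread): the remote site's
# subnet behind the single site-to-site tunnel, the local LAN, and the 15
# workstations grouped in one custom address object (as /32 entries).
REMOTE_SITE = ipaddress.ip_network("10.20.0.0/24")
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
WORKSTATIONS = [ipaddress.ip_network(f"192.168.1.{n}/32") for n in range(50, 65)]


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network  # source zone/network the rule applies to
    dsts: list                  # destination networks (hosts are /32 entries)


def evaluate(rules, src_ip, dst_ip, default="deny"):
    """Top-down, first-match evaluation of an access rule list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and any(dst in d for d in rule.dsts):
            return rule.action
    return default  # nothing matched: implicit deny


def rules_allow_above_deny():
    """The order the accepted answer recommends: specific allow on top."""
    return [Rule("allow", REMOTE_SITE, WORKSTATIONS),
            Rule("deny", REMOTE_SITE, [LOCAL_LAN])]


def rules_deny_above_allow():
    """Same two rules, wrong order: the broad deny shadows the allow."""
    return [Rule("deny", REMOTE_SITE, [LOCAL_LAN]),
            Rule("allow", REMOTE_SITE, WORKSTATIONS)]


def reachable_from_remote(rules, src_ip="10.20.0.5"):
    """Set of LAN hosts a remote-site host can reach under this rule list."""
    return {str(h) for h in LOCAL_LAN.hosts()
            if evaluate(rules, src_ip, str(h)) == "allow"}


if __name__ == "__main__":
    print(len(reachable_from_remote(rules_allow_above_deny())))  # 15
    print(len(reachable_from_remote(rules_deny_above_allow())))  # 0
```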