  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 497

Sonicwall VPN to specific LAN IP address

Hi all,

I need to create a VPN rule on my Sonicwall NSA 2400 that allows for an outside network to have VPN connectivity to individual workstations on my LAN network. I don't want to open up a full subnet site-to-site rule for security reasons. I've created a network address object, assigned it to the VPN zone, type is Host, and I've specified the IP address of the workstation within the network. I then created the VPN rule like I have with all my other sites (site-to-site, IKE preshared key, etc.) and specified my custom address object above under local networks. The Sonicwall shows that the VPN is up and active, but I cannot ping the individual IP address from the remote site, nor can I ping any of the remote site IP addresses from the workstation IP in my local address object.

Any help is appreciated. Thanks!
0
Asked by: howetechnical
1 Solution

The--Captain commented:
Why don't you just configure the VPN declaration to include the whole subnet, and then block everything you don't want using a firewall rule?

Or if you're really into the idea of tons of IPSEC tunnels, then just ditch your address object and configure them individually.

Cheers,
-Jon
0

howetechnical (Author) commented:
If I include the entire subnet into my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, that seems counterproductive.

I have only up to 15 IP addresses that need to be accessed from the outside location. What I had envisioned after writing this is to make them all in a sequence, then add them as a range into the address object so that we have only one tunnel and one address object. The problem is, the VPN shows it's running from the Sonicwall configuration, but I can't ping any of those devices from the outside location. Firewalls are off, too.
0

The--Captain commented:
"If I include the entire subnet into my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, that seems counterproductive."

No, it should be super-easy. You already have the address object defined for the 15 IPs you want to allow. Just add a rule to block the entire remote VPN subnet, and then add a rule above that (using your custom address object) that unblocks the 15 IPs you want to allow through.

"I have only up to 15 IP addresses that need to be accessed from the outside location"

You realize that's asking the SonicWall to set up 15 separate IPSEC tunnels, right? It will almost certainly behave more normally if you just use one tunnel.

Cheers,
-Jon
0

howetechnical (Author) commented:
Ok, I get it. I wasn't thinking of adding one rule to block the entire offsite subnet in the firewall and putting one other to allow the local 15 IPs.

So basically, as far as the firewall rule goes, I block all TCP/UDP traffic to/from the remote subnet and then create another rule to allow all TCP traffic to/from the address object for my local IPs. Sound right?
0

The--Captain commented:
That is correct. Just make sure the allow rule for your custom address object is *above* the rule that blocks everything else.
0
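The rule-ordering point in the accepted answer is easy to get wrong, so here is an added example (not from the thread, and not SonicWall's own policy engine) that models a first-match firewall policy in Python. The addressing is constructed for the example: a LAN of 10.10.0.0/24 with the 15 permitted workstations renumbered into one contiguous range (10.10.0.100 to 10.10.0.114, matching the poster's plan of a single "Range" address object and one tunnel), and a remote site on 192.168.50.0/24. It shows that with the allow rule above the broad deny, exactly the 15 hosts are reachable in both directions, and that the same two rules in the opposite order let nothing through because the deny shadows the allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Union

# Constructed sample addressing (an assumption for this example, not from the thread).
LAN_SUBNET = ipaddress.ip_network("10.10.0.0/24")        # local LAN behind the firewall
REMOTE_SUBNET = ipaddress.ip_network("192.168.50.0/24")  # the remote site's LAN
# The 15 reachable workstations, made contiguous so one "Range" address object
# (10.10.0.100-10.10.0.114) covers them all through a single tunnel.
ALLOWED_RANGE = (ipaddress.ip_address("10.10.0.100"),
                 ipaddress.ip_address("10.10.0.114"))

# An address object is either a network or an inclusive (low, high) range.
AddressObject = Union[ipaddress.IPv4Network,
                      Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: AddressObject
    dst: AddressObject


def contains(obj: AddressObject, ip: ipaddress.IPv4Address) -> bool:
    """True if the address object (network or inclusive range) holds ip."""
    if isinstance(obj, tuple):
        low, high = obj
        return low <= ip <= high
    return ip in obj


def evaluate(rules, src_ip: str, dst_ip: str):
    """First-match evaluation: the first rule whose src and dst both match
    decides the packet; anything unmatched falls to an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if contains(rule.src, src) and contains(rule.dst, dst):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def both_directions(name: str, action: str, a: AddressObject, b: AddressObject):
    """The thread's rules are 'to/from', so emit one rule per direction."""
    return [Rule(f"{name}-in", action, a, b), Rule(f"{name}-out", action, b, a)]


ALLOW = both_directions("allow-vpn-workstations", "allow", REMOTE_SUBNET, ALLOWED_RANGE)
DENY = both_directions("deny-vpn-lan", "deny", REMOTE_SUBNET, LAN_SUBNET)

CORRECT_ORDER = ALLOW + DENY   # allow above the broad deny, as advised
WRONG_ORDER = DENY + ALLOW     # the deny shadows the allow: nothing gets through


def reachable_lan_hosts(rules, src_ip: str) -> int:
    """Count LAN hosts a given remote address can reach under a rule list."""
    return sum(1 for host in LAN_SUBNET.hosts()
               if evaluate(rules, src_ip, str(host))[0] == "allow")


if __name__ == "__main__":
    for label, policy in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, evaluate(policy, "192.168.50.20", "10.10.0.105"),
              "reachable LAN hosts:", reachable_lan_hosts(policy, "192.168.50.20"))
```

The `reachable_lan_hosts` count is a useful check to run against any policy change of this kind: it should equal the number of hosts in the address object, and it drops to zero the moment the deny rule is moved above the allow.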