Solved

Sonicwall VPN to specific LAN IP address

Posted on 2012-04-05
488 Views
Last Modified: 2014-06-14
Hi all,

I need to create a VPN rule on my Sonicwall NSA 2400 that allows for an outside network to have VPN connectivity to individual workstations on my LAN network. I don't want to open up a full subnet site-to-site rule for security reasons. I've created a network address object, assigned it to the VPN zone, type is Host, and I've specified the IP address of the workstation within the network. I then created the VPN rule like I have with all my other sites (site-to-site, IKE preshared key, etc.) and specified my custom address object above under local networks. The Sonicwall shows that the VPN is up and active, but I cannot ping the individual IP address from the remote site, nor can I ping any of the remote site IP addresses from the workstation IP in my local address object.

Any help is appreciated. Thanks!
0
Question by:howetechnical
7 Comments
 
LVL 16

Expert Comment

by:The--Captain
ID: 37817920
Why don't you just configure the VPN declaration to include the whole subnet, and then block everything you don't want using a firewall rule?

Or if you're really into the idea of tons of IPSEC tunnels, then just ditch your address object and configure them individually.

Cheers,
-Jon
0
 
LVL 1

Author Comment

by:howetechnical
ID: 37817930
If I include the entire subnet into my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, then it seems counterproductive.

I have only up to 15 IP addresses that need to be accessed from the outside location. What I had envisioned after writing this is to make them all in a sequence, then add them as a range into the address object so that we have only one tunnel and one address object. The problem is, the VPN shows it's running from the Sonicwall configuration, but I can't ping any of those devices from the outside location. Firewalls are off, too.
0
 
LVL 16

Accepted Solution

by:The--Captain (earned 2000 total points)
ID: 37817976
"If I include the entire subnet into my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, then it seems counter productive."

No, it should be super-easy.  You already have the address object defined for the 15 IPs you want to allow.  Just add a rule to block the entire remote VPN subnet, and then add a rule above that (using your custom address object) that unblocks the 15 IPs you want to allow through.

"I have only up to 15 IP addresses that need to be accessed from the outside location"

You realize that's asking the SonicWall to set up 15 separate IPSEC tunnels, right?  It will almost certainly behave more normally if you just use one tunnel.

Cheers,
-Jon
0
 
LVL 1

Author Comment

by:howetechnical
ID: 37818005
Ok, I get it. I wasn't thinking of adding one rule to block the entire offsite subnet in the firewall and putting one other to allow the local 15 IPs.

So basically, as far as the firewall rule goes, I block all TCP/UDP traffic to/from the remote subnet and then create another rule to allow all TCP traffic to/from the address object for my local IPs. Sound right?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 37818052
That is correct.  Just make sure the allow rule for your custom address object is *above* the rule that blocks everything else.
0
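The accepted answer relies on one property of the firewall's access rules: they are evaluated top-down in the VPN-to-LAN and LAN-to-VPN zone pairs, and the first matching rule wins, so the narrow allow for the 15 workstations only works when it sits above the broad deny for the whole remote subnet. The script below is an added illustration, not anything from the thread or from SonicWall; it models that first-match evaluation over constructed, hypothetical addresses (a 10.20.0.0/24 remote site, a 192.168.1.0/24 local LAN, and a contiguous 192.168.1.50-.64 range standing in for the custom address object) and shows both rule orders side by side. It covers both directions of traffic, as the question asks for to/from rules, and falls back to an implicit deny when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPNet = ipaddress.IPv4Network

# Constructed, hypothetical addressing: the thread names no real subnets.
REMOTE_VPN_SUBNET = ipaddress.ip_network("10.20.0.0/24")   # the other site's LAN
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")         # this site's LAN
# The custom address object: 15 workstations kept contiguous so one Range
# object (or one tunnel) covers them. Each host is modelled as a /32.
ALLOWED_WORKSTATIONS = tuple(
    ipaddress.ip_network(f"192.168.1.{n}/32") for n in range(50, 65)
)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: Tuple[IPNet, ...]   # source address object(s)
    dst: Tuple[IPNet, ...]   # destination address object(s)
    name: str

    def matches(self, src_ip, dst_ip) -> bool:
        # A rule matches when the source is in any source object and the
        # destination is in any destination object.
        return any(src_ip in n for n in self.src) and any(dst_ip in n for n in self.dst)


def first_match(rules: List[Rule], src_ip, dst_ip, default: str = "deny"):
    """Top-down, first-match evaluation; unmatched traffic hits the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return default, "implicit-deny"


def build_policy(allow_above_deny: bool) -> List[Rule]:
    """Two allow rules (one per direction) for the workstation object,
    two deny rules (one per direction) for the entire LAN, in either order."""
    remote = (REMOTE_VPN_SUBNET,)
    lan = (LOCAL_LAN,)
    allow_rules = [
        Rule("allow", remote, ALLOWED_WORKSTATIONS, "VPN->LAN allow 15 workstations"),
        Rule("allow", ALLOWED_WORKSTATIONS, remote, "LAN->VPN allow 15 workstations"),
    ]
    deny_rules = [
        Rule("deny", remote, lan, "VPN->LAN deny whole LAN"),
        Rule("deny", lan, remote, "LAN->VPN deny whole LAN"),
    ]
    return allow_rules + deny_rules if allow_above_deny else deny_rules + allow_rules


# Constructed sample flows (source, destination).
SAMPLE_FLOWS = [
    ("10.20.0.7", "192.168.1.55"),   # remote -> a permitted workstation
    ("10.20.0.7", "192.168.1.10"),   # remote -> a LAN host outside the object
    ("192.168.1.55", "10.20.0.7"),   # permitted workstation -> remote
    ("192.168.1.10", "10.20.0.7"),   # other LAN host -> remote
]


def evaluate(allow_above_deny: bool) -> List[str]:
    """Return the allow/deny decision for each sample flow under the given rule order."""
    rules = build_policy(allow_above_deny)
    return [
        first_match(rules, ipaddress.ip_address(s), ipaddress.ip_address(d))[0]
        for s, d in SAMPLE_FLOWS
    ]


if __name__ == "__main__":
    for order in (True, False):
        label = "allow above deny" if order else "deny above allow"
        print(f"{label}: {evaluate(order)}")
```

With the allow rules on top only the 15 workstations are reachable in either direction and everything else on the LAN is denied; with the deny rules on top every flow is denied, including the workstations, which is exactly the symptom of getting the order backwards. Logging on the broad deny rule is also the easiest place to see remote-side traffic aimed at hosts outside the allowed set.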
