Solved

Sonicwall VPN to specific LAN IP address

Posted on 2012-04-05
Last Modified: 2014-06-14
Hi all,

I need to create a VPN rule on my Sonicwall NSA 2400 that allows for an outside network to have VPN connectivity to individual workstations on my LAN network. I don't want to open up a full subnet site-to-site rule for security reasons. I've created a network address object, assigned it to the VPN zone, type is Host, and I've specified the IP address of the workstation within the network. I then created the VPN rule like I have with all my other sites (site-to-site, IKE preshared key, etc etc) and specified my custom address object above under local networks. The Sonicwall shows that the VPN is up and active, but I cannot ping the individual IP address from the remote site, nor can I ping any of the remote site IP addresses from the workstation IP in my local address object.

Any help is appreciated. Thanks!
Question by:howetechnical
7 Comments
 
LVL 16

Expert Comment

by:The--Captain
ID: 37817920
Why don't you just configure the VPN declaration to include the whole subnet, and then block everything you don't want using a firewall rule?

Or if you're really into the idea of tons of IPSEC tunnels, then just ditch your address object and configure them individually.

Cheers,
-Jon
0
 
LVL 1

Author Comment

by:howetechnical
ID: 37817930
If I include the entire subnet in my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, that seems counterproductive.

I have only up to 15 IP addresses that need to be accessed from the outside location. What I had envisioned after writing this is to make them all in a sequence, then add them as a range into the address object so that we have only one tunnel and one address object. The problem is, the VPN shows it's running from the Sonicwall configuration, but I can't ping any of those devices from the outside location. Firewalls are off, too.
0
 
LVL 16

Accepted Solution

by:The--Captain (earned 500 total points)
ID: 37817976
"If I include the entire subnet in my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, that seems counterproductive."

No, it should be super-easy.  You already have the address object defined for the 15 IPs you want to allow.  Just add a rule to block the entire remote VPN subnet, and then add a rule above that (using your custom address object) that unblocks the 15 IPs you want to allow through.

"I have only up to 15 IP addresses that need to be accessed from the outside location"

You realize that's asking the SonicWall to set up 15 separate IPSEC tunnels, right?  It will almost certainly behave more normally if you just use one tunnel.

Cheers,
-Jon
0
 
LVL 1

Author Comment

by:howetechnical
ID: 37818005
OK, I get it. I wasn't thinking of adding one rule to block the entire offsite subnet in the firewall and putting one other to allow the local 15 IPs.

So basically, as far as the firewall rule goes, I block all TCP/UDP traffic to/from the remote subnet and then create another rule to allow all TCP traffic to/from the address object for my local IPs. Sound right?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 37818052
That is correct.  Just make sure the allow rule for your custom address object is *above* the rule that blocks everything else.
0
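The rule layout the thread settles on (declare the whole LAN in the tunnel, deny the remote subnet to the LAN, and put a narrower allow for the reachable workstations above that deny) comes down to first-match evaluation of an ordered rule table. The following is an added example, not SonicOS code and not posted by anyone in the thread: a small Python model of a VPN-to-LAN access-rule table that shows why the two-rule approach covers 15 hosts without 150 individual deny entries, and why the allow has to sit above the deny. All addresses and object names are invented for the example (remote site 10.20.0.0/24, local LAN 192.168.1.0/24, reachable workstations 192.168.1.50 through 192.168.1.64).

```python
"""
First-match access-rule model of the accepted answer: declare the whole LAN in
the site-to-site VPN, then let the access rules decide which hosts are reachable.

Constructed example, not SonicOS code and not from the thread. Addresses are
invented: remote site 10.20.0.0/24, local LAN 192.168.1.0/24, and the fifteen
workstations the remote site may reach are 192.168.1.50 through 192.168.1.64.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class AddressObject:
    """Models the three SonicOS address-object types (Host, Range, Network)
    as one inclusive address interval."""
    name: str
    first: IPv4Address
    last: IPv4Address

    @classmethod
    def from_host(cls, name, ip):
        a = ip_address(ip)
        return cls(name, a, a)

    @classmethod
    def from_range(cls, name, start, end):
        return cls(name, ip_address(start), ip_address(end))

    @classmethod
    def from_network(cls, name, cidr):
        n = ip_network(cidr)
        return cls(name, n[0], n[-1])

    def __contains__(self, ip):
        return self.first <= ip <= self.last

    def covers(self, other):
        """True if every address in `other` is also in this object."""
        return self.first <= other.first and other.last <= self.last


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: AddressObject
    dst: AddressObject


def evaluate(rules, src_ip, dst_ip, default="deny"):
    """Walk the table top-down; the first rule whose source and destination
    both match decides. Anything that matches nothing falls to the default."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule already
    covers their whole source and destination. This is the misordering the
    final comment in the thread warns about (allow must be above the deny)."""
    names = []
    for i, later in enumerate(rules):
        if any(e.src.covers(later.src) and e.dst.covers(later.dst) for e in rules[:i]):
            names.append(later.name)
    return names


# Constructed address objects (invented values)
REMOTE_SITE = AddressObject.from_network("Remote-Site-Subnet", "10.20.0.0/24")
LOCAL_LAN = AddressObject.from_network("LAN-Subnet", "192.168.1.0/24")
VPN_WORKSTATIONS = AddressObject.from_range(
    "VPN-Reachable-Workstations", "192.168.1.50", "192.168.1.64")

# VPN -> LAN rule table in the order the accepted answer describes:
# the narrow allow sits above the blanket deny for the tunnelled subnet.
CORRECT_ORDER = [
    Rule("Allow-Remote-To-Workstations", "allow", REMOTE_SITE, VPN_WORKSTATIONS),
    Rule("Deny-Remote-To-LAN", "deny", REMOTE_SITE, LOCAL_LAN),
]

# Same two rules with the order swapped: the deny shadows the allow.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def reachable_from_remote(rules, dst_ip, src_ip="10.20.0.15"):
    """True if a packet from the remote site to dst_ip is allowed."""
    return evaluate(rules, src_ip, dst_ip) == "allow"


if __name__ == "__main__":
    for table_name, table in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for dst in ("192.168.1.55", "192.168.1.100"):
            print(table_name, dst, evaluate(table, "10.20.0.15", dst))
        print(table_name, "shadowed:", shadowed_rules(table))
```

The model only covers the VPN-to-LAN direction, which is the one the question is about; a stateful firewall lets the replies back through on the same session. If the workstations also need to open connections toward the remote site, the LAN-to-VPN table needs its own mirrored allow-above-deny pair. The `shadowed_rules` check is the quick sanity test to run on any table after reordering: a blanket deny that covers a later, narrower allow silently turns the allow into dead configuration.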

Question has a verified solution.