Solved

Sonicwall VPN to specific LAN IP address

Posted on 2012-04-05
445 Views
Last Modified: 2014-06-14
Hi all,

I need to create a VPN rule on my Sonicwall NSA 2400 that allows for an outside network to have VPN connectivity to individual workstations on my LAN network. I don't want to open up a full subnet site-to-site rule for security reasons. I've created a network address object, assigned it to the VPN zone, type is Host, and I've specified the IP address of the workstation within the network. I then created the VPN rule like I have with all my other sites (site-to-site, IKE preshared key, etc etc) and specified my custom address object above under local networks. The Sonicwall shows that the VPN is up and active, but I cannot ping the individual IP address from the remote site, nor can I ping any of the remote site IP addresses from the workstation IP in my local address object.

Any help is appreciated. Thanks!
Question by:howetechnical
7 Comments
 
LVL 16

Expert Comment

by:The--Captain
ID: 37817920
Why don't you just configure the VPN declaration to include the whole subnet, and then block everything you don't want using a firewall rule?

Or if you're really into the idea of tons of IPSEC tunnels, then just ditch your address object and configure them individually.

Cheers,
-Jon
 
LVL 1

Author Comment

by:howetechnical
ID: 37817930
If I include the entire subnet in my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, it seems counterproductive.

I have only up to 15 IP addresses that need to be accessed from the outside location. What I had envisioned after writing this is to make them all in a sequence, then add them as a range into the address object so that we have only one tunnel and one address object. The problem is, the VPN shows it's running from the Sonicwall configuration, but I can't ping any of those devices from the outside location. Firewalls are off, too.
 
LVL 16

Accepted Solution

by:The--Captain (earned 500 total points)
ID: 37817976
"If I include the entire subnet in my VPN declaration, then I have to block about 150 of the 165 IP addresses through the firewall. Unless I'm mistaken, it seems counterproductive."

No, it should be super-easy. You already have the address object defined for the 15 IPs you want to allow. Just add a rule to block the entire remote VPN subnet, and then add a rule above that (using your custom address object) that unblocks the 15 IPs you want to allow through.

"I have only up to 15 IP addresses that need to be accessed from the outside location"

You realize that's asking the SonicWall to set up 15 separate IPSEC tunnels, right? It will almost certainly behave more normally if you just use one tunnel.

Cheers,
-Jon
 
LVL 1

Author Comment

by:howetechnical
ID: 37818005
Ok, I get it. I wasn't thinking of adding one rule to block the entire offsite subnet in the firewall and putting one other to allow the local 15 IPs.

So basically, as far as the firewall rule goes, I block all TCP/UDP traffic to/from the remote subnet and then create another rule to allow all TCP traffic to/from the address object for my local IPs. Sound right?
 
LVL 16

Expert Comment

by:The--Captain
ID: 37818052
That is correct. Just make sure the allow rule for your custom address object is *above* the rule that blocks everything else.
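The accepted solution and the last comment describe one tunnel for the whole remote subnet, with an allow rule for the 15-host address object placed above a deny rule for the remote subnet. The following is an added Python simulation of that first-match rule evaluation, not configuration from the thread or from SonicWall; the subnet 10.20.0.0/24, the hosts 192.168.1.50-64 and the rule names are constructed for illustration.

```python
# Added example: first-match evaluation of the VPN-zone access rules the
# thread describes. All addresses and rule names below are constructed.
from ipaddress import ip_address, ip_network

REMOTE_SUBNET = ip_network("10.20.0.0/24")            # constructed remote site
# Constructed "custom address object": the 15 local hosts allowed over the VPN.
ALLOWED_HOSTS = [ip_network(f"192.168.1.{n}/32") for n in range(50, 65)]
ANY = [ip_network("0.0.0.0/0")]

def build_rules(allow_first=True):
    """Rule table in evaluation order. allow_first=False reproduces the
    mistake the last comment warns about: the deny rule shadows the allow."""
    allow = [
        {"name": "allow remote -> 15 hosts", "src": [REMOTE_SUBNET],
         "dst": ALLOWED_HOSTS, "action": "allow"},
        {"name": "allow 15 hosts -> remote", "src": ALLOWED_HOSTS,
         "dst": [REMOTE_SUBNET], "action": "allow"},
    ]
    deny = [
        {"name": "deny remote -> LAN", "src": [REMOTE_SUBNET],
         "dst": ANY, "action": "deny"},
        {"name": "deny LAN -> remote", "src": ANY,
         "dst": [REMOTE_SUBNET], "action": "deny"},
    ]
    return allow + deny if allow_first else deny + allow

def matches(rule, src, dst):
    """A rule matches when source and destination each fall in one of its
    listed networks (host objects are /32 networks)."""
    return any(src in n for n in rule["src"]) and any(dst in n for n in rule["dst"])

def evaluate(rules, src, dst):
    """First matching rule wins, as on an ordered access-rule table; return
    (action, rule name). Traffic matching nothing hits an implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst):
            return rule["action"], rule["name"]
    return "deny", "implicit"

def check_ordering():
    """Contrast the correct table with the shadowed one for the same flow."""
    good, bad = build_rules(True), build_rules(False)
    return {
        "correct: remote -> allowed host": evaluate(good, "10.20.0.7", "192.168.1.55"),
        "correct: remote -> other host": evaluate(good, "10.20.0.7", "192.168.1.200"),
        "shadowed: remote -> allowed host": evaluate(bad, "10.20.0.7", "192.168.1.55"),
    }
```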
