SonicWall traffic routing through VPN

Posted on 2012-09-20
Medium Priority
Last Modified: 2012-11-24
Here's the situation:  At our remote retail locations we want to run prepaid phone cards through the point of sale (POS) register over their WAN connection for acceptance and authorization.  The software we have to use allows me to specify a port and an IP address to route to the prepaid card authorizer "STARBASE".  The connection to "STARBASE" must be via P2P circuit or VPN, and we won't have a P2P to them, just a single VPN.  "STARBASE" will only allow one VPN connection from a multi-store outlet chain.  Each store is connected to the central corporate office SonicWall NSA via VPN connections from their SonicWall TZ 2xx devices.  What I want to do is take TCP traffic from this retail zone using this specific port number at the store and route it through the corporate office SonicWall to "STARBASE", and then return the authorization.  So in essence the POS software can connect to 62.x.x.x via their VPN to our corporate office and our VPN to "STARBASE".  I'm looking for suggestions on how to best accomplish this.

More background:  each store has dedicated internet access via cable or other broadband, as does the corporate office.  Our "WAN" is created by the VPN connections from the stores to the corporate office via the SonicWall devices.  The SonicWall is the only device at the location capable of routing traffic. Thanks!
Question by:HoneyFarms
LVL 20

Expert Comment

ID: 38422621
Some questions...

The first step is how to positively identify this as a phone card transaction, and where it came from. Can you do that now?

1. When you run a phone card through the POS scanner on the register, how will you identify this as a phone card, versus say a credit card? Do you have an application listening for this now?

2. Does the use of the POS scanner now return data to your corporate office?  Do you now route traffic from the register to the corporate office and then back to that specific register?

If you can explain how the pieces work now, or will work, I can help you.

Author Comment

ID: 38422709
Thanks for the reply.  Here are the answers to your questions:

The POS systems are part of a DMZ that segregates the machines which do credit card processing from the other store IP devices, and vice versa.  The POS software initiates the request for the prepaid phone card authorization by sending the request to a local NIM (network interface module) also located at the store.  Requests for credit card authorizations or check approvals will go to other NIMs, and these prepaid cards are routed via the software to this particular NIM.  This NIM will then send that POS request out a specified port to a specified IP address (belonging to "STARBASE").  If I was allowed to create multiple VPN connections to "STARBASE" from each store, then I wouldn't have a problem, and I'd just open the specified port from the DMZ to WAN and recursive.  However, "STARBASE" can only receive the authorization requests via that single VPN connection from our corporate office.  So that firewall access rule would now be from the store DMZ to VPN Corporate Office.... and how I'd get that to "STARBASE" is where I'm stuck.

Today we push post-sales data to the corporate office from the POS, but not authorizations.  Our other credit authorizations use vendor-supplied software to route those requests via a secure VPN tunnel to the card authorizers via the store's WAN connection, and not the VPN; therefore they can drop the VPN connection to the office and still not lose the ability to process credit cards.

Hope that helps you craft a potential solution....
LVL 20

Expert Comment

ID: 38423034
So if I understand this, each store will have its own NIM for phone cards. That NIM would typically go directly to the authorization site via a VPN connection, but since they will only let you have one, you must consolidate all store requests via Corporate.

Further, there is NO application or hardware at corporate that receives these store requests, but rather you must just pass them along through the VPN connection to STARBASE.

Is that all correct?

More questions....
1. Does each NIM in each store have its own unique fixed IP address?
2. Are you using subnets, or vlans, or what?
3. What is the IP address range type (ex: 192.168.1.x then 192.168.2.x etc.) for each store, and how many are there?
4. Do you know if the STARBASE software has a way of telling you where the request for approval came from? For example, say you have 10 stores all funneling requests to STARBASE via corporate; what will tell you which one came from which store? Can you tag a request with a location ID?

The biggest problem I see at the moment is how to know where to send the approval back to, since I suspect that info will be lost. In a normal VPN connection, a return is sent to where it came from. In your case it is once removed (2 hops), with nothing I see that tells it where it came from and gets it there.

Do you have any further info regarding this issue?
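The return-path concern raised in the comment above is normally handled by source NAT on the hub firewall: the corporate device rewrites each store's request to its own tunnel address, keeps a state entry, and reverses the translation on the reply so it is routed back down the correct store tunnel. The Python model below is an added illustration, not from the thread or from SonicWall; all addresses, tunnel names and the STARBASE port are constructed placeholders, and it also shows the reply being lost when the hub forwards the store address unchanged.

```python
import ipaddress
from collections import namedtuple

# Constructed sample addressing; none of these values come from the thread.
HUB_VPN_ADDR = "10.200.0.1"     # corporate end of the single tunnel to the authorizer
STARBASE_ADDR = "62.0.0.10"     # placeholder for the authorizer's address
STARBASE_PORT = 9000            # placeholder for the authorizer's port
# store subnet -> store tunnel interface on the corporate firewall
STORE_TUNNELS = {"192.168.1.0/24": "tun-store1", "192.168.2.0/24": "tun-store2"}
Packet = namedtuple("Packet", "src sport dst dport")

class Hub:
    def __init__(self, use_snat):
        self.use_snat = use_snat
        self.nat_table = {}        # hub source port -> (store ip, store port)
        self.next_port = 40000

    def outbound(self, pkt):
        """Store -> STARBASE. With SNAT the hub rewrites the source and remembers it."""
        if not self.use_snat:
            return pkt             # forwarded unchanged: source is still a store address
        port, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[port] = (pkt.src, pkt.sport)
        return Packet(HUB_VPN_ADDR, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """STARBASE -> store. Undo SNAT, then route the reply to the owning tunnel."""
        if self.use_snat:
            orig = self.nat_table.get(pkt.dport)
            if orig is None:
                return None        # no state entry: the reply cannot be delivered
            pkt = Packet(pkt.src, pkt.sport, orig[0], orig[1])
        return tunnel_for(pkt.dst)

def tunnel_for(ip):
    """Route lookup: which store tunnel owns this destination address?"""
    addr = ipaddress.ip_address(ip)
    for subnet, tun in STORE_TUNNELS.items():
        if addr in ipaddress.ip_network(subnet):
            return tun
    return None

def starbase_reply(pkt):
    """STARBASE only accepts traffic sourced from the corporate tunnel address."""
    if pkt.src != HUB_VPN_ADDR:
        return None
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def authorize(hub, store_ip, store_port):
    """Return the tunnel the reply is routed back through, or None if it is lost."""
    req = Packet(store_ip, store_port, STARBASE_ADDR, STARBASE_PORT)
    reply = starbase_reply(hub.outbound(req))
    return None if reply is None else hub.inbound(reply)
```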

Accepted Solution

HoneyFarms earned 0 total points
ID: 38613320
My apologies for delaying the close of this thread.  The program requirements changed and we're still re-scoping.

Author Closing Comment

ID: 38628137
My apologies for delaying the close of this thread.  The program requirements changed and we're still re-scoping.
