SonicWall traffic routing through VPN

Posted on 2012-09-20
Last Modified: 2012-11-24
Here's the situation:  At our remote retail locations we want to run prepaid phone cards through the point of sale (POS) register over their WAN connection for acceptance and authorization.  The software we have to use allows me to specify a port and an IP address to route to the prepaid card authorizer "STARBASE".  The connection to "STARBASE" must be via P2P circuit or VPN, and we won't have a P2P to them, just a single VPN.  "STARBASE" will only allow one VPN connection from a multi-store outlet chain.  Each store is connected to the central corporate office Sonicwall NSA via VPN connections from their Sonicwall TZ 2xx devices.  What I want to do is take TCP traffic from this retail zone using this specific port number at the store and route it through the corporate office Sonicwall to "STARBASE", and then return the authorization.  So in essence the POS software can connect to 62.x.x.x via their VPN to our corporate office and our VPN to "STARBASE".  I'm looking for suggestions on how to best accomplish this.  More background:  each store has dedicated internet access via cable or other broadband, as does the corporate office.  Our "WAN" is created by the VPN connections from the stores to the corporate office via the Sonicwall devices.  The Sonicwall is the only device at the location capable of routing traffic. Thanks!
Question by:HoneyFarms
    Expert Comment

    Some questions...

    The first step is how to positively identify this as a phone card transaction, and where it came from. Can you do that now?

    1. When you run a phone card through the POS scanner on the register, how will you identify this as a phone card, versus say a credit card? Do you have an application listening for this now?

    2. Does the use of the POS scanner now return data to your corporate office?  Do you now route traffic from the register to the corporate office and then back to that specific register?

    If you can explain how the pieces work now, or will work, I can help you.

    Author Comment

    Thanks for the reply.  Here are the answers to your questions:

    The POS systems are part of a DMZ that segregates the machines which do credit card processing from the other store IP devices, and vice-versa.  The POS software initiates the request for the prepaid phone card authorization by sending the request to a local NIM (network interface module) also located at the store.  Requests for credit card authorizations or check approvals will go to other NIMs, and these prepaid cards are routed via the software to this particular NIM.  This NIM will then send that POS request out a specified port to a specified IP address (belonging to "STARBASE").  If I was allowed to create multiple VPN connections to "STARBASE" from each store, then I wouldn't have a problem, and I'd just open the specified port from the DMZ to WAN and recursive.  However, "STARBASE" can only receive the authorization requests via that single VPN connection from our corporate office.  So that firewall access rule would now be from the store DMZ to VPN Corporate Office.... and how I'd get that to "STARBASE" is where I'm stuck.

    Today we push post sales data to the corporate office from the POS, but not authorizations.  Our other credit authorizations use vendor supplied software to route those requests via a secure VPN tunnel to the card authorizations via the store's WAN connection, and not the VPN, therefore they can drop the VPN connection to the office and still not lose the ability to process credit cards.

    Hope that helps you craft a potential solution....
    Expert Comment

    So if I understand this, each store will have its own NIM for phone cards. That NIM would typically go directly to the authorization site via a VPN connection, but since they will only let you have one, you must consolidate all store requests via Corporate.

    Further, there is NO application or hardware at corporate that receives these store requests, but rather you must just pass them along through the VPN connection to STARBASE.

    Is that all correct?

    More questions....
    1. Does each NIM in each store have its own unique fixed IP address?
    2. Are you using subnets, or VLANs, or what?
    3. What is the IP address range type (ex: 192.168.1.x then 192.168.2.x etc) for each store and how many are there?
    4. Do you know if the STARBASE software has a way of telling you where the request for approval came from? For example, say you have 10 stores all funneling requests to STARBASE via corporate, what will tell you which one came from which store? Can you tag a request with a location ID?

    The biggest problem I see at the moment is how to know where to send the approval back to, since I suspect that info will be lost. In a normal VPN connection, a return is sent to where it came from. In your case it is once removed (2 hops), with nothing I see that tells it where it came from, and gets it there.

    Do you have any further info regarding this issue?

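The return-path concern raised in the comment above (the approval has to find its way back two hops to the store that sent the request, and STARBASE only ever sees the single corporate endpoint) is what a stateful source-NAT at the hub is for. The following is an added Python model of that hub behaviour; it is not from the thread, not a SonicWall configuration, and all addresses, ports and store subnets in it are constructed placeholders (the thread only gives "62.x.x.x" for STARBASE). It shows the access check at the hub (only store-DMZ sources, only the authorizer address and port), the per-connection mapping that lets replies be delivered to the right store even when two stores use the same source port, and what happens to a reply that matches no state.

```python
import ipaddress
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed placeholders; the thread gives only "62.x.x.x" for STARBASE.
STARBASE_IP = "62.0.0.10"
STARBASE_PORT = 7000
HUB_VPN_ADDR = "10.0.0.1"   # assumed corporate-side address that STARBASE permits


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class HubForwarder:
    """Models the corporate firewall as a source-NAT hub with a connection table."""

    def __init__(self, store_dmz_subnets: Dict[str, str], first_port: int = 40000):
        # subnet -> store label, e.g. {"192.168.1.0/24": "store-1"} (constructed)
        self.stores = {ipaddress.ip_network(n): name for n, name in store_dmz_subnets.items()}
        # hub source port -> (original store src_ip, src_port)
        self.state: Dict[int, Tuple[str, int]] = {}
        self._ports = itertools.count(first_port)

    def store_of(self, ip: str) -> Optional[str]:
        """Return the store whose DMZ subnet contains ip, or None."""
        addr = ipaddress.ip_address(ip)
        for net, name in self.stores.items():
            if addr in net:
                return name
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Store -> STARBASE. Returns the rewritten packet, or None if dropped."""
        # Access rule: only store-DMZ sources, only the authorizer, only its port.
        if self.store_of(pkt.src_ip) is None:
            return None
        if pkt.dst_ip != STARBASE_IP or pkt.dst_port != STARBASE_PORT:
            return None
        # Translate the source to the one address STARBASE accepts and remember
        # which store/port this hub port stands for.
        hub_port = next(self._ports)
        self.state[hub_port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=HUB_VPN_ADDR, src_port=hub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """STARBASE -> store. Uses the connection table to find the originator."""
        if pkt.src_ip != STARBASE_IP or pkt.dst_ip != HUB_VPN_ADDR:
            return None
        original = self.state.get(pkt.dst_port)
        if original is None:
            return None  # no matching request: the reply has nowhere to go
        store_ip, store_port = original
        return replace(pkt, dst_ip=store_ip, dst_port=store_port)


def demo():
    """Two stores send requests from the same source port; replies still return correctly."""
    hub = HubForwarder({"192.168.1.0/24": "store-1", "192.168.2.0/24": "store-2"})
    req1 = Packet("192.168.1.50", 51000, STARBASE_IP, STARBASE_PORT, b"AUTH card=1111")
    req2 = Packet("192.168.2.50", 51000, STARBASE_IP, STARBASE_PORT, b"AUTH card=2222")
    out1 = hub.outbound(req1)
    out2 = hub.outbound(req2)
    # STARBASE replies to the source it saw: the hub address and the hub port.
    reply1 = Packet(STARBASE_IP, STARBASE_PORT, HUB_VPN_ADDR, out1.src_port, b"APPROVED 1111")
    reply2 = Packet(STARBASE_IP, STARBASE_PORT, HUB_VPN_ADDR, out2.src_port, b"APPROVED 2222")
    back1 = hub.inbound(reply1)
    back2 = hub.inbound(reply2)
    # A reply for a port with no state, and a store packet to some other host.
    stray = hub.inbound(Packet(STARBASE_IP, STARBASE_PORT, HUB_VPN_ADDR, 49999, b"?"))
    rogue = hub.outbound(Packet("192.168.1.50", 51001, "203.0.113.9", 80, b"GET /"))
    return out1, out2, back1, back2, stray, rogue


if __name__ == "__main__":
    for label, pkt in zip(["out1", "out2", "back1", "back2", "stray", "rogue"], demo()):
        print(label, pkt)
```

On the real hub the same effect is a NAT policy on the corporate firewall that rewrites the source of store-DMZ traffic destined for the authorizer to the address the authorizer accepts, paired with an access rule restricted to that destination and port; the state table shown here is what the firewall keeps so that the answering packet reaches the store that asked, which is the piece the comment above identifies as missing.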
    Accepted Solution

    My apologies for delaying the close of this thread.  The program requirements changed and we're still re-scoping.
