Can't open port 2030 in Sonicwall Pro 2040

Experts,

I have a client who has an old Sonicwall Pro 2040 router. I am trying to configure the source IP 172.28.0.10 port 2030 to destination IP 65.xx.xxx.xxx port 2030, but it will not let me. Anyone know how to configure this router so that it will accept these parameters?

Thanks!
Blue Street Tech

Hi CervisTECH,

That firewall is EOL (End of Life) and should be replaced to effectively secure and provide the current-day functionality demands and threat climate.

Which way is this going WAN>LAN or LAN>WAN?

What error message are you getting when you try? Can you provide a screenshot of your Access Rules?

Thanks!
Ramtek Support

ASKER

WAN to LAN: 65.XXX.XXX.XXX to LAN port 2030. And LAN 172.XXX.XXX.XXX to WAN port 2030.
Did you put ending addresses?

Again, What error message are you getting when you try? Can you provide a screenshot of your Access Rules?

Unless you are filtering outbound traffic there is no need to have a LAN > WAN rule; you should have * > WAN Allow by default.
When I try to add a new VPN tunnel all I am getting is a blank VPN Policy window. Any ideas why this is happening?
Restart the SonicWALL and it should clear up that issue.

Let me know how it goes!
How can I dedicate a port for traffic for my vpn? Meaning I want to establish a S-2-S vpn connection to a vendor. But I want him to use port 2030 to send messages over to me in our system. But I don't see in the Sonicwall config how to do that.

Is this possible?
Thanks!
ASKER CERTIFIED SOLUTION
Blue Street Tech
Model: PRO 2040 Enhanced
Firmware Version: SonicOS Enhanced 3.1.0.14-49e
ROM Version: SonicROM 2.1.0.0

This is an EOL router. Not sure if I can update the firmware or not. Don't know how.
I have the VPN policy configured but how do I enable it? I am not able to get a green dot indicating that it has been enabled.

I checked the other side and they confirmed that the configuration is correct.
Thanks!
I uploaded the configuration for port 2030. This is what I've done:

1. Name: Interface
2. Protocol: TCP(6) Is this the correct protocol I should be using?
3. Port Range: 2030 - 2050
4. Sub Type: None (greyed out)

After clicking Next:
1. Server Name
2. IP Address of my server: 172.168.0.10
3. Gave description of server

So after configuring this, the sending server (remote user) will be able to send to my server (172.168.0.10) on port 2030. Is this correct, and am I leaving anything out?

Thanks!
Here is what I am getting from the other router:

Nov 20 10:44:28 "CDC-1" #19372: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 20 10:44:28 "CDC-1" #19372: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 20 10:44:28 "CDC-1" #19372: ignoring unknown Vendor ID payload [404bf439522ca3f6]
Nov 20 10:44:28 "CDC-1" #19372: received Vendor ID payload [XAUTH]
Nov 20 10:44:28 "CDC-1" #19372: ignoring unknown Vendor ID payload [da8e937880010000]
Nov 20 10:44:28 "CDC-1" #19372: received Vendor ID payload [Dead Peer Detection]
Nov 20 10:44:28 "CDC-1" #19372: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Nov 20 10:44:28 "CDC-1" #19372: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 20 10:44:28 "CDC-1" #19372: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 20 10:44:28 "CDC-1" #19372: Main mode peer ID is ID_IPV4_ADDR: '97.xxx.xxx.xx'
Nov 20 10:44:28 "CDC-1" #19372: I did not send a certificate because I do not have one.
Nov 20 10:44:28 "CDC-1" #19372: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 20 10:44:28 "CDC-1" #19372: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Nov 20 10:44:28 "CDC-1" #19373: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
Nov 20 10:44:28 "CDC-1" #19373: no acceptable Proposal in IPsec SA
Nov 20 10:44:28 "CDC-1" #19373: sending encrypted notification NO_PROPOSAL_CHOSEN to 97.xxx.xxx.xx:500

From the logs, it seems the Sonicwall is refusing the connection due to strict flag.
Not sure why Sonicwall is refusing the connection.

Thanks!
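An added example (not from the thread, and not SonicWALL's or the peer router's code) that reads pluto-style IKE log lines like the ones posted above and reports whether the ISAKMP (Phase 1) SA was established, with which parameters, and which IPsec (Phase 2) transform was refused, so the mismatched proposal can be pinpointed before any settings are changed. The sample log is constructed from the excerpt in the post, with the same masked addresses.

```python
import re

# Constructed sample, modelled on the log excerpt posted in this thread.
SAMPLE_LOG = """\
Nov 20 10:44:28 "CDC-1" #19372: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 20 10:44:28 "CDC-1" #19372: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Nov 20 10:44:28 "CDC-1" #19373: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
Nov 20 10:44:28 "CDC-1" #19373: no acceptable Proposal in IPsec SA
Nov 20 10:44:28 "CDC-1" #19373: sending encrypted notification NO_PROPOSAL_CHOSEN to 97.xxx.xxx.xx:500
"""

# Phase 1 success line carries the negotiated parameters in braces.
ISAKMP_RE = re.compile(r"ISAKMP SA established \{([^}]*)\}")
# Phase 2 transform rejected by the responder's strict policy.
REFUSED_RE = re.compile(r"IPsec Transform \[([^\]]*)\] refused")
NO_PROPOSAL_RE = re.compile(r"NO_PROPOSAL_CHOSEN")


def analyze_ike_log(text):
    """Summarise Phase 1 / Phase 2 outcome from pluto-style IKE log lines."""
    result = {
        "phase1_established": False,
        "phase1_params": {},      # e.g. {"cipher": "aes_128", "group": "modp1024"}
        "phase2_refused": [],     # transforms the responder rejected
        "no_proposal_chosen": False,
    }
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            result["phase1_established"] = True
            result["phase1_params"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        m = REFUSED_RE.search(line)
        if m:
            result["phase2_refused"].append(m.group(1))
        if NO_PROPOSAL_RE.search(line):
            result["no_proposal_chosen"] = True
    return result


def diagnose(result):
    """Name the phase whose proposals must be compared between the two peers."""
    if not result["phase1_established"]:
        return "phase1-not-established"
    if result["no_proposal_chosen"] or result["phase2_refused"]:
        return "phase2-mismatch"
    return "ok"


if __name__ == "__main__":
    r = analyze_ike_log(SAMPLE_LOG)
    print(diagnose(r), r["phase1_params"], r["phase2_refused"])
```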
Please understand that if you don't answer all my questions it will be impossible to guide you. From my comment (http:#a39657911) you answered the SonicOS version but did not comment to this...
A site-to-site VPN should not be changed from its default ports. If you want to open 2030 that is fine, but it has nothing to do with VPN. Click on the Public Server Wizard and select Other... for the server and create a custom service for port 2030. That should do it.
The phases will fail if you arbitrarily change the VPN ports.

Here is how you upgrade your firmware & backup your settings:
1. Download the SonicOS Enhanced firmware image file from mysonicwall.com and save it to a location on your local computer.

2. On the System > Settings page, click the Export Settings button to save the current configuration to a file. You will be prompted to select the location on your hard drive to save the file.

3. For good measure, click on the Create Backup Settings button to save the current firmware and settings within the SonicWALL appliance.

4. On the System > Settings page, click Upload New Firmware.

5. Browse to the location where you saved the SonicOS Enhanced firmware image file, select the file, and click Upload.

6. Click the Boot icon in the row for Uploaded Firmware - New!
Let me know how it goes!
It appears that the Phase 1 parameter configuration was mismatched. I was using encryption 3DES and they were using AES128. Thanks for your help.... I wish I could give more points to you as you really helped me to figure out what I was doing wrong.

Thanks!
My pleasure! I'm glad I could help and thanks for the points!