Solved

SonicWall SSL-VPN, no Internet connectivity for clients

Posted on 2013-11-16
10
8,267 Views
Last Modified: 2014-05-20
Hello,
    We have a SonicWall NSA220 and we are trying to route all internet traffic from laptops and iOS devices through the SSL-VPN. However, with tunnel all mode enabled, the internet on the client does not work. I originally had it configured with tunnel all mode disabled, but then the WAN IP shown on the client was not the WAN IP of the office network. How can I route all internet traffic through the SSL-VPN?

Thank you!
0
Comment
Question by:indigo6
  • 5
  • 4
10 Comments
 
LVL 12

Expert Comment

by:Infamus
ID: 39653833
Try this.

http://www.sonicwall.com/downloads/advanced_vpn.pdf

ctrl+f and search for "split tunnel".
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39654250
Hi indigo6,

SSL-VPN > WAN Traffic.
To pass traffic from SSL-VPN to WAN you should manually add an Access Rule SSL-VPN > WAN Allow.

Tunnel All mode.
Tunnel All mode routes all traffic to and from the remote user over the SSL-VPN NetExtender tunnel —including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

IP Address    Subnet mask
0.0.0.0            0.0.0.0
0.0.0.0            128.0.0.0
128.0.0.0        128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL-VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.x.x network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.

Tunnel All mode is configured on the SSL VPN > Client Routes page.

May I ask what the overall goal is here?
0
 

Author Comment

by:indigo6
ID: 39657718
Hi, thanks for your input. What I am trying to accomplish is more security for remote employees. When they are on the go, I want all their network traffic to pass through the SSLVPN. I have an access rule in the SSLVPN > WAN zone already (screenshot attached), but I still can't browse the internet from a remote client. The network just hangs.

Thanks!
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 25

Expert Comment

by:Diverse IT
ID: 39658706
There is no attachment.

Try disabling Windows firewall and retest.
0
 

Author Comment

by:indigo6
ID: 39673858
No go. :( Also, the iOS app doesn't seem to allow network access with tunnel all mode enabled.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39674674
Hmm, I haven't come across that. So are you looking into the app under routes and it's not showing that? If not, how did you determine that?
0
 

Author Comment

by:indigo6
ID: 39719667
I've attached a screenshot. Thanks!
photo.PNG
0
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39719806
Ah I see.

To allow your end users access to internet over the UTM-SSLVPN, you will need to allow “WAN RemoteAccess Networks” (a network address object whose value 0.0.0.0 acts like a default route), and the Tunnel All option must be selected on the Client Routes page.  The method below is appropriate when the administrator wants all of their NetExtender users to have their internet access provided through the SSL-VPN otherwise disable Tunnel All mode.  Be sure that you are not overwhelming the internet bandwidth at the location where the firewall is installed, as this traffic will be added to the other loads from inside the network.
Step 1: On the SonicWALL, go to SSL-VPN > Client Routes screen, enable the Tunnel All option in the drop down menu.

Step 2: On the Users > Local Groups screen, configure SSLVPN Services group and under tab “VPN Access,” add the object WAN RemoteAccess Networks.

Step 3: No custom rules are needed on the Firewall > Access Rules screen for this to work.  You can see auto-added rules in the section SSLVPN to WAN.
Make sense?
0
 

Author Closing Comment

by:indigo6
ID: 39762967
Sorry for not responding in a timely manner. This got put on the backburner for a while. However, it worked! Thanks! It's obscenely slow, but that's fine for now. Thanks!
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39762983
Great glad I could help and thanks for the points!

If its exceptionally slow it isn't because of the setup...the setup is straightforward in fact all we are doing is setting routing here. To correct transmission issues take a look here and change your MTU value: http://www.experts-exchange.com/A_12615.html

Cheers!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
l2tp tunnel from pc to router 14 86
Palo Alto Networks: Packet Trace Simulator? 2 48
Palo Alto Networks - find the sec zone 3 49
ASA Tunnel 18 32
For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question