Solved

Sonicwall NSA 2600 Client VPN

Posted on 2014-02-20
9
2,198 Views
Last Modified: 2014-02-25
I had SSL VPN set up and working but cant get the a budget to purchase more SSL licences so I am trying to set up VPN access using the SW global VPN client.

I have got my users connecting and getting an DHCP address from my internal server not the sonicwall.

I have set split tunnelling and created a user group called SWVPN that has VPN access to firewalled subnet. However when I am trying to access the internet internal or external I get page cannot be displayed.

Some of the config I have is -
relay address 0.0.0.0
Split Tunnelling
Require authentication of VPN clients by XAUTH (pointing to my VPN group)
Enable Windows Networking (NetBIOS) Broadcast
everything else is unticked.
default gateway set to my sonicwalls internal IP

From the SW logs I am seeing this

UTC 02/20/2014 11:44:40.704 Notice Network Access Web access request dropped 192.168.1.34, 58759, X1 192.168.1.212, 80, X0 HTTP    
2 UTC 02/20/2014 11:44:12.096 Notice Network Access TCP handshake violation detected; TCP connection dropped 192.168.1.34, 58738, X1 dan james 173.194.67.103, 80, X1, wi-in-f103.1e100.net Handshake Timeout    
3 UTC 02/20/2014 11:44:05.432 Notice Network Access UDP packet dropped 192.168.1.34, 137, X1 192.168.17.255, 137, X0 NetBios UDP    
4 UTC 02/20/2014 11:43:08.336 Notice Network Access UDP packet dropped 192.168.1.34, 137, X1 192.168.17.255, 137, X0 NetBios UDP    
5 UTC 02/20/2014 11:43:05.640 Notice Network Access TCP handshake violation detected; TCP connection dropped 192.168.1.34, 58723, X1 dan james 157.56.122.48, 443, X1 Handshake Timeout    
6 UTC 02/20/2014 11:42:02.208 Notice Network Access Web access request dropped 192.168.1.34, 58737, X1 192.168.1.212, 80, X0 HTTP    
7 UTC 02/20/2014 11:41:58.432 Notice Network Access UDP packet dropped 192.168.1.34, 50572, X1 192.168.1.200, 53, X0 DNS (Name Service) UDP
0
Comment
Question by:CaptainGiblets
  • 5
  • 4
9 Comments
 
LVL 10

Expert Comment

by:convergint
ID: 39874145
You need to change the default gateway on the WAN GroupVPN policy back to 0.0.0.0 as you don't need that when you are running a split tunnel configuration.

I'm assuming that you are able to get the clients to connect fine with the VPN client and that you are licensed for that as well?
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 39874274
they connect fine just cant do anything, I tried 0.0.0.0 on split and everything and it does the same.
0
 
LVL 10

Expert Comment

by:convergint
ID: 39874372
Once they connect, are they able to ping the Sonicwall LAN gateway itself?  And I'm assuming that their local LAN subnets do not conflict with your corporate LAN?

If their local LAN is 192.168.1.x and your Sonicwall LAN is also 192.168.1.x then things will not work.
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 39876405
Well currently I have a DHCP server on my LAN which gives the address to all the clients etc.

How can I enable it on my sonicwall without it interfering with my clients and only providing addresses to my vpn clients on a different subnet?
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 10

Accepted Solution

by:
convergint earned 500 total points
ID: 39881043
In the VPN > DHCP over VPN settings you can configure the DHCP to only use the internal DHCP for the Global VPN Client.

This is the KB article on how to do it but it does not mention the NSA 2600 but I'd assume it would work still.

https://www.sonicwall.com/us/en/support/2213.html?fuzeurl=https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8024&SearchType=advanced&referrer=&status=&rfield=&sortmethod=rel&rpp=25&usertype=Consumer&formaction=search&keyword=many+wan+ip&vsn=&subcats=&start=26&match=and&catid=&submitbutton=Go
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 39882125
Trying to do this and I am stuck at Acquiring IP

Created a VLAN on X0 with IP of 192.168.18.1, then went and set use DHCP for VPN with a scope of 192.168.18.100 to 18.110 with an interface of X0:V1

In VPN DHCP settings I set the relay 192.168.18.1 and also tried it as 0.0.0.0

The logs show -  02/24/2014 11:04:59.720 Info DHCP Relay DHCP DISCOVER received from remote device 0.0.0.0, 68, X1 255.255.255.255, 67 MAC=00:60:73:C0:D6:0C HostName: MR-K
EAD1  

When hovering over local VPN settings for user it says 0.0.0.0 0.0.0.0

However I have allowed access for users via AD in a group called SW_VPN which I am a part of and I have given the group access to the X0 subnet and the X0:V1 vlan.
0
 
LVL 10

Expert Comment

by:convergint
ID: 39883011
I just tested this on our Sonicwall and you need to set the relay with 192.168.18.100, not 192.168.18.1.
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 39883024
I don't understand why it would be 18.100? as that is only the start of the DHCP scope. Its not actually a device or anything?
0
 
LVL 10

Expert Comment

by:convergint
ID: 39883349
In the Sonicwall KB I posted above, it states that the relay address needs to be within the DHCP scope.  I don't understand the technical details of why, but all I know is that it worked perfectly fine with our NSA 2400 following those instructions and also setting up a X0:V1 like yours.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port forwarding 14 116
Pfsense & Black list. 2 106
Cisco ASA 5516-X Configuration 4 68
ASA Deny No Connection PSH ACK, Traffic is dropped 10 66
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now