Route access to single IP address through site-to-site VPN

I have our SonicWall connected to a vendor via a VPN policy. There is a specific IP for an application on their end we need to access from our network. How do I set it up so that when a user accesses that IP address the SonicWall routes it down the VPN to the remote vendor?
USGLOBALAsked:

Santosh GuptaCommented:
Hi,

A site-to-site VPN should always be enabled; whenever you want, you can access the application. See this URL to configure a site-to-site VPN:
http://help.mysonicwall.com/sw/eng/305/ui2/23200/VPN/VPN_Policy_Config_Site2Site.htm
0
USGLOBALAuthor Commented:
The VPN is already configured, but I cannot access the application IP address through the VPN. I need to force all traffic to that IP address through the VPN.
0
Mandeep KhalsaCommented:
You cannot have the same IP scheme on both sides of the VPN connection. So the IP address you are trying to access on the vendor network cannot exist on your network. Therefore all communication will always route to the VPN when trying to access the particular IP address.
0

USGLOBALAuthor Commented:
Understood, but we are not able to access the application. Our networks are on 2 separate IP schemes. I am unable to PING the IP of the application from the Sonicwall as well. When a TRACERT is run from the SonicWall, it attempts to route the traffic out one of the WAN interfaces, not down the VPN.
0
Santosh GuptaCommented:
Try on a Windows machine and see if it works.


    route ADD xxx.xxx.xxx.xxx MASK xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx

    Means:

    route ADD "network" MASK "subnet mask"  "gateway ip"

Example: route ADD 10.10.10.0 MASK 255.255.255.0 192.168.1.12
0
Mandeep KhalsaCommented:
In that case your Sonicwall settings are not correct. Do you have any firewall rules listed for LAN -> VPN?
0
USGLOBALAuthor Commented:
Yes, there is one FW rule that was auto-added for the IP address we need to access on the remote host.
0
USGLOBALAuthor Commented:
The rule is set to "ALLOW".
0
Mandeep KhalsaCommented:
Make sure that on your VPN settings advanced tab you have the following items checked.

 Sonicwall Settings
0
USGLOBALAuthor Commented:
"Enable Windows Networking" does not apply since this is a single host. The SonicWall threw an error to that effect.

Attempted to PING and TRACERT; both failed. TRACERT still looks as if it is not directing it down the VPN.
0
USGLOBALAuthor Commented:
Here is the error
2-27-2014-1-57-29-PM.jpg
0
Mandeep KhalsaCommented:
Under VPN settings - Network what do you have listed for Local and Remote Networks? IP schemes please.
0
USGLOBALAuthor Commented:
Local networks references a group which contains our local LAN (LAN Subnets)
192.168.55.0 255.255.255.0

Remote Networks references an address object HOST
170.119.190.254 255.255.255.255
0
Mandeep KhalsaCommented:
That remote host IP is a WAN IP address not a LAN IP and that is why your network is trying to go over the WAN. That IP address should be changed to the internal IP address of the server you are trying to reach. It will be in the range of 10.x.x.x or 192.168.x.x or 172.16.x.x through 172.31.x.x ranges.
0
USGLOBALAuthor Commented:
Unfortunately we cannot. It is a service that we are being given access to. This service requires that it be accessed only through a dedicated line that our vendor has. This VPN connection is so that we can access that application as if we were on the vendors network.
0
Mandeep KhalsaCommented:
A VPN connection has to be created with 2 static IP addresses that are accessible from the WAN. So in your case let's say your address is A.B.C.D and theirs is E.F.G.H.

Both of those IP addresses will be pingable from anywhere in the world. These IP addresses will form the endpoints for your VPN connection. Once that connection is established, you can further block it down by saying that the VPN only has access to so much of the internal network, which is what the network setting on your Sonicwall VPN setup is doing.

In your settings you are saying that your whole local network is able to access the remote host (a single IP address). Normally this IP address has to be internal for the traffic to route via VPN tunnel.

Since you can't do that, try this. Go under Network - Routing on your sonicwall and create a route where the source is LAN, and destination is the IP address in question, for any service, leave gateway as 0.0.0.0 and for interface select or create the VPN tunnel interface. That should force the traffic via the VPN connection.
0
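The posts above all turn on one rule: in a policy-based site-to-site VPN, a packet enters the tunnel only when its source is inside one of the Local Networks and its destination inside one of the Remote Networks; anything else follows the ordinary routing table, which for a public destination like 170.119.190.254 means the WAN default route. The script below is an added example, not SonicWall code and not from this thread; it models that selector check on the exact objects USGLOBAL posted (192.168.55.0/24 local, 170.119.190.254/32 remote, both constructed here as sample input) and also flags the two configuration hazards Mandeep raised: overlapping address space on the two sides, and a remote selector that is a public address, where any mismatch silently falls through to the WAN. The function names and the warning strings are mine.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: the selectors USGLOBAL listed for the SonicWall policy
# (Local Networks = the LAN subnet, Remote Networks = a single /32 host object).
LOCAL_NETWORKS = ["192.168.55.0/24"]
REMOTE_NETWORKS = ["170.119.190.254/32"]


def _to_networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def matches_vpn_policy(src: str, dst: str, local: Iterable[str], remote: Iterable[str]) -> bool:
    """Policy-based (site-to-site) IPsec: a packet is sent into the tunnel only when
    its source is inside a Local Network AND its destination is inside a Remote
    Network. Anything else is forwarded by the normal routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in _to_networks(local))
            and any(d in n for n in _to_networks(remote)))


def forwarding_decision(src: str, dst: str, local: Iterable[str], remote: Iterable[str]) -> str:
    """Return the path the selectors imply for one flow (labels are mine)."""
    if matches_vpn_policy(src, dst, local, remote):
        return "VPN tunnel"
    return "routing table (WAN default route)"


def policy_warnings(local: Iterable[str], remote: Iterable[str]) -> List[str]:
    """Two sanity checks raised in the thread:
    - overlapping address space on the two sides (the firewall cannot tell which
      side a destination belongs to);
    - a remote selector that is a public address: the default route also covers it,
      so a selector mismatch sends the flow out the WAN instead of failing loudly."""
    warnings: List[str] = []
    lnets, rnets = _to_networks(local), _to_networks(remote)
    for ln in lnets:
        for rn in rnets:
            if ln.overlaps(rn):
                warnings.append(f"overlap: local {ln} and remote {rn} share address space")
    for rn in rnets:
        if not rn.is_private:
            warnings.append(
                f"public remote selector {rn}: a selector mismatch will fall through to the WAN")
    return warnings


if __name__ == "__main__":
    # The host object matches; a neighbouring address on the same vendor network does not.
    for dst in ("170.119.190.254", "170.119.190.1"):
        print(dst, "->", forwarding_decision("192.168.55.10", dst, LOCAL_NETWORKS, REMOTE_NETWORKS))
    for w in policy_warnings(LOCAL_NETWORKS, REMOTE_NETWORKS):
        print("warning:", w)
```

Run against the thread's objects, the selector check says a LAN host reaching 170.119.190.254 should enter the tunnel, so the WAN-bound TRACERT USGLOBAL saw points at the tunnel not being up or at an access rule, not at the selectors themselves; the public-selector warning explains why the failure looked like ordinary internet routing rather than a dropped packet.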
USGLOBALAuthor Commented:
Should I change the current VPN from "Site to Site" to "VPN Tunnel" or create a new VPN interface?
0
Mandeep KhalsaCommented:
Try it with a new interface so you can see if this works or not.
0
USGLOBALAuthor Commented:
Created a new interface through the menu and it still did not work. I am also unable to find the interface that was created. Odd...
2-27-2014-3-03-58-PM.jpg
0
Mandeep KhalsaCommented:
Isn't the last item what you are looking for? drop_tunnellf?
0
USGLOBALAuthor Commented:
No. I named it specifically so I could identify it. I don't know where that one came from.
0
Mandeep KhalsaCommented:
Try this: go to VPN and create a new VPN connection and, instead of using the Site to Site option, use VPN Tunnel. Try it that way and see if that gets the communication going. If at all possible, start with a clean slate and reset the Sonicwall before you begin. You will have to create the route as well once you have the tunnel set up.
0
USGLOBALAuthor Commented:
Unfortunately I am unable to reset the Sonicwall. I have created the vpn tunnel and the route but still no joy. The company at the other end stated that the connection was down and could be "awakened" by a successful data connection or PING.

BTW we are connecting our Sonicwall NSA 3500 with a Cisco ASR 1002.
0
Mandeep KhalsaCommented:
Do you have any Sonicwalls on hand to test this out with? A TZ series will work as well.
0
USGLOBALAuthor Commented:
I do at my remote office at home. A TZ215W. It is not currently connected to our office here though.
0
Mandeep KhalsaCommented:
Is the vendor tying you down with access from your Office IP address only? If not then you can practically create a VPN tunnel from any IP address with the credentials and the destination IP you have to test the scenario.
0
USGLOBALAuthor Commented:
Yes they are tying us down to our internet facing IP addresses. I will have to bring the TZ215W from the house on Monday.
0
USGLOBALAuthor Commented:
Why would the Route Policy I have configured for this connection be greyed out? Is it due to the 0.0.0.0 Gateway reference? Because it is the only thing that is not editable when I try to edit the policy.
0
Mandeep KhalsaCommented:
I am not sure about the answer to your question. However, I do have another question for you. Assuming that the VPN was working fine, how would you access the vendor server? Through a webpage via an IP address or domain name? With your site-to-site VPN up and running, when you try to resolve the address you are going to, what do you get?
0
USGLOBALAuthor Commented:
It is a terminal application that connects to a mainframe. It makes that connection via an IP address.
The vendor tells me the VPN is down because there was no traffic. He stated that it would "Wake Up" once there was traffic addressed to this interface. I asked him if he could wake up the connection manually just to make sure I was dealing with a known good connection and he said he could not.

I have since changed the VPN connection from Site-to-Site to Tunnel since that was the only way I could route that IP address. Unless the VPN is a tunnel it will not show as an interface. After all that the IP still will not PING. I have had a steady PING on that IP while I've been changing the configuration. Still no joy.
0
USGLOBALAuthor Commented:
Is there a flow chart that visualizes for me how the Sonicwall handles IP traffic?
0
Mandeep KhalsaCommented:
If your VPN is up and running Sonicwall will show you a green dot next to the VPN configuration. Check to see if that green dot is appearing when you have a steady ping going. It should have one if everything is working well at that point.

On the Tunnel does it give you the option for "keep alive"?
0
USGLOBALAuthor Commented:
No green dot and the tunnel is set to keep alive. So with that said would it be safe to assume that the VPN tunnel is not working?
0
Mandeep KhalsaCommented:
Yes that would be a correct assumption. The IP of the server you are tunneling to is accessible via the WAN and therefore it is pingable even when it is not connected.

Double check the settings with the vendor to make sure that they are correct and no typos have been made.
0
USGLOBALAuthor Commented:
Ok, I worked with the vendor and I was attempting a "Tunnel" and not a "Site-to-Site". Once I corrected that, the VPN showed Green. Now, since the connection is Site-to-Site, how do I point the traffic for that specific IP down that VPN connection?
0
Mandeep KhalsaCommented:
With your site to site VPN running you are unable to access the application? Are you able to ping the server?

Capture some packets on the Sonicwall to see what is happening. Filter it by the IP address of the destination server and if need be you can always upload it here.
0
USGLOBALAuthor Commented:
All the packets are being dropped.

ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 52968
Value:[0]
DROPPED, Drop Code: 39(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _5358_uyHtJcpfngKrRmv) 1:2)
0
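The capture USGLOBAL pasted is the one hard piece of evidence in the thread: the echo request reached the SonicWall and was discarded with drop code 39 by module 25, not mis-routed. The parser below is an added example, not SonicWall tooling and not from this thread; it reads packet-monitor text of that shape, pairs each verdict line with the ICMP header that precedes it, counts drops per reason, and applies a small triage heuristic of my own (a "firewall rule" verdict means look at the access rule first, which is exactly what the next reply asks about). The three sample lines are constructed here from the posted output; the dataclass fields, the regexes and the triage labels are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the packet-monitor lines posted above:
# an ICMP header line, a value line, then the verdict line for the same packet.
SAMPLE_CAPTURE = """\
ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 52968
Value:[0]
DROPPED, Drop Code: 39(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _5358_uyHtJcpfngKrRmv) 1:2)
"""

ICMP_RE = re.compile(r"^ICMP Type = (?P<type>\d+)\((?P<name>[^)]*)\), ICMP Code = (?P<code>\d+)")
DROP_RE = re.compile(
    r"^DROPPED, Drop Code: (?P<drop>\d+)\((?P<reason>[^)]*)\), "
    r"Module Id: (?P<mod>\d+)\((?P<module>[^)]*)\)"
)


@dataclass
class DropEvent:
    drop_code: int
    reason: str
    module_id: int
    module: str
    icmp: Optional[str]  # e.g. "ECHO_REQUEST" when the preceding header line was ICMP


def parse_capture(text: str) -> List[DropEvent]:
    """Walk the capture line by line, remembering the most recent ICMP header so it
    can be attached to the verdict line that follows it. Lines that match neither
    pattern (such as 'Value:[0]') are ignored."""
    events: List[DropEvent] = []
    pending_icmp: Optional[str] = None
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            pending_icmp = m["name"]
            continue
        m = DROP_RE.match(line)
        if m:
            events.append(DropEvent(int(m["drop"]), m["reason"], int(m["mod"]),
                                    m["module"], pending_icmp))
            pending_icmp = None
    return events


def summarize(events: List[DropEvent]) -> Dict[str, int]:
    """Count drops per 'code reason' pair; the first thing to read in a long capture."""
    return dict(Counter(f"{e.drop_code} {e.reason}" for e in events))


def first_check(event: DropEvent) -> str:
    """Heuristic (mine, not SonicWall documentation): where to look first for a verdict.
    An 'Enforced firewall rule' drop is an access-rule decision, so the LAN -> VPN
    rule and the address objects it references are the place to start."""
    if "firewall rule" in event.reason.lower():
        return "access rule"
    return "unclassified"


if __name__ == "__main__":
    evs = parse_capture(SAMPLE_CAPTURE)
    print(summarize(evs))
    for e in evs:
        print(e, "->", first_check(e))
```

Filtering the capture by the destination IP before feeding it in, as Mandeep suggested, keeps the summary to the one flow under investigation; a capture where the same flow shows a mix of dropped and forwarded verdicts would point at rule ordering rather than a missing rule.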
Mandeep KhalsaCommented:
What are the source and destination IPs of these dropped packets? And do you have any firewall or routing rules in place for either of those two (source and destination) IPs?
0

SalientITCommented:
Hi, what was the solution to this problem? I have a similar situation where a customer requires connection to their app only from one IP (our HQ), but people at another site, B, now also want to use this app. So I set up a VPN Tunnel from B to HQ and added a static route on the Sonicwall at site B telling it to send traffic to the customer's IP down the tunnel interface, but nothing happens. I ran 'Find Network Path' on the Site B Sonicwall and the result is:
74.208.155.93 is located on the TI3
It is not behind a router
Its Ethernet address was not found

TI3 is the tunnel interface. LAN to LAN traffic over the tunnel between the two sites works fine. It's almost like the HQ Sonicwall doesn't know what to do with the packets.
0
USGLOBALAuthor Commented:
never got an answer...
0