Solved

Route access to single IP address through site-to-site VPN

Posted on 2014-02-27
1,992 Views
Last Modified: 2015-11-16
I have our SonicWall connected to a vendor via a VPN policy. There is a specific IP for an application on their end that we need to access from our network. How do I set it up so that when a user accesses that IP address the SonicWall routes it down the VPN to the remote vendor?
Question by:USGLOBAL
40 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39892665
Hi,

Site-to-site VPN should always be enabled; whenever you want, you can access the application. See the URL to configure site-to-site VPN:
http://help.mysonicwall.com/sw/eng/305/ui2/23200/VPN/VPN_Policy_Config_Site2Site.htm
0
 

Author Comment

by:USGLOBAL
ID: 39892678
The VPN is already configured but I cannot access the application IP address through the VPN. I need to force all traffic to that IP address through the VPN
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39892683
You cannot have the same IP scheme on both sides of the VPN connection. So the IP address you are trying to access on the vendor network cannot exist on your network. Therefore all communication will always route to the VPN when trying to access the particular IP address.
0
 

Author Comment

by:USGLOBAL
ID: 39892705
Understood, but we are not able to access the application. Our networks are on 2 separate IP schemes. I am unable to PING the IP of the application from the Sonicwall as well. When a TRACERT is run from the SonicWall it attempts to route the traffic out one of the WAN interfaces not down the VPN.
0
 
LVL 13

Assisted Solution

by:Santosh Gupta
Santosh Gupta earned 50 total points
ID: 39892734
Try on a Windows machine and see if it works.


    route ADD xxx.xxx.xxx.xxx MASK xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx

    Means:

    route ADD "network" MASK "subnet mask"  "gateway ip"

Example: route ADD 10.10.10.0 MASK 255.255.255.0 192.168.1.12
0
 
LVL 8

Assisted Solution

by:Mandeep Khalsa
Mandeep Khalsa earned 450 total points
ID: 39892737
In that case your Sonicwall settings are not correct. Do you have any firewall rules listed for LAN -> VPN?
0
 

Author Comment

by:USGLOBAL
ID: 39892757
Yes there is one FW Rule that was auto added for the IP address we need to access on the remote host.
0
 

Author Comment

by:USGLOBAL
ID: 39892764
The rule is set to "ALLOW".
0
 
LVL 8

Assisted Solution

by:Mandeep Khalsa
Mandeep Khalsa earned 450 total points
ID: 39892797
Make sure that on your VPN settings advanced tab you have the following items checked.

[image: Sonicwall Settings]
0
 

Author Comment

by:USGLOBAL
ID: 39892851
"Enable Windows Networking" does not apply since this is a single host. The SonicWall threw an error to that effect.

Attempted to PING and TRACERT; both failed. TRACERT still looks as if it is not directing it down the VPN.
0
 

Author Comment

by:USGLOBAL
ID: 39892857
Here is the error
[attachment: 2-27-2014-1-57-29-PM.jpg]
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39892868
Under VPN settings - Network what do you have listed for Local and Remote Networks? IP schemes please.
0
 

Author Comment

by:USGLOBAL
ID: 39892908
Local networks references a group which contains our local LAN (LAN Subnets)
192.168.55.0 255.255.255.0

Remote Networks references an address object HOST
170.119.190.254 255.255.255.255
0
 
LVL 8

Assisted Solution

by:Mandeep Khalsa
Mandeep Khalsa earned 450 total points
ID: 39892919
That remote host IP is a WAN IP address not a LAN IP and that is why your network is trying to go over the WAN. That IP address should be changed to the internal IP address of the server you are trying to reach. It will be in the range of 10.x.x.x or 192.168.x.x or 172.16.x.x through 172.31.x.x ranges.
0
 

Author Comment

by:USGLOBAL
ID: 39892943
Unfortunately we cannot. It is a service that we are being given access to. This service requires that it be accessed only through a dedicated line that our vendor has. This VPN connection is so that we can access that application as if we were on the vendors network.
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39892984
A VPN connection has to be created with 2 static IP addresses that are accessible from the WAN. So in your case, let's say your address is A.B.C.D and theirs is E.F.G.H.

Both of those IP addresses will be pingable from anywhere in the world. These IP address will form the endpoints for your VPN connection. Once that connection is established, you can further block it down by saying that the VPN only has access to so much of the internal network which is what the network setting on your Sonicwall VPN setup is doing.

In your settings you are saying that your whole local network is able to access the remote host (a single IP address). Normally this IP address has to be internal for the traffic to route via VPN tunnel.

Since you can't do that, try this. Go under Network - Routing on your sonicwall and create a route where the source is LAN, and destination is the IP address in question, for any service, leave gateway as 0.0.0.0 and for interface select or create the VPN tunnel interface. That should force the traffic via the VPN connection.
0
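The two forwarding mechanisms discussed in this comment, modelled in code. This is an added example, not anything from the thread or from SonicWall: it treats a policy-based site-to-site VPN as a path that only exists while the policy is enabled and its SA is up (with the SA down the packet falls through to ordinary longest-prefix routing, which is what the WAN-bound TRACERT in the question looks like), and treats a route-based tunnel as a static route whose next-hop interface is the tunnel interface. The address values are the ones posted in the thread; the object names ("vendor", "X0", "X1", "tunnel-vendor") and the WAN gateway 203.0.113.1 (a documentation-range address) are assumptions.

```python
"""Added example: how a SonicWall-style firewall chooses an egress path.

Two mechanisms are modelled (both simplified; this is not SonicWall code):
 * policy-based site-to-site VPN: the policy's Local/Remote networks act as
   a route into the tunnel, but only while the policy is enabled and the
   phase-2 SA is up (the "green dot");
 * route-based VPN: a static route whose interface is a numbered tunnel
   interface forwards into the tunnel like any other interface route.
Everything else is longest-prefix match over the routing table.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnPolicy:
    name: str
    local: list          # networks behind this firewall allowed into the tunnel
    remote: list         # networks on the far side (the policy's Remote Networks)
    enabled: bool = True
    sa_up: bool = False  # has phase 2 negotiated?  False until the peer answers.


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    interface: str
    gateway: str = "0.0.0.0"
    metric: int = 1


def longest_prefix_match(dst, routes):
    """Most specific route covering dst; ties broken by lower metric."""
    candidates = [r for r in routes if dst in r.dest]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))


def select_path(src, dst, policies, routes):
    """Return "vpn:<policy>" or "route:<interface>" for a packet src -> dst.

    Policy-based VPN is consulted first: if src falls in a policy's local
    networks and dst in its remote networks, and the tunnel is actually up,
    the packet is encrypted into that tunnel.  A matching policy whose SA is
    down gives no path, so the packet drops through to normal routing, which
    may be the WAN default route or a route-based tunnel interface.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for p in policies:
        if not p.enabled:
            continue
        if any(src in n for n in p.local) and any(dst in n for n in p.remote):
            if p.sa_up:
                return f"vpn:{p.name}"
            break  # matched, but no usable tunnel: fall through to routing
    r = longest_prefix_match(dst, routes)
    return "no-route" if r is None else f"route:{r.interface}"


def thread_scenario(sa_up, src="192.168.55.10"):
    """The posted setup: LAN 192.168.55.0/24 -> remote host 170.119.190.254/32."""
    net = ipaddress.ip_network
    policies = [VpnPolicy("vendor",
                          local=[net("192.168.55.0/24")],
                          remote=[net("170.119.190.254/32")],
                          sa_up=sa_up)]
    routes = [Route(net("192.168.55.0/24"), "X0"),                     # LAN
              Route(net("0.0.0.0/0"), "X1", gateway="203.0.113.1")]     # WAN default (assumed)
    return select_path(src, "170.119.190.254", policies, routes)


def route_based_scenario():
    """The alternative suggested above: tunnel interface plus a static /32 route."""
    net = ipaddress.ip_network
    routes = [Route(net("192.168.55.0/24"), "X0"),
              Route(net("170.119.190.254/32"), "tunnel-vendor"),        # route to the tunnel interface
              Route(net("0.0.0.0/0"), "X1", gateway="203.0.113.1")]
    return select_path("192.168.55.10", "170.119.190.254", [], routes)


if __name__ == "__main__":
    print("policy-based, SA up:  ", thread_scenario(True))
    print("policy-based, SA down:", thread_scenario(False))
    print("route-based:          ", route_based_scenario())
```

The point of the model is the difference between "a route exists" and "a tunnel is negotiated": with the policy-based setup the /32 in Remote Networks is all the routing needed, so a TRACERT that leaves via the WAN interface is a symptom of the tunnel not being up rather than of a missing route, which is what the later capture and the "no green dot" observation confirm.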
 

Author Comment

by:USGLOBAL
ID: 39893011
Should I change the current VPN from "Site to Site" to "VPN Tunnel" or create a new VPN interface?
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39893024
Try it with a new interface so you can see if this works or not.
0
 

Author Comment

by:USGLOBAL
ID: 39893295
Created a new interface through the menu and it still did not work. I am also unable to find the interface that was created? Odd...
[attachment: 2-27-2014-3-03-58-PM.jpg]
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39893378
Isn't the last item what you are looking for? drop_tunnellf?
0
 

Author Comment

by:USGLOBAL
ID: 39893662
No. I named it specifically so I could identify it. I don't know where that one came from.
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39895166
Try this, Go to VPN and create a new VPN connection and instead of using the Site to Site option, use VPN Tunnel. Try it that way and see if that gets the communication going. If at all possible, start with a clean slate and reset the Sonicwall before you begin. You will have to create the route as well once you have the tunnel setup.
0
 

Author Comment

by:USGLOBAL
ID: 39895255
Unfortunately I am unable to reset the Sonicwall. I have created the vpn tunnel and the route but still no joy. The company at the other end stated that the connection was down and could be "awakened" by a successful data connection or PING.

BTW we are connecting our Sonicwall NSA 3500 with a Cisco ASR 1002.
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39895341
Do you have any SonicWalls on hand to test this out with? A TZ series will work as well.
0
 

Author Comment

by:USGLOBAL
ID: 39895383
I do at my remote office at home. A TZ215W. It is not currently connected to our office here though.
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39895508
Is the vendor tying you down with access from your Office IP address only? If not then you can practically create a VPN tunnel from any IP address with the credentials and the destination IP you have to test the scenario.
0
 

Author Comment

by:USGLOBAL
ID: 39895533
Yes they are tying us down to our internet facing IP addresses. I will have to bring the TZ215W from the house on Monday.
0
 

Author Comment

by:USGLOBAL
ID: 39895624
Why would the Route Policy I have configured for this connection be greyed out? Is it due to the 0.0.0.0 Gateway reference? Because it is the only thing that is not editable when I try to edit the policy.
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39895734
I am not sure about the answer to your question. However, I do have another question for you. Assuming that the VPN was working fine, how would you access the vendor server? Through a webpage via an IP address or domain name? With your site-to-site VPN up and running, when you try to resolve the address you are going to, what do you get?
0
 

Author Comment

by:USGLOBAL
ID: 39895782
It is a terminal application that connects to a mainframe. It makes that connection via an IP address.
The vendor tells me the VPN is down because there was no traffic. He stated that it would "Wake Up" once there was traffic addressed to this interface. I asked him if he could wake up the connection manually just to make sure I was dealing with a known good connection and he said he could not.

I have since changed the VPN connection from Site-to-Site to Tunnel since that was the only way I could route that IP address. Unless the VPN is a tunnel it will not show as an interface. After all that the IP still will not PING. I have had a steady PING on that IP while I've been changing the configuration. Still no joy.
0
 

Author Comment

by:USGLOBAL
ID: 39896077
Is there a flow chart that visualizes for me how the Sonicwall handles IP traffic?
0
 
LVL 8

Assisted Solution

by:Mandeep Khalsa
Mandeep Khalsa earned 450 total points
ID: 39896249
If your VPN is up and running Sonicwall will show you a green dot next to the VPN configuration. Check to see if that green dot is appearing when you have a steady ping going. It should have one if everything is working well at that point.

On the Tunnel does it give you the option for "keep alive"?
0
 

Author Comment

by:USGLOBAL
ID: 39896253
No green dot and the tunnel is set to keep alive. So with that said would it be safe to assume that the VPN tunnel is not working?
0
 
LVL 8

Assisted Solution

by:Mandeep Khalsa
Mandeep Khalsa earned 450 total points
ID: 39897210
Yes that would be a correct assumption. The IP of the server you are tunneling to is accessible via the WAN and therefore it is pingable even when it is not connected.

Double check the settings with the vendor to make sure that they are correct and no typos have been made.
0
 

Author Comment

by:USGLOBAL
ID: 39901078
Ok, I worked with the vendor and I was attempting a "Tunnel" and not a "Site-to-Site". Once I corrected that the VPN showed Green. Now since the connection is Site-to-Site how do I point the traffic for that specific IP down that VPN connection.
0
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39901100
With your site to site VPN running you are unable to access the application? Are you able to ping the server?

Capture some packets on the Sonicwall to see what is happening. Filter it by the IP address of the destination server and if need be you can always upload it here.
0
 

Author Comment

by:USGLOBAL
ID: 39901129
All the packets are being dropped.

ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 52968
Value:[0]
DROPPED, Drop Code: 39(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _5358_uyHtJcpfngKrRmv) 1:2)
0
 
LVL 8

Accepted Solution

by:Mandeep Khalsa
Mandeep Khalsa earned 450 total points
ID: 39901255
What are the source and destination IP's from these dropped packets? And do you have any firewall or routing rules in place for either of those two (source and destination) IP's in place?
0
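The capture lines quoted two comments up are the kind of output a practitioner wants to reduce to "how many packets, dropped why, by which module" before chasing rules. The following parser is an added example, not part of the thread and not a SonicWall tool: it handles records in the shape of the lines quoted above (an "ICMP Type = ..." header line followed, for dropped packets, by a "DROPPED, Drop Code: NN(reason), Module Id: NN(name)" line), so it covers ICMP records only. The sample export embedded below is constructed to match that shape; its checksums and the _REDACTED_ reference IDs are placeholders, not captured values.

```python
"""Added example: summarise drop reasons in a SonicWall-style packet-monitor
export.  Only ICMP records in the format quoted in the thread are recognised;
real exports carry further header lines that this parser ignores."""
import re
from collections import Counter

# Header line of a record, e.g. "ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ..."
ICMP_RE = re.compile(r"^ICMP Type = (\d+)\((\w+)\), ICMP Code = (\d+)")
# Verdict line, e.g. "DROPPED, Drop Code: 39(Enforced firewall rule), Module Id: 25(network), ..."
DROP_RE = re.compile(r"^DROPPED, Drop Code: (\d+)\((.*?)\), Module Id: (\d+)\((.*?)\)")

# Constructed sample: two echo requests dropped by an access rule, one echo reply
# with no verdict line (treated as not dropped).  Not a real capture.
SAMPLE_EXPORT = """\
ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 52968
Value:[0]
DROPPED, Drop Code: 39(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _REDACTED_) 1:2)
ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 52969
Value:[0]
DROPPED, Drop Code: 39(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _REDACTED_) 1:2)
ICMP Type = 0(ECHO_REPLY), ICMP Code = 0, ICMP Checksum = 12345
Value:[0]
"""


def parse_records(text):
    """Split an export into one dict per ICMP record, marking dropped ones."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ICMP_RE.match(line)
        if m:
            current = {"icmp_type": int(m.group(1)), "icmp_name": m.group(2),
                       "icmp_code": int(m.group(3)), "dropped": False}
            records.append(current)
            continue
        m = DROP_RE.match(line)
        if m and current is not None:
            current.update(dropped=True,
                           drop_code=int(m.group(1)), drop_reason=m.group(2),
                           module_id=int(m.group(3)), module=m.group(4))
    return records


def drop_summary(records):
    """Count dropped packets by (drop code, reason, module)."""
    return Counter((r["drop_code"], r["drop_reason"], r["module"])
                   for r in records if r["dropped"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    print(f"{len(recs)} ICMP records, {sum(r['dropped'] for r in recs)} dropped")
    for key, n in drop_summary(recs).most_common():
        code, reason, module = key
        print(f"  {n:4d}  code {code} ({reason}) from module {module}")
```

A summary dominated by "Enforced firewall rule" from the network module, as in the thread, says the packets reached the firewall's rule engine and were denied there, which is why the follow-up question asks for the source and destination of the dropped packets and for the access rules covering them.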
 

Expert Comment

by:SalientIT
ID: 41233406
Hi, what was the solution to this problem? I have a similar situation where a customer requires connection to their app only from one IP (our HQ), but people at another site B now also want to use this app. So I set up a VPN Tunnel from B to HQ and added a static route on the SonicWall at site B telling it to send traffic to the customer's IP down the tunnel interface, but nothing happens. I ran 'Find Network Path' on the Site B SonicWall and the result is:
74.208.155.93 is located on the TI3
It is not behind a router
Its Ethernet address was not found

TI3 is the tunnel interface. LAN to LAN traffic over the tunnel between the two sites works fine. It's almost like the HQ Sonicwall doesn't know what to do with the packets.
0
 

Author Comment

by:USGLOBAL
ID: 41259206
never got an answer...
0
