If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.
Course Of The Month
4 days, 14 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Route IP address through Sonicwall VPN
Posted on 2014-04-11
I have two offices with Sonicwall TZ205s and a VPN tunnel between them. At one office, the ISP is blocking us from authenticating to a specific IP address. The other office can get to it fine. Is there a way to route all calls to a specific WAN address through the VPN and use the internet connection on the other side?
Thank in advance.
Thank in advance.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5-
5
11 Comments
Active 2 days ago
yes : use policy based routing.
condition is the destination address you cannot reach
target is the lan address of the firewall on the other side of the tunnel
i don't remember if you need to specify the interface as well but it should be clear once you are creating the rule
condition is the destination address you cannot reach
target is the lan address of the firewall on the other side of the tunnel
i don't remember if you need to specify the interface as well but it should be clear once you are creating the rule
Active today
You can within the SITE TO SITE VPN TUNNEL specification include the IP in question
i.e.
SITE1 allowed access LAN1
SITE2 DENIED ACCESS LAN2
your VPN policy will be to include the IP_inquestion in the SITE2 VPN setting
site2
remote LAN: LAN1 and IP_inquestion
If your VPN setup includes dynamic routing protocol updates, all you would need to do in this case, is advertise the IP/32 to the SITE2 VPN.
The remaining question is whether your Sonicwall VPN will allow the request that came in via the VPN to leave the outside interface.
i.e.
SITE1 allowed access LAN1
SITE2 DENIED ACCESS LAN2
your VPN policy will be to include the IP_inquestion in the SITE2 VPN setting
site2
remote LAN: LAN1 and IP_inquestion
If your VPN setup includes dynamic routing protocol updates, all you would need to do in this case, is advertise the IP/32 to the SITE2 VPN.
The remaining question is whether your Sonicwall VPN will allow the request that came in via the VPN to leave the outside interface.
skullnobrains, I tried the routing method, but it doesn't give me access. I've setup the route from the Site 2(cannot authenticate) LAN to the IP with the gateway as the router on the other side (Site 1). Do i need to add anything to the router on Site 1?
Thanks.
arnold, I tried to setup the VPN as suggested, but I'm not sure I've got the parameters correct on both sides. Site 1 can access the IP address, Site 2 cannot. Since Site 2 can see the IP, but not authenticate to it, I assume I have to add a firewall rule denying access from Site 2 LAN to WAN for the IP. I also added a rule allowing Site 2 LAN to VPN for the IP. I added the IP to the remote network on the Site 2 side of the VPN. I also added a firewall rule allowing VPN to WAN for the IP on the Site 1 side. With these settings, I can't ping the IP from Site 2. Am I missing something?
Thanks.
Thanks.
arnold, I tried to setup the VPN as suggested, but I'm not sure I've got the parameters correct on both sides. Site 1 can access the IP address, Site 2 cannot. Since Site 2 can see the IP, but not authenticate to it, I assume I have to add a firewall rule denying access from Site 2 LAN to WAN for the IP. I also added a rule allowing Site 2 LAN to VPN for the IP. I added the IP to the remote network on the Site 2 side of the VPN. I also added a firewall rule allowing VPN to WAN for the IP on the Site 1 side. With these settings, I can't ping the IP from Site 2. Am I missing something?
Thanks.
Active 2 days ago
what you setup is a little unclear to me.
you need the gateway to be the lan address of the other side of the vpn
you can list existing routes on your firewall. the existing routes that are used to reach the network at site1 should serve as a model if your VPN works
assuming that you can normally ping machines from one side of the vpn to the other, nothing should be needed to be set on site 1 in terms of routes. but you may need a firewall rule allowing the corresponding traffic, and you need to apply nat if the site is external to your LAN. it is likely that your firewall is setup to only allow internet access to hosts on site1
for debugging routes, ping is pretty useful : ping the router from a regular host to start with and move on
you need the gateway to be the lan address of the other side of the vpn
you can list existing routes on your firewall. the existing routes that are used to reach the network at site1 should serve as a model if your VPN works
assuming that you can normally ping machines from one side of the vpn to the other, nothing should be needed to be set on site 1 in terms of routes. but you may need a firewall rule allowing the corresponding traffic, and you need to apply nat if the site is external to your LAN. it is likely that your firewall is setup to only allow internet access to hosts on site1
for debugging routes, ping is pretty useful : ping the router from a regular host to start with and move on
Actual numbers:
Side that can't authenticate: 10.1.1.xxx with router at 10.1.1.250.
VPN established to site that can authenticate 10.1.2.xxx through 10.1.2.250
IP address with the issue is 216.194.164.150
On 10.1.1 side, route added:
Source: LAN Primary Subnet (10.1.1.0)
Destination: 216.194.164.150
Gateway: 10.1.2.250
Interface: WAN
On the 10.1.2 side Access rule added:
Action: Allow
From Zone: VPN
To Zone: WAN
Service: Any
Source: 10.1.1.XXX
Destination: 216.194.164.150
Still can't ping from 10.1.1 side.
Side that can't authenticate: 10.1.1.xxx with router at 10.1.1.250.
VPN established to site that can authenticate 10.1.2.xxx through 10.1.2.250
IP address with the issue is 216.194.164.150
On 10.1.1 side, route added:
Source: LAN Primary Subnet (10.1.1.0)
Destination: 216.194.164.150
Gateway: 10.1.2.250
Interface: WAN
On the 10.1.2 side Access rule added:
Action: Allow
From Zone: VPN
To Zone: WAN
Service: Any
Source: 10.1.1.XXX
Destination: 216.194.164.150
Still can't ping from 10.1.1 side.
Active 2 days ago
the server at 216.194.164.150 does respond to pings, but i was not really expecting end-to-end pinging to work straightaway
the route looks good, and unless you forgot nat, the rule as well.
can you confirm that you can ping 10.1.2.250 from your source machine ? (this should be the case if the VPN works properly)
can you confirm that on your side, you have a rule that allows that traffic. it seems possible that you only allow traffic through the VPN when it is targeted to the 10.1.2.x network
if yes to both of the above, can you run a packet sniffer on 10.1.2.250 ? do you see packets reaching through the VPN when you try to connect to the web site ? do you see those same packets leaving through the wan interface ? what about return packets ?
the route looks good, and unless you forgot nat, the rule as well.
can you confirm that you can ping 10.1.2.250 from your source machine ? (this should be the case if the VPN works properly)
can you confirm that on your side, you have a rule that allows that traffic. it seems possible that you only allow traffic through the VPN when it is targeted to the 10.1.2.x network
if yes to both of the above, can you run a packet sniffer on 10.1.2.250 ? do you see packets reaching through the VPN when you try to connect to the web site ? do you see those same packets leaving through the wan interface ? what about return packets ?
I have only default/automatically generated NAT entries. Sould there be something else?
I can ping 10.1.2.250 from the source.
i have a Side2Subnet-VPN to Any-WAN rule on the destination side so it should allow traffic coming through the VPN to access outside IPs.
I'm getting no packets on the 10.1.2.250 side. I think they are being stopped before they even get to the VPN.
I can ping 10.1.2.250 from the source.
i have a Side2Subnet-VPN to Any-WAN rule on the destination side so it should allow traffic coming through the VPN to access outside IPs.
I'm getting no packets on the 10.1.2.250 side. I think they are being stopped before they even get to the VPN.
Active 2 days ago
if you can ping but http packets don't reach, you probably don't have a rule that allows routing http traffic over the VPN on side1. you can confirm this by sniffing inbound and vpn interface on side1.
Well after all of that, i finally did some testing onsite at the location with the problem. Turns out the sonicwall itself was blocking the IP address. No idea how or why. No changes were made when it went down and we're not subscribed to any blacklisting service. I'm now using an older sonicwall on an extra WAN IP address and sending internet traffic there. I'm thinking that the sonicwall is not allowing that IP address though its own VPN as well as through the WAN.
Any way, thanks for all of your help.
Any way, thanks for all of your help.
Featured Post
Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| Trying to set up a VLAN with port range. When I connect laptop outside of that port range, can still ping that network I set up?! | 9 | 88 | |
| Linksys e2500 wireless router - should I upgrade | 6 | 88 | |
| Router Question | 12 | 88 | |
| Failover for DMVPN | 3 | 59 |
In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Hello ,
This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router .
The following demonstr…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month4 days, 14 hours left to enroll
739 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.