Sonicwall SRA/NSA3500 routing.

Hello,

I currently have an SRA 4600 configured in tandem in one-armed mode on an interface of an NSA-3500. The purpose is for remote users to connect to a single internal IP address. Everything has been working so far, where I create a user on the SRA, download Mobile Connect on a client, put in the IP address, uname and password, and everything works fine. The client connects to my internal network (configured on the SRA for access to a single IP and port - for my specific purpose).

Now, I need to be able to connect from a machine on my internal network to one of the remote machines through the SSL-VPN tunnel that is already established.

From the SRA, I’m able to ping the remote machine’s IP (that makes total sense since it’s connected), and also the IP address of the machine on the LAN (on a different subnet - through the NSA 3500) from where I want to initiate the traffic.

I’ve tried numerous configurations and have had no success thus far pinging the remote machine from the LAN. I thought for sure that I needed a new route added to the NSA 3500… but what I added didn’t work.

I’m not sure if it is a zone issue, firewall issue, interface issue etc. What I currently have is:

NSA3500 -
Interfaces
X0 - LAN 192.168.179.1/255.255.252.0
X5 - SRA 192.168.200.2/255.255.255.0

Zones
LAN Trusted X0,X2    (X2 is a different interface for a MAN connection)
SRA Public X5

Routing
[Source] Any [Destination] X5 Subnet (192.168.200.0) [Service] Any [Gateway] 0.0.0.0 [Interface] X5


SRA 4600
Interface
X0 192.168.200.1/255.255.255.0

Default Route
192.168.200.2 X0

Thanks in advance for any suggestions….
hypervisor Asked:

Blue Street Tech (Last Knight) Commented:
Hi hypervisor (nice handle!),

So to clarify your deployment, you want to set up an SSL-VPN on the LAN, not the DMZ, correct?

If so, you should have an SSLVPN zone setup. Keep in mind that your subnet should be able to accommodate for both DHCP pools (SSLVPN and LAN nodes). You also should have created Access Rules, and Objects for the SSLVPN via the Public Server Wizard for port 80 and 443.

You should be testing this on the WAN connection outside of your corporate network.

When you say you can't ping from the LAN I assume you are pinging from another device aside from the SonicWALL in the LAN, correct?

Obviously make sure that remote computer can accept ping and responses in its OS firewall.

What happens if you ping from the SonicWALL?

For the Zones to communicate with each other you have to create Access Rules as such SSLVPN > LAN, LAN >SSLVPN that both allow traffic on any service.

You also may need to enable Ping on each Interface in the Interfaces section.

Let me know how it goes!
hypervisor (Author) Commented:
Hi diverseit (nice handle as well),

The clarification is not correct. I'll do my best to "re-clarify."

The Sonicwall SRA 4600 already provisions SSL-VPNs for us, and is connected directly to the Sonicwall NSA3500. The SRA is not on the DMZ, the NSA 3500 is. When a remote user tries to connect, the SRA authenticates the account, and restricts access to the LAN using whatever rules I've created in the SRA. The user access works fine. The issue is trying to go the other way, meaning, initiating traffic, or some type of command, from the LAN side back to the user client at the remote location.

I do have a LAN > SRA access rule (any, any, all) in place.
Blue Street Tech (Last Knight) Commented:
OK, I was trying to better understand your topology and was alluding to the three SonicWALL recommended SRA deployment scenarios: a) SSL-VPN on a new DMZ, b) SSL-VPN on an existing DMZ, or c) SSL-VPN on the LAN (which is what sounds like your scenario).

Is Ping enabled on each Interface in the Interfaces section?

What happens if you ping from the SonicWALL (Diagnostics > Ping) to a selected device that is connected to the SRA?
hypervisor (Author) Commented:
The SRA is deployed: "in tandem in one-armed mode over the DMZ or Opt interface on an accompanying gateway appliance, for example, a Dell SonicWALL network security appliance, such as a NSA 4500."

"This method of deployment offers additional layers of security control plus the ability to use Dell SonicWALL’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti- Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic. Dell SonicWALL recommends one-armed mode deployments over two- armed for the ease-of-deployment and for use in conjunction with UTM GAV/IPS for clean VPN."

More simply - its only physical connection is to a port on an NSA 3500, and it has its own interface and Zone.

I have a remote machine currently logged into the SRA. The address given for the connection (not its local address - the address is given by the SRA) is 192.168.200.101. I can ping that address from System > Diagnostics on BOTH the NSA 3500 and the SRA.

I cannot successfully ping 192.168.200.101 from a device on the LAN (X0 interface on the NSA 3500).
Benjamin Van Ditmars (Sr Network Engineer) Commented:
Did you add a client route in your SRA? You need to add a route to your LAN network.
Then add ACLs from LAN to SRA and SRA to LAN.

But I think the missing route is the problem. I was there before.

Log in to the SRA,
go to NetExtender -> Client Routes and add 192.168.179.0 255.255.252.0,
and your connected client will know that it has to tunnel that network.
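The answer above comes down to asymmetric routing: the NSA can forward a LAN packet out X5 to 192.168.200.101, but the remote PC only knows routes NetExtender pushed to it, so its reply to an arbitrary LAN host leaves through its own ISP default route and never comes back through the tunnel. The following model, added here as an illustration and not code from the thread or from SonicWALL, walks a session through the NSA routing table, the NSA access rules and the client's pushed routes, and reports which leg fails. The one host route the client already has (192.168.179.10/32) is an assumption standing in for the "single IP and port" the poster configured; the access-rule set and the mask 255.255.252.0 (which normalises 192.168.179.0 to 192.168.176.0/22, hence strict=False) come from the question as posted.

```python
import ipaddress

# Constructed model of the thread's topology.  192.168.179.10/32 is an
# assumed host route representing the single LAN IP the SRA already
# publishes; the thread does not give the real address.
NSA_ROUTES = [
    ("0.0.0.0/0", "WAN"),
    ("192.168.179.0/22", "X0"),   # LAN, connected (normalises to 192.168.176.0/22)
    ("192.168.200.0/24", "X5"),   # SRA one-armed interface, connected
]
ZONE_OF = {"X0": "LAN", "X5": "SRA", "WAN": "WAN"}
CLIENT_POOL = ipaddress.ip_network("192.168.200.0/24")


def longest_prefix_match(table, ip):
    """Plain longest-prefix match over (prefix, next_hop) pairs."""
    ip = ipaddress.ip_address(ip)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def client_routes(lan_client_route):
    """Routes present on the remote PC: its ISP default route plus whatever
    the SRA pushes under NetExtender > Client Routes."""
    routes = [
        ("0.0.0.0/0", "local ISP"),
        ("192.168.200.0/24", "tunnel"),
        ("192.168.179.10/32", "tunnel"),   # assumed existing host route
    ]
    if lan_client_route:
        routes.append(("192.168.179.0/22", "tunnel"))   # the fix from the answer
    return routes


def nsa_egress(ip):
    return longest_prefix_match(NSA_ROUTES, ip)


def trace(src, dst, access_rules, lan_client_route):
    """Return (reachable, reason) for a session initiated by src towards dst.
    access_rules is a set of (from_zone, to_zone) pairs allowed on the NSA."""
    routes = client_routes(lan_client_route)
    src_is_client = ipaddress.ip_address(src) in CLIENT_POOL
    dst_is_client = ipaddress.ip_address(dst) in CLIENT_POOL

    # 1. A client-initiated packet only enters the tunnel if a pushed route covers dst.
    if src_is_client and longest_prefix_match(routes, dst) != "tunnel":
        return False, f"client has no tunnel route for {dst}"

    # 2. The NSA forwards between zones only where an access rule allows it.
    in_zone, out_zone = ZONE_OF[nsa_egress(src)], ZONE_OF[nsa_egress(dst)]
    if (in_zone, out_zone) not in access_rules:
        return False, f"NSA drops: no {in_zone} > {out_zone} access rule"

    # 3. The responder's reply must come back the same way.  For the remote PC
    #    that means a pushed route covering src, not its ISP default route.
    if dst_is_client:
        reply_via = longest_prefix_match(routes, src)
        if reply_via != "tunnel":
            return False, (f"client replies via {reply_via}; "
                           "add the LAN subnet under NetExtender > Client Routes")
    return True, "ok"


if __name__ == "__main__":
    rules = {("LAN", "SRA"), ("SRA", "LAN")}
    for lan_route in (False, True):
        print(lan_route, trace("192.168.179.50", "192.168.200.101", rules, lan_route))
```

Running it shows why the poster's existing setup is consistent: the client reaches 192.168.179.10 (step 1 passes via the host route), a LAN host's ping reaches the client (steps 1 and 2 pass), and only the reply fails until the LAN subnet is pushed as a client route. A second LAN host on the same /22 gets the same answer, which is the point of pushing the whole subnet rather than one more host route.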
