April33 asked:
SSL-VPN to IPSEC VPN Tunnel End Point
I currently have an IPSEC Site to Site VPN tunnel built between a Sonicwall and a Cisco ASA Appliance. This is working perfectly.
Now, I need a remote User to connect to the Sonicwall via SSL-VPN and then access a server on the other end of the IPSEC Site to Site VPN connection.
I created the SSL VPN User and built the SSL-VPN access on the Sonicwall. The User can connect to the Sonicwall over SSL-VPN and access resources at that site only.... and not the remote site. It is not passing through the IPSEC VPN Tunnel.
How do I get the SSL VPN User to access the server at the remote site over the IPSEC VPN Tunnel?
Thanks.
ASKER
Hi diverseit. thx for the quick response!
We have a Sonicwall TZ 205W - firmware version 5.9.1.1-39o
The Cisco is in another country and managed by a provider that is difficult to communicate with.... But I like the idea of cutting out the middle man (Sonicwall) and going straight to the Cisco. Simplicity is usually the best way!
If I can not get this working using the Sonicwall I will try to contact the Cisco keepers.
ASKER
The Client Routes menu does not show a Create New. I only have the typical List. I selected "LAN Subnets" and a NAT rule used to reach the remote server called "SaaS" (172.29.5.x (SaaS) - 10.3.168.0/24 (Trans-SaaS) - 10.10.10.0/24 (LAN Primary Subnet)).
I did this: Go to Firewall> Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN.
Still did not work?
Any other suggestions?
By selecting LAN Subnets you only granted access for that user to the SonicWALL LANs. These are Address Objects not NAT Policies that I am referring to. You should just select whatever the Object is called in the S2S VPN policy for the remote network (Cisco side).
If for some reason you need to create another Object and it will not allow you, just go to Network > Address Objects and create it there; then it will populate in the list.
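The advice in this thread boils down to two checks the SonicWALL makes before an SSL-VPN client packet can enter the site-to-site tunnel: the destination must be covered by one of the user's SSL VPN Client Routes (an Address Object or Group, not a NAT policy), and an Access Rule must allow the flow from the SSLVPN zone to the zone the destination object lives in (VPN for the remote Cisco networks). The following is an added example, not SonicWALL code or anything posted in the thread: a small Python model of that decision that explains why selecting only "LAN Subnets" reaches the local LAN but not the remote SaaS server. The client pool 192.168.200.0/24, the zone bindings and the rule set are assumptions constructed for the example; the object names and the 172.29.5.0/24, 10.3.168.0/24 and 10.10.10.0/24 networks are the ones named in the thread.

```python
import ipaddress

# Constructed sample configuration modelled on the objects named in the thread.
# The SSLVPN pool address and the zone bindings are assumptions, not the poster's config.
ADDRESS_OBJECTS = {
    "LAN Primary Subnet": "10.10.10.0/24",
    "SaaS": "172.29.5.0/24",
    "Trans-SaaS": "10.3.168.0/24",
    "SSLVPN Pool": "192.168.200.0/24",  # assumed NetExtender client address pool
}
ADDRESS_GROUPS = {"LAN Subnets": ["LAN Primary Subnet"]}

# Zone each object belongs to; networks reached through the S2S policy sit in VPN.
OBJECT_ZONE = {
    "LAN Primary Subnet": "LAN",
    "SaaS": "VPN",
    "Trans-SaaS": "VPN",
    "SSLVPN Pool": "SSLVPN",
}

# Access rules as (from_zone, to_zone, source, destination, action); "Any" matches all.
DEFAULT_RULES = [
    ("SSLVPN", "LAN", "Any", "Any", "Allow"),
    ("SSLVPN", "VPN", "Any", "Any", "Allow"),
    ("VPN", "SSLVPN", "Any", "Any", "Allow"),
]


def expand(name):
    """Resolve an object or group name to the list of networks behind it."""
    if name == "Any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in ADDRESS_GROUPS:
        nets = []
        for member in ADDRESS_GROUPS[name]:
            nets.extend(expand(member))
        return nets
    return [ipaddress.ip_network(ADDRESS_OBJECTS[name])]


def contains(name, ip):
    """True if the address object/group `name` covers the IP address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand(name))


def zone_of(ip):
    """Zone of the first address object that covers the IP, or None."""
    for obj, zone in OBJECT_ZONE.items():
        if contains(obj, ip):
            return zone
    return None


def client_has_route(client_routes, dst_ip):
    """Does any SSL VPN Client Route pushed to the user cover the destination?"""
    return any(contains(route, dst_ip) for route in client_routes)


def rule_allows(rules, src_ip, dst_ip):
    """First-match evaluation of zone-to-zone access rules."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for from_zone, to_zone, src, dst, action in rules:
        if (from_zone, to_zone) == (src_zone, dst_zone) and contains(src, src_ip) and contains(dst, dst_ip):
            return action == "Allow"
    return False  # no explicit rule: denied


def can_reach(client_routes, client_ip, server_ip, rules=DEFAULT_RULES):
    """Return (reachable, reason) for an SSL-VPN client talking to a server."""
    if not client_has_route(client_routes, server_ip):
        return False, f"no SSL VPN client route covers {server_ip}; add the remote network's address object"
    if zone_of(server_ip) is None:
        return False, f"{server_ip} is in no address object, so it cannot be placed in a zone"
    if not rule_allows(rules, client_ip, server_ip):
        return False, f"no access rule {zone_of(client_ip)} > {zone_of(server_ip)} allows this flow"
    return True, "client route and access rule both present"


if __name__ == "__main__":
    client = "192.168.200.10"
    for routes in (["LAN Subnets"], ["LAN Subnets", "SaaS"]):
        print(routes, "->", can_reach(routes, client, "172.29.5.20"))
```

The model deliberately leaves out the NAT policy the poster says the Cisco side requires; if that policy translates only the LAN Primary Subnet source, SSL-VPN pool addresses would still need to be included in it, which is a separate check from the two shown here.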
ASKER
OK, thanks!
Can you send some pics of your s2s VPN policy?
Are 172.29.5.0/24 and 10.3.168.0/24 both on the Cisco network? Which object is set for the remote network in the s2s VPN Policy?
ASKER
Yes both of those IP ranges are on the Cisco Network.
Is the s2s policy you mentioned the IPSEC VPN one or something else?
ASKER
Never mind, I just realized you mean Site 2 Site......
On a side note...you might want to upgrade the security of the tunnel to AES-256/HMAC SHA1 (IKEv2). What you're using is not considered secure any longer. You'll have to play with it a bit and it may not be compatible with Cisco...but if you have someone on the other end to help you it would be advantageous at a later time to do so.
Anyway, back to the issue at hand. Have you tried disabling the NAT policy in the tunnel and testing this?
ASKER
I can't disable the NAT policy in the tunnel. That is a requirement from the Cisco managers on the remote side. I believe it is needed to access their remote SaaS server.
The S2S tunnel is working and I don't want to rock that boat. I just need the SSL-VPN Users to access the Server at the end of the S2S tunnel.
ASKER
I built a Global Client VPN and using it I was able to access the Remote Server without any problems.
I would however still like to be able to use the SSL-VPN to access the Remote Server.
Any suggestions?
Why not just remove the complexity and provide VPN access to this user from the Cisco side?
What's the SonicWALL model and its firmware version?
If you still need to provide this access, I'll provide the steps shortly...