April33
asked on

SSL-VPN to IPSEC VPN Tunnel End Point

I currently have an IPSEC Site to Site VPN tunnel built between a Sonicwall and a Cisco ASA Appliance. This is working perfectly.

Now, I need a remote User to connect to the Sonicwall via SSL-VPN and then access a server on the other end of the IPSEC Site to Site VPN connection.

I created the SSL VPN User and built the SSL-VPN access on the Sonicwall. The User can connect to the Sonicwall over SSL-VPN and access resources at that site only... and not the remote site. It is not passing thru the IPSEC VPN Tunnel.

How do I get the SSL VPN User to access the server at the remote site over the IPSEC VPN Tunnel?

Thanks.
Tags: VPN, Internet Protocol Security, Networking Hardware-Other, Hardware Firewalls, Networking

Last Comment: April33, 8/22/2022 - Mon
Blue Street Tech

Hi April33,
Why not just remove the complexity and provide VPN access to this user from the Cisco side?
What's the SonicWALL model and its firmware version?

If you still need to provide this access, I'll provide them shortly...
April33

ASKER
Hi diverseit, thanks for the quick response!

We have a Sonicwall TZ 205W - firmware version 5.9.1.1-39o

The Cisco is in another country and managed by a provider that is difficult to communicate with.... But I like the idea of cutting out the middle man (Sonicwall) and going straight to the Cisco. Simplicity is usually the best way!

If I cannot get this working using the Sonicwall I will try to contact the Cisco keepers.
ASKER CERTIFIED SOLUTION
Blue Street Tech

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
April33

ASKER
The Client Routes menu does not show a Create New. I only have the typical List. I selected "LAN Subnets" and the NAT rule used to reach the remote server called "SaaS" (172.29.5.x (SaaS) - 10.3.168.0/24 (Trans-SaaS) - 10.10.10.0/24 (LAN Primary Subnet)).

I did this: Go to Firewall > Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN.

Still did not work.

Any other suggestions?
Blue Street Tech

By selecting LAN Subnets you only granted access for that user to the SonicWALL LANs. These are Address Objects, not NAT Policies, that I am referring to. You should just select whatever the Object is called in the S2S VPN policy for the remote network (Cisco side).

If for some reason you need to create another Object and it will not allow you, just go to Network > Address Objects and create it there; then it will populate in the list.
April33

ASKER
I tried selecting the remote network Address Object for the Cisco side in the Client Access of the SSL-VPN. I still cannot ping or connect to the remote server over the SSL-VPN.

Here are some PICs that might shed some light on my current setup.

Attachments: SSL1, SSL2, Address Object1, Address Object2, Firewall 1, Firewall 2
Blue Street Tech

OK, thanks!

Can you send some pics of your s2s VPN policy?

Are 172.29.5.0/24 and 10.3.168.0/24 both on the Cisco network? Which object is set for the remote network in the s2s VPN Policy?
April33

ASKER
Yes both of those IP ranges are on the Cisco Network.

Is the s2s policy you mentioned the IPSEC VPN one or something else?
April33

ASKER
Never mind, I just realized you mean Site 2 Site......
April33

ASKER
Here you go...

Attachments: S2S, S2S1, S2S2, S2S3
Blue Street Tech

On a side note... you might want to upgrade the security of the tunnel to AES-256/HMAC SHA1 (IKEv2). What you're using is not considered secure any longer. You'll have to play with it a bit and it may not be compatible with Cisco... but if you have someone on the other end to help you, it would be advantageous at a later time to do so.

Anyway, back to the issue at hand. Have you tried disabling the NAT policy in the tunnel and testing this?
April33

ASKER
I can't disable the NAT policy in the tunnel. That is a requirement from the Cisco managers on the remote side. I believe it is needed to access their remote SaaS server.

The S2S tunnel is working and I don't want to rock that boat.  I just need the SSL-VPN Users to access the Server at the end of the S2S tunnel.
April33

ASKER
I built a Global Client VPN and, using it, I was able to access the Remote Server without any problems.

I would however still like to be able to use the SSL-VPN to access the Remote Server.  

Any suggestions?
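As an added illustration, not code from this thread or from SonicWall, here is a small Python model of the four decision points the posts above touch: the SSL-VPN client route, the zone access rule (SSLVPN > VPN), the NAT policy inside the tunnel, and the tunnel's local/remote network selectors. The subnets (172.29.5.0/24, 10.3.168.0/24, 10.10.10.0/24) come from the thread; the SSL-VPN address pool 192.168.250.0/24, the translated address 10.3.168.254 and the extra NAT policy that hides SSL-VPN clients behind it are constructed assumptions, shown as one general way to make client traffic match a peer's selectors, not as the accepted answer (which is not visible here). The model is deliberately simplified and is not SonicOS behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class AccessRule:
    src_zone: str
    dst_zone: str
    allow: bool


@dataclass
class NatPolicy:
    orig_src: IPv4Network
    orig_dst: IPv4Network
    trans_src: IPv4Network  # a /32 means many-to-one; otherwise 1:1 by host offset


@dataclass
class S2SPolicy:
    local_nets: list[IPv4Network]   # local network selectors the peer accepts
    remote_nets: list[IPv4Network]  # networks behind the peer


@dataclass
class Firewall:
    lan_nets: list[IPv4Network]
    sslvpn_pool: IPv4Network          # addresses handed to SSL-VPN clients
    client_routes: list[IPv4Network]  # networks pushed to the SSL-VPN client
    access_rules: list[AccessRule]
    nat_policies: list[NatPolicy]
    s2s: S2SPolicy


@dataclass
class Verdict:
    ok: bool
    stage: str  # "client_route", "access_rule", "tunnel_selector" or "ok"
    detail: str
    effective_src: IPv4Address


def zone_of(fw: Firewall, addr: IPv4Address) -> str:
    """Map an address to the zone the policy lookup would use."""
    if any(addr in n for n in fw.lan_nets):
        return "LAN"
    if addr in fw.sslvpn_pool:
        return "SSLVPN"
    if any(addr in n for n in fw.s2s.remote_nets):
        return "VPN"
    return "WAN"


def apply_nat(fw: Firewall, src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Return the source address after the first matching NAT policy, if any."""
    for p in fw.nat_policies:
        if src in p.orig_src and dst in p.orig_dst:
            if p.trans_src.num_addresses == 1:
                return p.trans_src.network_address
            return p.trans_src.network_address + (int(src) - int(p.orig_src.network_address))
    return src


def check_path(fw: Firewall, client_ip: str, server_ip: str) -> Verdict:
    """Walk the decision points a packet from client_ip to server_ip must clear."""
    src, dst = ip_address(client_ip), ip_address(server_ip)
    # 1. An SSL-VPN client only sends the packet into the tunnel if a client route covers it.
    if src in fw.sslvpn_pool and not any(dst in n for n in fw.client_routes):
        return Verdict(False, "client_route", f"{dst} not covered by any client route", src)
    # 2. Zone-to-zone access rule, e.g. SSLVPN > VPN.
    sz, dz = zone_of(fw, src), zone_of(fw, dst)
    if not any(r.src_zone == sz and r.dst_zone == dz and r.allow for r in fw.access_rules):
        return Verdict(False, "access_rule", f"no allow rule for {sz} > {dz}", src)
    # 3. NAT inside the tunnel rewrites the source before selector matching.
    eff = apply_nat(fw, src, dst)
    # 4. Post-NAT source and destination must match the tunnel's selectors,
    #    otherwise the IPsec peer will not accept the traffic.
    if not any(eff in n for n in fw.s2s.local_nets):
        return Verdict(False, "tunnel_selector", f"source {eff} outside tunnel local nets", eff)
    if not any(dst in n for n in fw.s2s.remote_nets):
        return Verdict(False, "tunnel_selector", f"destination {dst} outside remote nets", eff)
    return Verdict(True, "ok", f"{src} reaches {dst} as {eff}", eff)


def build_firewall(nat_sslvpn_pool: bool = False, route_remote: bool = True) -> Firewall:
    """Model of the thread's setup. Subnets from the thread; the SSL-VPN pool
    192.168.250.0/24 and the 10.3.168.254/32 used for its NAT are constructed."""
    saas, trans = ip_network("172.29.5.0/24"), ip_network("10.3.168.0/24")
    lan, pool = ip_network("10.10.10.0/24"), ip_network("192.168.250.0/24")
    nats = [NatPolicy(lan, saas, trans)]  # the LAN -> Trans-SaaS policy the thread describes
    if nat_sslvpn_pool:  # hypothetical extra policy: hide SSL-VPN clients behind 10.3.168.254
        nats.append(NatPolicy(pool, saas, ip_network("10.3.168.254/32")))
    return Firewall(
        lan_nets=[lan], sslvpn_pool=pool,
        client_routes=[lan] + ([saas] if route_remote else []),
        access_rules=[AccessRule("LAN", "VPN", True), AccessRule("SSLVPN", "VPN", True),
                      AccessRule("VPN", "SSLVPN", True)],
        nat_policies=nats,
        s2s=S2SPolicy(local_nets=[trans], remote_nets=[saas]),
    )


if __name__ == "__main__":
    print(check_path(build_firewall(), "10.10.10.5", "172.29.5.20"))
    print(check_path(build_firewall(), "192.168.250.10", "172.29.5.20"))
    print(check_path(build_firewall(nat_sslvpn_pool=True), "192.168.250.10", "172.29.5.20"))
```

Run as-is, the first call passes (a LAN host is translated to 10.3.168.5, inside the tunnel's local network), the second fails at the tunnel-selector stage even though the client route and the SSLVPN > VPN access rule are both present, because the SSL-VPN client's untranslated pool address is not inside the local network the Cisco side expects, and the third passes once the constructed pool NAT policy is in place. The general point is that a client route and an access rule only get the packet to the tunnel; the peer still judges it by the post-NAT source address against its selectors, so that is the stage to inspect when the first two checks look correct.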