SSL-VPN to IPSEC VPN Tunnel End Point

I currently have an IPSEC Site to Site VPN tunnel built between a Sonicwall and a Cisco ASA Appliance.  This is working perfectly.  

Now, I need a remote user to connect to the Sonicwall via SSL-VPN and then access a server on the other end of the IPSEC Site to Site VPN connection.

I created the SSL VPN User and built the SSL-VPN access on the Sonicwall.  The user can connect to the Sonicwall over SSL-VPN and access resources at that site only, and not the remote site.  It is not passing thru the IPSEC VPN Tunnel.

How do I get the SSL VPN user to access the server at the remote site over the IPSEC VPN Tunnel?

Thanks.
April33 asked:
Blue Street Tech (Last Knight) commented:
Hi April33,
Why not just remove the complexity and provide VPN access to this user from the Cisco side?
What's the SonicWALL model and its firmware version?

If you still need to provide this access, I'll provide them shortly...
April33 (Author) commented:
Hi diverseit, thanks for the quick response!

We have a Sonicwall TZ 205W  - firmware version 5.9.1.1-39o

The Cisco is in another country and managed by a provider that is difficult to communicate with.  But I like the idea of cutting out the middle man (Sonicwall) and going straight to the Cisco.  Simplicity is usually the best way!

If I cannot get this working using the Sonicwall I will try to contact the Cisco keepers.
Blue Street Tech (Last Knight) commented:
So if you need to accomplish this, you can do it through Client Routes.

The SSL VPN > Client Routes page allows you to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access via the SSL VPN connection.  NOTE: you don't have to add any client routes for the network on which the SSLVPN client addresses are configured.  That is done automatically for you.

Adding Client Routes
The Add Client Routes pulldown menu is used to configure access to network resources for SSL VPN users. Select the address object to which you want to allow SSL VPN access. Select Create new address object to create a new address object. Creating client routes causes access rules to automatically be created to allow this access. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page.

Go to Firewall > Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN. Disconnect the NetExtender client session, reconnect and try to access (ping) the remote site resource. The client will be able to access the resources without any issues.

Let me know how it goes!


April33 (Author) commented:
The Client Routes menu does not show a Create New.  I only have the typical list.  I selected "LAN Subnets" and a NAT rule used to reach the remote server called "SaaS" (172.29.5.x (SaaS) - 10.3.168.0/24 (Trans-SaaS) - 10.10.10.0/24 (LAN Primary Subnet)).

I did this: Go to Firewall > Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN.

Still did not work?

Any other suggestions?
Blue Street Tech (Last Knight) commented:
By selecting LAN Subnets you only granted access for that user to the SonicWALL LANs. These are Address Objects not NAT Policies that I am referring to. You should just select whatever the Object is called in the S2S VPN policy for the remote network (Cisco side).

If for some reason you need to create another Object and it will not allow you, just go to Network > Address Objects and create it there; then it will populate in the list.
April33 (Author) commented:
I tried selecting the remote network Address Object for the Cisco side in the Client Routes of the SSL-VPN.  I still cannot ping or connect to the remote server over the SSL-VPN?

Here are some PICs that might shed some light on my current setup.

[Attached screenshots: SSL1, SSL2, Address Object1, Address Object2, Firewall 1, Firewall 2]
Blue Street Tech (Last Knight) commented:
OK, thanks!

Can you send some pics of your s2s VPN policy?

Is 172.29.5.0/24 and 10.3.168.0/24 both on the Cisco network? Which object is set for the remote network in the s2s VPN Policy?
April33 (Author) commented:
Yes both of those IP ranges are on the Cisco Network.

Is the s2s policy you mentioned the IPSEC VPN one or something else?
April33 (Author) commented:
Never mind, I just realized you mean Site 2 Site......
April33 (Author) commented:
Here you go...

[Attached screenshots: S2S, S2S1, S2S2, S2S3]
Blue Street Tech (Last Knight) commented:
On a side note... you might want to upgrade the security of the tunnel to AES-256/HMAC SHA1 (IKEv2). What you're using is not considered secure any longer. You'll have to play with it a bit and it may not be compatible with Cisco... but if you have someone on the other end to help you it would be advantageous at a later time to do so.

Anyway, back to the issue at hand. Have you tried disabling the NAT policy in the tunnel and testing this?
April33 (Author) commented:
I can't disable the NAT policy in the tunnel.  That is a requirement from the Cisco managers on the  remote side.  I believe it is needed to access their remote SaaS server.

The S2S tunnel is working and I don't want to rock that boat.  I just need the SSL-VPN Users to access the Server at the end of the S2S tunnel.
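The checks the expert walks through above (a client route for the remote network, the SSLVPN <-> VPN access rules) plus the tunnel NAT policy that April33 says the Cisco side requires can be put together into a small model of where a NetExtender packet gets dropped. This is an added example written for this page, not SonicOS code and not something either participant posted: it treats each check as a predicate and reports the first one that fails. The 172.29.5.0/24 prefix length, the 192.168.200.0/24 NetExtender pool, the 1:1 LAN Primary -> Trans-SaaS mapping and the spare 10.3.168.254 address are all assumptions; the addresses named on the page are used as given.

```python
"""Model of the three checks a NetExtender (SSL VPN) packet must pass on the
SonicWALL before it can use the site-to-site IPsec tunnel to the Cisco ASA:
  1. client route    - the destination is inside a route pushed to the client
  2. access rule     - an SSLVPN -> VPN allow rule exists
  3. tunnel selector - the (NAT-translated) source and the destination fall
     inside the tunnel's local/remote networks; otherwise the packet never
     enters the IPsec SA at all
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Networks named in the thread (the "172.29.5.x" range is assumed to be a /24).
LAN_PRIMARY = ip_network("10.10.10.0/24")   # SonicWALL LAN Primary Subnet
TRANS_SAAS = ip_network("10.3.168.0/24")    # what the Cisco side sees as "us"
SAAS = ip_network("172.29.5.0/24")          # remote SaaS server network
# Assumption: the NetExtender client address pool is not given on the page.
SSLVPN_POOL = ip_network("192.168.200.0/24")


@dataclass
class NatPolicy:
    orig_src: IPv4Network
    trans_src: IPv4Network | IPv4Address   # network = 1:1 net-to-net, address = many-to-one
    dest: IPv4Network


@dataclass
class TunnelPolicy:
    local: IPv4Network                     # local network (proxy ID) offered to the Cisco
    remote: IPv4Network                    # remote network object (Cisco side)
    nat: list[NatPolicy] = field(default_factory=list)


@dataclass
class Config:
    client_routes: list[IPv4Network]
    access_rules: set[tuple[str, str]]     # allowed (from_zone, to_zone) pairs
    tunnel: TunnelPolicy


def zone_of(ip: IPv4Address) -> str:
    if ip in SSLVPN_POOL:
        return "SSLVPN"
    if ip in LAN_PRIMARY:
        return "LAN"
    if ip in SAAS:
        return "VPN"
    return "WAN"


def apply_tunnel_nat(src: IPv4Address, dst: IPv4Address, policies: list[NatPolicy]) -> IPv4Address:
    """Return the source address the Cisco will see; unchanged if no policy matches."""
    for p in policies:
        if src in p.orig_src and dst in p.dest:
            if isinstance(p.trans_src, IPv4Network):
                offset = int(src) - int(p.orig_src.network_address)   # keep the host part
                return IPv4Address(int(p.trans_src.network_address) + offset)
            return p.trans_src
    return src


def evaluate(src: str, dst: str, cfg: Config) -> list[tuple[str, bool]]:
    s, d = ip_address(src), ip_address(dst)
    nat_src = apply_tunnel_nat(s, d, cfg.tunnel.nat)
    return [
        # client routes only govern NetExtender clients; LAN hosts are unaffected
        ("client_route", zone_of(s) != "SSLVPN" or any(d in r for r in cfg.client_routes)),
        ("access_rule", (zone_of(s), zone_of(d)) in cfg.access_rules),
        ("tunnel_selector", nat_src in cfg.tunnel.local and d in cfg.tunnel.remote),
    ]


def first_failure(src: str, dst: str, cfg: Config) -> str | None:
    """Name of the first check that drops the packet, or None if it reaches the tunnel."""
    return next((name for name, ok in evaluate(src, dst, cfg) if not ok), None)


# Tunnel NAT the Cisco managers require (assumed to be a 1:1 LAN -> Trans-SaaS mapping).
LAN_NAT = NatPolicy(orig_src=LAN_PRIMARY, trans_src=TRANS_SAAS, dest=SAAS)
RULES = {("SSLVPN", "VPN"), ("VPN", "SSLVPN"), ("LAN", "VPN"), ("VPN", "LAN")}

# First attempt in the thread: client route = "LAN Subnets" only.
LAN_ROUTE_ONLY = Config([LAN_PRIMARY], RULES, TunnelPolicy(TRANS_SAAS, SAAS, [LAN_NAT]))
# Second attempt: the S2S remote network object added as a client route.
AS_POSTED = Config([LAN_PRIMARY, SAAS], RULES, TunnelPolicy(TRANS_SAAS, SAAS, [LAN_NAT]))
# One-sided fix: hide the pool behind an unused Trans-SaaS address (10.3.168.254 is an
# assumption) so SSL VPN traffic also matches the local selector the Cisco expects.
POOL_NAT = NatPolicy(orig_src=SSLVPN_POOL, trans_src=IPv4Address("10.3.168.254"), dest=SAAS)
WITH_POOL_NAT = Config([LAN_PRIMARY, SAAS], RULES,
                       TunnelPolicy(TRANS_SAAS, SAAS, [LAN_NAT, POOL_NAT]))

if __name__ == "__main__":
    cases = [("LAN route only", LAN_ROUTE_ONLY), ("as posted", AS_POSTED), ("with pool NAT", WITH_POOL_NAT)]
    for label, cfg in cases:
        for src in ("10.10.10.50", "192.168.200.5"):
            print(f"{label:15} {src:15} -> 172.29.5.10: drop at {first_failure(src, '172.29.5.10', cfg)}")
```

The model makes the gap visible: once the client route and access rules are in place, the NetExtender address still does not match the tunnel's local network or the existing NAT policy, so the packet never enters the SA. Closing that gap needs either a NAT policy on the SonicWALL that maps the pool into the range the Cisco already accepts, or the pool added to the tunnel's networks on both ends, which requires the Cisco managers.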
April33 (Author) commented:
I built a Global VPN Client connection and using it I was able to access the remote server without any problems.

I would however still like to be able to use the SSL-VPN to access the Remote Server.  

Any suggestions?