I currently have an IPsec site-to-site VPN tunnel built between a SonicWALL and a Cisco ASA appliance. This is working perfectly.
Now I need a remote user to connect to the SonicWALL via SSL-VPN and then access a server on the other end of the IPsec site-to-site VPN connection.
I created the SSL-VPN user and built the SSL-VPN access on the SonicWALL. The user can connect to the SonicWALL over SSL-VPN and access resources at that site only, not the remote site. It is not passing through the IPsec VPN tunnel.
How do I get the SSL-VPN user to access the server at the remote site over the IPsec VPN tunnel?
Hi April33,
Why not just remove the complexity and provide VPN access to this user from the Cisco side?
What's the SonicWALL model and its firmware version?
If you still need to provide this access, I'll provide the steps shortly...
April33 (ASKER)
Hi diverseit, thanks for the quick response!
We have a SonicWALL TZ 205W, firmware version 5.9.1.1-39o.
The Cisco is in another country and managed by a provider that is difficult to communicate with... But I like the idea of cutting out the middle man (SonicWALL) and going straight to the Cisco. Simplicity is usually the best way!
If I cannot get this working using the SonicWALL, I will try to contact the Cisco keepers.
The Client Routes menu does not show a Create New. I only have the typical list. I selected "LAN Subnets" and a NAT rule used to reach the remote server called "SaaS" (172.29.5.x (SaaS) - 10.3.168.0/24 (Trans-SaaS) - 10.10.10.0/24 (LAN Primary Subnet)).
I did this: Go to Firewall> Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN.
By selecting LAN Subnets you only granted access for that user to the SonicWALL LANs. These are Address Objects, not NAT Policies, that I am referring to. You should just select whatever the Object is called in the S2S VPN policy for the remote network (Cisco side).
If for some reason you need to create another Object and it will not allow you, just go to Network > Address Objects and create it there; it will then populate in the list.
April33 (ASKER)
I tried selecting the remote network Address Object for the Cisco side in the Client Access of the SSL-VPN. I still cannot ping or connect to the remote server over the SSL-VPN.
Here are some pics that might shed some light on my current setup.
Blue Street Tech
OK, thanks!
Can you send some pics of your S2S VPN policy?
Are 172.29.5.0/24 and 10.3.168.0/24 both on the Cisco network? Which object is set for the remote network in the S2S VPN Policy?
On a side note... you might want to upgrade the security of the tunnel to AES-256/HMAC SHA1 (IKEv2). What you're using is not considered secure any longer. You'll have to play with it a bit and it may not be compatible with the Cisco... but if you have someone on the other end to help you, it would be advantageous to do so at a later time.
Anyway, back to the issue at hand. Have you tried disabling the NAT policy in the tunnel and testing this?
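The two posts above (the one about client routes and the SSLVPN > VPN / VPN > SSLVPN access rules, and the one asking about the NAT policy in the tunnel) describe three separate gates an SSL-VPN client's packet has to clear before it rides the site-to-site tunnel. The following is an added example, not code from the thread or from SonicOS: a small Python model of those gates, built with the networks named in the thread (10.10.10.0/24 LAN Primary Subnet, 10.3.168.0/24 Trans-SaaS, 172.29.5.0/24 SaaS). The SSL-VPN client pool (192.168.200.0/24), the zone names, the 1:1 style of the existing NAT policy, and the spare translated address 10.3.168.254 are all assumptions made for the example. The `evaluate()` function returns the list of reasons a flow would fail; the scenarios show that adding the client route and the access rules alone still leaves the SSL-VPN source address outside the tunnel's local network, which is where a NAT policy for the SSL-VPN pool comes in.

```python
"""Model of the checks an SSL-VPN client's packet must clear to enter a
site-to-site IPsec tunnel: client route, zone access rule, NAT, tunnel
selectors. Added example, not SonicOS code; pool/zone names are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ANY = None  # stands in for the SonicOS "Any" object


@dataclass
class AccessRule:
    from_zone: str
    to_zone: str
    src: Optional[IPv4Network] = ANY
    dst: Optional[IPv4Network] = ANY
    action: str = "allow"

    def matches(self, fz, tz, s, d):
        return (self.from_zone == fz and self.to_zone == tz
                and (self.src is None or s in self.src)
                and (self.dst is None or d in self.dst))


@dataclass
class NatPolicy:
    orig_src: IPv4Network
    trans_src: IPv4Network  # same prefix length = 1:1 network NAT; /32 = many-to-one
    orig_dst: IPv4Network


@dataclass
class Tunnel:
    local: IPv4Network   # local proxy ID / crypto ACL as the peer expects it
    remote: IPv4Network


@dataclass
class Firewall:
    zones: dict          # zone name -> network behind it
    client_routes: list  # networks pushed to SSL-VPN clients
    rules: list
    nat: list
    tunnel: Tunnel

    def zone_of(self, ip):
        return next((z for z, net in self.zones.items() if ip in net), "WAN")


def translate(policies, src, dst):
    """Apply the first matching source-NAT policy; return the translated source."""
    for p in policies:
        if src in p.orig_src and dst in p.orig_dst:
            if p.trans_src.prefixlen == 32:
                return p.trans_src.network_address  # many-to-one
            if p.trans_src.prefixlen != p.orig_src.prefixlen:
                raise ValueError("1:1 network NAT needs equal prefix lengths")
            offset = int(src) - int(p.orig_src.network_address)
            return IPv4Address(int(p.trans_src.network_address) + offset)
    return src


def evaluate(fw, src, dst):
    """Return the reasons a flow src->dst fails; an empty list means it passes."""
    src, dst = ip_address(src), ip_address(dst)
    fz, tz = fw.zone_of(src), fw.zone_of(dst)
    reasons = []
    # Gate 1: the SSL-VPN client only tunnels destinations it has a client route for.
    if fz == "SSLVPN" and not any(dst in r for r in fw.client_routes):
        reasons.append("no SSL-VPN client route for destination")
    # Gate 2: zone-to-zone access rule on the firewall.
    hit = next((r for r in fw.rules if r.matches(fz, tz, src, dst)), None)
    if hit is None or hit.action != "allow":
        reasons.append(f"no allow rule {fz} > {tz}")
    # Gate 3: after NAT, the source must sit inside the tunnel's local network,
    # otherwise the peer's crypto ACL never matches and the packet is dropped.
    tsrc = translate(fw.nat, src, dst)
    if tsrc not in fw.tunnel.local or dst not in fw.tunnel.remote:
        reasons.append(f"source {tsrc} not in tunnel local network {fw.tunnel.local}")
    return reasons


LAN = ip_network("10.10.10.0/24")       # LAN Primary Subnet (from the thread)
TRANS = ip_network("10.3.168.0/24")     # Trans-SaaS (from the thread)
SAAS = ip_network("172.29.5.0/24")      # remote SaaS network (from the thread)
POOL = ip_network("192.168.200.0/24")   # SSL-VPN client pool (assumed)

LAN_NAT = NatPolicy(LAN, TRANS, SAAS)   # existing 1:1 policy, assumed shape
# Assumed: 10.10.10.254 is not a LAN host, so 10.3.168.254 is free for the pool.
POOL_NAT = NatPolicy(POOL, ip_network("10.3.168.254/32"), SAAS)
S2S_RULES = [AccessRule("LAN", "VPN"), AccessRule("VPN", "LAN")]
SSL_RULES = [AccessRule("SSLVPN", "VPN"), AccessRule("VPN", "SSLVPN")]


def build(client_routes, rules, nat):
    return Firewall({"LAN": LAN, "SSLVPN": POOL, "VPN": SAAS},
                    client_routes, rules, nat, Tunnel(TRANS, SAAS))


def scenario_lan_host():            # what already works in the thread
    return evaluate(build([LAN], S2S_RULES, [LAN_NAT]), "10.10.10.5", "172.29.5.10")


def scenario_lan_subnets_only():    # client route "LAN Subnets" only
    fw = build([LAN], S2S_RULES + SSL_RULES, [LAN_NAT])
    return evaluate(fw, "192.168.200.5", "172.29.5.10")


def scenario_route_and_rules():     # remote object added as client route, rules present
    fw = build([LAN, SAAS], S2S_RULES + SSL_RULES, [LAN_NAT])
    return evaluate(fw, "192.168.200.5", "172.29.5.10")


def scenario_with_pool_nat():       # plus a NAT policy for the SSL-VPN pool
    fw = build([LAN, SAAS], S2S_RULES + SSL_RULES, [LAN_NAT, POOL_NAT])
    return evaluate(fw, "192.168.200.5", "172.29.5.10")


if __name__ == "__main__":
    for name in ("scenario_lan_host", "scenario_lan_subnets_only",
                 "scenario_route_and_rules", "scenario_with_pool_nat"):
        print(name, globals()[name]() or "passes")
```

The model only covers the outbound direction; return traffic relies on the firewall's connection table to reverse the many-to-one translation, and whichever translated address is used must be one the Cisco side's crypto ACL already includes, which is why the peer's own tunnel definition (not only the SonicWALL's) decides whether a pool NAT like this can work.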
April33 (ASKER)
I can't disable the NAT policy in the tunnel. That is a requirement from the Cisco managers on the remote side. I believe it is needed to access their remote SaaS server.
The S2S tunnel is working and I don't want to rock that boat. I just need the SSL-VPN Users to access the Server at the end of the S2S tunnel.
April33 (ASKER)
I built a Global Client VPN and using it I was able to access the Remote Server without any problems.
I would however still like to be able to use the SSL-VPN to access the Remote Server.