Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!
SSL-VPN to IPSEC VPN Tunnel End Point
I currently have an IPSEC Site to Site VPN tunnel built between a Sonicwall and a Cisco ASA Appliance. This is working perfectly.
Now, I need a remote User to connected to the Sonicwall via SSL-VPN and then access a server on the other end of the IPSEC Site to Site VPN connection.
I created the SSL VPN User and built the SSL-VPN access on the Sonicwall. The User can connected to the Sonicwall over SSL-VPN and access resources at that site only.... and not the remote site. It is not passing thru the IPSEC VPN Tunnel.
How to I get the SSL VPN User to access the server at the remote site over the IPSEC VPN Tunnel?
Thanks.
Now, I need a remote User to connected to the Sonicwall via SSL-VPN and then access a server on the other end of the IPSEC Site to Site VPN connection.
I created the SSL VPN User and built the SSL-VPN access on the Sonicwall. The User can connected to the Sonicwall over SSL-VPN and access resources at that site only.... and not the remote site. It is not passing thru the IPSEC VPN Tunnel.
How to I get the SSL VPN User to access the server at the remote site over the IPSEC VPN Tunnel?
Thanks.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Hi diverseit. thx for the quick response!
We have a Sonicwall TZ 205W - firmware version 5.9.1.1-39o
The Cisco is in another country and managed by a provider that is difficult communicate with.... But I like the idea of cutting out the middle man (Sonicwall) and going straight to the Cisco. Simplicity is usually the best way!
If I can not get this working using the Sonicwall I will try to contact the Cisco keepers.
We have a Sonicwall TZ 205W - firmware version 5.9.1.1-39o
The Cisco is in another country and managed by a provider that is difficult communicate with.... But I like the idea of cutting out the middle man (Sonicwall) and going straight to the Cisco. Simplicity is usually the best way!
If I can not get this working using the Sonicwall I will try to contact the Cisco keepers.
So if you need to accomplish this you can through Client Routes.
The SSL VPN > Client Routes page allows you to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote user can access via the SSL VPN connection. NOTE: you don't have to add any client routes for the network on which the SSLVPN Client addresses are configured. That is done automatically for you.
Adding Client Routes
The Add Client Routes pulldown menu is used to configure access to network resources for SSL VPN users. Select the address object to which you want to allow SSL VPN access. Select Create new address object to create a new address object. Creating client routes causes access rules to automatically be created to allow this access. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page.
Go to Firewall> Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN. Disconnect the Netextender Client session, reconnect & try to access (ping) the remote site resource. The client will be able to access the resources without any issues.
Let me know how it goes!
The SSL VPN > Client Routes page allows you to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote user can access via the SSL VPN connection. NOTE: you don't have to add any client routes for the network on which the SSLVPN Client addresses are configured. That is done automatically for you.
Adding Client Routes
The Add Client Routes pulldown menu is used to configure access to network resources for SSL VPN users. Select the address object to which you want to allow SSL VPN access. Select Create new address object to create a new address object. Creating client routes causes access rules to automatically be created to allow this access. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page.
Go to Firewall> Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN. Disconnect the Netextender Client session, reconnect & try to access (ping) the remote site resource. The client will be able to access the resources without any issues.
Let me know how it goes!
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
The Client Routes menu does not show a Create New. I only have the typical List. I selected "LAN Subnets" and a NAT rules used to reach the remote server called "SaaS" (172.29.5.x (SaaS) - 10.3.168.0/24 (Trans-SaaS)- 10.10.10.0/24 ) (LAN Primary Subnet).
I did this: Go to Firewall> Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN.
Still did not work?
Any other suggestions?
I did this: Go to Firewall> Access Rules and verify that VPN > SSLVPN, Any, Any, Allow is present and the same rule is present for SSLVPN > VPN.
Still did not work?
Any other suggestions?
By selecting LAN Subnets you only granted access for that user to the SonicWALL LANs. These are Address Objects not NAT Policies that I am referring to. You should just select whatever the Object is called in the S2S VPN policy for the remote network (Cisco side).
If for some reason you need to create another Object and it will not allow you, just go in Network > Address Objects and create it there then that will populate in in the list.
If for some reason you need to create another Object and it will not allow you, just go in Network > Address Objects and create it there then that will populate in in the list.
I tried selecting on remote network Access Object for the Cisco Side in the Client Access of the SSL-VPN. I still can not ping or connect to the remote server over the SSL-VPN?
Here are some PICs that might shed some light on my current setup.
Here are some PICs that might shed some light on my current setup.
OK, thanks!
Can you send some pics of your s2s VPN policy?
Is 172.29.5.0/24 and 10.3.168.0/24 both on the Cisco network? Which object is set for the remote network in the s2s VPN Policy?
Can you send some pics of your s2s VPN policy?
Is 172.29.5.0/24 and 10.3.168.0/24 both on the Cisco network? Which object is set for the remote network in the s2s VPN Policy?
Yes both of those IP ranges are on the Cisco Network.
Is the s2s policy you mentioned the IPSEC VPN one or something else?
Is the s2s policy you mentioned the IPSEC VPN one or something else?
On a side note...you might want to upgrade your security of the tunnel to AES-256/HMAC SHA1 (IKEv2). What your using is not considered secure any longer. You'll have to play with it a bit and it may not be compatible with Cisco...but if you have someone on the other send to help you it would be advantageous at a later time to do so.
Anyway, back to the issue at hand. Have you tried disabling the NAT policy in the tunnel and testing this?
Anyway, back to the issue at hand. Have you tried disabling the NAT policy in the tunnel and testing this?
I can't disable the NAT policy in the tunnel. That is a requirement from the Cisco managers on the remote side. I believe it is needed to access their remote SaaS server.
The S2S tunnel is working and I don't want to rock that boat. I just need the SSL-VPN Users to access the Server at the end of the S2S tunnel.
The S2S tunnel is working and I don't want to rock that boat. I just need the SSL-VPN Users to access the Server at the end of the S2S tunnel.
I built a Global Client VPN and using it I was able to access the Remote Server without any problems.
I would however still like to be able to use the SSL-VPN to access the Remote Server.
Any suggestions?
I would however still like to be able to use the SSL-VPN to access the Remote Server.
Any suggestions?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Why not just remove the complexity and provide VPN access to this user from the Cisco side?
What's the SonicWALL model and its firmware version?
If you still need to provide this access I provide them shortly...