CaptainGiblets
DNS over SSL VPN on a SonicWall NSA2600

I have tried contacting SonicWall support, but they are useless, so hopefully somebody here can give me a hand.

I have IPsec VPN working fine; I also have SSL VPN set up.

IPsec goes to an address of 192.168.20.2-192.168.20.100 with a default gateway of 192.168.20.1. It works great, no problems with my DNS.

My SSL VPN has IP addresses 192.168.22.100-192.168.22.200. I get an IP address and I can ping my DNS server; however, I can't perform lookups.

I log on as the same user for both connections, both zones have full access to and from the zone my servers are in.

When I perform a DNS request on the SSL VPN I can see the packet being forwarded; however, I don't get a reply.

I think it has something to do with SSL VPN not having a default gateway where the IPsec does. I may be completely off here, but SonicWall has decided it's not their problem despite us having a support contract. Hopefully somebody can point me in the right direction.
Carl Dula

On the SSL VPN under Client Settings do you have an entry for DNS Server 1 and 2?
CaptainGiblets (ASKER)
Yep, and they show in the Mobile Connect app once connected. The requests send, as I can see the packets leave my device and go to my DNS server, but they time out; this is why I thought it was something to do with a lack of default gateway.
I am assuming you also have an entry for DNS Domain? If not, enter one.

Try enabling NetBIOS over SSLVPN and see if that makes any difference.
Tried, makes no difference.

All my DNS servers are on subnet 30. I have enabled all traffic to and from 30 to 22.
I suspect this has something to do with the way you have Tunnel All Mode set.

I suggest you go to SSLVPN -> Client Routes, and click HELP. Then read the section on Tunnel All mode.
Tunnel all mode is enabled, the request is being sent to my DNS server, but I am not getting a reply.
From the DNS server, can you ping the IP address of the remote PC that is connected via the SSLVPN?
cef_soothsayer

Questions:

Can you ping the DNS server across the VPN from your laptop?
Can you ping your laptop across the VPN from the DNS server?
Do your laptop's DNS settings include the DNS server as the primary DNS provider?
Can you manually do an NSLOOKUP, select the server, and properly resolve an internal and an external name?

If you can ping the DNS server across the VPN from your laptop, and you can ping your laptop across the VPN from the DNS server, and your laptop's DNS settings include the DNS server as the primary DNS provider, then you have a firewall rule or NAT issue.

Check the FW rules LAN to VPN. Are there any rules that block DNS?
Check the FW rules VPN to LAN. Are there any rules that block DNS?
Check the NAT rules. Are there any rules that NAT the DNS ports to another destination or port?

Lastly, try backing up the SonicWall settings and upgrading the firmware.

Thanks.
ASKER CERTIFIED SOLUTION
CaptainGiblets
Ahhh.  Right.  I had assumed that the laptop was a member of the same domain as the DNS server.  Yes, unmatched DNS suffix issues would do that.

Thanks.
It's a phone, but any machine can query the DNS server as long as it uses the FQDN and it can get a connection, which the phone was. So if I pinged server.domain.local but didn't put domain.local in the DNS suffix list, it would send the request to the DNS server but ignore any reply. If I did the same on a laptop that was not a member of the domain, it would work fine.
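A small Python probe, added here as an illustration and not part of this thread, that separates the two failure modes discussed above: a query that leaves the client but never gets a reply (a timeout, the symptom in the question) versus a short name that only resolves once the right DNS suffix is in the search list. The suffix handling in `candidate_names` is a simplified model of the usual resolver rule and is an assumption; the server address, host name and suffix in the usage block are constructed values.

```python
import random
import socket
import struct

def candidate_names(name, search_list, ndots=1):
    """FQDNs a resolver tries for `name`, in order. A name with at least
    `ndots` dots is tried as typed first; a short name gets the search
    suffixes first and the bare name last (simplified resolver model)."""
    name = name.rstrip(".")
    suffixed = [f"{name}.{s.strip('.')}" for s in search_list]
    return [name] + suffixed if name.count(".") >= ndots else suffixed + [name]

def build_a_query(fqdn, txid=None):
    """Standard recursive A query; returns (txid, wire-format packet)."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(txid, data):
    """'answer', 'empty', 'nxdomain', 'error' or 'bad-id' for a raw reply."""
    rid, flags, _, ancount = struct.unpack(">HHHH", data[:8])
    if rid != txid:
        return "bad-id"  # reply belongs to some other query
    rcode = flags & 0x000F
    if rcode:
        return "nxdomain" if rcode == 3 else "error"
    return "answer" if ancount else "empty"

def probe(server, name, search_list, timeout=2.0):
    """Send one query per candidate FQDN over UDP/53 and record the outcome.
    'timeout' is the thread's symptom: the request left, nothing came back."""
    results = {}
    for fqdn in candidate_names(name, search_list):
        txid, pkt = build_a_query(fqdn)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(pkt, (server, 53))
                data, _ = s.recvfrom(512)
                results[fqdn] = classify_response(txid, data)
            except socket.timeout:
                results[fqdn] = "timeout"
    return results

if __name__ == "__main__":
    # Constructed values: a DNS server on the asker's subnet 30, a hypothetical
    # host "server", and the suffix the asker found was missing on the phone.
    print(probe("192.168.30.10", "server", ["domain.local"]))
```

Run it once with an empty search list and once with the domain suffix: a per-name "timeout" points at the path (firewall, NAT, routing), while "nxdomain" for the bare name but "answer" for the suffixed one points at the client's suffix configuration.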
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: CaptainGiblets (https:#a40999744)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer