Philip Goldwasser asked on
Routing Issues

I am posting this in the Sonicwall forum because all of my routers are Sonicwall, but I don't know if it is specific to Sonicwall.

I have three sites, A, B, and C.  Site A is our main site.  At site A we have a router that was placed there by the state for our connectivity to some of their services (we are a non profit with many state contracts).  So far so good.  All three sites are connected via VPN using tunnel mode.  Site A connects to both B and C, and then B and C connect to each other as well for redundancy.

Everyone at Site A can connect to the state web apps.  Everyone at site B can connect to the state web apps, but no one at site C can connect.  I have created address objects (on each router) for the state web apps and an address object group for all of them together.  I created a route at Site A to send all traffic for that address group to go to the state router (which has as its LAN address, an IP on our network).

At Site B, there is a route that says all traffic for the state services goes to the VPN tunnel to site A.  This works perfectly.  At site C the same route is set, but again, no one at site C can access the state web apps.

Using the packet monitor at Site A, I was able to see the traffic from site C.  I set the monitor filter to monitor for the destination IP of the state web app and told it to show only forwarded packets.  Then from site C I tried to reach the web app.  I did see forwarded packets on the site A router.

I am at a loss as to where to look to figure this out, but my assumption is that it is a routing problem.  The people at the state say that they are not blocking any traffic that comes through their router.

I ran the packet monitor and here are some results:

This is on site A.  I set the monitor filter for source IP (the IP address at site C where I am trying to access the state web app) and destination IP is the IP address of the state web app.  As soon as I start the monitor, even before trying to reach the website, I get the following in the packet monitor:

1 02/06/2018 19:50:23.656 X0*(i) -- -- -- LLC(0x27) -- -- Received 60[60]
2 02/06/2018 19:50:24.096 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 118[118]
3 02/06/2018 19:50:24.352 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 134[134]
4 02/06/2018 19:50:24.656 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 454[454]
5 02/06/2018 19:50:25.048 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 118[118]

This all repeats.

Here are the two lines with the IP addresses:

56 02/06/2018 19:50:31.272 X1*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 CONSUMED 66[66]
57 02/06/2018 19:50:31.272 -- X0* 192.168.251.3 10.243.130.36 IP TCP 51153,443 FORWARDED 66[66]

These two lines also repeat a number of times within the 1653 lines in the packet monitor.

At the same time I had the packet monitor running at site C.  Here it was just filtering for the destination IP address, since it is the only computer trying to get to this web app.  Here is the outcome from the same time stamp:

13933 02/06/2018 19:50:31.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 66[66]
13934 02/06/2018 19:50:32.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 66[66]
13935 02/06/2018 19:50:34.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 62[62]
13936 02/06/2018 19:50:38.368 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 66[66]
13937 02/06/2018 19:50:39.384 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 66[66]
13938 02/06/2018 19:50:41.400 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 62[62]

Any help will be greatly appreciated!
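The site C capture above has a shape worth recognising: three header-only packets (66, 66, 62 bytes) on source port 51153 at roughly 1 s and 2 s intervals, then the client gives up and retries from port 51154 with the same pattern. That is what a client retransmitting its SYN and never receiving a SYN/ACK looks like, i.e. the request leaves but nothing comes back to that firewall. The script below is an added example, not code from the thread; it parses SonicWall packet monitor lines of the format pasted above, groups TCP packets by 4-tuple, and flags flows that are repeated header-only packets with no packet in the reverse direction. It embeds the six site C lines from the post as sample input plus a constructed control case (a hypothetical reply on an interface named `T1`, which is an assumption) so the two outcomes can be compared. Because the asker's filters were one-directional (source or destination only), absence of reverse packets in those captures proves nothing on its own; run it on a capture whose filter admits both directions before drawing conclusions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the six lines the asker captured on the site C firewall,
# copied verbatim from the thread.
SITE_C_CAPTURE = """\
13933 02/06/2018 19:50:31.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 66[66]
13934 02/06/2018 19:50:32.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 66[66]
13935 02/06/2018 19:50:34.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 62[62]
13936 02/06/2018 19:50:38.368 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 66[66]
13937 02/06/2018 19:50:39.384 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 66[66]
13938 02/06/2018 19:50:41.400 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 62[62]
"""

# Constructed control case (hypothetical, NOT from the thread): one LLC noise
# line of the kind seen at site A, a third client attempt, and a reply from
# the web app arriving on a tunnel interface. The interface name "T1" and the
# reply line are assumptions made for the example.
CONTROL_CAPTURE = """\
1 02/06/2018 19:50:23.656 X0*(i) -- -- -- LLC(0x27) -- -- Received 60[60]
13939 02/06/2018 19:50:45.000 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51155,443 Received 66[66]
13940 02/06/2018 19:50:45.090 T1*(i) -- 10.243.130.36 192.168.251.3 IP TCP 443,51155 Received 66[66]
"""

# One packet monitor row: index, date, time, ingress if, egress if, src, dst,
# ethertype, IP protocol, "sport,dport", status, size[captured].
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<out_if>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<ether>\S+)\s+(?P<proto>\S+)\s+(?P<ports>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\[\d+\]$"
)

# 14 Ethernet + 20 IP + 20 TCP + a few options is a payload-less segment;
# anything at or under this size carries no application data.
HEADER_ONLY_MAX = 66


def parse_capture(text):
    """Parse packet monitor text into a list of packet dicts; skips lines that do not match."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%m/%d/%Y %H:%M:%S.%f")
        sport = dport = None
        if f["ports"] != "--":
            sport, dport = (int(p) for p in f["ports"].split(","))
        packets.append({
            "idx": int(f["idx"]), "ts": ts, "in_if": f["in_if"], "out_if": f["out_if"],
            "src": f["src"], "dst": f["dst"], "ether": f["ether"], "proto": f["proto"],
            "sport": sport, "dport": dport, "status": f["status"], "size": int(f["size"]),
        })
    return packets


def analyze_flows(packets):
    """Group TCP packets by (src, sport, dst, dport) and classify each flow."""
    flows = defaultdict(list)
    for p in packets:
        if p["ether"] != "IP" or p["proto"] != "TCP":
            continue  # LLC and other non-IP noise is irrelevant to the routing question
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)

    report = {}
    for key, pkts in flows.items():
        src, sport, dst, dport = key
        times = sorted(p["ts"] for p in pkts)
        gaps = [round((b - a).total_seconds(), 2) for a, b in zip(times, times[1:])]
        reverse = len(flows.get((dst, dport, src, sport), []))
        header_only = all(p["size"] <= HEADER_ONLY_MAX for p in pkts)
        if reverse:
            verdict = "answered"
        elif len(pkts) >= 2 and header_only:
            verdict = "no-reply: repeated header-only packets, likely SYN retransmits"
        else:
            verdict = "one-way"
        report[key] = {"packets": len(pkts), "reverse_packets": reverse,
                       "gaps_s": gaps, "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, text in (("site C", SITE_C_CAPTURE), ("control", CONTROL_CAPTURE)):
        print(f"== {name} ==")
        for key, info in analyze_flows(parse_capture(text)).items():
            print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {info}")
```

A flow reported as "no-reply" at site C tells you only that the SYN/ACK never reached the site C firewall; the same analysis on a two-way-filtered capture at site A (and at the state router, if its operators will run one) narrows down where the return path breaks.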
Blue Street Tech

Hi Philip,

Remove all the custom routes you created for this.

Consumed packets would be "consumed" by internal sources within the firewall. In the remote sites (Site B & C), make sure your Address Object(s) for the state web app are set to the VPN Zone. Also, make sure you have added the Site A network as an Address Object. Then create an Address Group, which includes both the Site A network and the web app Address Objects (both have to be set to the VPN Zone). In the existing VPN policy to Site A, in the Network tab, for the Remote Network, select the Address Group created above.

In Site A, create an Address Object for the web app's Public IP or Private IP address (whichever is used). This Address Object will need to be in the WAN or LAN Zone respectively. Then create a new Address Group, include the Address Object we created above and also add the existing Address Object for the Remote Office network(s). So this Address Group will consist of the remote network and the web app's IP address. In the existing VPN policy to the Remote Office, in the Network tab, for the Local Network, select the Address Group created above. Configure a NAT policy in Site A's firewall to translate traffic coming from the Remote Office network to the WAN IP when going to the web app.

Once the above setup is done, from the Remote Office site visit the web app added in the VPN config. If running packet capture in Remote Office firewall and Site A's firewall, you will notice the traffic getting routed through Site A's firewall to the web app IP address.

Let me know how it goes!
Philip Goldwasser (ASKER)
I started to do what you suggest, but when I go to the VPN policy, there is no Network tab as the VPN is set up as a tunnel interface.  This was done specifically to allow us to route through the VPN.  In your scenario it seems that I may not need to do any routing through the VPN, so I can reconfigure the VPN to be a standard site-to-site VPN.  Do you concur?  The only reason we need routing over the VPN is for the state web apps.
And BTW, this has been working from site B for years, so I do not know why I cannot get it to work this way from site C.
Also, I am concerned about the NAT policy at site A.  I also need full connectivity between all sites for local server access.  This NAT policy would need to only allow traffic from a remote site to the state web app.
Blue Street Tech: I missed that this was a Tunnel Interface VPN... I'm so used to seeing S2S (Site-to-Site) VPNs that I overlooked it. My apologies. So, what I provided you was strictly for a S2S VPN; since you have a Route-Based VPN, aka Tunnel Interface VPN, routes obviously make more sense, and that is also the reason the network topology configuration is removed from the VPN policy config (as you noted).
Philip Goldwasser (ASKER): OK, but this does not explain why it works from one remote site and not the other, or how to get it to work from that other site.
Blue Street Tech: Again, I'd still double-check and make sure the Address Objects in Site C are set to the VPN Zone.
Philip Goldwasser (ASKER): They are all set to the VPN zone.
ASKER CERTIFIED SOLUTION
Philip Goldwasser
Blue Street Tech: Sorry I was not more attentive... my workload exceeded my free time today. I'm glad you got it sorted out! :)

Philip Goldwasser (ASKER): I was able to solve it on my own.