Mark Armer asked:

Site-to-Site VPN access to MPLS

We have 4 locations, each with a Sonicwall.
3 of the locations are connected with an MPLS network; the 4th, tiny office (Site D) is connected to our main site (Site A) via a site-to-site VPN.

Sites A (Main), B (Remote 1) and C (Remote 2) communicate over MPLS reliably, as expected, and Sites A and D communicate perfectly over the site-to-site VPN. However, I have so far been unable to get Site D to communicate with Sites B or C, and Sites B and C are unable to communicate with Site D.

I've been bashing my head against a wall on this for a couple of days now. Could someone with Sonicwall experience please help me figure this out?

Thank You very much in advance.
atlas_shuddered replied:

Is your traffic over the MPLS being VPNed as well, or is it open?
Mark Armer (asker) replied:

Our MPLS is 'Verizon IP VPN'.

Okay, from the remote sites B and C, can you see routes for site D or a default route which comes back through to Site A?

Right now I'm basically starting with a clean slate, as I am new to Sonicwalls and figured I'd screwed it up, so I deleted everything and am ready to start over when I can get some help with the Sonicwalls. Verizon confirmed on their side that if I can get traffic onto their circuit they have everything set up so it will route correctly on their end; I just need to figure out what to do with each Sonicwall to make it send data to the right place.

Our setup is that our Sonicwalls all have a .10 address (e.g. 10.1.14.10, 10.1.15.10, etc.) and the Verizon routers are all .1, so each of the Sonicwalls has a static route which sends the traffic for other sites over the MPLS to 10.1.14.1, 10.1.15.1, etc. Beyond that, all settings have been removed, as I got myself completely muddled up with what I may need for NAT rules/firewall rules/static routes and basically ended up with a huge mess that didn't work.

If Site A is able to talk to all sites, then at Sites B and C you need to add a route to D's network through Site A. At Site D's firewall, you need to add routes for Sites B and C to Site A. Being it's VPN, you either point them through a tunnel interface or add them to an existing phase 2 policy.

Again, have you confirmed that traffic from Sites B and C has a route back to Site D, and vice versa? Your comment above indicates that all the individual links work fine; it's when you have to cross A to get between D and B/C. If this is the case, it would indicate that you have a routing issue.

Instead of taking Verizon's word for it have them perform the following test:

At Site B, run a traceroute for Site D. Review the path for accuracy.
At Site C, do the same.

If these clear, you will need to confirm at Sites A and D that traffic from/to Sites B and C is actually permitted to traverse the VPN.
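The routing fix described in the answer above (B and C route D's network via A over the MPLS; D routes B's and C's networks via A over the tunnel) and the two checks that follow it (a traceroute in each direction, then confirming the tunnel policy actually permits B/C traffic) can be modelled offline. The following is an added example written for this thread, not configuration from the poster or from SonicWall: it simulates each device's routing table with longest-prefix matching, treats the A-D tunnel as a point-to-point link whose phase-2 selectors must cover both endpoints, and returns the hop-by-hop path a traceroute should show. The /24 prefixes, the device names (FW_A, MPLS, VPN_AD) and the host addresses are constructed assumptions; only the .1/.10 convention and the 10.1.14.x / 10.1.15.x prefixes come from the thread, and the thread does not say which site owns which prefix.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
Route = Tuple[IPv4Net, str]  # (destination prefix, next-hop node name)

# Constructed addressing, not the poster's real plan: one /24 per site with the
# SonicWall at .10 and the Verizon CE router at .1, as the thread describes for
# 10.1.14.x and 10.1.15.x. Which site owns which prefix, and the prefixes for
# sites C and D, are assumptions.
SITE_NETS: Dict[str, IPv4Net] = {
    "A": ipaddress.ip_network("10.1.14.0/24"),
    "B": ipaddress.ip_network("10.1.15.0/24"),
    "C": ipaddress.ip_network("10.1.16.0/24"),
    "D": ipaddress.ip_network("10.1.17.0/24"),
}
# The A-D tunnel is a point-to-point link: traffic entering from one firewall
# leaves at the other.
LINKS = {"VPN_AD": {"FW_A": "FW_D", "FW_D": "FW_A"}}


def lpm(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match over one device's routing table; None means no route."""
    best: Optional[Route] = None
    for prefix, nh in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def before_fix() -> Tuple[Dict[str, List[Route]], List[IPv4Net]]:
    """Routes and tunnel policy as the poster describes them: every site knows its
    direct neighbours only. Returns (per-node routing tables, tunnel selector list)."""
    A, B, C, D = (SITE_NETS[s] for s in "ABCD")
    tables = {
        "FW_A": [(A, "DELIVER"), (B, "MPLS"), (C, "MPLS"), (D, "VPN_AD")],
        "FW_B": [(B, "DELIVER"), (A, "MPLS"), (C, "MPLS")],
        "FW_C": [(C, "DELIVER"), (A, "MPLS"), (B, "MPLS")],
        "FW_D": [(D, "DELIVER"), (A, "VPN_AD")],
        # Verizon's cloud, assumed (per the poster) to already send D's prefix to A's CE.
        "MPLS": [(A, "FW_A"), (B, "FW_B"), (C, "FW_C"), (D, "FW_A")],
    }
    tunnel_policy = [A, D]  # phase-2 selectors: only A<->D traffic may enter the tunnel
    return tables, tunnel_policy


def after_fix() -> Tuple[Dict[str, List[Route]], List[IPv4Net]]:
    """The answer's fix: B and C route D via the MPLS (hence via A), D routes B and C
    into the tunnel, and the tunnel's phase-2 policy is widened to carry B and C."""
    tables, policy = before_fix()
    B, C, D = (SITE_NETS[s] for s in "BCD")
    tables["FW_B"].append((D, "MPLS"))
    tables["FW_C"].append((D, "MPLS"))
    tables["FW_D"] += [(B, "VPN_AD"), (C, "VPN_AD")]
    return tables, policy + [B, C]


def trace(tables, policy, src: str, dst: str, max_hops: int = 10) -> List[str]:
    """Forwarding path for a packet src -> dst, starting at the source site's firewall
    and ending in DELIVER or DROP. Mirrors what a traceroute from that site should show."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_site = next(s for s, n in SITE_NETS.items() if src_ip in n)
    node, prev = f"FW_{src_site}", None
    path = [node]
    for _ in range(max_hops):
        if node in LINKS:
            # Tunnel selectors must cover both ends, or the packet never enters the SA.
            if not (any(src_ip in n for n in policy) and any(dst_ip in n for n in policy)):
                return path + ["DROP"]
            node, prev = LINKS[node][prev], node
            path.append(node)
            continue
        nh = lpm(tables[node], dst_ip)
        if nh is None:
            return path + ["DROP"]
        path.append(nh)
        if nh == "DELIVER":
            return path
        node, prev = nh, node
    return path + ["DROP"]  # loop guard


def reachable_both_ways(tables, policy, x: str, y: str) -> bool:
    """The 'and vice versa' check: a host at each site must reach a host at the other."""
    hx, hy = str(SITE_NETS[x][20]), str(SITE_NETS[y][20])
    return (trace(tables, policy, hx, hy)[-1] == "DELIVER"
            and trace(tables, policy, hy, hx)[-1] == "DELIVER")


if __name__ == "__main__":
    for label, (t, p) in (("before", before_fix()), ("after", after_fix())):
        print(label, "B->D:", " > ".join(trace(t, p, "10.1.15.20", "10.1.17.20")))
        print(label, "D->B:", " > ".join(trace(t, p, "10.1.17.20", "10.1.15.20")))
        print(label, "B<->D reachable:", reachable_both_ways(t, p, "B", "D"))
```

Running it shows the two failure modes separately: before the fix, FW_B has no route at all for D's prefix and drops the packet at the first hop, so a traceroute from B would die on the local firewall; with the routes added but the tunnel's phase-2 selectors left at A and D only, the packet reaches the tunnel and is dropped there instead, which is the case the last step of the answer (confirming B/C traffic is permitted to traverse the VPN) is meant to catch. Only with both the hairpin routes and the widened selectors does `reachable_both_ways` report true for B<->D and C<->D.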