Connect to SSLVPN Through VLAN
diondp Newbie ✭
edited June 2021 in Firewall Management and Analytics
Hi there, I have a running config with SSLVPN which runs from the WAN side without issues...
I would like our employees to connect to the SSLVPN from a "guest_vlan" which our wifi runs on. They connect to the X1 Management IP (which is our external WAN IP),
so X0:V10 is the guest_vlan,
but when trying to connect to the SSL VPN, the firewall drops the TCP...
I have enabled SSLVPN on the Zone "guest_vlan" - so why does the SonicWall drop the connection?
I tried creating an access rule from the guest_vlan subnet to the X1 management IP, but it still drops.
Any ideas?
Hi @diondp, you need to make sure the rule is for the Service SSLVPN and also enable the "enable management" option on the rule (this is the bit you are probably missing).
You don't need to enable the VLAN Zone in the SSL VPN Server Page, as if you do this you will need to connect using the VLAN Interface IP.
Just make sure you also create rules from the VLAN zone to the SSL VPN Zone and vice versa to allow the traffic.
Thank you for visiting SonicWall Community.
Your Guest users are behind the SonicWall and you have enabled the SSLVPN on the Guest VLAN. Your SSLVPN users should use the Guest VLAN interface IP (X0:V10 IP) in the Server field on the NetExtender client. Being behind the SonicWall and then trying to connect to the WAN IP address of the SonicWall doesn't work for all cases like SSLVPN and firewall management access such as PING, HTTPS and HTTP. Hence the respective interface IP address of the non-WAN interfaces is to be used.
Hope this clarifies. Please feel free to let me know for any questions/clarifications.
Technical Support Advisor - Premier Services
Hi, thank you for clarifying. However, it is an "Always On" connection, which primarily connects from outside the WAN, so to our outside WAN address... it would be kind of a dealbreaker to change this to the interface IP of the VLAN, 10.100.10.1... since it would not work when trying to connect "outside" the company...
Is it perhaps possible to create a reflective rule which redirects the external WAN address on the VLAN to 10.100.10.1 on the VLAN interface, and that way keep the configuration for the "external WAN IP"?
You could use a DNS address as the SSLVPN destination that resolves differently depending on whether a user is inside or outside the network.
E.g. externally vpn.mycompany.com resolves to 24.92.x.x so that remote users will connect to the WAN interface.
Internally vpn.mycompany.com resolves to 10.100.10.1 so that users will connect to the internal VLAN interface.
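
The split-DNS setup described in the reply above, as an added example that is not part of the original post: a BIND `named.conf` using views so that `vpn.mycompany.com` answers differently for guest VLAN clients and for everyone else. Assumptions: the DNS server runs BIND, the guest VLAN subnet is 10.100.10.0/24, the zone file paths are hypothetical, and 203.0.113.10 is a placeholder for the WAN IP that the post elides.

```conf
// Clients on the guest VLAN (subnet mask is an assumption; only the
// interface IP 10.100.10.1 appears in the thread).
acl guest_vlan { 10.100.10.0/24; };

// Internal view: guest VLAN clients are sent to the X0:V10 interface IP.
view "internal" {
    match-clients { guest_vlan; };
    recursion yes;
    zone "mycompany.com" {
        type master;
        // Hypothetical path. This zone file carries the internal record:
        //   vpn  IN  A  10.100.10.1
        file "zones/db.mycompany.com.internal";
    };
};

// External view: every other client is sent to the WAN interface.
// Views are evaluated in order, so this catch-all must come last.
view "external" {
    match-clients { any; };
    recursion no;
    zone "mycompany.com" {
        type master;
        // Hypothetical path. This zone file carries the public record,
        // with 203.0.113.10 standing in for the real WAN IP:
        //   vpn  IN  A  203.0.113.10
        file "zones/db.mycompany.com.external";
    };
};
```

The always-on client keeps a single server name in its configuration, and the TLS certificate presented on both interfaces has to be valid for that name.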
Check that you have added the following.
SSL VPN -> Client Settings -> Client Routes -> X[INTERFACE]:[VLAN] Subnet
Also, I think you are missing a rule under Access List in your USERS.
Go to USERS -> Local Users & Groups -> locate your group and edit.
Go to VPN Access and ADD the specific VLAN in question to the list (that's what is causing the TCP drops).
That should solve your issue.
Hope that helps.