Packet detail problem
Hi everyone,
I still have a problem (see my previous post) routing traffic through a VPN connection between 2 TZ-400 firewalls.
As you can see, on SITE A, I receive packets from the Internet (source ANY) and I have to route the traffic for a week to the server 172.20.30.40 in Site B.
Before that, I created a VPN Tunnel Interface between TZ-400 A1 and TZ-400 B1 (the light is green on both sides).
The packet arrives at the TZ-400 A1 firewall.
I NAT like this:
Source : ANY
Source Translated : ORIGINAL
Destination : WAN IP (x.x.x.x)
Destination Translated : 172.20.30.40 (The server in Site B)
Service : 1919 (for example)
Service Translated : Original
After that, I route the traffic like this:
Source : ANY
Destination : 172.20.30.40
Service : 1919
Interface : X2 (The WAN Interface)
Gateway : The X5 IP of TZ400 B2 (10.14.128.10)
I create a rule:
From : WAN
To : VPN
Source : ANY
Destination : 172.20.30.40
Service : 1919
ALLOW
-----------------
When I try a telnet x.x.x.x 1919,
I can see in the TZ-400 A1 packet monitor that the packet is Dropped for Policy Dropped reason 726.
OK, I can understand that, but what I don't understand is that in the packet detail I see:
Ethernet Header
Ether Type: IP(0x800), Src=[02:03:3a:04:75:19],
Dst=[00:86:9c:02:e9:10]
IP Packet Header
IP Type: TCP(0x6), Src=[81.243.22.117], Dst=[172.20.30.40]
TCP Packet Header
TCP Flags = [SYN,], Src=[52070], Dst=[1919], Checksum=0x970b
Application Header
Not Known
Value:[1]
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 2:2
In bold characters, you can see that the destination is the MAC address of the PALO ALTO A1 interface. After that, on the TZ-400 A2 firewall, nothing appears in the Packet Monitor.....
I know that it's complicated, but I don't find why this is and how to route the traffic to the SonicWall B1.
Best Answers
DisaRicks Newbie ✭
Hi,
I solved my problem using the VPN connection that already exists between TZ400-A2 and TZ400-B2.
Now I just need, for just a few days, to permit ANY ADDRESS in the VPN.
But when I create an Object with network 0.0.0.0/0.0.0.0 I receive the message
IP address can not be all zero in address Object used by IpHelper
In the IP Helper, I just have a NETBIOS policy from the local Network to IphPolicyDstAuto_0 (auto-created by the VPN Policy).
May I delete this for 7 days or not?
What is the goal of this entry in IP Helper?
Thank you very much
Eric
DisaRicks Newbie ✭
Hi,
thank you for your answer.
My problem is the following.
Now I can accept 0.0.0.0/0.0.0.0 in the VPN with Broadcast NetBIOS enabled (but the option in IpHelper removed!).
I don't have any error message.
The green LED in the VPN in front of 0.0.0.0/0.0.0.0 is ON.
To add 0.0.0.0/0.0.0.0 in the VPN, I create an address ANYADD included in LOCAL_NETWORK.
Now suppose my IP address is 81.243.22.102.
If I change ANYADD to include 81.243.22.0 / 255.255.255.0, the VPN includes those addresses.
If I make a telnet to the destination, I cross the VPN without any problem.
If I change ANYADD to include 0.0.0.0 / 0.0.0.0, the VPN includes all those addresses.
If I make a telnet to the destination, I don't cross the VPN....
I really don't know why......
Thank you very very very much for your help.
DisaRicks Newbie ✭
Hi
I solved my problem by creating a TUNNEL INTERFACE VPN between TZ400-A1 and B1 (on the first SonicWall).
I was not able to cross the VPN because in the route I gave the Interface X2 and the Gateway: the X5 IP of TZ400 B2 (10.14.128.10).
In fact I had to put the INTERFACE with the name of the VPN Tunnel interface and no GATEWAY.
Sorry for the inconvenience....
Thank you very much for your help
Eric
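The accepted answer above (route via the tunnel interface with no gateway, instead of X2 with a gateway) can be checked with a small teaching model. This is an added example, not SonicWall code or the poster's configuration: it assumes a simplified pipeline in which the post-NAT destination picks a route, the route's egress interface picks the "to" zone, and the access rule must match that zone pair (the interface and gateway names are constructed).

```python
import ipaddress

# Constructed interface -> zone mapping for the thread's TZ-400 A1
# (X2 is the WAN port; the tunnel interface belongs to the VPN zone).
ZONES = {"X2": "WAN", "X0": "LAN", "TunnelIf_A1_B1": "VPN"}

def lookup_route(routes, dst):
    """Longest-prefix match. A route is (network, interface, gateway-or-None)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface, gw)
    return best

def rule_matches(rule, from_zone, to_zone, dst, port):
    """Zone pair, destination network and service must all match."""
    return (rule["from"] == from_zone and rule["to"] == to_zone
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and port == rule["port"])

def walk(routes, rules, in_iface, dst_after_nat, port):
    """Simplified post-NAT decision (assumption: a teaching model, not the
    exact SonicOS pipeline): route -> egress interface -> 'to' zone -> rule."""
    route = lookup_route(routes, dst_after_nat)
    if route is None:
        return "DROP: no route"
    _, out_iface, gw = route
    from_zone, to_zone = ZONES[in_iface], ZONES[out_iface]
    if any(rule_matches(r, from_zone, to_zone, dst_after_nat, port) for r in rules):
        return f"ALLOW via {out_iface} ({to_zone})" + (f" gw {gw}" if gw else "")
    return f"DROP: policy ({from_zone}->{to_zone}, no matching rule)"

# The access rule from the question: WAN -> VPN, destination server, service 1919.
RULES = [{"from": "WAN", "to": "VPN", "dst": "172.20.30.40/32", "port": 1919}]
# Constructed default route; 203.0.113.1 stands in for the real WAN gateway.
DEFAULT = ("0.0.0.0/0", "X2", "203.0.113.1")
# Route as first posted: WAN interface X2 plus the X5 IP of TZ400 B2 as gateway.
BROKEN_ROUTES = [DEFAULT, ("172.20.30.40/32", "X2", "10.14.128.10")]
# Route as in the accepted answer: the tunnel interface and no gateway.
FIXED_ROUTES = [DEFAULT, ("172.20.30.40/32", "TunnelIf_A1_B1", None)]

if __name__ == "__main__":
    # Telnet SYN from the Internet, after destination NAT to 172.20.30.40:1919.
    print("broken:", walk(BROKEN_ROUTES, RULES, "X2", "172.20.30.40", 1919))
    print("fixed: ", walk(FIXED_ROUTES, RULES, "X2", "172.20.30.40", 1919))
```

With the X2 route the egress zone is WAN, so the WAN-to-VPN rule never matches and the model reports a policy drop; with the tunnel-interface route the egress zone is VPN and the rule allows the packet.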
Answers
Routing decisions happen before NAT. See the flow chart published here:
What routes are advertised over your VPN tunnel interface? I suspect your route statement is part of the issue. Why do you have so many devices?
How did you solve your problem? It helps to post for others to see.
You cannot create an address object with all zeros even if you didn't have that IP Helper policy. There are other address objects that fulfill that need (e.g. 'Any', 'WAN Remote Access').
The reason that policy exists is because you have enabled 'Windows Networking (NetBIOS) broadcast' in the VPN tunnel advanced options page. You'd have to disable that feature to remove that option from the tunnel config.
Have you done a packet capture to see how the firewall is handling the telnet traffic when using the 0.0.0.0 address in the VPN?
Glad to help. Feel free to mark an answer for others to see.