Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Client <> Site <> WAN - How to?

Cld_N3tCld_N3t Newbie ✭

Hi there,

Prospective question here from a networking amateur. I'm trying to figure out how to route a connection through our on-prem firewall, to a cloud IP that's externally facing. The cloud firewall is set to accept incoming traffic from our office ext. IP.

I'm trying to create a NAT policy that takes the incoming connection from a home worker (fixed external IP), routes that through the firewall and back out with out external IP, so as to be allowed for cloud ingress.

I think this might be the wrong approach, as when the user connects, they get given 10. address.

I didn't think I would need to add an incoming rule for the cloud provider, as this is browser traffic and we allow http & https. Am I wrong here?

I should mention this is a split tunnel. I know I could switch to full for the required users, but they already have bandwidth issues.

We use NetExtender and the SonicWall is the TZ700 (6.5).

Any help appreciated, I just can't think of the best way to approach and my limited knowledge of sonicwall is letting me down.

Thanks

Category: SSL VPN
Reply

Best Answers

  • CORRECT ANSWER
    MgnfcntBstrdMgnfcntBstrd Newbie ✭
    Answer ✓

    I would think you'd just need to add the Cloud subnet as a routed network to the SSL-VPN client configuration, a NAT rule to ensure it goes out through the WAN, and maybe an access rule to allow it.

  • CORRECT ANSWER
    prestonpreston Enthusiast ✭✭
    edited July 2021 Answer ✓

    Hi @Cld_N3t, I think this is what you are trying to do, @MgnfcntBstrd is quite right, this will only work with IP addresses though not FQDNs, SonicWall also have a document but I can't find it anywhere, I understand what @Saravanan means, but if you are already port forwarding using the WAN IP of your SonicWall for HTTP or HTTPs this will not work. Ideally if you need better thoughput, the Global VPN client is better than the SSL VPN client and is setup in a similar way (you just need to add the NAT from (Original Source - VPN DHCP Clients) and in the user group for the VPN (add the WAN IP you are trying to get to to the VPN Access tab) and add a VPN to WAN rule to the IP.

    you can obviously run both methods concurrently some on GVPN and some on SSL VPN


  • CORRECT ANSWER
    Cld_N3tCld_N3t Newbie ✭
    Answer ✓

    Thank you for the guide, that's exactly what I needed. Sadly, still no joy.

    What's odd (in the SonicWall logs) is I'm seeing a load of dropped connections from seemingly random IP's not in our IP address range.

    When filtering for the external IP, I would have expected to only see either an internal IP or the office ext. IP as source with the cloud ext. IP as destination.

Answers

  • SaravananSaravanan Moderator

    Hi @CLD_N3T,

    I believe you are looking to accomplish the requirement of reaching the cloud resource using the WAN IP of the firewall side without VPN due to bandwidth limitations. If this is right, may be you can try the below config change and see if it helps. I haven't tested this scenario but thinking logically the configs should help.

    Create a NAT policy on the SonicWall as below. The remote users should use the public IP address of the SonicWall's WAN IP to access to the cloud resource, so the traffic hits the SonicWall's WAN side and we translate the traffic to the cloud resource IP.

    • Source: Any
    • Translated Source: Original
    • Destination: Firewall's WAN IP
    • Translated Destination: Cloud Resource IP
    • Service: Any or HTTP or HTTPS (As Required)
    • Translated Service: Original
    • Inbound Interface: WAN Interface
    • Outbound Interface: WAN Interface

    Create an access rule from WAN to WAN,

    • Source: Any
    • Destination: Firewall's WAN IP
    • Service: Any or HTTP or HTTPS (As Required)

    With this config's in place, please have the users try using the public IP address of the SonicWall to connect to the cloud resource. This is done without the intervention of SonicWall Netextender SSLVPN.

    Please keep me posted on this for any help/assistance.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Cld_N3tCld_N3t Newbie ✭

    Hi Saravanan,


    Thank you for the advice, I have deployed this but sadly it still does not work. Do you think this is because all users are split VPN which splits web traffic through the home router?

    Thanks, Nathan

  • Cld_N3tCld_N3t Newbie ✭

    Thanks for this. Done as advised, however still no joy. I think this might be because the external IP I'm trying to reach is only open on a specific port. However I can't save the NAT policy with the port number added, for example 8.8.8.8:8000.

  • Cld_N3tCld_N3t Newbie ✭

    To close the thread, the guide Preston shared worked, I just hadn't added the rule in step 3 correctly.

Sign In or Register to comment.