Connecting to second office through VPN

Phil_G Newbie ✭

Hi. I have three offices, all of which are connected via site-to-site VPNs using the Tunnel Interface policy type (in order to use routing across the VPN). My main office has an NSA2650 and the other offices have TZ300s. I have no issues connecting to any services from my main office to either of the other offices. However, when I work from home and connect to my main office using the SSLVPN, I can only connect to computers and servers in my main office. On the NSA2650 I have created address objects for the two other office networks in the VPN zone. In the client routes for the SSLVPN I have the address objects for the other two offices. However, I am unable to access the servers in my other offices, files or web apps. I have tried adding NAT policies but nothing seems to work. Does anyone have an idea of what I need to do to get this working?

Category: SSL VPN

Answers

  • Hi @PHIL_G,

    Thank you for visiting SonicWall Community.

    Merry Christmas!!!

    Could you please check the user account for VPN access and ensure you have added the address objects meant for the networks behind the other two TZ 300 offices? This is one thing that I see you have missed as per your description.

    Kindly check and let me know if it helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Phil_G

    does your work-from-home user on the NSa 2650 have the remote networks configured as well on the "VPN Access" tab for that specific user?

    Did you check the VPN -> LAN rules on the remote side to make sure they cover your SSLVPN range as well? On the NSa 2650 I guess you're covered by the default rules, not 100% sure about that though.

    Did you crank up a Packet Monitor to see if there are any packets dropped or misrouted?

    --Michael@BWC

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Phil_G,

    Please follow the below steps to finish your requested task;

    1) First navigate to your TZ300 & create 2 address objects: one for your site-to-site VPN (assume it already exists) and one for your SSL VPN access.

    For example (screenshot not reproduced here):

    Then add the above address object group to your site-to-site VPN tunnel policy.

    Once you have finished the above steps, navigate to your SW2650 & follow the steps below:

    1) Create a new Address Object Group and add the LAN subnet & SSL VPN IP pool to the group.

    Once you have done the above step (assuming you have already created an address object for your remote location where the TZ300 is), navigate to your existing site-to-site VPN policy to the TZ300 location & choose the local network from the list (HO VPN), as in the screenshot below.

    Once you have done the above steps, apply the changes and make sure the access rules are updated with the above changes. Let me know if this helps you to resolve the problem.

  • Phil_G Newbie ✭

    My remote user has the remote networks configured on the VPN access tab.

    On the remote TZ300, in Firewall VPN>LAN, I do have a rule that covers the SSLVPN. It shows VPN>LAN, Source Newark SSLVPN, Destination Any, Service Any, Allow All.


    And for Ajishlal, this does not apply to me because, as I said, I am using Tunnel Interface for the policy type in my site-to-site VPN, and there is no network tab when you do that.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Phil_G

    to figure out what's going on, you should start a Packet Monitor on both sides for ICMP (ping) with the destination address on the remote site which you're pinging via SSLVPN from the local site.

    Then you should see if the echo request reaches your remote site.

    You should make sure that your routing policy covers the LAN and SSLVPN Network on both sides to make sure the traffic gets routed through your tunnel.

    --Michael@BWC

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Phil_G,

    Ahh, I didn't notice that, but I tested your scenario (Tunnel Interface with SSL VPN) in my environment and it worked perfectly.

    Please follow the steps below;

    Assume the below configuration in your 2650 location where you have SSLVPN:

    Step-1

    Create an Address Object Group and add your LAN subnets & the SSLVPN IP pool/network (see the screenshot below)

    Step-2

    Add a Route Policy as in the example below:

    After applying the above Route Policy, the access rules created should be the same as below;

    LAN to VPN

    VPN to LAN

    TZ300 (Remote Location) Configuration:

    Step 1:

    Create an Address Object Group and add your 2650 network & SSL VPN IP pool/network (see the screenshot below)

    Step:2

    Add Route Policy for your 2650 & SSL VPN Access

    After applying the above Route Policy, the access rules created should be the same as below;

    LAN to VPN

    VPN to LAN

    Testing the Connection:


    Please let me know if it helps you or not.
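The procedure above and BWC's earlier advice boil down to one check: both firewalls must have a route for the SSL VPN pool pointing at the tunnel interface, and the zone pair crossed on each side must have an access rule covering the pool. The Python below is an added example, not SonicWall configuration or anything the posters ran: it models the NSA2650 and a TZ300 as plain route tables plus zone-pair access rules and traces a packet from an SSL VPN client to a branch server and back. The prefixes, the zone names LAN/VPN/SSLVPN/WAN and the rule sets are constructed assumptions; the "before" branch only knows the head-office LAN behind the tunnel, the "after" branch has the extra route policy for the SSL VPN pool that the steps above add.

```python
"""Trace an SSL VPN client's round trip across a tunnel-interface site-to-site VPN.

Added example, not code from the thread. Addresses and zone names are assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the thread does not give real prefixes.
HO_LAN = ip_network("10.10.0.0/24")         # LAN behind the NSA2650 (head office)
SSLVPN_POOL = ip_network("10.10.250.0/24")  # SSL VPN client pool handed out by the 2650
BRANCH_LAN = ip_network("10.20.0.0/24")     # LAN behind one of the TZ300s
ANY = ip_network("0.0.0.0/0")


class Firewall:
    """Minimal model: a route table (prefix -> egress zone) plus zone-pair access rules."""

    def __init__(self, name, routes, rules):
        self.name = name
        self.routes = list(routes)  # [(IPv4Network, egress zone), ...]
        self.rules = list(rules)    # [(src zone, dst zone, src net, dst net), ...]

    def egress_zone(self, dst):
        """Longest-prefix match; no match means the default route, i.e. the WAN."""
        matches = [(net, zone) for net, zone in self.routes if dst in net]
        if not matches:
            return "WAN"
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def permits(self, src_zone, dst_zone, src, dst):
        return any(sz == src_zone and dz == dst_zone and src in s and dst in d
                   for sz, dz, s, d in self.rules)


def trace(fw, ingress_zone, src, dst):
    """Forward one packet through fw; returns (ok, explanation)."""
    egress = fw.egress_zone(dst)
    if egress == "WAN":
        return False, f"{fw.name}: no route for {dst}, reply would leave via WAN"
    if not fw.permits(ingress_zone, egress, src, dst):
        return False, f"{fw.name}: no {ingress_zone}->{egress} rule for {src}->{dst}"
    return True, f"{fw.name}: {ingress_zone}->{egress} ok"


def check_round_trip(ho, branch, client, server):
    """Client on the SSL VPN pool reaches a branch server and the reply comes back."""
    client, server = ip_address(client), ip_address(server)
    steps = [
        trace(ho, "SSLVPN", client, server),   # client -> tunnel at head office
        trace(branch, "VPN", client, server),  # tunnel -> branch LAN
        trace(branch, "LAN", server, client),  # reply: branch LAN -> tunnel
        trace(ho, "VPN", server, client),      # reply: tunnel -> SSL VPN client
    ]
    return all(ok for ok, _ in steps), [why for _, why in steps]


def head_office():
    # Assumed state of the 2650: LAN, SSL VPN pool and the tunnel route all present.
    return Firewall("NSA2650",
        routes=[(HO_LAN, "LAN"), (SSLVPN_POOL, "SSLVPN"), (BRANCH_LAN, "VPN")],
        rules=[("SSLVPN", "VPN", SSLVPN_POOL, BRANCH_LAN),
               ("VPN", "SSLVPN", BRANCH_LAN, SSLVPN_POOL),
               ("SSLVPN", "LAN", SSLVPN_POOL, HO_LAN),
               ("LAN", "SSLVPN", HO_LAN, SSLVPN_POOL)])


def branch_before():
    # TZ300 only knows the head-office LAN lives behind the tunnel interface;
    # its VPN<->LAN rules are wide open, so routing, not the rules, is what fails.
    return Firewall("TZ300",
        routes=[(BRANCH_LAN, "LAN"), (HO_LAN, "VPN")],
        rules=[("VPN", "LAN", ANY, ANY), ("LAN", "VPN", ANY, ANY)])


def branch_after():
    # Same box after adding a route policy for the SSL VPN pool via the tunnel interface.
    fw = branch_before()
    fw.routes.append((SSLVPN_POOL, "VPN"))
    return fw


if __name__ == "__main__":
    for branch in (branch_before(), branch_after()):
        ok, why = check_round_trip(head_office(), branch, "10.10.250.7", "10.20.0.50")
        print("reachable" if ok else "BROKEN")
        for line in why:
            print("  ", line)
```

Running it shows the symptom from the original post: the request reaches the branch server, but the reply has no route for 10.10.250.0/24 on the TZ300 and falls to the default route, which is exactly what a packet monitor on the remote side would show as misrouted ICMP. Adding the pool's route via the tunnel interface makes all four hops pass.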

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Phil_G

    Make sure your user account has privileges to access the 2650 network as well as the remote location network.

    SSL VPN Client Routes:


  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Phil_G

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

  • MarkCheng Newbie ✭

    Hi @Ajishlal ,

    I followed your instructions to configure the SSLVPN on our firewall (TZ500), and I observed that adding the route on the SSLVPN Client Routes is enough. All users of the SSLVPN can access the scope. Could I assign a specific user to access the scope only? Thanks.
