How to access Remote services on existing Site to Site VPN
I have set up a site-to-site VPN between Site A and Site B. Both sites have cloud resources, with a site-to-site VPN between the on-prem FW and the Cloud FW. I am trying to route traffic from Site A to Site B, then to Site B's cloud resources.
I see all the on-prem networks traversing data but cannot connect to the cloud resources from either side. I have an ACL VPN SSLVPN ANY ANY and SSLVPN VPN ANY ANY. But no dice.
When running Packet Monitor I see the traffic being generated but nothing else. I know I have to be missing something right in front of me but cannot put my finger on it.
I know I can set up a site-to-site between the Site B Cloud FW and the Site A On-Prem FW, but the on-prem FW has more capabilities/features that I want to utilize. Can anyone point me in the right direction please?
Best Answers
preston All-Knowing Sage ✭✭✭✭
Hi Blacksuit,
Presuming you already have connectivity between the Site A and Site B SonicWalls, then you just need to make sure that the Site B Cloud Firewall knows about the Site A on-prem firewall network (it needs to be added to its destinations).
Then, on the site-to-site VPN, if it is the policy-based type (Site to Site), not (Tunnel Interface):
The Site B on-prem firewall needs to add the Site B Cloud FW network to the Local Networks in the VPN Network tab of the policy.
The Site A on-prem firewall needs to have the Site B Cloud FW network added to the Remote Networks in the VPN Network tab of the policy.
If you already have this, the bit you are probably missing is the VPN to VPN allow rule, not the SSL VPN rules you mentioned in your post.
Make sure also that you have added the remote networks to be used to the VPN zone, as the SonicWall will then auto-setup the correct access rules.
If you do possibly go down the route-based (Tunnel Interface) method, as you can route specific IP addresses or ranges this way, you don't need to use advanced routing (OSPF, RIPv2 or BGP) between just two firewalls as there is no benefit at all; you would be better using policy-based routing (static routes) using the method below.
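The selector logic behind that answer, as an added example that is not part of the thread: a policy-based (Site to Site) IPsec tunnel only encrypts traffic matching a local/remote network pair, so a flow relayed through Site B must be listed on both ends of both hops, and the transit firewall needs a VPN-to-VPN rule. The subnets, hop layout and `check_transit` function are constructed assumptions, not SonicWall configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the thread's topology (assumption, not from the post).
SITE_A_LAN, SITE_B_LAN, SITE_B_CLOUD = "10.1.0.0/24", "10.2.0.0/24", "10.20.0.0/24"


def _covers(nets, host):
    return any(ip_address(host) in ip_network(n) for n in nets)


def check_transit(hops, transit_vpn_to_vpn_rule, src, dst):
    """Return config gaps for a flow src->dst crossing policy-based tunnels in order.

    Each hop is described from both ends: 'near' is the firewall the flow enters the
    tunnel from, 'far' is the peer. Every hop must carry the ultimate source and
    destination in its selectors, and the two ends must mirror each other.
    """
    gaps = []
    for h in hops:
        if not _covers(h["near_local"], src):
            gaps.append(f"{h['name']}: {src} missing from near-side Local Networks")
        if not _covers(h["near_remote"], dst):
            gaps.append(f"{h['name']}: {dst} missing from near-side Remote Networks")
        if not _covers(h["far_local"], dst):
            gaps.append(f"{h['name']}: {dst} missing from far-side Local Networks")
        if not _covers(h["far_remote"], src):
            gaps.append(f"{h['name']}: {src} missing from far-side Remote Networks")
    if len(hops) > 1 and not transit_vpn_to_vpn_rule:
        gaps.append("transit firewall: no VPN->VPN allow rule for the relayed subnets")
    return gaps


def example():
    # As in the thread: the A<->B tunnel only carries the two LANs, so the cloud
    # subnet never matches a selector on hop 1 (traffic is generated, never sent).
    a_to_b = {"name": "SiteA<->SiteB", "near_local": [SITE_A_LAN], "near_remote": [SITE_B_LAN],
              "far_local": [SITE_B_LAN], "far_remote": [SITE_A_LAN]}
    # Site B <-> Site B Cloud already lists Site A LAN on both ends.
    b_to_cloud = {"name": "SiteB<->SiteBCloud", "near_local": [SITE_B_LAN, SITE_A_LAN],
                  "near_remote": [SITE_B_CLOUD], "far_local": [SITE_B_CLOUD],
                  "far_remote": [SITE_B_LAN, SITE_A_LAN]}
    broken = check_transit([a_to_b, b_to_cloud], False, "10.1.0.10", "10.20.0.5")
    # The fix from the answer: add the cloud subnet to Site A's Remote Networks and
    # Site B's Local Networks on hop 1, plus the VPN-to-VPN rule on Site B.
    fixed_hop = dict(a_to_b, near_remote=[SITE_B_LAN, SITE_B_CLOUD],
                     far_local=[SITE_B_LAN, SITE_B_CLOUD])
    fixed = check_transit([fixed_hop, b_to_cloud], True, "10.1.0.10", "10.20.0.5")
    return broken, fixed
```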
Answers
Hi @Blacksuit
You need to add routing on each firewall and router.
There are 2 options:
1) Policy-based routing
2) Advanced routing protocols (RIP v2, OSPF)
The routing tables should follow the diagram below.
Site A App Server to Site B Cloud App Server IP SEGMENT--> Site A Cloud FW ---> Site A Firewall ---> Site B Firewall ---> Site B Cloud Firewall ---> Site B App IP subnet
Site B App Server to Site A Cloud App Server IP SEGMENT--> Site B Cloud FW ---> Site B Firewall ---> Site A Firewall ---> Site A Cloud Firewall ---> Site A App IP subnet
@preston
Excuse my ignorance, as I have only been working with firewalls for 3 years and I just implemented the SonicWall security appliances; Cisco ASA was prior to them.
What do you mean it needs to be added to the destinations? I am using a Site to Site policy, not the Tunnel Interface. I have the following setup:
Address Objects:
(On Site A) - Site B LAN, Site B SMA VPN, Site B Cloud LAN, Created Address Group Site B Corp
(On Site B) - Site A LAN, Site A SMA VPN, and Site B Cloud LAN, Created Address Group Site A Corp
I have added both address groups into the VPN group that is used for the S2S VPN. I see the IPs listed in the active tunnel sessions and they are marked green. This tells me that they see each other, but when I try to ping or RDP to the server on Site B from Site A's SMA VPN, there is no response.
I have run the Packet Monitor, where I see the traffic generated but no drops from either firewall.
Thanks for any further insight you can provide!
@Blacksuit, I'll take a look for you and get back to you ( see message )