Veteran TS Engineer ready to give conceptual guidance on Network, VPN, HA, CFS, Security Services
John_Lasersohn
Moderator
I believe we can use the Forums as a Case Deflection Tool. I am a veteran TS Engineer ready to give conceptual guidance on Network, VPN, HA, CFS, Security Services. While this cannot replace in-depth cases, forums are a way where conceptual issues can be discussed in ways that help multiple customers. I can answer questions, point you to articles which cover your topic, and suggest things like what data to collect to be ready to work in a support case.
Feel free to ask here, or post your own topic to get going. I am happy to help.
- John Lasersohn, San Jose, CA
Category: Entry Level Firewalls
10 Comments
Thrilled to have you here @John_Lasersohn. Appreciate all the help. 😀
is it possible to do the following on a TZ600?
I have two businesses in the same building. They both have VPN client users. Both need to VPN into the same firewall. Is it possible to have one business pull a certain IP and get routed to a sub interface and the other business get a different IP and sub interface? Both businesses should not have connectivity to each other. I am currently accomplishing this via a different brand of firewall. Will the SonicWalls do this? I must also say that I've tried the static IP by MAC but the clients hang at acquiring IP address.
@John_Lasersohn please look into this. Thank you a lot for all the help, John 😊
Thanks and Regards,
Sridevi G
Global Service Account Manager, Premier Services
Hello @Tom,
The VPN clients get an IP from the same pool, but the access of the users is configured using the VPN access on the user level. So, basically, they connect to the same firewall and get an IP from the same pool, but would have different access privileges based on the username/password they use while connecting.
Please have a look at the following KB
I hope that helps!
Thanks!!
Shipra Sahu
Technical Support Advisor, Premier Services
Hello Tom:
Through the User and User Group VPN Access settings, you can have two groups who access different networks or VLANs with no overlap. This configuration does not require the clients to have separate acquired IP addresses via DHCP. This can be done on both SSLVPN (NetExtender and Mobile Connect clients) and on WAN GroupVPN (Global VPN Client, which is ESP-based). I am working up a lab that can demonstrate this.
Here are images from the tests. Users in two groups connect with GVC to GroupVPN on a firewall, and have access only to their subnet and can't ping each other either. The two User Groups each have the correct VPN Access config on it (e.g., X2 Subnet or X4 Subnet), and users in each group inherit those settings. Let me know if you have questions.
@John_Lasersohn Awesome work John!! Good if someone KB's it.
Thanks & Regards,
Poornima.T.R
@John_Lasersohn,
Wow. This setup looks amazing and I can see how much work you have put in to show this. Good job!! 😄
If you would like, I can write a KB on it, but this is more of a scenario-driven situation, so let me know what would be the best way to accommodate this information.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@John_Lasersohn,
Great Work !!!
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Hello @John_Lasersohn,
I'm really glad that you are here 😀. You are always known for experimenting with SonicWall stuff to gain precise results and the job still continues. 💪
Outstanding and Alluring!!! 👏
I would personally recommend a video documentary KB for scenarios for better Customer KCS exposure.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@Saravanan1990_V Amazing suggestion! I am involving @KaranM and @Micah in this discussion. I think they should be able to decide this in the best possible manner.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93 and @Saravanan1990_V,
Thank you for the suggestion. We will look into this.
Knowledge Management Senior Analyst at SonicWall.
Thank you. I believe I see what I need to do. I will test and if all is good I'll switch out my firewalls.