Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Access to a Server via his WAN IP from remote site through a VPN Site to Site

The situation is I need to access a Server on Site A by using the WAN IP of the Site A from a Site B through the VPN Site to Site (between Site A and Site B).

From the WAN (Internet), I can access the Server on Site A without problem via its Public IP (NAT WAN to LAN) ; It also works from Site A LAN, still using its Public IP (NAT loopback) : https://1.2.3.4:4000 (NAT to local address https://1.2.3.4).

But accessing to Server on Site A from Site B via Server A's Public IP does not work  through the VPN Site to Site.

Site A : SonicWall TZ 400

WAN : 1.2.3.4

LAN : 192.168.0.x

Server : 192.168.0.253 - https port from the LAN

From the WAN, Server accessible on port number 4000 (NAT from port 4000 to https)

----------------------------

Site B : SonicWall TZ 300

WAN : 4.3.2.1

LAN 192.168.1.x

I can access from the Site B through the VPN Site to Site to the Server on the Site A with the address https://192.168.0.253 but not form his WAN address access https://1.2.3.4:4000

Category: Entry Level Firewalls
Reply

Best Answers

  • CORRECT ANSWER
    JeroLefeJeroLefe Newbie ✭
    Answer ✓

    I just solve the issue: I have add network port TCP 4000 in ACL LAN to WAN on the "Site B" and now it's OK, I can access from the "Site B" through the VPN Site to Site to the Server on the "Site A" with his WAN address https://1.2.3.4:4000

  • CORRECT ANSWER
    JeroLefeJeroLefe Newbie ✭
    Answer ✓

    I have solve the issue like this:

    Site A : SonicWall TZ 400
    WAN : 1.2.3.4
    LAN : 192.168.0.x
    Server : 192.168.0.253 - https port from the LAN
    Note: From the WAN, Server accessible on port number 4000 (NAT from port 4000 to https)
    
    ----------------------------
    
    Site B : SonicWall TZ 300
    WAN : 4.3.2.1
    LAN 192.168.1.x
    


    About Access Rules at Site A

    From LAN To VPN
    Source: LAN Subnets (192.168.0.x)
    Destination: LAN SITE B (192.168.1.x)
    Service: Any
    
    From VPN To LAN
    Source: LAN SITE B (192.168.1.x)
    Destination: LAN Subnets (192.168.0.x)
    Service: Any
    
    


    About Access Rules at Site B

    From LAN To VPN
    Source: LAN Subnets (192.168.1.x)
    Destination: LAN SITE A (192.168.0.x)
    Service: Any
    
    From LAN To VPN
    Source: LAN Subnets
    Destination: SRV-APP Public IP (=Address Objetc >> Host 1.2.3.4 - Zone: VPN)
    Service: "Service SRV-APP" (=Service Object >> TCP 4000)
    
    From VPN To LAN
    Source: LAN SITE A (192.168.0.x)
    Destination: LAN Subnets (192.168.1.x)
    Service: Any
    

    About NAT Rule at Site B

    Source Original: LAN Subnets (192.168.1.0/24)
    Source Translated: Original
    Destination Original: SRV-APP Public IP (=Address Objetc >> Host 1.2.3.4 - Zone: VPN)
    Destination Translated: SRV-APP Private IP (=Address Objetc >> Host 192.168.0.253 - Zone: VPN)
    Service Original: Service SRV-APP (=Service Object >> TCP 4000)
    Service Translated: HTTPS
    Inbound Interface: Any
    Outbound Interface: Any
    


    From the WAN (Internet), I can access the Server on Site A without problem via its Public IP (NAT WAN to LAN) ; It also works from Site A LAN, still using its Public IP (NAT loopback) : https://1.2.3.4:4000 (NAT to local address https://1.2.3.4).

    More over, I can access from the Site B through the VPN Site to Site to the Server on the Site A with its Local IP Address: https://192.168.0.253

    And now I can also accessing to Server on Site A from Site B via Server Public IP on Site A through the VPN Site to Site: https://1.2.3.4:4000

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @JeroLefe did you tried to enable a NAT Rule on Site B?

    Source Original: 192.168.1.0/24
    Source Translated: Original
    Destination Original: 4.3.2.1
    Destination Translated: 192.168.0.253
    Service Original: 4000
    Service Translated: Original
    

    You probably need an Access Rule from LAN to VPN for 4.3.2.1 as destination as well.

    --Michael@BWC

  • JeroLefeJeroLefe Newbie ✭

    The situation is I need to access a Server on "Site A" by using the WAN IP of the Site A from a "Site B" through the VPN Site to Site (between "Site A" and "Site B").

    From the WAN (Internet), I can access the Server on "Site A" without problem via its Public IP (NAT WAN to LAN) ; It also works from "Site A" LAN, still using its Public IP (NAT loopback) : https://1.2.3.4:4000 (NAT to local address https://192.168.0.253).

    But accessing to Server on "Site A" from "Site B" via Public IP of the Server on "Site A" https://1.2.3.4:4000 does not work through the VPN Site to Site.

    Site A : SonicWall TZ 400

    WAN : 1.2.3.4

    LAN : 192.168.0.x

    Server : 192.168.0.253 - https port from the LAN

    From the WAN, Server accessible on port number 4000 (NAT from port 4000 to https)

    ----------------------------

    Site B : SonicWall TZ 300

    WAN : 4.3.2.1

    LAN 192.168.1.x

    I can access from the "Site B" through the VPN Site to Site to the Server on the "Site A" with the address https://192.168.0.253 but not from his WAN address access https://1.2.3.4:4000

  • JeroLefeJeroLefe Newbie ✭

    Hi,

    I have try your solution (NAT + ACL) but the result is the same unfortunately...

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @JeroLefe having an Access Rule from LAN to WAN means that the traffic is not going over the VPN Tunnel.

    It should have worked with the Rules I gave you, except that I messed up the Destination address, it should have been 1.2.3.4 and not 4.3.2.1.

    --Michael@BWC

  • JeroLefeJeroLefe Newbie ✭

    I understand.

    So, I have created this NAT rule on Site B as you mentioned above:

    Source Original: LAN Subnets (192.168.1.0/24)
    Source Translated: Original
    Destination Original: SRV-APP Public IP (=Address Objetc >> Host 1.2.3.4 - Zone: VPN)
    Destination Translated: SRV-APP Private IP (=Address Objetc >> Host 192.168.0.253 - Zone: VPN)
    Service Original: Service SRV-APP (=Service Object >> TCP 4000)
    Service Translated: Original
    Inbound Interface: Any
    Outbound Interface: Any
    

    Also, I have add the access rule LAN to VPN on Site B for 1.2.3.4 as destination as well (WAN IP of the Site A) like this:

    From LAN To VPN
    Source: Any
    Destination: SRV-APP Public IP (=Address Objetc >> Host 1.2.3.4 - Zone: VPN)
    Service: "Service SRV-APP" (=Service Object >> TCP 4000)
    

    But unfortunately I still don't have access to https://1.2.3.4:4000 (Site A WAN IP) from Site B...

    I note the NAT rule and the Access rule created above have traffic match (Traffice Statistics greater than 0).

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited May 2023

    Do you see any Port 4000 traffic on Site A coming via VPN?

    Do you allow Port 400 traffic from VPN to LAN at Site A?

    --Michael@BWC

  • JeroLefeJeroLefe Newbie ✭

    On Site A I have this log entry:

    Message: TCP connection reject received ; TCP connection dropped
    Source: 192.168.0.253, 4000, X0
    Destination: 192.168.1.58, 13490, X1
    IP Protocol: tcp
    Notes: TCP Flag(s): ACK RST
    


  • BWCBWC Cybersecurity Overlord ✭✭✭

    On Site A, do you have an Access Rule from VPN to LAN which allows Port 4000 to 192.168.0.253? ... the reject shown above tells otherwise.

    --Michael@BWC

  • ArkwrightArkwright Community Legend ✭✭✭✭✭

    As "TCP connection reject received" is logged on the Site A Sonicwall, that suggests it's 192.168.0.253 which is rejecting this, rather than the Sonicwall itself. A packet capture on Site A Sonicwall should confirm this.

  • JeroLefeJeroLefe Newbie ✭
    edited May 2023

    Solved

  • ArkwrightArkwright Community Legend ✭✭✭✭✭
    edited May 2023

    What was the resolution?

    -----

    Sorry, ignore this, posts out of order.

Sign In or Register to comment.