Access to a Server via its WAN IP from remote site through a VPN Site to Site
The situation is I need to access a Server on Site A by using the WAN IP of the Site A from a Site B through the VPN Site to Site (between Site A and Site B).
From the WAN (Internet), I can access the Server on Site A without problem via its Public IP (NAT WAN to LAN); it also works from Site A LAN, still using its Public IP (NAT loopback): https://1.2.3.4:4000 (NAT to local address https://1.2.3.4).
But accessing the Server on Site A from Site B via Server A's Public IP does not work through the VPN Site to Site.
Site A : SonicWall TZ 400
WAN : 1.2.3.4
LAN : 192.168.0.x
Server : 192.168.0.253 - https port from the LAN
From the WAN, Server accessible on port number 4000 (NAT from port 4000 to https)
----------------------------
Site B : SonicWall TZ 300
WAN : 4.3.2.1
LAN 192.168.1.x
I can access from the Site B through the VPN Site to Site to the Server on the Site A with the address https://192.168.0.253 but not from its WAN address https://1.2.3.4:4000
Best Answers
JeroLefe Newbie ✭
I just solved the issue: I have added network port TCP 4000 in ACL LAN to WAN on the "Site B" and now it's OK, I can access from the "Site B" through the VPN Site to Site to the Server on the "Site A" with its WAN address https://1.2.3.4:4000
0
JeroLefe Newbie ✭
I have solved the issue like this:
Site A : SonicWall TZ 400
WAN : 1.2.3.4
LAN : 192.168.0.x
Server : 192.168.0.253 - https port from the LAN
Note: From the WAN, Server accessible on port number 4000 (NAT from port 4000 to https)
----------------------------
Site B : SonicWall TZ 300
WAN : 4.3.2.1
LAN 192.168.1.x
About Access Rules at Site A
From LAN To VPN
Source: LAN Subnets (192.168.0.x)
Destination: LAN SITE B (192.168.1.x)
Service: Any

From VPN To LAN
Source: LAN SITE B (192.168.1.x)
Destination: LAN Subnets (192.168.0.x)
Service: Any
About Access Rules at Site B
From LAN To VPN
Source: LAN Subnets (192.168.1.x)
Destination: LAN SITE A (192.168.0.x)
Service: Any

From LAN To VPN
Source: LAN Subnets
Destination: SRV-APP Public IP (=Address Object >> Host 1.2.3.4 - Zone: VPN)
Service: "Service SRV-APP" (=Service Object >> TCP 4000)

From VPN To LAN
Source: LAN SITE A (192.168.0.x)
Destination: LAN Subnets (192.168.1.x)
Service: Any
About NAT Rule at Site B
Source Original: LAN Subnets (192.168.1.0/24)
Source Translated: Original
Destination Original: SRV-APP Public IP (=Address Object >> Host 1.2.3.4 - Zone: VPN)
Destination Translated: SRV-APP Private IP (=Address Object >> Host 192.168.0.253 - Zone: VPN)
Service Original: Service SRV-APP (=Service Object >> TCP 4000)
Service Translated: HTTPS
Inbound Interface: Any
Outbound Interface: Any

From the WAN (Internet), I can access the Server on Site A without problem via its Public IP (NAT WAN to LAN); it also works from Site A LAN, still using its Public IP (NAT loopback): https://1.2.3.4:4000 (NAT to local address https://1.2.3.4).
Moreover, I can access from the Site B through the VPN Site to Site to the Server on the Site A with its Local IP Address: https://192.168.0.253
And now I can also access the Server on Site A from Site B via Server Public IP on Site A through the VPN Site to Site: https://1.2.3.4:4000
0
Answers
@JeroLefe did you try to enable a NAT Rule on Site B?
You probably need an Access Rule from LAN to VPN for 4.3.2.1 as destination as well.
--Michael@BWC
The situation is I need to access a Server on "Site A" by using the WAN IP of the Site A from a "Site B" through the VPN Site to Site (between "Site A" and "Site B").
From the WAN (Internet), I can access the Server on "Site A" without problem via its Public IP (NAT WAN to LAN); it also works from "Site A" LAN, still using its Public IP (NAT loopback): https://1.2.3.4:4000 (NAT to local address https://192.168.0.253).
But accessing the Server on "Site A" from "Site B" via Public IP of the Server on "Site A" https://1.2.3.4:4000 does not work through the VPN Site to Site.
Site A : SonicWall TZ 400
WAN : 1.2.3.4
LAN : 192.168.0.x
Server : 192.168.0.253 - https port from the LAN
From the WAN, Server accessible on port number 4000 (NAT from port 4000 to https)
----------------------------
Site B : SonicWall TZ 300
WAN : 4.3.2.1
LAN 192.168.1.x
I can access from the "Site B" through the VPN Site to Site to the Server on the "Site A" with the address https://192.168.0.253 but not from its WAN address https://1.2.3.4:4000
Hi,
I have tried your solution (NAT + ACL) but the result is the same unfortunately...
@JeroLefe having an Access Rule from LAN to WAN means that the traffic is not going over the VPN Tunnel.
It should have worked with the Rules I gave you, except that I messed up the Destination address, it should have been 1.2.3.4 and not 4.3.2.1.
--Michael@BWC
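A simplified model of the two fixes discussed in this thread, showing which path the same request takes under each (added example, not written by any poster and not SonicOS code). The client address 192.168.1.10, the function names, the rule evaluation order and the source NAT to 4.3.2.1 on the Internet path are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses and ports taken from the thread.
SITE_A_LAN = ipaddress.ip_network("192.168.0.0/24")
SITE_B_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE_B_WAN = ipaddress.ip_address("4.3.2.1")
SRV_PUBLIC = ipaddress.ip_address("1.2.3.4")
SRV_PRIVATE = ipaddress.ip_address("192.168.0.253")

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def site_b_nat(pkt, nat_rule):
    """NAT rule at Site B from the answer: 1.2.3.4:4000 -> 192.168.0.253:443."""
    if nat_rule and pkt.src in SITE_B_LAN and pkt.dst == SRV_PUBLIC and pkt.dport == 4000:
        return Packet(pkt.src, SRV_PRIVATE, 443)
    return pkt

def trace(pkt, nat_rule, lan_to_wan_4000):
    """Return (path, packet as the Site A server sees it). Simplified model."""
    out = site_b_nat(pkt, nat_rule)
    if out.dst in SITE_A_LAN:
        # Assumption: only Site A's LAN is a tunnel destination at Site B.
        # Site A rule "From VPN To LAN, Service: Any" then admits the packet.
        return ("vpn-tunnel", out)
    if lan_to_wan_4000 and out.dst == SRV_PUBLIC and out.dport == 4000:
        # Assumption: Site B source-NATs to its WAN IP; Site A's WAN-to-LAN
        # NAT (port 4000 to https) delivers it like any Internet client.
        return ("internet", Packet(SITE_B_WAN, SRV_PRIVATE, 443))
    return ("dropped", out)

# Constructed client on the Site B LAN.
CLIENT = Packet(ipaddress.ip_address("192.168.1.10"), SRV_PUBLIC, 4000)

if __name__ == "__main__":
    for nat_rule, acl in [(False, False), (False, True), (True, False)]:
        path, seen = trace(CLIENT, nat_rule, acl)
        print(f"nat_rule={nat_rule} lan_to_wan_4000={acl}: {path} "
              f"src={seen.src} dst={seen.dst}:{seen.dport}")
```

In this model the source address seen at Site A distinguishes the two paths: 4.3.2.1 for the Internet path, the 192.168.1.x client for the tunnel path.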
I understand.
So, I have created this NAT rule on Site B as you mentioned above:
Also, I have added the access rule LAN to VPN on Site B for 1.2.3.4 as destination as well (WAN IP of the Site A) like this:
But unfortunately I still don't have access to https://1.2.3.4:4000 (Site A WAN IP) from Site B...
I note the NAT rule and the Access rule created above have traffic matches (Traffic Statistics greater than 0).
Do you see any Port 4000 traffic on Site A coming via VPN?
Do you allow Port 400 traffic from VPN to LAN at Site A?
--Michael@BWC
On Site A I have this log entry:
On Site A, do you have an Access Rule from VPN to LAN which allows Port 4000 to 192.168.0.253? ... the reject shown above tells otherwise.
--Michael@BWC
As "TCP connection reject received" is logged on the Site A Sonicwall, that suggests it's 192.168.0.253 which is rejecting this, rather than the Sonicwall itself. A packet capture on Site A Sonicwall should confirm this.
Solved
What was the resolution?
-----
Sorry, ignore this, posts out of order.