
Firewall config

I have a firewall between 2 networks and it is working. I am trying to reach the other side from a subnet that has access to the LAN subnet. How do I configure the firewall to allow other subnets to traverse the connected subnet?

Category: Entry Level Firewalls

Answers

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Garyb

    For that you would have to configure the Access rule accordingly. You can follow the below KB for configuring the Access Rule;


  • shiprasahu93 Moderator
    edited June 2021

    @Garyb,

    If you have the routing on the firewall, the other subnet should also be able to reach it. What zones are the two interfaces on the firewall on?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Garyb Newbie ✭

    To clarify the firewall is connected to 2 LAN networks

    X2- 10.10.201.x

    X3 - 10.172.1.X

    Another subnet, 10.10.100.x, is routed to 10.10.201.x but also needs to reach 10.172.1.x over the firewall.

  • @Garyb,

    What zones are X2 and X3 on and what zone have you created the network 10.10.100.x on?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Garyb Newbie ✭

    X2 is Office LAN zone

    X3 is Plant LAN Zone

    10.10.100.x is Sec_lan zone

  • Then you need to check the access rules between Plant LAN zone and Sec_lan zone and vice versa. If there are no rules, the traffic is denied by default. So you may need to add rules to allow it.

    If the access rules are present, you can do a packet capture to see what could be blocking the traffic.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Garyb Newbie ✭

    Should I add the 10.10.100.X network to interface X2?

  • You have a routing policy on the firewall that explains how 10.10.100.X network can be reached through the interface X2 right?

    If yes, then the firewall understands how it can reach that network. Since the X3 interface is configured on the firewall, it has an automatic route created to reach it.

    So, if the connectivity between the X3 subnet and 10.10.100.X network is not there, it could be due to access rules.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Garyb Newbie ✭

    I am a new to firewalls like this. I have the following route


    Any Sec_Lan Any N/A Any Standard 0.0.0.0 X2 1 4

    The packet monitor shows the packets dropped.  

  • Garyb Newbie ✭

    Here is the packet info:

    Ethernet Header

     Ether Type: IP(0x800), Src=[00:38:df:4f:92:47], Dst=[2c:b8:ed:76:86:26]

    IP Packet Header

     IP Type: ICMP(0x1), Src=[192.168.201.111], Dst=[10.172.1.50]

    ICMP Packet Header

     ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 12084

    Value:[1]

    DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 1:1)

  • Yes, the drop code suggests that it is a policy drop. So, the access rules are missing.

    Please navigate to MANAGE | Rules | Access rules and use the matrix view as below and add the following access rules

    From Office LAN zone to Sec_lan zone

    Action: Allow

    Source: X2 subnet

    Destination: Sec_Lan

    Service: Any

    and also Sec_lan zone to Office LAN zone

    Action: Allow

    Source: Sec_Lan

    Destination: X2 subnet

    Service: Any

    I am telling the zones etc based on the packet capture. You mentioned that the communication issue is between the X3 subnet and Sec_Lan, but this drop is for the X2 subnet and Sec_Lan.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
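The reasoning in the reply above (read the endpoints and drop code out of the packet-monitor record, work out which zone pair the packet crosses, then see whether a rule for that pair exists and which one matches first) can be scripted. The block below is an added example, not from the thread and not SonicWall's own policy engine: the zone map is built from the interfaces and zones the poster listed, the rule model is a simplified first-match table with an assumed implicit deny for any zone pair without a matching rule, and the sample records are constructed in the monitor's format (one uses the 192.168.201.111 source the poster pasted, which falls outside every subnet named in the thread).

```python
"""Added example: parse a SonicWall packet-monitor drop record, map both endpoints
to zones, and evaluate a simplified model of zone-based access rules.
Not SonicWall code; zone map, rule semantics and sample records are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread: X2 = Office LAN, X3 = Plant LAN, and the routed
# 10.10.100.0/24 network placed in its own Sec_lan zone.
ZONE_MAP = {
    "10.10.201.0/24": "Office LAN",
    "10.172.1.0/24": "Plant LAN",
    "10.10.100.0/24": "Sec_lan",
}


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    source: str = "any"    # CIDR or "any"
    dest: str = "any"      # CIDR or "any"
    service: str = "any"   # "any" or the IP protocol name as the monitor prints it, e.g. "ICMP"
    action: str = "allow"  # "allow" | "deny" | "discard"


IP_RE = re.compile(r"IP Type:\s*(\w+)\(0x[0-9a-fA-F]+\),\s*Src=\[([\d.]+)\],\s*Dst=\[([\d.]+)\]")
DROP_RE = re.compile(r"DROPPED, Drop Code:\s*(\d+)\(([^)]*)\),\s*Module Id:\s*\d+\((\w+)\)")


def parse_capture(text: str) -> dict:
    """Extract protocol, endpoints and (if present) the drop code/module from one record."""
    ip = IP_RE.search(text)
    if not ip:
        raise ValueError("no IP header in record")
    pkt = {"proto": ip.group(1), "src": ip.group(2), "dst": ip.group(3),
           "drop_code": None, "drop_reason": None, "module": None}
    drop = DROP_RE.search(text)
    if drop:
        pkt.update(drop_code=int(drop.group(1)), drop_reason=drop.group(2), module=drop.group(3))
    return pkt


def zone_of(ip: str, zone_map=ZONE_MAP) -> Optional[str]:
    """Return the zone whose subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for net, zone in zone_map.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return None


def _in(selector: str, ip: str) -> bool:
    return selector == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


def evaluate(pkt: dict, rules: list, zone_map=ZONE_MAP) -> dict:
    """First matching rule for the packet's zone pair wins; no match -> assumed implicit deny."""
    src_zone, dst_zone = zone_of(pkt["src"], zone_map), zone_of(pkt["dst"], zone_map)
    result = {"src_zone": src_zone, "dst_zone": dst_zone, "verdict": None, "rule": None}
    if src_zone is None or dst_zone is None:
        # The capture does not fit the zone map: check the subnets before the rules.
        result["verdict"] = "unknown-zone"
        return result
    for idx, r in enumerate(rules):  # rules are taken in priority order
        if ((r.from_zone, r.to_zone) == (src_zone, dst_zone)
                and _in(r.source, pkt["src"]) and _in(r.dest, pkt["dst"])
                and r.service.lower() in ("any", pkt["proto"].lower())):
            result.update(verdict=r.action, rule=idx)
            return result
    result["verdict"] = "deny"  # assumption for this model: no rule for the zone pair means deny
    return result


# Constructed record in the monitor's format, with a Sec_lan source pinging Plant LAN.
SAMPLE_SEC_LAN_TO_PLANT = """\
Ethernet Header
 Ether Type: IP(0x800), Src=[00:38:df:4f:92:47], Dst=[2c:b8:ed:76:86:26]
IP Packet Header
 IP Type: ICMP(0x1), Src=[10.10.100.25], Dst=[10.172.1.50]
ICMP Packet Header
 ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 12084
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy)
"""

# The endpoints the poster actually pasted: the source is outside every named subnet.
THREAD_CAPTURE = """\
 IP Type: ICMP(0x1), Src=[192.168.201.111], Dst=[10.172.1.50]
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy)
"""

# What the poster found: a Discard rule sitting above the Allow rule it needed.
RULES_WITH_DISCARD = [Rule("Sec_lan", "Plant LAN", action="discard"),
                      Rule("Sec_lan", "Plant LAN", action="allow")]
RULES_FIXED = [Rule("Sec_lan", "Plant LAN", action="allow"),
               Rule("Plant LAN", "Sec_lan", action="allow")]

if __name__ == "__main__":
    pkt = parse_capture(SAMPLE_SEC_LAN_TO_PLANT)
    for name, rules in (("no rules", []), ("discard first", RULES_WITH_DISCARD), ("fixed", RULES_FIXED)):
        print(name, evaluate(pkt, rules))
    print("thread capture", evaluate(parse_capture(THREAD_CAPTURE), RULES_FIXED))
```

Run it as-is and the three rule sets give deny (no rule), discard (rule 0 wins over the allow below it) and allow, while the thread's own capture reports unknown-zone, which is the cue to verify the subnet before touching rules. Drop code 726 from module "policy" is what the firewall reports for all of these; the script only tells you which rule, or which missing rule, to look at.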

  • Garyb Newbie ✭

    Great! I have access now. I had a discard rule in there. Now I need to control access by LDAP authentication. I have LDAP configured, and the group imported. How do I add it to the rules or interface?


    Thanks,

  • @Garyb,

    Are you using SSO or ULA for identifying the user after which the group that it belongs to could be checked from LDAP?

    There is a field called Users included on the firewall where the group can be selected. But SSO or ULA should be present as well for this to work.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
