
I need to figure out a way to allow access to two LAN subnets on a SonicWall NSA 220 through the built-in SonicWall GlobalVPN server. I've Googled and tried everything I can think of, but nothing has worked. The SonicWall NSA management web interface is also very unorganized; I'm probably missing something simple/obvious.

There are two networks, called Network A and Network B for simplicity, with two different subnets. A SonicWall NSA 220 is the router/firewall/DHCP Server for Network A, which is plugged into the X2 port. Some other router is the router/firewall/DHCP server for Network B. Both of these networks need to be managed through a VPN connection.

I set up the X3 interface on the SonicWall to have a static IP in the Network B subnet and plugged it in. Network A and Network B should not be able to access each other, which appears to be the default configuration. I then configured and enabled VPN.

The SonicWall currently has the X1 interface setup with a subnet of 192.168.1.0/24 with a DHCP Server enabled, although it is not plugged in. When I VPN into the SonicWall, I get an IP address supplied by the DHCP Server on the X1 interface and I can access Network A remotely although I do not have access to Network B.

How can I allow access to both Network A and Network B to VPN clients, yet keep devices on Network B from accessing Network A and vice versa?

Is there some way to create a VPN-only subnet (something like 10.100.0.0/24) on the SonicWall that can access Network A and Network B without changing the current network configuration or allowing devices on both networks to "see" each other? How would I go about setting this up?

Diagram of the network: (Hopefully this kind of helps)

       WAN1                                    WAN2
        |                                       |
[ SonicWall NSA 220 ]-(X3)-----------------[ Router 2 ]
        |                                       |  
       (X2)                               192.168.2.0/24
    10.1.1.0/24

Any help would be greatly appreciated!

Rain
    Is router 2 just a router, or is it also a stateful firewall? – SpacemanSpiff Nov 24 '12 at 21:08
  • Router 2 is a stateful firewall, although this shouldn't matter. If I SSH into the SonicWall, I can ping devices on `Network B`. The X3 port on the SonicWall is actually plugged into a switch that Router 2 is also connected to. – Rain Nov 24 '12 at 21:28
  • Sure, that's because the Sonicwall has an interface directly in the 2.0/24 network that you can get a direct ARP response from. I'm trying to figure out how to use a dedicated subnet on the Sonicwall just for GlobalVPN clients... you will need to add a static route onto RT2 for that subnet, I just don't see how to create it just yet. I think a new zone, with a loopback interface in that zone would do it. – SpacemanSpiff Nov 24 '12 at 21:30
  • I wish I could fully prove this out for you, but I'm fairly certain the answer to your problem will be under the "DHCP over VPN" configuration section under VPN – SpacemanSpiff Nov 24 '12 at 21:45
  • I've tried every permutation of settings in the "DHCP over VPN" section. I find it interesting that there is a `VPN` zone pre-configured but it simply shares the `LAN` Subnet (on `X1`, in this case). `Network A` is currently accessible, although `Network B` and even the `X3` Interface IP are not. – Rain Nov 24 '12 at 22:40
  • Yes, you'd need to add network B as a network object and then give the user's group access to it. Still a little unclear here... might be worth a ticket to sonicwall – SpacemanSpiff Nov 24 '12 at 23:10

1 Answer

The problem was not that VPN clients could not access the X3 network; any LAN device on the Sonicwall could not access the X3 network. Once a NAT entry was created to properly translate the source/destination of the packets destined for the X3 network, everything worked fine. This is also described in a bit more detail in this question: Sonicwall routing between multiple subnets on multiple interfaces

Rain
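The following is an added illustration, not code from the question or the answer: a small routing model of the diagram above that shows why the return path is the problem. A VPN client on the X1 subnet (192.168.1.0/24) can send a packet out X3 to a host on Network B, but that host's reply goes to Router 2, which has no route back to 192.168.1.0/24 and forwards it to WAN2. Translating the source to the X3 interface address (the NAT entry from the answer) keeps the reply on the 192.168.2.0/24 subnet, and a static route on Router 2 (the alternative SpacemanSpiff mentions in the comments) works too. The X3 address 192.168.2.254 and the host/client addresses are constructed assumptions; the subnets come from the question.

```python
"""Routing/NAT model for the SonicWall X1/X2/X3 layout in the question.

Added example, not from the original post. Interface addresses below
(X3 = 192.168.2.254, client 192.168.1.10, Network B host 192.168.2.20)
are constructed assumptions; the three subnets are from the diagram.
"""
import ipaddress
from dataclasses import dataclass

VPN_NET = ipaddress.ip_network("192.168.1.0/24")   # X1: GlobalVPN client pool
NET_A = ipaddress.ip_network("10.1.1.0/24")        # X2: Network A
NET_B = ipaddress.ip_network("192.168.2.0/24")     # X3: Network B (Router 2's LAN)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

X3_IP = ipaddress.ip_address("192.168.2.254")       # assumed SonicWall X3 address
VPN_CLIENT = ipaddress.ip_address("192.168.1.10")   # constructed VPN client
NET_B_HOST = ipaddress.ip_address("192.168.2.20")   # constructed host on Network B


@dataclass
class Hop:
    """A router with a list of (prefix, egress label) routes."""
    name: str
    routes: list

    def next_hop(self, dst):
        """Longest-prefix match; returns the egress label or None."""
        matches = [(net, via) for net, via in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


SONICWALL = Hop("SonicWall NSA 220",
                [(VPN_NET, "X1"), (NET_A, "X2"), (NET_B, "X3"), (DEFAULT, "WAN1")])
# Router 2 only knows its own LAN and a default route; it has never heard of X1's subnet.
ROUTER2_ROUTES = [(NET_B, "LAN"), (DEFAULT, "WAN2")]


def vpn_to_network_b(snat_on_x3: bool, router2_static_route: bool = False):
    """Trace a VPN client's packet to a Network B host and the host's reply.

    Returns (reply_reaches_client, path) where path is a list of hop descriptions.
    snat_on_x3: the NAT policy from the answer (source rewritten to the X3 address).
    router2_static_route: the alternative fix, a route on Router 2 for the VPN subnet via X3.
    """
    path = []
    routes = ROUTER2_ROUTES + ([(VPN_NET, "X3")] if router2_static_route else [])
    router2 = Hop("Router 2", routes)

    # Forward direction: the SonicWall has X3 directly in 192.168.2.0/24, so delivery works.
    egress = SONICWALL.next_hop(NET_B_HOST)
    src = X3_IP if snat_on_x3 else VPN_CLIENT
    path.append(f"SonicWall -> {egress}: src={src} dst={NET_B_HOST}")

    # Reply direction: an on-subnet destination is delivered by ARP, anything else goes
    # to the host's default gateway (Router 2), which then makes its own lookup.
    if src in NET_B:
        path.append("reply delivered directly to X3; SonicWall un-NATs it to the client")
        return True, path
    via = router2.next_hop(src)
    path.append(f"reply to {src} handed to Router 2 -> {via}")
    return via == "X3", path


if __name__ == "__main__":
    for snat, static in ((False, False), (True, False), (False, True)):
        ok, path = vpn_to_network_b(snat, static)
        print(f"SNAT={snat} static_route={static}: {'works' if ok else 'fails'}")
        for step in path:
            print("   ", step)
```

Running it prints the three cases: no SNAT and no static route fails (Router 2 sends the reply out WAN2), while either fix makes the reply reach the client. The same reasoning explains the first comment exchange: pinging from the SonicWall itself worked because the packets already carried an X3-subnet source address.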