Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Restricting Sonicwall SSL-VPN users for WAN access

Status
Not open for further replies.
Shmid

Shmid

IS-IT--Management
Joined
Apr 11, 2018
Messages
5
Location
ES
Hi

Is it possible to allow access to a couple of public IP addresses via the SSL-VPN for remote users, BUT any other WAN access via their own internet?
Reason is that we have two public servers only accessible from one location where the Sonicwall is.

Sonicwall TZ-500 - F/W Ver: 6.2

Thanks
Shmid
 
Sort by date Sort by votes
I think you can actually do that, but I would like to know how myself.
 
Upvote 0 Downvote
I have not worked with Sonicwall so I can point you to the direction without specifics. What you are looking for is making sure you are running a split tunnel which means only specified networks (typically inside/LAN subnets) are routed through the tunnel. That will ensure that the remote users will use their own ISP for other (public) networks. You will need to add these specific public IP addresses to the list of split tunnel networks. The VPN will do the rest. To clarify further the VPN will inject routes to those IP addresses in the remote clients' routing tables.
 
Upvote 0 Downvote
Hi thanks for your help.

The SSL-VPN "Client Routes" has "Tunnel All Mode" and is set to "Enabled". But if I disable it then test showed that the public IP used is the local user internet, but access to servers on the LAN at the destination site works. So it all works except we need remote users to access two public servers from the main site which is blocked from all other public IP's, hence the VPN. These two sites were blocked via VPN on the test as the source public IP is not the correct one. Hope this makes sense!

Not sure if this is possible to achieve.

 
Upvote 0 Downvote
If the LAN addresses work that means the appliance knows what the LAN IPs are. Add the public addresses there you will be good to go.
 
Upvote 0 Downvote
The 2 public IP's are only accessible from the destination LAN, as they are only allowing access from the destination public IP, nowhere else. So the VPN connects then is able to see destination LAN devices and able to connect to the internet via clients IP. THis part works great. But because the client Public IP is seen when connecting via VPN and not the destination IP, hence gets blocked because the call to those IP's is coming from the clients public IP address. No need to add a route or access rule as the destination LAN is able to see the 2 IP's. This is the problem!


 
Upvote 0 Downvote
I keep telling you that ADDING the two IP addresses to the TUNNEL configuration so the VPN clients will receive the two /32 addresses INJECTED into their (clients) routing tables will do the job. The traffic to the two addresses will therefore be sent to the tunnel and not to the ISP, hit your LAN and then sent to the IPs while NATed the same way as your LAN. It is what you need, isn't it?
 
Upvote 0 Downvote
I spoke to Sonicwall support on two ocassions with two different support agents and both have said this is not possible.
Thanks for you time anyway.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
1K
Johnkite
Johnkite
intel233
  • Locked
  • Question Question
ASA5510 - SSL Cert
Replies
0
Views
767
intel233
intel233
WhosYourDiffie
  • Locked
  • Question Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
424
WhosYourDiffie
WhosYourDiffie
XLNTech1
  • Locked
  • Question Question
iptables port forwarding
Replies
0
Views
854
XLNTech1
XLNTech1
intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233

Part and Inventory Search

Sponsor

Back
Top