Restricting Sonicwall SSL-VPN users for WAN access

(OP)
Hi

Is it possible to allow access to a couple of public IP addresses via the SSL-VPN for remote users, BUT any other WAN access via their own internet?
Reason is that we have two public servers only accessible from one location where the Sonicwall is.

Sonicwall TZ-500 - F/W Ver: 6.2

Thanks
Shmid

RE: Restricting Sonicwall SSL-VPN users for WAN access

I think you can actually do that, but I would like to know how myself.

RE: Restricting Sonicwall SSL-VPN users for WAN access

I have not worked with Sonicwall, so I can point you in the direction without specifics. What you are looking for is making sure you are running a split tunnel, which means only specified networks (typically inside/LAN subnets) are routed through the tunnel. That will ensure that the remote users will use their own ISP for other (public) networks. You will need to add these specific public IP addresses to the list of split tunnel networks. The VPN will do the rest. To clarify further, the VPN will inject routes to those IP addresses in the remote clients' routing tables.

RE: Restricting Sonicwall SSL-VPN users for WAN access

(OP)
Hi thanks for your help.

The SSL-VPN "Client Routes" has "Tunnel All Mode" and is set to "Enabled". But if I disable it, then the test showed that the public IP used is the local user's internet, but access to servers on the LAN at the destination site works. So it all works, except we need remote users to access two public servers from the main site, which are blocked from all other public IPs, hence the VPN. These two sites were blocked via VPN on the test as the source public IP is not the correct one. Hope this makes sense!

Not sure if this is possible to achieve.

RE: Restricting Sonicwall SSL-VPN users for WAN access

If the LAN addresses work, that means the appliance knows what the LAN IPs are. Add the public addresses there and you will be good to go.

RE: Restricting Sonicwall SSL-VPN users for WAN access

(OP)
The 2 public IPs are only accessible from the destination LAN, as they are only allowing access from the destination public IP, nowhere else. So the VPN connects, then is able to see destination LAN devices and able to connect to the internet via the client's IP. This part works great. But because the client's public IP is seen when connecting via VPN and not the destination IP, it gets blocked, because the call to those IPs is coming from the client's public IP address. No need to add a route or access rule as the destination LAN is able to see the 2 IPs. This is the problem!


RE: Restricting Sonicwall SSL-VPN users for WAN access

I keep telling you that ADDING the two IP addresses to the TUNNEL configuration, so the VPN clients will receive the two /32 addresses INJECTED into their (clients') routing tables, will do the job. The traffic to the two addresses will therefore be sent to the tunnel and not to the ISP, hit your LAN and then be sent to the IPs while NATed the same way as your LAN. It is what you need, isn't it?
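
To illustrate the routing behaviour this reply describes, here is an added example (not from the thread and not SonicWall code): it models the remote client's routing table under Tunnel All Mode and under split tunnel with and without the two /32 host routes, and reports which source address each destination would see. All addresses are constructed sample values.

```python
import ipaddress

# Constructed sample addresses (not from the thread): the site LAN, the
# site's public egress address that the two servers allow, the two public
# servers themselves, and the remote client's own ISP address.
SITE_LAN = "192.168.10.0/24"
SITE_PUBLIC_IP = "203.0.113.10"
CLIENT_ISP_IP = "198.51.100.25"
PUBLIC_SERVERS = ("192.0.2.5", "192.0.2.6")


def build_client_routes(tunnel_all, split_routes=()):
    """Model the client's routing table as (network, next_hop, metric).
    'isp' is the client's own uplink, 'vpn' the SSL-VPN tunnel adapter."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "isp", 10)]
    if tunnel_all:
        # Tunnel All Mode: a lower-metric default route pushed via the tunnel
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    for prefix in split_routes:
        # Client Routes: only these prefixes are injected via the tunnel
        routes.append((ipaddress.ip_network(prefix), "vpn", 1))
    return routes


def egress_for(destination, routes):
    """Longest-prefix match, ties broken by lowest metric, as a host does."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def source_ip_seen_by(destination, routes):
    """Address the destination sees: the site's NAT address if the packet
    crossed the tunnel and left via the site's WAN, else the client's ISP IP."""
    return SITE_PUBLIC_IP if egress_for(destination, routes) == "vpn" else CLIENT_ISP_IP


def server_accepts(destination, routes):
    """The two servers only accept connections sourced from SITE_PUBLIC_IP."""
    return destination in PUBLIC_SERVERS and source_ip_seen_by(destination, routes) == SITE_PUBLIC_IP


if __name__ == "__main__":
    # Split tunnel with only the LAN: the servers see the client's ISP address.
    lan_only = build_client_routes(False, [SITE_LAN])
    # Split tunnel with the two /32 host routes added, as the reply suggests.
    with_hosts = build_client_routes(False, [SITE_LAN, *(ip + "/32" for ip in PUBLIC_SERVERS)])
    for name, table in (("lan_only", lan_only), ("with_hosts", with_hosts)):
        print(name, server_accepts("192.0.2.5", table), egress_for("198.51.100.200", table))
```

The model covers only the client's route selection; whether the appliance actually forwards and NATs SSL-VPN client traffic back out its WAN to those hosts depends on its own access rules and NAT policy, which this example does not represent.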

RE: Restricting Sonicwall SSL-VPN users for WAN access

(OP)
I spoke to Sonicwall support on two occasions with two different support agents and both have said this is not possible.
Thanks for your time anyway.
