Restricting Sonicwall SSL-VPN users for WAN access

Question

Restricting Sonicwall SSL-VPN users for WAN access

Shmid (IS/IT--Management)

(OP)

11 Apr 18 09:59

Hi

Is it possible to allow access to a couple of public IP addresses via the SSL-VPN for remote users, BUT any other WAN access via their own internet?
Reason is that we have two public servers only accessible from one location where the Sonicwall is.

Sonicwall TZ-500 - F/W Ver: 6.2

Thanks
Shmid

Moris53 (TechnicalUser) · Answer 1 · 2018-04-16 02:04:14

I think you can actually do that, but I would like to know how myself.

iggsterman (TechnicalUser) · Answer 2 · 2018-04-16 14:03:10

I have not worked with Sonicwall so I can point you to the direction without specifics. What you are looking for is making sure you are running a split tunnel which means only specified networks (typically inside/LAN subnets) are routed through the tunnel. That will ensure that the remote users will use their own ISP for other (public) networks. You will need to add these specific public IP addresses to the list of split tunnel networks. The VPN will do the rest. To clarify further the VPN will inject routes to those IP addresses in the remote clients' routing tables.

Shmid (IS/IT--Management) · Answer 3 · 2018-04-19 08:51:19

Hi thanks for your help.

The SSL-VPN "Client Routes" has "Tunnel All Mode" and is set to "Enabled". But if I disable it then test showed that the public IP used is the local user internet, but access to servers on the LAN at the destination site works. So it all works except we need remote users to access two public servers from the main site which is blocked from all other public IP's, hence the VPN. These two sites were blocked via VPN on the test as the source public IP is not the correct one. Hope this makes sense!

Not sure if this is possible to achieve.

iggsterman (TechnicalUser) · Answer 4 · 2018-04-19 13:07:10

If the LAN addresses work that means the appliance knows what the LAN IPs are. Add the public addresses there you will be good to go.

Shmid (IS/IT--Management) · Answer 5 · 2018-04-19 13:31:16

The 2 public IP's are only accessible from the destination LAN, as they are only allowing access from the destination public IP, nowhere else. So the VPN connects then is able to see destination LAN devices and able to connect to the internet via clients IP. THis part works great. But because the client Public IP is seen when connecting via VPN and not the destination IP, hence gets blocked because the call to those IP's is coming from the clients public IP address. No need to add a route or access rule as the destination LAN is able to see the 2 IP's. This is the problem!

iggsterman (TechnicalUser) · Answer 6 · 2018-04-19 13:56:02

I keep telling you that ADDING the two IP addresses to the TUNNEL configuration so the VPN clients will receive the two /32 addresses INJECTED into their (clients) routing tables will do the job. The traffic to the two addresses will therefore be sent to the tunnel and not to the ISP, hit your LAN and then sent to the IPs while NATed the same way as your LAN. It is what you need, isn't it?

Shmid (IS/IT--Management) · Answer 7 · 2018-05-02 11:12:32

I spoke to Sonicwall support on two ocassions with two different support agents and both have said this is not possible.
Thanks for you time anyway.

Come Join Us!

Posting Guidelines

Jobs

Restricting Sonicwall SSL-VPN users for WAN access