Wireless Networks Thread, No access to LAN behind SonicWALL in Technical; Hi there, I hope someone may be able to point me in the right direction on this one:
We support ...
23rd April 2008, 02:14 PM #1
No access to LAN behind SonicWALL
Hi there, I hope someone may be able to point me in the right direction on this one:
We support 2 networks at College, one main multi Vlan'd multi domain curriculum/admin network and 1 tiny (1 server and 8 PCs) Accounts network.
Currently the Accounts network use our network for Email, Internet and File Share access through a SonicWALL TZ170.
I would like to be able to remote to their network for support through the SonicWALL and have set a static route on the main layer 3 switch for anything on their network 192.168.1.0/24 to go to 192.168.10.250/23 (WAN interface on SonicWALL).
For testing I've opened all ports from the ICT Dept vlan (192.168.10.0/23) through the SW.
I can try pinging a host on the Accounts network and I get an RTO.
I can check the logs on the SW and it reports that an ICMP request was dropped from my IP address which is weird as I've got all ports open.
Any suggestions would be magic
23rd April 2008, 03:33 PM #2
OK - not 100% sure I have your network clear from this - but I think you are saying you have something like :
Net 1 - +TZ170+- Net 2
With Net1 being 192.168.1.0/24
Net 2 being 192.168.10.0/23
You have said that you have put a route in place so that anything to go to 192.168.1.0/24 should go to 192.168.10.250. If this is the IP address of the interface of the TZ170 on Net 2 then this should allow Net 2 to know how to reach Net1. You dont mention if you have put a route in the other side to let Net 1 know how to reach back to Net2. Both sides will need to know how to route to each other - could this be the problem?
Once the routing is sorted, you will need to ensure that the firewall is allowing the traffic to go through between the networks, but routing should be sorted first.
Does this help at all?
24th April 2008, 12:24 PM #3
Thanks for the advice. You've got the network spot on I've checked the TZ170 and there appears to be a route in place:
192.168.10.0 255.255.254.0 0.0.0.0 WAN
Not sure what the 0.0.0.0 specifies.
We've tried adding a static route back to 192.168.10.0/23 telling in to use the DG of 192.168.1.250 (which the SW's LAN IP) and get a Error: Route message.
Not sure what to do now?
24th April 2008, 02:51 PM #4
OK - it may be worth while PM-ing me with your phone number and we may be able to chat through some of the networking.
Basically we need to add another couple of items to the picture to make it clear what we are talking about.
PC1 - Net1 - TZ170 - Net2 - PC2
Let me assume the following
Net1 = 192.168.1.0/24
PC1 - Ip = 192.168.1.1
TZ170 - IP = 192.168.1.2
Net2 = 192.168.10.0/23
PC2 - IP = 192.168.10.1
TZ170 - IP = 192.168.10.2
The first thing to do is to make sure that there is a route from PC1 to PC2 and back again.
So in a simple world, on PC1, you either needs to have a DG of 192.168.1.2 or it needs to have a route for 192.168.10.0/23 to 192.168.1.2
Similary, on PC2 you either needs to have a DG of 192.168.10.2 or a route for 192.168.1.0/24 to 192.168.10.2
Now, with a routing device (such as a layer 3 switch) you can complicate the matter slightly. If the DG of PC1 or PC2 is the layer 3 switch, then you can put the route for the other network onto the layer 3 device and it will provide the route to the PC on your behalf.
Now, you may run into problems if the routing device is the same for both of your networks. On my configuration, this would cause the routing device to provide a bridge between Network 1 and Network2 and bypass the smoothwall device. This would be a bad thing ;-)
I guess the main question is to clarify the state of play of the IP addresses for the PCs and TZ170 and the DG and routing table for the PCs. This may be more than you are comfortable doing in an open conference, so again - feel free to PM me if you want to chat more privately.
Once the routing is in a state where it should work, then one can move on to the smoothwall configuration and any logs etc.
I hope all this helps.
Thanks to ArchersIT from:
jimothy (28th April 2008)
28th April 2008, 12:14 PM #5
I can't begin to thank you enough!
I've looked through what you have suggested and should be able to clarify a couple of things.
The 2 networks look like this:
Static Route on 192.168.10.1: 192.168.1.0/24 192.168.10.254 (WAN of SW)
DG: 192.168.1.254/24 (LAN of SW)
Route on DG to 192.168.10.0/23 is 0.0.0.0 (seems to be a catch all)
Firewall ports are all open in both directions.
With this setup I have tried pinging from 192.168.10.242 to 192.168.1.1 which is still getting dropped at the SW (I can see this from the logs).
I've tried RDP to 192.168.1.1 which MSTSC shows the logon dialogue box for the PC I'm trying to reach. This works about 1 time out of 5 attempts.
I've since replaced the SW with a Cisco 2605 router and replicated the network settings from above, and guess what?
It works fine, so am I looking at a faulty SW?
Whichever way I'm really grateful for the help and getting the routing working between the networks is going to help no-end.
Many thanks again!
28th April 2008, 01:18 PM #6
OK - from what you have said, especially:
It looks like the routing is sorted.
Originally Posted by jimothy
Next is to work out what is going on with the sonicwall.
Hmm - not sure that this is necessarily the case - the sonicwall is a firewall so is intended to block traffic that it has not been told to allow.
Originally Posted by jimothy
Now - I have not used a sonicwall so cannot give specific advice on how to configure it but...
This sounds like this is intended to drop the traffic to that network. While my routers configure a route to 0.0.0.0 of 192.168.10.254 (for example) this is how they specify a default gateway. I would expect a destination of 0.0.0.0 to mean that the traffic should be dropped.
Originally Posted by jimothy
So, I would expect somewhere in the configuration of the SW is a block for that network which means it remains blocked even though you have opened the ports.
Another option may be that it is just "failing safe" and you need to tell the SW that you are ahppy for traffic to be routed between those networks.
Apologies for not being able to give too much advice on the SW - does this give you enough to help you progress?
By contink in forum Windows
Last Post: 24th June 2007, 11:43 PM
By rusty155 in forum Windows
Last Post: 8th February 2007, 08:15 AM
By wesleyw in forum How do you do....it?
Last Post: 9th November 2006, 09:50 AM
By ben_hampshire in forum Windows
Last Post: 27th April 2006, 11:44 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread