Allow VPN client through UTM

Hi there.

I have a host machine with Sonicwall Global VPN Client installed on it that can't connect to the peer/destination. The network map looks something like this:

Host >>> UTM >>> Cisco ASA >>> Internet >>> VPN Target

I've been looking at this problem for a few days, configuring host/IP/port specific rules, and eventually I put an [ any source / any destination / any service - permit ] outgoing rule on the UTM... but still no dice.

I have checked the live logs but the host's IP isn't showing up at all as a source, despite it continually attempting to establish a connection, which leads me to believe that there's something else at play that I don't know about. The host IP shows up intermittently but as a destination - the log entry looks something like this: Source = <UTM internal IP>, Service = ICMP, Destination = <host IP>, Action = dropped.

I have no issues if the host is situated between the UTM and the ASA (i.e. bypassing the UTM entirely, and with a different IP address, gateway, etc. configured of course) so the UTM seems to be causing the roadblock. In both cases the client tries to use ports 500 and 4500, but I made sure to allow these and they are reportedly in use already (probably by the ASA) so it uses dynamic ports instead. The Sonicwall GVC connects by IP address, so I don't think it's a DNS issue.

Can anyone signpost me in the right direction or say if there's a glaringly obvious setting I've missed?



  • Hi,

    "In both cases the client tries to use ports 500 and 4500."

    I thought the SonicWALL clients were SSL VPN, but those are ports used by IPsec.  If you are using IPsec, you might well have issues with NAT.  What shows up in the SonicWALL IPsec log when this problem occurs?

    Also, when posting lines from the logs, be sure to copy the complete line and not just describe what you're seeing.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
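The two posts above boil down to one triage question: does the host ever reach the UTM as a source on UDP/500 (IKE) and UDP/4500 (NAT-T), and if so, what verdict does the firewall give? The script below is an added example, not part of this thread and not a Sophos or SonicWALL tool. It assumes a simple `key=value` log line format modelled on the Source/Service/Destination/Action fields the poster describes (the real UTM export format differs), and all addresses in the sample lines are constructed.

```python
"""Triage constructed firewall log lines for an IPsec client that never reaches its peer.

Added example, not from the thread. The 'key=value' line format is an assumption,
not Sophos UTM's actual log format. IKE runs on UDP/500 and NAT-T on UDP/4500.
"""
import ipaddress
import re
from collections import Counter

IPSEC_PORTS = {500: "IKE", 4500: "NAT-T"}

# RFC 1918 ranges, used to tell "local" from "public" addresses the way Bob's
# obfuscation examples (10.x, 172.2x, 192.168.x) do.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (hypothetical addresses; not taken from the thread).
SAMPLE_LOG = """\
src=192.168.10.50 dst=203.0.113.7 proto=udp sport=500 dport=500 action=drop
src=192.168.10.50 dst=203.0.113.7 proto=udp sport=4500 dport=4500 action=drop
src=192.168.10.1 dst=192.168.10.50 proto=icmp action=drop
src=192.168.10.50 dst=203.0.113.7 proto=udp sport=51234 dport=4500 action=allow
src=10.0.0.9 dst=198.51.100.3 proto=tcp sport=44321 dport=443 action=allow
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'key=value ...' into a dict; port fields become ints when present."""
    fields = dict(LINE_RE.findall(line))
    for key in ("sport", "dport"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def is_rfc1918(ip):
    """True for private (RFC 1918) addresses, i.e. the ones that are 'local' here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(log_text, host_ip):
    """Summarise what the log says about one host's IPsec attempts."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    as_src = [e for e in entries if e.get("src") == host_ip]
    as_dst = [e for e in entries if e.get("dst") == host_ip]
    ipsec = [e for e in as_src if e.get("proto") == "udp" and e.get("dport") in IPSEC_PORTS]
    verdicts = Counter((IPSEC_PORTS[e["dport"]], e["action"]) for e in ipsec)
    peers = sorted({e["dst"] for e in as_src})
    return {
        "seen_as_source": len(as_src),
        "seen_as_destination": len(as_dst),
        "ipsec_verdicts": dict(verdicts),
        "peers": [(p, "local" if is_rfc1918(p) else "public") for p in peers],
    }


def findings(summary):
    """Turn a triage summary into hints, in the order an admin would check them."""
    hints = []
    if summary["seen_as_source"] == 0:
        # The poster's situation: no source entries at all means the packets are
        # not arriving at the UTM, so routing/gateway comes before rule tuning.
        hints.append("host never appears as a source: check its gateway/route to the UTM first")
    for (proto, action), n in sorted(summary["ipsec_verdicts"].items()):
        if action == "drop":
            hints.append(f"{n} {proto} packet(s) dropped: inspect the matching firewall/NAT rule")
    for peer, kind in summary["peers"]:
        if kind == "local":
            hints.append(f"peer {peer} is RFC 1918: a VPN endpoint should normally be public")
    return hints


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "192.168.10.50")
    print(result)
    for hint in findings(result):
        print("-", hint)
```

Running it on the constructed lines reports the host as a source three times, two dropped IKE/NAT-T attempts and one allowed NAT-T flow on an ephemeral source port (the dynamic-port fallback the poster mentions). Feeding it a host that never appears as a source yields only the routing hint, which matches the thread's diagnosis that the problem sits before the rule base.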