Sorry for not answering

natureboy99 · ‎03-30-2016

I have a SonicWall TZ400 that sits behind a Cisco 819 4G router (provided by my ISP). I am trying to set up the SonicWALL GLobal VPN Client so that I can extend the LAN side of the SonicWall for remote users. The Global VPN CLient works just fine if the client is connecting from another LAN port on the Cisco router, so I am pretty sure I have the SonicWall device/client software configured correctly. However, the client never connects if I am connecting from any outside internet connection (the WAN side of the Cisco).

So the Cisco is not passing VPN traffic from the WAN to the LAN. I believe this is a NAT issue. THe logs on the SonicWall indicate that it receives the ISAKMP request, and eventually has an IKE Responder: Remote party timeout message.

I have some familiarity with command-line Cisco configurations, but I am unsure what I need to do here to allow traffic through. If anyone could assist I would greatly appreciate it. For discussions sake, lets say the WAN side of the SonicWall is 1.2.3.4 and the LAN side is 192.168.99.0/24.

luisram2 · ‎03-30-2016

How is the Nat configuration on the Cisco device? do you have port forwarding or a one to one translation?

For an IPSec VPN tunnel you will need to make sure the ports UDP 500 and 4500 are open, normally the SSL clients will work on port 443 TCP and UDP so if you are not being able to connect from outside the problem should be on the way those ports are open.

If you don't handle the Cisco router let your ISP now you need those ports open.

Let me know if that helps

natureboy99 · ‎03-30-2016

Hello,

Thank you for your reply. I forwarded those ports to the SonicWall but that did not appear to change anything. Not sure what to try next. This should be a very simple setup, the Cisco was provided by my ISP and I only want it to pass traffic through to the SonicWall. I'll post the config on the Cisco in the morning.

Dennis Mink · ‎03-30-2016

is there some sort of logging on the sonic FW to verify that the VPN requests are actually it?

also, what protocol is it using for VPN? pptp? ipsec, tls?

cheers

Please remember to rate useful posts, by clicking on the stars below.

natureboy99 · ‎03-31-2016

Sorry for not answering sooner, unrelated issues took all of my time today.

This is a ipsec vpn.

Interestingly, before the upgrade that gave me this Cisco router, I had a site-to-site VPN set up between two pfSense firewalls (OpenVPN), and it worked perfectly. Now they cannot connect either. It appears that the Cisco is not passing any VPN traffic.

The way I got into this mess is Verizon 'upgraded' my service from a T1 line to a faster connection, that came with the Cisco 819. I am nearly certain that the Cisco is not passing VPN traffic between WAN and LAN, as if I connect a separate subnet to the LAN side of the Cisco, the VPN connection works. I still need to post the Cisco config, will do that tomorrow morning when I am back at the office.

Dennis Mink · ‎03-31-2016

open the router up for UDP port 500 (ISAKMP) and protocols 50 and 51 (ESP and AH).

once you configure an access list that allows these 3, log it and see if it gets hit. or just to a permit any any based on the source IP address of the remote and that is trying to connect to you.

obviously you will need to do a static NAT to send these protocols to your Sonic FW

Please remember to rate useful posts, by clicking on the stars below.

natureboy99 · ‎04-15-2016

I am sorry for the late reply. I got pulled out of town for several weeks, and am now back trying to solve the problem. I shall create a new thread with my current configuration, as well as a better explanation of the problem.

Cisco 819 not allowing VPN access - need help