I need an expert with practical experience of a Dell

Customer Question

I need an expert with practical experience of a Dell Sonicwall NSA2400 with SonicOS Enhanced 5.8.1.8-57o or Similar firmware.
Two related issues
1. I have another office who use a sonicwall (same type) in their office to link to our Sonicwall with a point to point VPN policy. (VPN-settings-VPN Policies)
2. I have other individual users in remote locations with individual VPN "local users" who connect. (users-Local users)
Currently both of the above come through the same ethernet cable as the general internet which connects to our "servers" switch.
I need to move the 1&2 to a "client" switch. In other words attach another network cable to port X3, X4 or X5 and connect that to a client switch.
I need help setting up/modifying the settings to do this.
This may take some time and I will probably have to leave the chat occasionally.
Submitted: 6 months ago.
Category: Networking
Expert:  Quiksilver07070 replied 6 months ago.

Hello DM, and thank you for choosing JUSTANSWER.com

About your network.....can you provide a simple Network Map?

Showing ALL the network devices....the ports they use, IP addresses, VLANs, server designations (network related such as DHCP), etc etc

Do your best to show the PHYSICAL Layout as well. But it's okay if you can only do a logical drawing.

I await your reply

Customer: replied 6 months ago.
Hi, before I do (this question is going to use a fair bit of your and my time), do you have experience with the NSA2400?
Expert:  Quiksilver07070 replied 6 months ago.

Sure do....in fact I used to SELL them. Along with Cisco ASAs, and Meraki MX series.

In order to BE ABLE to sell them....you had to go through their training courses and become Technician Assistant, along with the SALES side of it. Specs, and sizing, and cost, and future proofing, and so on and so on.

Adding a Switch to a Network isn't too difficult, of course it matters a bit on the complexity of the network, and where in the network the switch is going in....but overall, a switch is one of those network devices, that are Set it....and Forget it.

Customer: replied 6 months ago.
Great. Layout enclosed showing proposed VPN connections.
Expert:  Quiksilver07070 replied 6 months ago.

Okay....so the new client switch should be connected to the SonicWall Directly, instead of passing through the Server Switch.

Can that be changed?

Daisy chaining creates an additional POF (Point Of Failure). But, if you are unable to change it....we can work with it.

So your SSLVPN clients are terminating on the LAN side....correct?

Customer: replied 6 months ago.
Just to be clear I only want the VPN connections to move to X3, X4 or X5. (the general internet still needs to stay in place from firewall to server switch). The client to server connection must stay in place.
The SSLVPN clients terminate on the LAN side.
Expert:  Quiksilver07070 replied 6 months ago.

Okay.....You can leave the connection between Server Switch and Client Switch.....but I urge you to put a connection between Client Switch, and NSA.....Unless I am seeing this already in the diagram in the box labeled Proposed Remote Users (VLAN ID:1)

Is this an actual Networking device? Or are you just showing the location of SSLVPN termination?

Customer: replied 6 months ago.
Proposed Remote Users (Vlan ID:1) is the ethernet cable I need to put in. Connecting the cable is easy, it's the settings on the firewall I need help with to make sure only the VPN connections go over it.
So an external VPN user goes from the internet to the firewall, from the firewall to the client switch and from the client switch to the server switch to connect to a server. (Technically it doesn't make sense to do it this way but trust me, there is a good reason for this)
Expert:  Quiksilver07070 replied 6 months ago.

Okay.

So you just need to decide which port you're using to connect on the NSA to the new client switch.

From there....remote VPN user traffic is tagged, and sent out that port.

Easier said than done I suppose...EH!

There's a few different ways to do this....I'm sure....doing the simplest and most efficient is the goal.

You could create a new VLAN, and tag the VPN traffic as it comes in, to that VLAN which is assigned the port which connects to the client switch.

Expert:  Quiksilver07070 replied 6 months ago.

Are you doing ANY segregation of the network traffic? You mentioned VLAN ID1.....but that is the default VLAN which every node uses.

If you want to control the Remote User traffic, then you should probably place it on a different VLAN. This makes it a WHOLE lot easier to control when they are on their own VLAN.

The exact routes that you want the client to be able to use when they connect to the NetExtender VPN give you complete control over which machines they can connect directly to. Routes for SSLVPN users can be individually controlled, or group controlled, and this is assigned in the Users>LocalUsers>Add User or Edit User>VPNSettings Tab.

Expert:  Quiksilver07070 replied 6 months ago.

No Firewall changes needed.

Place remote Users on different VLAN...try to group your remote users together BY the network resources they need, which will help keep the setup simple.


But about your Server switch......will it be connected to BOTH the NSA, and the client Switch simultaneously? Or are you disconnecting the link between server switch and NSA once you have the client switch in place?

Customer: replied 6 months ago.
Can't edit VLANs, need a different method.
Server switch is and will remain connected to both the nsa and the client switch simultaneously.
Expert:  Quiksilver07070 replied 6 months ago.

Can't edit VLANs?? What the heck? What gives on that?

That's how I would do it, with VLANs.

But it's your network....you know it better than me.

The alternative is to use a subnet.....which would require a router to be the middle man (you only have 1, the NSA) between the server switch and client switch, creating MORE traffic for the NSA to process.

Just create a NEW DHCP Pool for the remote users, on a diff subnet, then you can route that subnet as you wish.

Customer: replied 6 months ago.
Is there no way of just editing the firewall to send the VPN traffic over the X5 interface to the VLAN ID:1 on the client switch?
Expert:  Quiksilver07070 replied 6 months ago.

Okay.....sorry for the delay.

The firewall isn't used for that purpose.

If you must keep the network FLAT, then you should use the NETWORK ACCESS RULES.

You can Allow or Deny by IP address, or User, or Network Service.

Customer: replied 6 months ago.
OK, where do I find NETWORK ACCESS RULES?
Expert:  Quiksilver07070 replied 6 months ago.

Here's the link to the instructions:

http://help.mysonicwall.com/sw/eng/281/ui1/6600/Access/Add_Rule.htm

The path is: Access>Rules>Add New Rule

Customer: replied 6 months ago.
Have you got a web page for the firmware I'm using as that's different?
Expert:  Quiksilver07070 replied 6 months ago.

Okay, I finally found it.

You need to use the SSL VPN Client Routes to restrict access to the SSL VPN remote users.

The link shows the topic in FULL detail, and is for the version 5.8.

Let me know what you think.

http://documents.software.dell.com/sonicos/5.8/administration-guide/ssl-vpn/configuring-ssl-vpn/ssl-vpn-client-routes?ParentProduct=630

Customer: replied 6 months ago.
We are not using SSLVPN. We are using the "VPN" and the "Users-Local Users" tabs on the left hand side.
Expert:  Quiksilver07070 replied 6 months ago.

Ok, then...Remote users must be explicitly granted access to network resources on the Users > Local Users or Users > Local Groups pages. When configuring local users or local groups, the VPN Access tab affects the ability of remote clients using GVC connecting to GroupVPN; it also affects remote users using NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. This is new behavior in SonicOS 5.6 and above. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the “allow” list on the VPN Access tab.

Expert:  Quiksilver07070 replied 6 months ago.

Editing the LOCAL USERS (You can edit local users from the Users > Local Users screen.) that are assigned to your IPSec VPN Users, under the VPN Access Tab (The VPN access tab affects the ability of remote clients using GVC, NetExtender, and Virtual Office bookmarks to access network resources.), you can select the INTERFACE you want to allow the VPN users to use.

That's the simplest I can make it.

Expert:  Quiksilver07070 replied 6 months ago.

See image for VPN Access showing the interface as selection.

Expert:  Quiksilver07070 replied 6 months ago.

Please kindly take a moment to reflect my effort put forth and performance, and RATE me by selecting the STARS (or SMILE FACES), so I can be compensated.

Thank you, ***** ***** a Great Night!
