How can I allow ssl vpn user to access the remote network across site to site vpn?
06/17/2022 3,347 People found this article helpful 511,958 Views
Description
This article explains how to allow SSLVPN user to access the remote network across site to site VPN.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- Click Network | IPSec VPN | Rules and Settings.
- Make sure the SSLVPN IP pool is added to the local network in Site to Site Tunnel configuration on SonicWall A and in the remote network (in VPN Zone) in SonicWall B.
- Add a client route to the SonicWall B network under:
a) Click Network | SSLVPN | Client settings | Edit Profile | Client Routes:
- Click Device | Users | Local Users & Groups in the top navigation menu.
- Add the same VPN network under the user which connects over SSL VPN and add the SSLVPN IP Pool under the VPN Access tab.
- Reconnect NetExtender / Mobile Connect and test the access.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- Click Manage in the top navigation menu.
- Make sure the SSLVPN IP pool is added to the local network in Site to Site Tunnel configuration on SonicWall A and in the remote network (in VPN Zone) in SonicWall B.
- Add a client route to the SonicWall B network under:
a) Click Manage in the top navigation menu. Click SSL VPN | Client Settings | Edit profile | Client Routes Tab:
- Click Manage in the top navigation menu.
- Add the same VPN network under System Setup | Users | edit the user or user group which connects over SSL VPN under the VPN Access tab.
- Reconnect NetExtender / Mobile Connect and test the access.
NOTE: Now when that user will try to access any computer with 1.1.1.x network he will be able to access that.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
- Make sure the SSLVPN IP pool is added to the local network in site to site tunnel configuration on SonicWall A and in the remote network (in VPN Zone) in SonicWall B.
- Add a client route to the SonicWall B network under:
a) SSL VPN | Client Settings | Edit profile | Client Routes Tab in Firmware 5.9 and 6.2:
b) SSL VPN | Client Routes in Firmware 5.8 and 6.1:
- Add the same VPN network under Users | edit the user or user group which connects over SSL VPN | VPN Access Tab.
- Reconnect NetExtender / Mobile Connect and test the access.
NOTE: Now when that user will try to access any computer with 1.1.1.x network he will be able to access that.
If it is not possible to change the Site to Site VPN Tunnel
If it is not possible to modify the currently active VPN Site to Site tunnel it is always possible to perform a NAT of the SSLVPN range.
Configure the SSLVPN like the examples above and add a NAT policy.
In the example above:
SSL Scope is the SSLVPN Address Range configured in SSLVPN Client Settings
Translated Source is the NAT applied to the incoming packets translated with X0 IP (in a scenario in which the X0 Subnet is the subnet already active in the Site to Site tunnel)
Original Destination is the remote VPN Subnet
Keep in mind that the NAT solution will works only when the traffic is originated from SSL VPN Client to the remote network.
It is not possible to originate the traffic from Chicago LAN due to the routing of the firewall.
Related Articles
Categories
Was This Article Helpful?
YESNO