VPN: Unable to access DMZ hosts in Transparent Mode through Site to Site VPN (SonicOS Standard)
03/26/2020
DESCRIPTION: VPN: Unable to access DMZ hosts in Transparent Mode through Site to Site VPN (SonicOS Standard).
A special configuration is required when terminating a VPN to a LAN / DMZ in transparent mode using SonicOS Standard or Firmware 6.X. On these firmware versions, the routing table does not properly accommodate address ranges for the tunnel.
When using DMZ in Standard Mode, an IP address range is typically specified for a group of hosts located on the DMZ. Specifying an address range in this manner does not generate a typical network address and subnet mask combination in the routing table. As a result, routing to some or all of the addresses in the range fails through a VPN that terminates on the DMZ.
Resolution or Workaround:
To overcome this problem, each IP address on the DMZ must be entered individually in the DMZ Addresses. This forces each host address to be listed with a 32-bit subnet mask in the routing table. Additionally, the host addresses of the servers must be entered individually (with a 32-bit subnet mask) in the SA Destination Network field on the other SonicWall.
This is not a problem in SonicOS Enhanced. SonicOS Enhanced allows configuration of subnet ranges for VPN configurations.
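The workaround above, as an added example that is not part of the original article or SonicWall's own tooling: a Python helper that shows why a host range rarely equals one network address and subnet mask pair, and that produces the individual 32-bit host entries to type into DMZ Addresses and into the SA Destination Network on the other SonicWall. The sample range (from the 192.0.2.0/24 documentation block), the function names and the `limit` bound are assumptions made for illustration.

```python
import ipaddress

HOST_MASK = "255.255.255.255"  # the 32-bit subnet mask the workaround calls for


def parse_range(text):
    """Parse 'first-last' into two IPv4Address objects, rejecting reversed ranges."""
    first_s, sep, last_s = text.partition("-")
    if not sep:
        raise ValueError("expected 'first-last'")
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip())
    if last < first:
        raise ValueError("range end is below range start")
    return first, last


def covering_networks(text):
    """Network/mask pairs needed to cover the range exactly (often more than one)."""
    first, last = parse_range(text)
    return [(str(n.network_address), str(n.netmask))
            for n in ipaddress.summarize_address_range(first, last)]


def host_entries(text, limit=256):
    """One (address, 32-bit mask) pair per host, as the workaround requires."""
    first, last = parse_range(text)
    count = int(last) - int(first) + 1
    if count > limit:  # hypothetical safety bound against pasting a huge range
        raise ValueError(f"{count} hosts exceeds limit of {limit}")
    return [(str(first + i), HOST_MASK) for i in range(count)]


if __name__ == "__main__":
    dmz_range = "192.0.2.10-192.0.2.14"  # constructed sample range
    print("Range expressed as network/mask pairs:")
    for net, mask in covering_networks(dmz_range):
        print(f"  {net} {mask}")
    print("Individual host entries (DMZ Addresses and remote SA Destination Network):")
    for addr, mask in host_entries(dmz_range):
        print(f"  {addr} {mask}")
```

Use the same host list on both sides so the remote SA Destination Network matches the DMZ Addresses entries exactly.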