
Domain to domain. Different subnets.

ZoomerZoomer Member Posts: 126
Ok, I have a question about computers on different domains wanting to communicate.

Domain 1 is a 10.0.2.x
Netscreen 25 (firewall) external IP for Domain 1 is 66.92.139.62

Domain 2 is a 192.168.2.x
SonicWall (firewall) external IP for Domain 2 is 66.92.139.59

Now some managers want to be able to connect SQL Server data (or push data to each other) between two servers running SQL Server 2005 on those different subnets.

What would be the best way of going about this? Should I create a static route? That's all I can think of at this time. The Netscreen 25 is old and is a little difficult to configure, but does anyone have any suggestions?

Comments

    PashPash Member Posts: 1,600 ■■■■■□□□□□
    Here is what I would do:

    1. Find out what ports need to be allowed on each netscreen on each end for these SQL services to run.

    2. Write the policies to however you want to maximize security but achieve your desired services end to end.

    3. Routing - Are you planning to create a VPN (recommended)? Are you using NAT? need more info here.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
    sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    SQL communicates on TCP port 1433 by default, so you would need to set up the firewalls to listen for port 1433 traffic from the other host (in other words, don't create an allow all rule for port 1433) and forward that traffic to the internal IP address of the SQL servers. Here is some more detailed information for you that may help:

    http://support.microsoft.com/kb/287932
    All things are possible, only believe.
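    Added example (not from any poster in this thread): a small Python model of the two ways the SQL rule could be written, an allow-all on TCP 1433 versus a rule that admits only the other site's firewall public address. The peer address 66.92.139.59 is the SonicWall WAN IP from the opening post; the sample flows, the rule syntax and the 203.0.113.7 "stranger" (a TEST-NET-3 address) are constructed here and are not ScreenOS or SonicOS configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One permit rule: traffic from `src` to TCP `dst_port` is forwarded to the SQL host."""
    name: str
    src: ipaddress.IPv4Network
    dst_port: int


@dataclass(frozen=True)
class Flow:
    """A connection attempt as seen on the untrust interface (source IP, destination TCP port)."""
    src_ip: str
    dst_port: int


def permitted(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Return the name of the first rule matching the flow, or None (implicit default deny)."""
    addr = ipaddress.IPv4Address(flow.src_ip)
    for rule in rules:
        if addr in rule.src and flow.dst_port == rule.dst_port:
            return rule.name
    return None


# Weak policy: every host on the Internet may talk to the SQL listener.
ALLOW_ALL_1433 = [Rule("sql-any", ipaddress.IPv4Network("0.0.0.0/0"), 1433)]

# Restricted policy: only the peer firewall's public (post-NAT) address may.
# The SonicWall NATs its LAN, so the source seen here is 66.92.139.59, never 192.168.2.x.
PEER_ONLY_1433 = [Rule("sql-from-sonicwall", ipaddress.IPv4Network("66.92.139.59/32"), 1433)]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("66.92.139.59", 1433),  # the legitimate peer firewall
    Flow("203.0.113.7", 1433),   # an arbitrary Internet host probing for SQL
    Flow("66.92.139.59", 3389),  # the peer, but a service the rule does not cover
    Flow("192.168.2.4", 1433),   # the peer's private LAN address; only valid inside a VPN
]


def evaluate(rules: List[Rule], flows: List[Flow] = SAMPLE_FLOWS) -> dict:
    """Map each (source, port) to the matching rule name, or None when dropped."""
    return {(f.src_ip, f.dst_port): permitted(rules, f) for f in flows}


if __name__ == "__main__":
    for label, rules in (("allow-all", ALLOW_ALL_1433), ("peer-only", PEER_ONLY_1433)):
        print(label)
        for key, verdict in evaluate(rules).items():
            print("  ", key, "->", verdict or "DENY")
```

    The difference shows up on the second flow: under the allow-all rule an unknown Internet host reaches the SQL listener, under the peer-only rule it is dropped. The fourth flow is a reminder that private addresses only make sense once a VPN carries them; on the raw Internet path the rule has to match the peer's public NAT address.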
    TechJunkyTechJunky Member Posts: 881
    Many ways to go about this..

    VPN tunnel
    static route
    port traffic'ing

    Choose your pick.
    ZoomerZoomer Member Posts: 126
    Ok, I'm really starting to get aggravated now since I can't seem to see computers on the other domain. Sorry if I sound so green. I'm new to this... :)

    N25
    ethernet1 [trust]= 192.168.1.1/24 layer 3(interface mode NAT) Secondary IP 10.0.2.2 (route among secondary IPs selected)

    ethernet 2 [untrust]= 66.92.139.22/24 layer 3(interface mode route)

    --

    Router LAN gateway 66.92.139.17 subnet mask 255.255.255.240

    --

    SonicWall TZ 170
    WAN port WAN IP Public = 66.92.139.19 /255.255.255.240 [NAT]
    LAN = 192.168.2.254 /255.255.255.0

    Now, what should I be configuring for a static route? The two computers in question are:

    192.168.2.4 behind the Sonicwall
    &
    10.0.2.9 behind the N25

    These are all in the same LAN. Another thing is, from behind the SonicWall I can ping the N25's 66.92.139.22 IP from any system. But behind the N25 I cannot ping the SonicWall's 66.92.139.19.

    Any suggestions?
    PashPash Member Posts: 1,600 ■■■■■□□□□□
    I was tired when I last posted, so take none of what I said to be correct. My fault!

    Now,

    ethernet 2 [untrust]= 66.92.139.22/24 layer 3(interface mode route) I don't think this is a flat /24 mate, especially when your ISP router is /28.

    Let us know what route you are trying to use.

    Btw a VPN would be best here, seeing as you need to use services on another network, otherwise you are going to have to use some VIPs (which map services/ports to particular IPs).
    ZoomerZoomer Member Posts: 126
    It's no problem Pash. Ok, here's the VPN route I tried to create. Note, both LANs are behind the same router.

    On the N25:

    Remote GW: 66.92.139.17
    Remote PC: 192.168.2.8
    Local PC: 10.0.2.8
    Encryption: standard


    On the SonicWall TZ 170:
    IPSec Primary GW Name or address: 66.92.139.17
    Destination networks: 192.168.1.1 and 10.0.2.2

    IKE Phase 1
    exchange: main mode
    DH Group: group2
    encryp: 3DES
    Auth: SHA1

    IPSec phase2
    Protocol: ESP
    encryp: 3DES
    auth: SHA1

    Advanced:
    - enable keep alive checked
    - try to bring up all possible tunnels checked

    Well, I can't connect so I'm probably WAY off somewhere. Again, I'm new to this so bear with me. :)
    PashPash Member Posts: 1,600 ■■■■■□□□□□
    Zoomer wrote:
    It's no problem Pash. Ok, here's the VPN route I tried to create. Note, both LANs are behind the same router.

    On the N25:

    Remote GW: 66.92.139.17
    Remote PC: 192.168.2.8
    Local PC: 10.0.2.8
    Encryption: standard


    On the SonicWall TZ 170:
    IPSec Primary GW Name or address: 66.92.139.17
    Destination networks: 192.168.1.1 and 10.0.2.2

    IKE Phase 1
    exchange: main mode
    DH Group: group2
    encryp: 3DES
    Auth: SHA1

    IPSec phase2
    Protocol: ESP
    encryp: 3DES
    auth: SHA1

    Advanced:
    - enable keep alive checked
    - try to bring up all possible tunnels checked

    Well, I can't connect so I'm probably WAY off somewhere. Again, I'm new to this so bear with me. :)

    Hi Zoomer,

    I can't help with the Sonic Firewall (never used one before). But the NS I can help with. How are you trying to "match" the VPN on the NS? Using route based VPN or policy based? The two are very different, and I would suggest you take time to look at both:

    http://kb.juniper.net/KB4124

    Cheers,
    ZoomerZoomer Member Posts: 126
    I used a policy based VPN similar to the knowledge base link that you gave. I tried pinging from the remote network to the intended destination PC, but it didn't work. I think I've about given up. We'll probably hire a consultant to come in and do it. I guess they were trying to save some money by having me do it, but I'm just too green.

    Thanks for the help though. :)
    PashPash Member Posts: 1,600 ■■■■■□□□□□
    Zoomer, it's never a problem being new to something, but for your own technical gain I would suggest practicing with this stuff.

    Out of curiosity where is your IKE getting to, as in which Phase?
    ZoomerZoomer Member Posts: 126
    Here's a few of the logs I was getting:

    2007-11-19 14:46:09 info IKE<66.92.139.19> Phase 2 msg-id <fc66310e>: Negotiations have failed.
    2007-11-19 14:46:09 info IKE<66.92.139.19> Phase 2: No policy exists for the proxy ID received: local ID (<10.0.2.0>/<255.255.255.0>,<0>,<0>) remote ID (<192.168.2.0>/<255.255.255.0>,<0>,<0>)
    2007-11-19 14:46:09 info IKE<66.92.139.19> Phase 2 msg-id <fc66310e>: Responded to the first peer message.
    2007-11-19 14:45:53 info IKE<66.92.139.19> Phase 2 msg-id <fc66310e>: Negotiations have failed.
    2007-11-19 14:45:53 info IKE<66.92.139.19> Phase 2: No policy exists for the proxy ID received: local ID (<10.0.2.0>/<255.255.255.0>,<0>,<0>) remote ID (<192.168.2.0>/<255.255.255.0>,<0>,<0>)
    2007-11-19 14:45:53 info IKE<66.92.139.19> Phase 2 msg-id <fc66310e>: Responded to the first peer message.
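    Added example (not posted by anyone in this thread): a Python check that reads the NetScreen log lines above, pulls out the phase-2 proxy ID the SonicWall (66.92.139.19) proposed, and compares it with the proxy ID a policy-based VPN on the N25 side would carry. "No policy exists for the proxy ID received" is the responder saying no phase-2 policy matches the proposal field for field. The N25 policy used here (single hosts 10.0.2.8 and 192.168.2.8, any service) is an assumption reconstructed from the configuration Zoomer posted, not a configuration exported from the device; the log lines are copied from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProxyId:
    """An IPsec phase-2 proxy ID (traffic selector) as ScreenOS prints it:
    local network, remote network, IP protocol and port (0 means any)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: int = 0
    port: int = 0

    @classmethod
    def from_cidrs(cls, local: str, remote: str, protocol: int = 0, port: int = 0) -> "ProxyId":
        return cls(ipaddress.IPv4Network(local), ipaddress.IPv4Network(remote), protocol, port)


# Matches the ScreenOS phase-2 failure line; the <...> fields are as written in the log.
LOG_RE = re.compile(
    r"Phase 2: No policy exists for the proxy ID received: "
    r"local ID \(<(?P<lip>[\d.]+)>/<(?P<lmask>[\d.]+)>,<(?P<lproto>\d+)>,<(?P<lport>\d+)>\) "
    r"remote ID \(<(?P<rip>[\d.]+)>/<(?P<rmask>[\d.]+)>,<(?P<rmask2>[\d.]*)>?,?<?(?P<rport>\d*)>?\)"
)


def parse_received_proxy_id(line: str) -> Optional[ProxyId]:
    """Extract the proxy ID the peer proposed from one log line, or None if the line is not that message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    local = ipaddress.IPv4Network((m["lip"], m["lmask"]))
    remote = ipaddress.IPv4Network((m["rip"], m["rmask"]))
    return ProxyId(local, remote, int(m["lproto"]), int(m["lport"]))


def mismatches(received: ProxyId, configured: ProxyId) -> List[str]:
    """Proxy-ID fields on which the peer's proposal and our policy disagree; empty means phase 2 can match."""
    return [name for name in ("local", "remote", "protocol", "port")
            if getattr(received, name) != getattr(configured, name)]


def mirror(p: ProxyId) -> ProxyId:
    """The same selector as the peer has to state it: local and remote swapped."""
    return ProxyId(p.remote, p.local, p.protocol, p.port)


def diagnose(lines: List[str], policy: ProxyId) -> Optional[dict]:
    """For the first proxy-ID failure: what was received, which fields differ from our
    policy, and the selector the peer must be carrying (our mirror image)."""
    for line in lines:
        rx = parse_received_proxy_id(line)
        if rx is not None:
            return {"received": rx, "mismatch": mismatches(rx, policy), "peer_view": mirror(rx)}
    return None


# Assumed N25 phase-2 policy, reconstructed from the post: host 10.0.2.8 <-> host 192.168.2.8.
N25_POLICY = ProxyId.from_cidrs("10.0.2.8/32", "192.168.2.8/32")

# Log lines copied from the thread; the NetScreen is the responder, 66.92.139.19 the SonicWall WAN.
LOG_LINES = [
    "2007-11-19 14:46:09 info IKE<66.92.139.19> Phase 2 msg-id <fc66310e>: Negotiations have failed.",
    "2007-11-19 14:46:09 info IKE<66.92.139.19> Phase 2: No policy exists for the proxy ID received: "
    "local ID (<10.0.2.0>/<255.255.255.0>,<0>,<0>) remote ID (<192.168.2.0>/<255.255.255.0>,<0>,<0>)",
    "2007-11-19 14:46:09 info IKE<66.92.139.19> Phase 2 msg-id <fc66310e>: Responded to the first peer message.",
]

if __name__ == "__main__":
    result = diagnose(LOG_LINES, N25_POLICY)
    print("received :", result["received"])
    print("differs  :", result["mismatch"])
    print("peer side:", result["peer_view"])
```

    Run against the quoted log the check reports that both the local and the remote selector differ: the SonicWall proposed whole /24 networks while the N25 policy only covers two single hosts. Either side has to change so the two selectors are exact mirror images (same networks, same service) before phase 2 will complete; widening the N25 policy to 10.0.2.0/24 and 192.168.2.0/24, or narrowing the SonicWall to the two hosts, are the two consistent fixes.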