Outbound Ports We have this firewall in our office, 3CR870-95. I am having problems running my VPN client from inside to outside. I need to open ports 50,51, and 500. I was able to add them manually but for some reason I still could not get my sonicwall vpn client to go through this firewall out to my servers thru a vpn session. Is there something I am missing?
Right... well, first thing is that you don't need to open ports 50 or 51. IPSec VPNs use PROTOCOL (not port) 50 and 51.
The good news is that if you allow IPSec through the 3CR870 it will automatically sort those protocols for you. So for inside->outside you need to go to PC privileges and make sure your PC has permission to do that - I can't remember whether you get the option to select "IPSec" or whether you just need to open UDP port 500. Note that it's UDP not TCP (default is that all PCs on the network can do everything outbound anyway!)
Secondly - the 3CR870 has its own VPN servers built-in. In order to run an IPSec VPN through from the LAN to the internet you need to make sure that the built-in IPSec server is turned off.
Go to the VPN section of the GUI and make sure that IPSec (and L2TP-over-IPSec) are disabled.
If none of that helps, try enabling UDP port 4500 outbound too - most IPSec implementations support NAT-Traversal protocol but you need to allow that additional UDP port.
If you're still having problems, I suggest you then raise the issue in the VPN forum (forums->broadband tech->virtual private networking) and post the logs from both ends of the connection if you can (you probably want to obfuscate the IP addresses in some way though)... and you'll need to also tell that forum what hardware/software the remote end is using.
Hope that helps,
Thanks so much for your help. OK, the problem was the internal VPN server in the 3CR870. As soon as I turned off IPsec and L2TP my client in the LAN was successfully able to connect to our remote Sonicwall VPN and establish a connection through the 3CR870. HOWEVER, I am pretty certain that the 2-3 folks that connect into the office (outside - inside) through the 3CR870 are now hosed. I wont know until this weekend when they attempt it but it is my assumption they probably wont be able to establish an outside in connection to the 3CR870? Any advice you can provide here would be hugely appreciated. THANK YOU!