Hey Ben,

They (Sonicwall) thought of that but they still couldn't get the packets to pass correctly. There is a way to do it, but it would be problematic at best, so we've decided to pursue this from another angle.

One: we're looking to replace our firewall with something more flexible. Sonicwall devices have a tendency to work only with other Sonicwall devices. We've experienced that recently when trying to establish a VPN from a TZ170 to a Cisco router: the VPN would connect but no packets were passing.

Two: We are pursuing Paciolan to give us a temporary license for the server software that normally costs 20K for us to use for this one event.

We'll see what happens from here. Thanks for your time, sir.

Tom

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 25, 2008 5:51 PM
To: NT System Admin Issues
Subject: Re: VPN Issue

On Tue, Mar 25, 2008 at 3:31 PM, Tom Strader <[EMAIL PROTECTED]> wrote:
> ... application server ... handhelds must have a
> static IP on the same subnet as the application server.

Call the application vendor and tell them to fix their crappy software or you'll switch to the competition.

> Any assistance would be appreciated. I was thinking it could be done using
> CIDR maybe??

CIDR alone won't help you, as the application server will think everyone on the CIDR subnet is on the local broadcast domain, and try to ARP for them, rather than sending packets to the gateway.

You might be able to do something with static host routes. On the server, you'd have to add a host route to each handheld, with the gateway being the VPN gateway/router. Not sure this would work. It makes my head hurt.

It might be possible to use static one-to-one NAT between sites, and I think that would be better if so. For example: Make the main site 10.1.1.0/24. Make the remote site 10.2.2.0/24. Route and VPN between them as normal. Put the handhelds at the remote site on 10.2.2.32/28. Have the intermediate gateways translate 10.2.2.32/28 to 10.1.1.32/28 and back again. Also have the gateway for the main site do proxy ARP for the handhelds at the remote.

This won't work if the IP payload embeds the handheld IP address, but a lot of applications just grab it from the IP headers.

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
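The one-to-one NAT layout Ben sketches, worked through as an added example that is not part of the thread and not anyone's production config. It models the translation with Python's `ipaddress` module and generates the commands for the main-site gateway. It assumes a Linux gateway with iptables (the NETMAP target) and iproute2 in place of the Sonicwall, a route-based VPN that appears as an interface, a made-up app server address 10.1.1.10, and made-up interface names `eth0` (LAN) and `tun0` (VPN); the subnets are the ones from the e-mail.

```python
"""Added example, not from the thread: model of the static 1:1 NAT scheme.

Assumptions (not in the e-mail): Linux gateway with iptables NETMAP and
iproute2 instead of the Sonicwall; app server at 10.1.1.10; interface names
eth0 (LAN) and tun0 (VPN). Subnets are the ones Ben proposed.
"""
import ipaddress

MAIN_SITE = ipaddress.ip_network("10.1.1.0/24")
REMOTE_SITE = ipaddress.ip_network("10.2.2.0/24")
HANDHELDS_REAL = ipaddress.ip_network("10.2.2.32/28")     # what the handhelds really use
HANDHELDS_VIRTUAL = ipaddress.ip_network("10.1.1.32/28")  # what the app server sees


def netmap(addr, src_net, dst_net):
    """Static 1:1 translation the way iptables' NETMAP does it: keep the
    host bits, swap the network bits. Works in either direction."""
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs two networks of the same size")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def server_will_arp(server_ip, prefixlen, dst):
    """Why 'just use CIDR' fails: a destination inside the server's own
    subnet is treated as on-link, so the server ARPs for it instead of
    sending the packet to its gateway."""
    iface = ipaddress.ip_interface(f"{server_ip}/{prefixlen}")
    return ipaddress.ip_address(dst) in iface.network


def main_gateway_rules(lan_if="eth0", vpn_if="tun0"):
    """Commands for the main-site gateway, the only box that translates.
    The remote gateway just routes 10.2.2.0/24 <-> 10.1.1.0/24 over the VPN."""
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        # The gateway's own route for the virtual range must leave via the
        # VPN, not the LAN: Linux only answers a proxy-ARP entry when the
        # target's route exits a different interface than the request came in on.
        f"ip route add {HANDHELDS_VIRTUAL} dev {vpn_if}",
        # server -> handheld: rewrite dst 10.1.1.3x to 10.2.2.3x before routing
        f"iptables -t nat -A PREROUTING -i {lan_if} -d {HANDHELDS_VIRTUAL} "
        f"-j NETMAP --to {HANDHELDS_REAL}",
        # handheld -> server: rewrite src 10.2.2.3x to 10.1.1.3x on the way out
        f"iptables -t nat -A POSTROUTING -o {lan_if} -s {HANDHELDS_REAL} "
        f"-j NETMAP --to {HANDHELDS_VIRTUAL}",
    ]
    # Answer the server's ARP requests for every virtual handheld address.
    rules += [f"ip neigh add proxy {ip} dev {lan_if}" for ip in HANDHELDS_VIRTUAL.hosts()]
    return rules


def payload_embeds_address(payload, addr):
    """Ben's caveat as a quick check on a captured application payload: does it
    carry the handheld's address (dotted text or raw bytes) above the IP
    header? If so, 1:1 NAT will break the application."""
    addr = ipaddress.ip_address(addr)
    return str(addr).encode() in payload or addr.packed in payload


if __name__ == "__main__":
    print(netmap("10.2.2.35", HANDHELDS_REAL, HANDHELDS_VIRTUAL))   # 10.1.1.35
    print(server_will_arp("10.1.1.10", 24, "10.1.1.35"))            # True
    print("\n".join(main_gateway_rules()))
    # Constructed sample payload, not captured traffic.
    print(payload_embeds_address(b"HELLO scanner 10.2.2.35 ready", "10.2.2.35"))  # True
```

Run `main_gateway_rules()` to see the full command list before typing anything into a real box. The translation is placed on the main-site gateway only, so the VPN selectors stay the plain 10.1.1.0/24 <-> 10.2.2.0/24 pair and the remote gateway needs no NAT at all. The extra `ip route` line is the part that is easy to miss: without it the gateway's own connected route for 10.1.1.0/24 points back at the LAN and its proxy-ARP entries never answer the server. Before committing to this, capture a session between a handheld and the server and feed the application payload to `payload_embeds_address()`; a hit means the software carries its own copy of the address and NAT will not save you.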
