Wednesday, January 13, 2021

Limited access over a VPN tunnel to and from AWS

Hi,

I've got a weird one. The short of it is, we have a VPN tunnel from our office to a demo environment in AWS. It's a pretty basic setup.

  • We've used the built-in utility on our SonicWALL to configure the VPN.
  • On the Amazon side of things, we have a public and private subnet.
  • Security groups are allowing all access from our LAN on both subnets.
  • Firewall rules are on the SonicWALL to allow all traffic from our AWS subnet.
  • In AWS, I can ping any service that should be pingable, like our firewall or a NAS device.
  • In AWS, I can verify open ports to any port that should be open, like 80 on a NAS or our management port on the SonicWALL.
  • On the LAN, I can ping any service that should be pingable, like the servers we've deployed.
  • On the LAN, I can't verify open ports to any port that should be open, like RDP.
  • In AWS, even though I can ping and test ports, if I try to browse to the management interface of a service (like the NAS), I get "connection reset". Likewise, I can't browse shares or join the domain.

I've tried:

  • Recreating the tunnel both manually and with the utility. Setting up AWS is a pretty common thing for us, so I have our base environment set up with CloudFormation.
  • Disabling firewalls on Windows Servers (temporarily and even though basic services like the NAS don't work, either).
  • Creating a new instance in AWS without any of our stuff on it. Can't join the domain or browse to the NAS or management IP of the SonicWALL.
  • Verified ACLs and security groups in AWS are allowing things.
  • Disabling security services on the SonicWALL one by one (and re-enabling them) to test.
  • Enlisted our firewall management company to take a look. They say there's no traffic coming into the SonicWALL except for my pings.
  • Turned on logging on my VPC to CloudWatch. It's reporting these connections, like 3389, as being accepted in both directions.

It's also worth noting that this was working before Christmas. It's a demo environment, so no one's really been using it. I guess I just don't understand enough about networking to know how a port could be open, but just time out. It's like the second half of the TCP handshake is being blocked coming back to AWS, but there aren't any firewall rules to justify this behavior.

Thanks and sorry for the wall of text!
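An added example, not part of the post above: a small Python script that pairs up VPC Flow Log records like the ones the poster turned on and separates conversations that were "accepted" in both directions but only ever exchanged a handshake from ones that actually carried data. The log lines are constructed, and the three-packet handshake threshold is an assumption.

```python
from collections import defaultdict

FIELDS = (  # default (version 2) VPC Flow Log field order
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status")

# Constructed sample records (not real traffic): an RDP attempt that only completes
# the handshake, an HTTP session that moves data, and a rejected SMB probe.
SAMPLE_LOG = """\
2 123456789012 eni-0example 10.0.1.25 192.168.10.40 49812 3389 6 3 180 1610500000 1610500060 ACCEPT OK
2 123456789012 eni-0example 192.168.10.40 10.0.1.25 3389 49812 6 2 120 1610500000 1610500060 ACCEPT OK
2 123456789012 eni-0example 10.0.1.25 192.168.10.50 49900 80 6 48 31000 1610500100 1610500160 ACCEPT OK
2 123456789012 eni-0example 192.168.10.50 10.0.1.25 80 49900 6 52 60500 1610500100 1610500160 ACCEPT OK
2 123456789012 eni-0example 10.0.1.25 192.168.10.60 49950 445 6 1 60 1610500200 1610500260 REJECT OK
"""

def parse_flow_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Keep version-2 records with log-status OK; skip blanks and NODATA/SKIPDATA rows.
        if len(parts) == len(FIELDS) and parts[0] == "2" and parts[-1] == "OK":
            records.append({f: int(v) if v.isdigit() else v for f, v in zip(FIELDS, parts)})
    return records

def pair_conversations(records):
    convs = defaultdict(list)
    for r in records:
        if r["protocol"] == 6:  # only TCP has a handshake to reason about
            # Unordered endpoint pair, so both directions of one connection land together.
            key = frozenset([(r["srcaddr"], r["srcport"]), (r["dstaddr"], r["dstport"])])
            convs[key].append(r)
    return convs

def classify(records, handshake_pkts=3):
    # ACCEPT both ways with roughly a handshake's worth of packets (assumed ~3) per
    # direction means the port "opened" but no application data ever followed.
    if any(r["action"] == "REJECT" for r in records):
        return "rejected"
    if len({(r["srcaddr"], r["srcport"]) for r in records}) < 2:
        return "one_way"  # return traffic never seen on this interface
    if all(r["packets"] <= handshake_pkts for r in records):
        return "handshake_only"
    return "established"

def summarize(text):
    # Key each conversation by its service side (the lower port number).
    out = {}
    for key, recs in pair_conversations(parse_flow_log(text)).items():
        out[min(key, key=lambda ep: ep[1])] = classify(recs)
    return out
```

Run against real records exported from CloudWatch, a "handshake_only" verdict on 3389 or 445 shows that an ACCEPT in both directions proves only that the SYN exchange got through, not that the session ever worked.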
