Solved

HELP! How to set up static NAT for internal IP on Cisco so that SonicWall VPN Connects using public IP

Posted on 2006-10-19
525 Views
Last Modified: 2010-03-19
Ok, sounds weird, right?  Here goes. I have a SonicWall firewall in front of a Cisco router.  I am not using NAT on the Cisco, and internally I am using 10.10.x.x.  I need to set up a VPN to another company for FTP traffic.  They do not route 10.10.x.x addresses.  I have the SonicWall VPN tunnel set up and can negotiate a connection, but since they see a 10.10.x.x address they do not allow me to establish an FTP session.  Question: how can I set up NAT on my Cisco so that they see a public IP instead of my private one? Or am I going about this the wrong way?  Any advice would be greatly appreciated.  Thanks!

Question by:nate22007
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17767729
If the SonicWall is the VPN endpoint you should be able to do it on that..
 

Author Comment

by:nate22007
ID: 17768267
All I can do is assign a static NAT to the internal IP address.  That is fine if I wanted to hit that internal FTP server from the Internet, but with a VPN tunnel it terminates on my LAN, meaning they are already past the firewall where the static NAT resides.  I was wondering if I could set up a static NAT on my Cisco router (one that did not affect internal access) that would make this work?
 
LVL 8

Expert Comment

by:saw830
ID: 17768750
Hi,

Do you have multiple IP addresses from your ISP, or can you and the other company agree to use some other private IP address range, like maybe 192.168.x.x somewhere?  Then....

renumber the network between your SonicWall and your Cisco router to either a public address range (get this from your ISP) or to some agreeable private range (10.x.x.x, 192.168.x.x, or 172.16.x.x-172.31.x.x).  Turn on NAT on your Cisco router to hide your 10.x.x.x network.  Connect your VPN from your SonicWall and the other end of the tunnel should only see the network between those two devices.

Be aware, however, that some things may not work well, or at all in this configuration.  For example, if there is something being served/hosted on the other end, and that something wants to see all clients on the same port but from different addresses, then the NAT is going to get in the way.

Hope this helps,
Alan
 
LVL 79

Expert Comment

by:lrmoore
ID: 17768784
Hmmm... on a Cisco router or firewall we can selectively NAT or not through the VPN tunnel on the firewall itself.

Since the router is inside the LAN and the SonicWall does the encryption, you won't be able to NAT on the router before it hits the SonicWall....
 

Author Comment

by:nate22007
ID: 17768859
Well, I do have multiple IP addresses from my ISP, but the other company will not be changing their IPs and they specifically forbid using RFC1918 addresses to access their system. So, I must find a way to NAT my internal 10.10.x.x address when it is accessed over the VPN tunnel.  (They insist on VPN for security; otherwise I could set up a one-to-one NAT on my firewall. The VPN thing is what is killing me.)  This probably means NAT on my Cisco, but I don't want this to affect current network traffic on the inside.  I suppose NAT based on destination sounds correct to me, but I am a n00b.  Any additional info would help.
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 17768914
You can't use the internal router to NAT to a public IP address on the inside of the SonicWall. Then the SonicWall gets confused because that IP is supposed to be outside and can't do anything with that traffic.
The solution must reside on the SonicWall. Unfortunately, I don't know anything about them, but I'm sure we have some SW experts lurking around here somewhere..
 

Author Comment

by:nate22007
ID: 17769035
I agree, the solution logically would be on the SonicWall, but I can't seem to find the right setting.  Would a Cisco firewall product be able to do this for me?
 

Author Comment

by:nate22007
ID: 17769610
Just found out that the product I have, SonicWall 230, does not have the NAT policies that I need to do this.  They are approaching end of life on this model, but their new models should allow me to do what I need.  Looks like it's time to upgrade!  Whoopee!  Another project... If anyone has any other suggestions, I would love to hear them.  Thanks!
 
LVL 79

Expert Comment

by:lrmoore
ID: 17769728
Cisco PIX or ASA5500 would do the job quite easily..
 

Author Comment

by:nate22007
ID: 17769756
Are you confident the PIX will let me translate a public IP to an internal IP via a VPN tunnel?
 
LVL 1

Expert Comment

by:Sean64
ID: 17769759
If you're using a hardware NAT (i.e. SonicWall) then the two networks should be connected by some route anyway.
You could possibly request another static IP address from your ISP, and apply it on the Cisco router using a loopback interface.  Have the Cisco NAT traffic destined for the VPN to that address.
You'll need to have a route in the SonicWall pointing that IP to the router.  Also the far side SonicWall (other company) will need to put a similar route into their system.
Let me know if I was too confusing.  Short answer though is: if you have another public IP address you can use, you can make this work.
 
LVL 79

Expert Comment

by:lrmoore
ID: 17769876
You would need another public IP subnet, not just one address, and it must not be in the same subnet as the outside IP of the SonicWall. The outside router would have to route that subnet to the SonicWall, and the SonicWall would have to have a route statement pointing to the inside router for this subnet, and the router would have to be set up with 'NAT on a stick', which is an unsupported configuration and rarely works well. And the SonicWall would have to be configured to allow that subnet through the VPN and not the internal private IPs..

Yes, I'm 100% sure that the PIX would do the trick. Been there, done that. Piece of cake.
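The router-side part of what Sean64 sketches and lrmoore qualifies, written out as an added Cisco IOS example that is not from any poster in the thread: a static one-to-one translation that only fires for traffic headed to the partner's network, so ordinary internal traffic keeps its 10.10.x.x source. All addresses are constructed placeholders and the interface names are assumptions.

```cisco
! Added example, not from the thread. Constructed addresses:
!   10.10.1.0/24     internal LAN (the poster's 10.10.x.x space)
!   10.10.1.5        internal host that must appear with a public address
!   203.0.113.0/24   extra public subnet from the ISP (lrmoore: a subnet,
!                    not one address, and not the SonicWall's WAN subnet)
!   198.51.100.0/24  the other company's network reached through the VPN
!   192.168.250.0/30 transit link between this router and the SonicWall
!
! Match only traffic from the LAN toward the partner network.
ip access-list extended TO-PARTNER-VPN
 permit ip 10.10.1.0 0.0.0.255 198.51.100.0 0.0.0.255
!
route-map NAT-FOR-VPN permit 10
 match ip address TO-PARTNER-VPN
!
! Conditional static NAT: 10.10.1.5 becomes 203.0.113.5 only when the
! route-map matches; all other flows from 10.10.1.5 are left untranslated.
ip nat inside source static 10.10.1.5 203.0.113.5 route-map NAT-FOR-VPN
!
interface GigabitEthernet0/0
 description Internal LAN (10.10.x.x)
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Transit link toward the SonicWall (VPN endpoint)
 ip address 192.168.250.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.168.250.1
!
! Not router config, but required per lrmoore and Sean64:
!   - SonicWall: static route for 203.0.113.0/24 via 192.168.250.2
!   - SonicWall VPN policy: local network 203.0.113.0/24, not 10.10.0.0/16
!   - partner side: route 203.0.113.0/24 into the tunnel
! If the 10.10 hosts and the SonicWall share one router interface, this
! becomes the unsupported 'NAT on a stick' case lrmoore warns about.
```

Verify with `show ip nat translations` after an FTP attempt: the entry should show 10.10.1.5 as the inside local and 203.0.113.5 as the inside global address only for the partner destination.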
 

Author Comment

by:nate22007
ID: 17769904
Thanks for your help.  I appreciate it!
Question has a verified solution.