  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 532
  • Last Modified:

HELP! How to set up static NAT for internal IP on Cisco so that SonicWall VPN Connects using public IP

Ok, sounds weird right?  Here goes, I have a SonicWall firewall in front of a Cisco router.  I am not using NAT on the Cisco, and internally I am using 10.10.x.x.  I need to set up a VPN to another company for FTP traffic.  They do not route 10.10.x.x addresses.  I have the SonicWall VPN tunnel set up and can negotiate a connection, but since they see a 10.10.x.x address they do not allow me to establish an FTP session.  Question, how can I set up NAT on my Cisco so that they see a public IP instead of my private? Or am I going about this the wrong way?  Any advice would be greatly appreciated.  Thanks!

 
0
nate22007
Asked:
nate22007
1 Solution
 
lrmooreCommented:
If the Sonicwall is the VPN endpoint you should be able to do it on that..
0
 
nate22007Author Commented:
All I can do is assign a static NAT to the internal IP address.  That is fine if I wanted to hit that internal FTP server from the Internet, but with a VPN tunnel it terminates on my LAN, meaning they are already past the firewall where the static NAT resides.  I was wondering if I could set up a static NAT on my Cisco router(one that did not affect internal access) that would make this work?
0
 
saw830Commented:
Hi,

Do you have multiple IP addresses from your ISP, or can you and the other company agree to use some other Private IP address range, like maybe 192.168.x.x somewhere?  Then....

renumber the network between your Sonic Wall and your Cisco router to either a Public address range (get this from your ISP) or to some agreeable Private Range (10.x.x.x, 192.168.x.x, or 172.16.x.x-172.31.x.x).  Turn on NAT on your Cisco router to hide your 10.x.x.x network.  Connect your VPN from your Sonic Wall and the other end of the tunnel should only see the network between those two devices.

Be aware, however, that some things may not work well, or at all in this configuration.  For example, if there is something being served/hosted on the other end, and that something wants to see all clients on the same port but from different addresses, then the NAT is going to get in the way.

Hope this helps,
Alan
0
 
lrmooreCommented:
Hmmm... on Cisco router or firewall we can selectively nat or not through the vpn tunnel on the firewall itself.

Since the router is inside the LAN and the Sonicwall does the encryption, you won't be able to nat on the router before it hits the sonicwall....
0
 
nate22007Author Commented:
Well, I do have multiple IP addresses from my ISP, but the other company will not be changing their IPs and they specifically forbid using RFC1918 addresses to access their system. So, I must find a way to NAT my internal 10.10.x.x address when it is accessed over the VPN tunnel.  (They insist on VPN for security, otherwise I could set up a one to one NAT on my firewall. The VPN thing is what is killing me)  This probably means NAT on my Cisco, but I don't want this to affect current network traffic on the inside.  I suppose NAT based on destination sounds correct to me, but I am a n00b.  Any additional info would help.
0
 
lrmooreCommented:
You can't use the internal router to nat to a public IP address on the inside of the Sonicwall. Then the sonicwall gets confused because that IP is supposed to be outside and can't do anything with that traffic.
The solution must reside on the Sonicwall. Unfortunately, I don't know anything about them but I'm sure we have some SW experts lurking around here somewhere..

0
 
nate22007Author Commented:
I agree, the solution logically would be on the SonicWall, but I can't seem to find the right setting.  Would a Cisco firewall product be able to do this for me?
0
 
nate22007Author Commented:
Just found out that the product I have, SonicWall 230, does not have the NAT policies that I need to do this.  They are approaching end of life on this model, but their new models should allow me to do what I need.  Looks like it's time to upgrade!  Whoopee!  Another project...If anyone has any other suggestions, I would love to hear them.  Thanks!
0
 
lrmooreCommented:
Cisco PIX or ASA5500 would do the job quite easily..
0
 
nate22007Author Commented:
Are you confident the PIX will let me translate a public IP to an internal IP via a VPN tunnel?
0
 
Sean64Commented:
If you're using a hardware NAT (i.e. Sonicwall) then the two networks should be connected by some route anyway.
You could possibly request another static IP address from your ISP, and apply it on the Cisco router using a loopback interface.  Have the Cisco NAT traffic destined for the VPN to that address.
You'll need to have a route in the Sonicwall pointing that IP to the router.  Also the far side Sonicwall (other company) will need to put a similar route into their system.
Let me know if I was too confusing.  Short answer though is: if you have another public ip address you can use, you can make this work.
0
 
lrmooreCommented:
You would need another public IP subnet, not just one address, and it must not be in the same subnet as the outside IP of the sonicwall. The outside router would have to route that subnet to the Sonicwall, and the sonicwall would have to have a route statement pointing to the inside router for this subnet, and the router would have to be set up with 'nat on a stick' which is an unsupported configuration and rarely works well. And the sonicwall would have to be configured to allow that subnet through the VPN and not the internal private IP's..

Yes, I'm 100% sure that the PIX would do the trick. Been there, done that. Piece of cake.
0
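The PIX/ASA policy-NAT pattern lrmoore refers to, written out as an added example that is not from the thread or from Cisco's documentation. It assumes ASA 8.2-era syntax, interfaces named inside/outside, and constructed documentation-range addresses: 10.10.1.5 for the internal FTP host, 203.0.113.5 for a spare public IP of ours, 192.0.2.0/24 for the partner LAN and 198.51.100.1 for the partner's VPN peer.

```text
! Added example (ASA 8.2-style syntax); all addresses are constructed.
! 10.10.1.5     = internal FTP host        203.0.113.5  = our spare public IP
! 192.0.2.0/24  = partner network          198.51.100.1 = partner VPN peer
!
! 1. Policy (conditional) static NAT: translate the FTP host to the public IP
!    ONLY when the destination is the partner network. Traffic between the
!    host and the rest of 10.10.0.0/16 is not matched, so internal access is
!    unaffected (the requirement nate22007 stated).
access-list FTP_TO_PARTNER extended permit ip host 10.10.1.5 192.0.2.0 255.255.255.0
static (inside,outside) 203.0.113.5 access-list FTP_TO_PARTNER
!
! 2. Crypto ACL: on the PIX/ASA, NAT is applied before the crypto map is
!    evaluated, so "interesting traffic" is written with the TRANSLATED source.
!    Only the public address ever enters the tunnel; 10.10.x.x never does.
access-list VPN_TO_PARTNER extended permit ip host 203.0.113.5 192.0.2.0 255.255.255.0
!
! 3. Phase 1 / Phase 2 with placeholder parameters (agree these with the partner).
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp enable outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
crypto ipsec transform-set PARTNER_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_PARTNER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set PARTNER_TS
crypto map OUTSIDE_MAP interface outside
```

Because active-mode FTP embeds the client address in the PORT command, keep `inspect ftp` in the global policy so the ASA rewrites that embedded 10.10.1.5 to 203.0.113.5 as well; `show xlate` should then list the 10.10.1.5 to 203.0.113.5 entry while an FTP session to the partner is open.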
 
nate22007Author Commented:
Thanks for your help.  I appreciate it!
0
