Solved

HELP! How to set up static NAT for internal IP on Cisco so that SonicWall VPN Connects using public IP

Posted on 2006-10-19
517 Views
Last Modified: 2010-03-19
Ok, sounds weird, right? Here goes: I have a SonicWall firewall in front of a Cisco router. I am not using NAT on the Cisco, and internally I am using 10.10.x.x. I need to set up a VPN to another company for FTP traffic. They do not route 10.10.x.x addresses. I have the SonicWall VPN tunnel set up and can negotiate a connection, but since they see a 10.10.x.x address they do not allow me to establish an FTP session. Question: how can I set up NAT on my Cisco so that they see a public IP instead of my private one? Or am I going about this the wrong way? Any advice would be greatly appreciated. Thanks!

Question by:nate22007
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
If the Sonicwall is the VPN endpoint you should be able to do it on that.
 

Author Comment

by:nate22007
All I can do is assign a static NAT to the internal IP address. That is fine if I wanted to hit that internal FTP server from the Internet, but with a VPN tunnel it terminates on my LAN, meaning they are already past the firewall where the static NAT resides. I was wondering if I could set up a static NAT on my Cisco router (one that did not affect internal access) that would make this work?
 
LVL 8

Expert Comment

by:saw830
Hi,

Do you have multiple IP addresses from your ISP, or can you and the other company agree to use some other private IP address range, like maybe 192.168.x.x somewhere? Then....

Renumber the network between your SonicWall and your Cisco router to either a public address range (get this from your ISP) or to some agreeable private range (10.x.x.x, 192.168.x.x, or 172.16.x.x-172.31.x.x). Turn on NAT on your Cisco router to hide your 10.x.x.x network. Connect your VPN from your SonicWall, and the other end of the tunnel should only see the network between those two devices.

Be aware, however, that some things may not work well, or at all, in this configuration. For example, if there is something being served/hosted on the other end, and that something wants to see all clients on the same port but from different addresses, then the NAT is going to get in the way.

Hope this helps,
Alan
 
LVL 79

Expert Comment

by:lrmoore
Hmmm... on a Cisco router or firewall we can selectively NAT or not NAT through the VPN tunnel on the firewall itself.

Since the router is inside the LAN and the Sonicwall does the encryption, you won't be able to NAT on the router before it hits the Sonicwall....
 

Author Comment

by:nate22007
Well, I do have multiple IP addresses from my ISP, but the other company will not be changing their IPs and they specifically forbid using RFC1918 addresses to access their system. So, I must find a way to NAT my internal 10.10.x.x address when it is accessed over the VPN tunnel. (They insist on VPN for security; otherwise I could set up a one-to-one NAT on my firewall. The VPN thing is what is killing me.) This probably means NAT on my Cisco, but I don't want this to affect current network traffic on the inside. I suppose NAT based on destination sounds correct to me, but I am a n00b. Any additional info would help.
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
You can't use the internal router to NAT to a public IP address on the inside of the Sonicwall. Then the Sonicwall gets confused, because that IP is supposed to be outside, and can't do anything with that traffic.
The solution must reside on the Sonicwall. Unfortunately, I don't know anything about them, but I'm sure we have some SW experts lurking around here somewhere..

 

Author Comment

by:nate22007
I agree, the solution logically would be on the SonicWall, but I can't seem to find the right setting. Would a Cisco firewall product be able to do this for me?
 

Author Comment

by:nate22007
Just found out that the product I have, SonicWall 230, does not have the NAT policies that I need to do this. They are approaching end of life on this model, but their new models should allow me to do what I need. Looks like it's time to upgrade! Whoopee! Another project... If anyone has any other suggestions, I would love to hear them. Thanks!
 
LVL 79

Expert Comment

by:lrmoore
Cisco PIX or ASA5500 would do the job quite easily..
 

Author Comment

by:nate22007
Are you confident the PIX will let me translate a public IP to an internal IP via a VPN tunnel?
 
LVL 1

Expert Comment

by:Sean64
If you're using a hardware NAT (i.e. Sonicwall) then the two networks should be connected by some route anyway.
You could possibly request another static IP address from your ISP and apply it on the Cisco router using a loopback interface. Have the Cisco NAT traffic destined for the VPN to that address.
You'll need to have a route in the Sonicwall pointing that IP to the router. Also, the far-side Sonicwall (other company) will need to put a similar route into their system.
Let me know if I was too confusing. Short answer, though, is: if you have another public IP address you can use, you can make this work.
 
LVL 79

Expert Comment

by:lrmoore
You would need another public IP subnet, not just one address, and it must not be in the same subnet as the outside IP of the Sonicwall. The outside router would have to route that subnet to the Sonicwall, the Sonicwall would have to have a route statement pointing to the inside router for this subnet, and the router would have to be set up with "NAT on a stick", which is an unsupported configuration and rarely works well. And the Sonicwall would have to be configured to allow that subnet through the VPN and not the internal private IPs.

Yes, I'm 100% sure that the PIX would do the trick. Been there, done that. Piece of cake.
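A constructed configuration sketch (not posted by anyone in this thread) of the approach lrmoore recommends on a PIX/ASA: policy static NAT translates the inside FTP host to a spare public address only for traffic bound to the partner's network, so LAN traffic is untouched, and the crypto ACL then matches the translated address. All addresses (10.10.1.5, 203.0.113.10, 198.51.100.0/24, peer 198.51.100.1), the object names and the IKE/IPsec parameters are assumptions.

```cisco
! Constructed PIX/ASA 7.x-style example, not a configuration from this thread.
! Assumed addresses: inside FTP client 10.10.1.5, spare public IP 203.0.113.10
! (must be routed to this firewall's outside interface by the ISP), partner
! network 198.51.100.0/24, partner VPN peer 198.51.100.1.
!
! Policy static NAT: 10.10.1.5 appears as 203.0.113.10 only towards the partner.
! Traffic to any other destination falls through to the normal NAT rules, so
! internal access to the host is not affected.
access-list VPN-POLICY-NAT extended permit ip host 10.10.1.5 198.51.100.0 255.255.255.0
static (inside,outside) 203.0.113.10 access-list VPN-POLICY-NAT
!
! Crypto ACL ("interesting traffic"): NAT is applied before encryption on the
! PIX/ASA, so this must reference the translated public address, not 10.10.1.5.
! The partner configures the mirror image (198.51.100.0/24 -> host 203.0.113.10).
access-list VPN-TRAFFIC extended permit ip host 203.0.113.10 198.51.100.0 255.255.255.0
!
! IKE phase 1 / IPsec phase 2 parameters (assumed; agree them with the partner).
! 3DES/SHA-1/group 2 reflect the era of this thread and are weak by today's
! standards; prefer AES and a stronger DH group where both sides support them.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
```

Verify with `show xlate` (a 203.0.113.10 to 10.10.1.5 entry appears after the first FTP attempt) and `show crypto ipsec sa` (encaps/decaps counters increase). FTP embeds addresses in its control channel, so keep the FTP inspection/fixup enabled or active-mode data connections will break behind this translation.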
 

Author Comment

by:nate22007
Thanks for your help. I appreciate it!