Solved

Need for NAT or PAT?

Posted on 2008-10-02
495 Views
Last Modified: 2012-06-21
We have a basic internet IPsec VPN setup between our remotes and corporate. One of our vendors will now require a VPN connection to connect to them. They have provided a SonicWall firewall for the connection. I've attached the network diagram. We are a cascaded network (option b), but why is the NAT or PAT required? Wouldn't the netgate bounce traffic it didn't know what to do with back to the firewall, and then the firewall send it to the appropriate device through the network?

network.pdf
Question by:wvumountie
25 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22633868
Apparently the vpn device cannot handle anything other than a local /24 network on its inside. Their concept of cascaded is multiple subnets (vlans or remote offices over a WAN), all routing.
Tell the vendor to find another solution or go away.
If that is not an option because they are holding you hostage... and you actually do have an internal router, and it is a Cisco router, then we can help you. If it is a L3 switch internal, they don't "do" NAT.
 

Author Comment

by:wvumountie
ID: 22633914
You are exactly correct, as I have learned today. You are 100% on the correct page. I have a Firebox Core. I am not opposed to putting a Cisco in the middle of the two parallel devices. Is that an option?
 

Author Comment

by:wvumountie
ID: 22634002
I do have a layer 3 HP ProCurve. Let me give you a little more background...

We recently started using a piece of software that requires a VPN connection back to their host. They provide the hardware. So I have it set up parallel to my firewall, which terminates my VPN IPsec tunnels. What I need to do is route a public block of addresses from my remote sites over the VPN to my firewall and then to the parallel firewall. I have a route built from my corporate firewall to theirs, and all routing is working fine on the local subnet; all users can connect to the software fine.

So I need to create some sort of route or additional tunnel from the remotes to my firewall, to tell this block of public addresses not to go out its gateway to the internet but route it back to the corporate office. (I have this tunnel built and it seems to be working.)

Also, the hardware that was given to me is a SonicWall; it has a limitation that they cannot change or will not change that only allows it to see local subnet traffic.

I am using WatchGuard for my tunnels; I have a Core 750 at the host and Edge X55 at the remotes, and it is fully meshed.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22634548
Unfortunately, I have zero experience with any of the items you have. If you had all Cisco gear, I know I could come up with a solution for you.
Perhaps if you put something like a 1811 or 1841 router in between the LAN and the SonicWall, then NAT everything to the SonicWall's internal network.

Internet              Internet                      Internet
    |                     |                             |
Sonicwall              VPN FW ========= vpn ========= X55
    |                     |
  Router ----------------+------- LAN

The router can handle as many different subnets as you need and PAT them all to the SonicWall.
 

Author Comment

by:wvumountie
ID: 22634608
Well, I guess I am in luck: I have a Cisco 1800 in the closet.

My problem now is I have 14 different subnets coming across the VPN. All of those clients are using DHCP. How would I NAT that many IPs? Although you are suggesting PAT.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22634798
Here's what I envision on the router:
In this example, the SonicWall inside IP is 10.200.200.1 /24
All remote sites are 10.x.y.0 something..

interface FastEthernet0/0
 description Sonicwall inside lan
 ip address 10.200.200.2 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 description Internal network
 ! use whatever address is appropriate for your LAN
 ip address 10.1.1.254 255.255.255.0
 ip nat inside

! PAT every source matched by list 10 to the Fast0/0 address
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 10.0.0.0 0.255.255.255
! maybe an odd remote not on a 10. network
access-list 10 permit 192.168.123.0 0.0.0.255

ip route <vendor ip> 255.255.255.255 10.200.200.1
! remote subnets back toward the VPN FW
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 192.168.0.0 255.255.0.0 10.1.1.1
! corp firewall for Inet access
ip route 0.0.0.0 0.0.0.0 10.1.1.250

All the SonicWall ever sees is the Fast0/0 IP address (PAT), no matter how many remote subnets you have.
 

Author Comment

by:wvumountie
ID: 22635107
First off I want to thank you for your help.

Secondly I have never used a cisco.

My SonicWall inside is 192.168.111.64.
Remote sites are 192.168.1.x, 192.168.2.x, all the way to 192.168.17.x.

Is what you posted the correct syntax? I would be more than happy to pay for your services to write the configuration for me.
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 22635339
Let's try this. Assuming that your local LAN is 192.168.111.0/24,
you'll have to change the SonicWall inside IP to something new and unique to your network, like 192.168.112.64/24.

interface FastEthernet0/0
 description Sonicwall inside lan
 ip address 192.168.112.66 255.255.255.0
 ip nat outside
 no shutdown

interface FastEthernet0/1
 description Internal network
 ip address 192.168.111.64 255.255.255.0
 ip nat inside
 no shutdown

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.0.0 0.0.255.255

ip route <vendor ip> 255.255.255.255 192.168.112.64
! 192.168.111.1 = your vpn firewall inside IP??
ip route 192.168.0.0 255.255.0.0 192.168.111.1
 

Author Comment

by:wvumountie
ID: 22635404
Yes, my local LAN is 192.168.110.0/23,
and you guessed right on my firewall.

So this should be the whole config?
 
LVL 79

Expert Comment

by:lrmoore
ID: 22635579
Your local LAN is 110. or .111. ?
Basically, yes, that's the whole config. Pretty simple, huh?
 

Author Comment

by:wvumountie
ID: 22635763
Both; it's a .110 /23.

Cool, so then I need to build a route to send all of my firewall traffic destined to the SonicWall through the Cisco first?

 
LVL 79

Expert Comment

by:lrmoore
ID: 22635880
Yep.
Just change the mask on FA 0/1 to match your /23 lan
 

Author Comment

by:wvumountie
ID: 22635945
interface FastEthernet0/0
 description Sonicwall inside lan
 ip address 192.168.112.66 255.255.255.0
 ip nat outside
 no shutdown

interface FastEthernet0/1
 description Internal network
 ip address 192.168.111.64 255.255.254.0
 ip nat inside
 no shutdown

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.0.0 0.0.255.255

ip route <vendor ip> 255.255.255.255 192.168.112.64
ip route 192.168.0.0 255.255.0.0 192.168.111.1


I am so sorry to beat this to death, but the above would be all I need to put on the Cisco?
 
LVL 79

Expert Comment

by:lrmoore
ID: 22636032
Yes, but replace
   <vendor ip>
With the appropriate IP address
 

Author Comment

by:wvumountie
ID: 22636052
Vendor IP would be the public? If so, it's a whole network block; does that change anything?
 
LVL 79

Expert Comment

by:lrmoore
ID: 22636142
Yes, just make it the block

ip route ven.dor.ip.0 255.255.255.0 192.168.112.64
 

Accepted Solution

by:
wvumountie earned 0 total points
ID: 22636173
interface FastEthernet0/0
 description Sonicwall inside lan
 ip address 192.168.112.66 255.255.255.0
 ip nat outside
 no shutdown

interface FastEthernet0/1
 description Internal network
 ip address 192.168.111.64 255.255.254.0
 ip nat inside
 no shutdown

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.0.0 0.0.255.255

! the vendor block is a whole /24, so the mask is 255.255.255.0
! (a 255.255.255.255 mask would only match the single address x.x.x.0)
ip route x.x.x.0 255.255.255.0 192.168.112.64
ip route 192.168.0.0 255.255.0.0 192.168.111.1
 
LVL 79

Expert Comment

by:lrmoore
ID: 22636209
Looks good.

Just make sure that you add a route to that vendor subnet on your firewall that points to the 1841 at 192.168.111.64. You might already have that in place from what you've been working on, and that's why I chose to use the same IP on the 1841 that you had originally on the SonicWall.
 

Author Comment

by:wvumountie
ID: 22636239
Thank you so much. I am going to try it now, then I will award points (I may have another stupid question). You have been right on from the beginning, a real help.
 

Author Comment

by:wvumountie
ID: 22637235
I assume this should respond to pings?
 
LVL 79

Expert Comment

by:lrmoore
ID: 22637460
You should be able to ping 192.168.111.64 from just about anywhere.
You'll have to add another route for the new 192.168.112.0 network on your firewall, pointed back at the router 192.168.111.64.
Then you should be able to ping 192.168.112.64
If you can get that far, you should be good.
 

Author Comment

by:wvumountie
ID: 22637598
Wouldn't the 112 network always go back through the Cisco and get NATed?
 

Author Comment

by:wvumountie
ID: 22637816
From the Cisco I can ping the SonicWall, but from my computer I can't ping 192.168.112.64, which is the internal of the SonicWall.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22639373
Just for a test, add a static route on your PC for both the .112 network and the vendor public IP block:
c:\>route add 192.168.112.0 mask 255.255.255.0 192.168.111.64
c:\>route add x.x.x.0 mask 255.255.255.0 192.168.111.64
 
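As an added illustration (not code from this thread, from Cisco, or from any of the vendors named), the Python model below replays what the accepted 1841 config does: the access-list 10 wildcard match, the two static routes, the PAT overload on Fa0/0 that makes every remote subnet appear to the SonicWall as the single address 192.168.112.66, and the corporate firewall's return route for 192.168.112.0/24 that was missing when the PC could not ping 192.168.112.64. The vendor's x.x.x.0/24 block is stood in for by the documentation range 203.0.113.0/24, and the port numbers, the firewall's routing table and the next-hop labels are constructed assumptions.

```python
import ipaddress
from itertools import count

# Constructed model of the routing and NAT described in the thread; not real
# router code.  Inside addresses come from the thread; the vendor's x.x.x.0/24
# is replaced by the documentation range 203.0.113.0/24 as a placeholder.
VENDOR_BLOCK = ipaddress.ip_network("203.0.113.0/24")
OUTSIDE_IP = "192.168.112.66"        # Fa0/0: the only address the SonicWall ever sees
ROUTER_INSIDE_IP = "192.168.111.64"  # Fa0/1: the next hop the firewall must point at


def acl_network(addr, wildcard):
    """Turn Cisco 'permit addr wildcard' into a network (contiguous wildcards only)."""
    return ipaddress.ip_network(f"{addr}/{wildcard}")  # ipaddress accepts hostmask form


NAT_ACL = [acl_network("192.168.0.0", "0.0.255.255")]  # access-list 10

# Router table: the two connected interfaces plus the two static routes.
ROUTER_ROUTES = [
    (ipaddress.ip_network("192.168.112.0/24"), "connected Fa0/0"),
    (ipaddress.ip_network("192.168.110.0/23"), "connected Fa0/1"),
    (VENDOR_BLOCK, "192.168.112.64"),                           # ip route x.x.x.0 255.255.255.0 192.168.112.64
    (ipaddress.ip_network("192.168.0.0/16"), "192.168.111.1"),  # ip route 192.168.0.0 255.255.0.0 192.168.111.1
]


def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


class PatTable:
    """Models 'ip nat inside source list 10 interface FastEthernet0/0 overload'."""

    def __init__(self, outside_ip, acl):
        self.outside_ip = outside_ip
        self.acl = acl
        self.out = {}    # (src_ip, src_port, dst_ip, dst_port) -> outside port
        self.back = {}   # (outside port, dst_ip, dst_port) -> (src_ip, src_port)
        self.ports = count(1024)   # constructed port allocation, lowest free first

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving Fa0/0; sources the ACL does not match go untranslated."""
        if not any(ipaddress.ip_address(src_ip) in net for net in self.acl):
            return src_ip, src_port
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            port = next(self.ports)
            self.out[key] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.outside_ip, self.out[key]

    def inbound(self, outside_port, src_ip, src_port):
        """Map a reply arriving on Fa0/0 back to the inside host; None if no session exists."""
        return self.back.get((outside_port, src_ip, src_port))


def vendor_view(remote_hosts, vendor_host="203.0.113.10", vendor_port=443):
    """Return the PAT table and what the SonicWall sees for one flow from each host."""
    pat = PatTable(OUTSIDE_IP, NAT_ACL)
    seen = {}
    for host in remote_hosts:
        if lookup(ROUTER_ROUTES, vendor_host) != "192.168.112.64":
            raise RuntimeError("vendor traffic is not routed to the SonicWall")
        seen[host] = pat.outbound(host, 50000, vendor_host, vendor_port)
    return pat, seen


def firewall_routes(with_return_route):
    """Corporate firewall table (constructed), with or without the 192.168.112.0/24 route."""
    routes = [(ipaddress.ip_network("192.168.110.0/23"), "connected LAN")]
    routes += [(ipaddress.ip_network(f"192.168.{n}.0/24"), f"vpn tunnel {n}") for n in range(1, 18)]
    routes.append((VENDOR_BLOCK, ROUTER_INSIDE_IP))
    if with_return_route:
        routes.append((ipaddress.ip_network("192.168.112.0/24"), ROUTER_INSIDE_IP))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "internet"))
    return routes


if __name__ == "__main__":
    pat, seen = vendor_view(["192.168.1.10", "192.168.17.10", "192.168.110.25"])
    for host, (ip, port) in seen.items():
        print(f"{host}:50000 appears to the vendor as {ip}:{port}")
    print("reply to port 1025 is delivered to", pat.inbound(1025, "203.0.113.10", 443))
    for flag in (False, True):
        print("firewall forwards a ping to 192.168.112.64 via",
              lookup(firewall_routes(flag), "192.168.112.64"),
              "with" if flag else "without", "the return route")
```

Running it shows three remote hosts on three different subnets all leaving Fa0/0 as 192.168.112.66 with distinct ports, which is why the SonicWall's "local subnet only" limitation stops mattering, and shows the firewall sending a ping for 192.168.112.64 to its default route until the route back to the 1841 is added.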

Author Comment

by:wvumountie
ID: 22648909
Everything is working great, thanks for all of your help.