Need for NAT or PAT?

We have a basic internet IPsec VPN setup between our remotes and corporate. One of our vendors will now require a VPN connection to connect to them. They have provided a SonicWall firewall for the connection. I've attached the network diagram. We are a cascaded network (option b), but why is the NAT or PAT required? Wouldn't the Netgate bounce traffic it didn't know what to do with back to the firewall, and then the firewall send it to the appropriate device through the network?

network.pdf
Asked by: wvumountie
2 Solutions
 
lrmooreCommented:
Apparently the VPN device cannot handle anything other than a local /24 network on its inside. Their concept of cascaded is multiple subnets (VLANs or remote offices over a WAN), all routing.
Tell the vendor to find another solution or go away.
If that is not an option because they are holding you hostage... and you actually do have an internal router, and it is a Cisco router, then we can help you. If it is an L3 switch internal, they don't "do" NAT.
0
 
wvumountieAuthor Commented:
You are exactly correct, as I have learned today. You are 100% on the correct page. I have a Firebox Core. I am not opposed to putting a Cisco in the middle of the two parallel devices. Is that an option?
0
 
wvumountieAuthor Commented:
I do have a layer 3 HP ProCurve. Let me give you a little more background...

We recently started using a piece of software that requires a VPN connection back to their host. They provide the hardware. So I have it set up parallel to my firewall, which terminates my VPN IPsec tunnels. What I need to do is route a public block of addresses from my remote sites over the VPN to my firewall and then to the parallel firewall. I have a route built from my corporate firewall to theirs, and all routing is working fine on the local subnet; all users can connect to the software fine.

So I need to create some sort of route or additional tunnel from the remotes to my firewall, to tell this block of public addresses not to go out its gateway to the internet but to route it back to the corporate office. (I have this tunnel built and it seems to be working.)

Also, the hardware that was given to me is a SonicWall; it has a limitation that they cannot change or will not change that only allows it to see local subnet traffic.

I am using WatchGuard for my tunnels; I have a Core 750 at the host and Edge X55 at the remotes, and it is fully meshed.
0
 
lrmooreCommented:
Unfortunately, I have zero experience with any of the items you have. If you had all Cisco gear, I know I could come up with a solution for you.
Perhaps if you put something like a 1811 or 1841 router in between the LAN and the SonicWall, then NAT everything to the SonicWall's internal network.

Internet        Internet                  Internet
   |               |                         |
Sonicwall       VPN FW  ==== vpn ====      X55
   |               |
 Router ----------+---- LAN

The router can handle as many different subnets as you need and PAT them all to the SonicWall.
0
 
wvumountieAuthor Commented:
Well, I guess I am in luck: I have a Cisco 1800 in the closet.

My problem now is I have 14 different subnets coming across the VPN. All of those clients are using DHCP. How would I NAT that many IPs? Although you are suggesting PAT.
0
 
lrmooreCommented:
Here's what I envision on the router:
In this example, the SonicWall inside IP is 10.200.200.1 /24.
All remote sites are 10.x.y.0 something.

interface Fast 0/0
 descript Sonicwall inside lan
 ip address 10.200.200.2 255.255.255.0
 ip nat outside

interface Fast 0/1
 descript Internal network
 ip address 10.1.1.254 255.255.255.0  <== whatever is appropriate for your LAN
 ip nat inside

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 10.0.0.0 0.255.255.255  
access-list 10 permit 192.168.123.0 0.0.0.255  <== maybe an odd remote not on a 10. network

ip route <vendor ip> 255.255.255.255 10.200.200.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1  <== VPN FW
ip route 192.168.0.0 255.255.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.1.1.250  <== corp firewall for Inet access

All the SonicWall ever sees is the Fast0/0 IP address (PAT), no matter how many remote subnets you have.
0
 
wvumountieAuthor Commented:
First off, I want to thank you for your help.

Secondly, I have never used a Cisco.

My SonicWall inside is 192.168.111.64.
Remote sites are 192.168.1.x
                 192.168.2.x
all the way to   192.168.17.x

Is what you posted the correct syntax? I would be more than happy to pay for your services to write the configuration for me.
0
 
lrmooreCommented:
Let's try this. Assuming that your local LAN is 192.168.111.0/24:
You'll have to change the SonicWall inside IP to something new and unique to your network, like 192.168.112.64 /24.

interface Fast 0/0
 descript Sonicwall inside lan
 ip address 192.168.112.66 255.255.255.0
 ip nat outside
 no shutdown

interface Fast 0/1
 descript Internal network
 ip address 192.168.111.64 255.255.255.0
 ip nat inside
 no shutdown

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.0.0 0.0.255.255  

ip route <vendor ip> 255.255.255.255 192.168.112.64
ip route 192.168.0.0 255.255.0.0 192.168.111.1  <== your vpn firewall inside IP??
0
 
wvumountieAuthor Commented:
Yes, my local LAN is 192.168.110.0 /23,
and you guessed right on my firewall.

So this should be the whole config?
0
 
lrmooreCommented:
Your local LAN is .110. or .111.?
Basically, yes, that's the whole config. Pretty simple, huh?
0
 
wvumountieAuthor Commented:
Both; it's a .110 /23.

Cool, so then I need to build a route to route all of my firewall traffic destined to the SonicWall through the Cisco first?

0
 
lrmooreCommented:
Yep.
Just change the mask on Fa 0/1 to match your /23 LAN.
0
 
wvumountieAuthor Commented:
interface Fast 0/0
 descript Sonicwall inside lan
 ip address 192.168.112.66 255.255.255.0
 ip nat outside
 no shutdown

interface Fast 0/1
 descript Internal network
 ip address 192.168.111.64 255.255.254.0
 ip nat inside
 no shutdown

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.0.0 0.0.255.255  

ip route <vendor ip> 255.255.255.255 192.168.112.64
ip route 192.168.0.0 255.255.0.0 192.168.111.1


I am so sorry to beat this to death, but the above would be all I need to put on the Cisco?
0
 
lrmooreCommented:
Yes, but replace
   <vendor ip>
With the appropriate IP address
0
 
wvumountieAuthor Commented:
Vendor IP would be the public? If so, it's a whole network block; does that change anything?
0
 
lrmooreCommented:
Yes, just make it the block:

ip route ven.dor.ip.0 255.255.255.0 192.168.112.64
0
 
wvumountieAuthor Commented:
interface Fast 0/0
 descript Sonicwall inside lan
 ip address 192.168.112.66 255.255.255.0
 ip nat outside
 no shutdown

interface Fast 0/1
 descript Internal network
 ip address 192.168.111.64 255.255.254.0
 ip nat inside
 no shutdown

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.0.0 0.0.255.255  

ip route x.x.x.0 255.255.255.0 192.168.112.64
ip route 192.168.0.0 255.255.0.0 192.168.111.1
0
 
lrmooreCommented:
Looks good.

Just make sure that you add a route to that vendor subnet on your firewall that points to the 1841 at 192.168.111.64... You might already have that in place from what you've been working on, and that's why I chose to use the same IP on the 1841 that you had originally on the SonicWall.
0
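An added Python model of the final router configuration laid out in the thread (this is illustration code, not from the thread, Cisco or SonicWall): it does longest-prefix routing over the `ip route` lines, applies the `ip nat inside source list 10 interface FastEthernet0/0 overload` rule, and shows that the SonicWall only ever sees the Fa0/0 address however many remote /24s arrive. 203.0.113.0/24 stands in for the vendor's public block (x.x.x.0 in the thread), and the port allocation is a simplified assumption.

```python
import ipaddress

# Constructed model of the thread's final router config; 203.0.113.0/24 is a
# placeholder for the vendor's public block (written x.x.x.0 in the thread).
VENDOR_BLOCK = "203.0.113.0/24"
NAT_OUTSIDE_IFACE = "Fa0/0"            # "ip nat outside", facing the SonicWall
NAT_OUTSIDE_IP = "192.168.112.66"      # address used by "interface FastEthernet0/0 overload"
NAT_INSIDE_ACL = ["192.168.0.0/16"]    # access-list 10 permit 192.168.0.0 0.0.255.255
ROUTES = [                             # (prefix, next hop or connected interface)
    ("192.168.112.0/24", "connected:Fa0/0"),  # SonicWall inside LAN
    ("192.168.110.0/23", "connected:Fa0/1"),  # corporate LAN (/23 per the thread)
    (VENDOR_BLOCK, "192.168.112.64"),         # ip route ven.dor.ip.0 255.255.255.0 192.168.112.64
    ("192.168.0.0/16", "192.168.111.1"),      # ip route 192.168.0.0 255.255.0.0 192.168.111.1
]

def egress(dst, depth=0):
    """Longest-prefix match on ROUTES, recursing on the next hop until a connected interface."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), via) for p, via in ROUTES if ip in ipaddress.ip_network(p)]
    if not matches or depth > 4:
        return None
    net, via = max(matches, key=lambda m: m[0].prefixlen)
    return via.split(":")[1] if via.startswith("connected:") else egress(via, depth + 1)

def forward(src, sport, dst, dport, xlate):
    """Route one packet and apply the overload NAT rule for inside sources leaving Fa0/0.
    Returns (src, sport, dst, dport, egress interface) after translation, or None if unroutable."""
    iface = egress(dst)
    if iface is None:
        return None
    inside = any(ipaddress.ip_address(src) in ipaddress.ip_network(a) for a in NAT_INSIDE_ACL)
    if iface == NAT_OUTSIDE_IFACE and inside:
        # Overload (PAT): every inside host shares the Fa0/0 address; the port keeps flows apart.
        # Port choice is a simplified assumption, not IOS's real allocator.
        xlate.setdefault((src, sport), 1024 + len(xlate))
        return (NAT_OUTSIDE_IP, xlate[(src, sport)], dst, dport, iface)
    return (src, sport, dst, dport, iface)

def sources_seen_by_sonicwall(remote_subnets):
    """Source addresses the SonicWall sees when one host per remote 192.168.N.0/24 reaches the vendor."""
    xlate, seen = {}, set()
    for n in remote_subnets:
        pkt = forward(f"192.168.{n}.10", 40000, "203.0.113.5", 443, xlate)
        if pkt and pkt[4] == NAT_OUTSIDE_IFACE:
            seen.add(pkt[0])
    return seen

if __name__ == "__main__":
    # Remote sites 192.168.1.0/24 .. 192.168.17.0/24 collapse to one address on the SonicWall side.
    print(sources_seen_by_sonicwall(range(1, 18)))
```

Traffic between remotes and the corporate LAN never leaves Fa0/0, so it is routed untranslated; only flows to the vendor block are rewritten, which is why the SonicWall needs nothing beyond its local /24.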
 
wvumountieAuthor Commented:
Thank you so much. I am going to try it now, then I will award points (I may have another stupid question). You have been right on from the beginning, a real help.
0
 
wvumountieAuthor Commented:
I assume this should respond to pings?
0
 
lrmooreCommented:
You should be able to ping 192.168.111.64 from just about anywhere.
You'll have to add another route for the new 192.168.112.0 network on your firewall, pointed back at the router 192.168.111.64.
Then you should be able to ping 192.168.112.64.
If you can get that far, you should be good.
0
 
wvumountieAuthor Commented:
Wouldn't the 112 network always go back through the Cisco and get NATed?
0
 
wvumountieAuthor Commented:
From the Cisco I can ping the SonicWall, but from my computer I can't ping 192.168.112.64, which is the internal of the SonicWall.
0
 
lrmooreCommented:
Just for a test, add a static route on your PC for both the .112 network and the vendor public IP block:
c:\>route add 192.168.112.0 mask 255.255.255.0 192.168.111.64
c:\>route add x.x.x.0 mask 255.255.255.0 192.168.111.64
0
 
wvumountieAuthor Commented:
Everything is working great. Thanks for all of your help.
0
