I am attempting to configure a VPN tunnel between our SonicWall TZ 210 (SonicOS 126.96.36.199-7o) and a customer's Cisco 3000 device.
Goal - to configure our subnet (192.168.249.0/24) to access 150.xxx.xxx.68 (which has been translated on the customer's side to get us to the privately routed public IP address of the server we need) via a VPN connection, while appearing on their network as 150.xxx.xxx.69. The customer has suggested that we use PAT to route all of our traffic through 150.xxx.xxx.69 so that we route through their networks appropriately.
The good news - the tunnel works (Key exchanges work according to logs on both ends and both ends show a working tunnel)
The bad news - I can't get my traffic to route properly to this VPN.
The ugly news...
Why? - well, this is not a "normal" VPN setup. The customer has NATted the VPN on their end in order to provide me with access to only the one server that we need access to. This seems to have been set up OK - we have tested this by pinging a NATted server on their network from mine.
To further complicate things, the server we need to reach is not on the customer's network, but is actually a vendor's system on a public IP that is only accessible from the customer's network. This means that I need to use NAT/PAT on my end to expose all of the traffic from my local subnet as a single IP address that was provided by the customer (that will route properly on their network).
SonicWall provides a pretty good walkthrough of this, which has gotten me most of the way at
Here is my current VPN policy setup (skipping the IKE/IPSEC info - since this is working fine)...
Policy Type - Site to Site
Local Networks - Choose local network from list - LAN primary subnet (this is my local subnet)
Remote Networks - Choose Destination network from list - Customer - Remote (this is a single address "network" provided by the customer, and is a public-range IP address that has been reserved for this purpose - it is configured (as per the above document) in the VPN zone, Type Network, with an address of 150.xxx.xxx.68 and a netmask of 255.255.255.255.)
Enable Keep Alive - Checked
Apply NAT policies - Checked
Translated Local Network - Customer - Local (this is a similar single address "network" provided by customer) - configured in the LAN zone, as a type Network, with an address of 150.xxx.xxx.69 and a netmask of 255.255.255.255
Current behavior - the tunnel comes up, but only when I turn Keep-Alives ON. Otherwise the tunnel does not come up, even when pinging the desired server 150.xxx.xxx.68. In fact, when looking at a SonicWall Packet Capture, the ICMP traffic of a PING normally shows "forwarded", whereas pings to this address just show "received" - leading me to believe this is a routing problem related to my configuration.
Anyone have any ideas?
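The policy described in the post, modelled as an added example (not code from the original post or from SonicWall): traffic from the LAN subnet bound for the remote /32 is source-translated to the translated-local /32 before it is checked against the tunnel's phase-2 selectors, so the selectors the peer negotiates are translated-local to remote, and an untranslated packet does not match them. The 203.0.113.x addresses are RFC 5737 placeholders standing in for the redacted 150.xxx.xxx.68/.69.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder addresses (RFC 5737 documentation range) standing in for the
# redacted 150.xxx.xxx.68 / .69 in the post; constructed for this example.
LOCAL_SUBNET = ipaddress.ip_network("192.168.249.0/24")     # LAN primary subnet
TRANSLATED_LOCAL = ipaddress.ip_network("203.0.113.69/32")  # "Customer - Local"
REMOTE_NETWORK = ipaddress.ip_network("203.0.113.68/32")    # "Customer - Remote"


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def apply_outbound_nat(pkt, local=LOCAL_SUBNET, translated=TRANSLATED_LOCAL,
                       remote=REMOTE_NETWORK):
    """Model of the 'Apply NAT policies' step: LAN traffic bound for the remote
    network is source-translated (many-to-one, i.e. PAT) to the single
    translated-local address before it enters the tunnel."""
    if pkt.src in local and pkt.dst in remote:
        return Packet(translated.network_address, pkt.dst)
    return pkt


def tunnel_selector_match(pkt, local_id=TRANSLATED_LOCAL, remote_id=REMOTE_NETWORK):
    """Phase-2 traffic selectors (proxy IDs) once NAT is applied:
    translated-local /32 <-> remote /32. Only a packet matching both halves
    is encrypted into the tunnel; anything else falls back to normal routing."""
    return pkt.src in local_id and pkt.dst in remote_id


def trace(src, dst, nat_enabled=True):
    """Follow one outbound packet through NAT and the selector check and report
    the source address the peer would see and whether it entered the tunnel."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    if nat_enabled:
        pkt = apply_outbound_nat(pkt)
    return {"src_on_wire": str(pkt.src), "dst": str(pkt.dst),
            "enters_tunnel": tunnel_selector_match(pkt)}


if __name__ == "__main__":
    print(trace("192.168.249.10", "203.0.113.68"))                    # translated, enters tunnel
    print(trace("192.168.249.10", "203.0.113.68", nat_enabled=False))  # untranslated, no match
    print(trace("192.168.249.10", "198.51.100.5"))                     # other destination, routed normally
```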