
Configure Sonicwall TZ-190 with Cisco VPN box

riverbank asked:
On the Sonicwall we have an assigned range of WAN IP addresses 123.123.123.1/255.255.255.248 while the WAN IP address we need to use is 111.111.111.229/255.255.255.252. This configuration has worked fine for our requirements until now.

x0:lan - 192.168.168.1/255.255.255.0
x1:wan - 111.111.111.229/255.255.255.252
x2:
x3:
x4:
x5:

We have an external US dept who want to introduce a Cisco box-to-box VPN to allow users in our network to access servers in the US one. They have supplied a pre-configured Cisco ASA device configured with a public IP address 123.123.123.3 (i.e. in the range of usable IP addresses we have).

To get this incorporated in the network I believe we need to add another PortShield interface in transparent mode to allocate the required IP address to this device and allow it to create the box-to-box VPN. However, because of the disparity between the WAN IP address and the usable IP address range, I get "Error: Transparent Range not in WAN subnet" when I try to add this interface.

I have no access to the Cisco box so I cannot see a way to alter the setup to use NAT instead of transparent mode, and I'm not sure whether it would correctly build the VPN tunnel using NAT. Does anyone know if this is possible and, if it is, what I am missing?

Top Expert 2010

Commented:
What is the LAN IP of the Cisco? Whatever that is, configure another interface on the SonicWall with that IP network. Make a new trusted zone. I've got a few of these configurations with Check Point and Cisco. That's how I resolve those issues.

Author

Commented:
The LAN side of the Cisco has an IP address of 192.168.200.3. So are you suggesting that I create a PortShield interface with an IP address such as 192.168.200.1, connect the LAN of the Cisco to this and then set up NAT to this interface? Am I correct in assuming this then effectively ignores the WAN interface on the Cisco?
Top Expert 2010

Commented:
You are understanding the direction I think you should go. You only need a NAT rule if you need to hide your subnet from the network on the other side of their VPN. They may already be handling that. If you already know the IP network their servers are on that need to be accessed over the VPN AND if it is different from 192.168.200.0/24, then you'll need to set up a static route to use the new interface as the gateway for that IP network.
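The two checks discussed in this thread (why the transparent range is rejected, and when a static route toward the Cisco's LAN address is needed) can be verified with Python's standard `ipaddress` module before touching the firewall. The script below is an added example, not code from the thread or from SonicWall; the WAN, LAN and Cisco addresses are the ones quoted above, while the remote server subnet `10.50.0.0/24` is a hypothetical placeholder because the thread never names it.

```python
import ipaddress

# Values from the thread (constructed test data, not a live configuration).
WAN_IFACE = "111.111.111.229/30"       # x1:wan on the SonicWall
LAN_IFACE = "192.168.168.1/24"         # x0:lan on the SonicWall
NEW_IFACE = "192.168.200.1/24"         # proposed trusted interface facing the Cisco LAN
CISCO_LAN = "192.168.200.3"            # LAN side of the Cisco ASA
TRANSPARENT_ADDR = "123.123.123.3"     # public address the Cisco expects
REMOTE_SERVERS = "10.50.0.0/24"        # hypothetical: subnet behind the far end of the VPN


def transparent_range_ok(wan_iface: str, addr: str) -> bool:
    """Transparent mode only accepts addresses inside the WAN interface's own subnet.

    This reproduces the condition behind "Transparent Range not in WAN subnet".
    """
    wan_net = ipaddress.ip_interface(wan_iface).network
    return ipaddress.ip_address(addr) in wan_net


def route_needed(ifaces, remote_net: str) -> bool:
    """A static route is needed unless a directly connected interface already covers remote_net."""
    remote = ipaddress.ip_network(remote_net)
    return not any(remote.subnet_of(ipaddress.ip_interface(i).network) for i in ifaces)


def static_route(ifaces, remote_net: str, gateway: str):
    """Build the static route entry, or None if the remote network is directly connected.

    The gateway must be on-link for one of the configured interfaces, otherwise the
    route could never be used; raise rather than emit an unusable entry.
    """
    if not route_needed(ifaces, remote_net):
        return None
    gw = ipaddress.ip_address(gateway)
    on_link = [ipaddress.ip_interface(i) for i in ifaces
               if gw in ipaddress.ip_interface(i).network]
    if not on_link:
        raise ValueError(f"gateway {gateway} is not on any configured interface")
    return {
        "destination": str(ipaddress.ip_network(remote_net)),
        "gateway": str(gw),
        "interface": str(on_link[0].ip),
    }


if __name__ == "__main__":
    # Why the original transparent-mode attempt fails: 123.123.123.3 is outside 111.111.111.228/30.
    print("transparent range accepted:", transparent_range_ok(WAN_IFACE, TRANSPARENT_ADDR))
    ifaces = [LAN_IFACE, NEW_IFACE]
    # The Cisco's own LAN (192.168.200.0/24) is directly connected once x2 is configured...
    print("route needed for 192.168.200.0/24:", route_needed(ifaces, "192.168.200.0/24"))
    # ...but a different remote server subnet needs a static route via the Cisco's LAN address.
    print("route for remote servers:", static_route(ifaces, REMOTE_SERVERS, CISCO_LAN))
```

Run it as-is to see the transparent-range check fail for the quoted addresses and the static route resolve to gateway 192.168.200.3 on the new 192.168.200.1 interface; swap in the real remote subnet once the US department provides it.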
Top Expert 2010

Commented:
Glad I could help and thanks for the points!