
Configure Sonicwall TZ-190 with Cisco VPN box

riverbank asked
On the Sonicwall we have an assigned range of WAN IP addresses while the WAN IP address we need to use is This configuration has worked fine for our requirements until now.

x0:lan -
x1:wan -

We have an external US dept who want to introduce a Cisco box-to-box VPN to allow users in our network to access servers in the US one. They have supplied a pre-configured Cisco ASA device configured with a public IP address (i.e. in the range of useable IP addresses we have).

To get this incorporated in the network I believe we need to add another PortShield interface in transparent mode to allocate the required IP address to this device and allow it to create the box-to-box VPN. However, because of the disparity in the WAN IP address and the useable IP address I get "Error: Transparent Range not in WAN subnet" when I try to add this interface.

I have no access to the Cisco box so I cannot see a way to alter the setup to use NAT instead of transparent mode and I'm not sure whether it would correctly build the VPN tunnel using NAT. Does anyone know if this is possible and if it is what I am missing?

Top Expert 2010

What is the LAN IP of the Cisco?  Whatever that is, configure another interface on the Sonicwall with that IP network.  Make a new trusted zone.  I've got a few of these configurations with Check Point and Cisco.  That's how I resolve those issues.


The LAN side of the Cisco has an IP address of So are you suggesting that I create a PortShield interface with an IP address such as, connect the LAN of the Cisco to this and then set up NAT to this interface? Am I correct in assuming this then effectively ignores the WAN interface on the Cisco?
Top Expert 2010
You are understanding the direction I think you should go.  You only need a NAT rule if you need to hide your subnet from the network on the other side of their VPN.  They may already be handling that.  If you already know the IP network their servers are on that need to be accessed over the VPN AND if it is different from, then you'll need to set up a static route to use the new interface as the gateway for that IP network.
Top Expert 2010

Glad I could help and thanks for the points!