
Add VPN Router Hardware to VPN Firewall Sonicwall Hardware

fireguy1125 asked:
We currently have a VPN Firewall (Sonicwall Pro3060).  An outside company is requiring us to install a VPN router on our network to secure VPN to them. Our SonicWall already has IPsec VPN tunnels to our other office locations.  One static route is configured to one of our offices that we have a T1 connection to.  We have a block of 5 static IPs from our Cable ISP.  The two WAN ports are already being used on the Sonicwall Pro3060 (one for internet connectivity/webhosting, the other for the VPN tunnels).  We cannot assign another static IP to an interface on the sonicwall, which I would assume we would require to NAT the additional VPN router behind one of the interfaces.

I'm sure this is very simple in theory, but I am getting confused with how everything else comes into play with the existing VPNs and the fact that the sonicwall is our VPN router already.  Am I just assigning a port and NATing one of the IP addresses on the existing interface to the external port of the new VPN router?

I am not configuring the new VPN router, it is being preconfigured and sent to us, but requires information from us.  Below is the info that they require, any help on this would be appreciated:

Hosted Router expected configuration (applies to VPN connectivity)
(I italicized my answer and bolded ones I'm not sure of)

-Internet routable IP/subnet mask and default gateway for outside Ethernet port for Hosted vpn router:
-Interface setting for outside port? We are looking for speed (10/100/1000) and duplex (auto, half, full): Auto
-IP/subnet/gateway for inside Ethernet port of Hosted router: 192.168.0.2 / 192.168.0.2
-Interface setting for inside port? We are looking for speed (10/100/ or 1000) and duplex (auto, half, or full): 100/Full
-Next hop for inside port of Hosted router: Unsure, do I put our existing Sonicwall as the hop?
-Source IP address of traffic inbound to Hosted servers (typically, end user subnet, firewall NAT, firewall hide address): Unsure, is this our WAN IP? 68.190.x.x? with the port?
-For outside PORT, if hosted VPN router would be located behind firewall, we need info for that too (ip, subnet, gateway and associated routable IP/subnet/gateway): Since I think it will have to be behind our Sonicwall, I'm thinking 192.168.0.3:6000 gateway: (sonicwall ip: 192.168.0.1) subnet: 255.255.0.0

Our local LAN info is 192.168.x.x / 255.255.0.0 / 192.168.0.1

Thank you.

Top Expert 2010 commented:
What you should do, in order to keep one gateway for your hosts, is to configure an interface on your 3060.  Give it an IP on the subnet that the LAN of the VPN appliance is on.  When you set up the interface, this will create your routes.  When I've set these up in the past, I give the vendor an IP in my public static range.  They'll configure their WAN interface with this IP.  I get a small switch and connect my sonicwall WAN interface, the vendor's WAN interface and the Internet on this switch.  Additionally, being a VPN appliance, it will be important that they are not behind your sonicwall.

-This would be one of your public IP addresses.
-Check your sonicwall for this setting.
-When they configured the appliance, did they provide you with a LAN IP address?
-You could probably get away with Auto on the LAN interface.
-If you put their WAN interface directly on the Internet, then it will be your ISP's gateway.
-I think it's one of your public IP addresses.
-If you put them directly on the Internet, then this becomes null.

Author commented:
digitap, thank you. When you write "Give it an IP on the subnet that the LAN of the VPN appliance is on":

Should I make it different than what my lan is, for example if I have 192.168.x.x/16 can I make it 10.1.1.x/24 ? So I would give them the IP of 10.1.1.254 and they can use that network when configuring the switch?

My ISP provides us with Cable modem and Cisco 851 ISR that we can plug their WAN interface into.

They require connectivity to appliances that are located at our various VPN links, so their router will be interfacing at our main VPN/firewall that has VPN links to other sites at different addresses.  Our main is 192.168.x.x, the remote sites are 10.1.x.x.  What additional configuring will need to be performed to provide connectivity to these locations?

Take a look at the following Tech Note. It tells you how to use the X2 interface to connect the VPN.
http://www.sonicwall.com/downloads/Using_the_OPT_Port.pdf

Author commented:
digitap to answer your other questions:

-When they configured the appliance, did they provide you with a LAN IP address? ----No, they did not; they are asking for it so they can configure with what I specify.  Should I keep it in the 192.168.x.x range or make it different?

Top Expert 2010 commented:
Correct.  Make it separate and allow your sonicwall to route between the two networks.  Their gateway on their LAN interface will be the IP you assign the new interface on your sonicwall.  My primary purpose for this is I can now allow/disallow connectivity to my LAN through firewall rules on the sonicwall.  If they use the VPN to connect to only specific hosts on my LAN, then why put them on my LAN to have access to everything?  I set their appliance on a Sonicwall Interface, then only give them access to the specific hosts... that's it.  You can bet they're doing this to me on their end.


I don't really understand what the 851 is doing in this case.  Is it running in transparent mode and your sonicwall has a public IP address or is the public IP address on the WAN interface of the 851?
Top Expert 2010 commented:
Regarding http:#a32985799, you want to make it different.

Also, you don't have an Opt port, as the article points out since you have a Pro 3060, so the Tech Note provided here, http:#a32985789, won't match entirely, but the principle is the same.  You create a new zone, assign the zone to an existing physical interface giving it an IP address, etc.

Author commented:
To my understanding all it is doing is providing the static IP addresses, I have the public IP addresses entered in the sonicwall interface settings.
Top Expert 2010 commented:
So, does it have a built in switch such that you can connect the vendor's VPN appliance or would you need to get your own 4 to 8 port switch for this purpose?

Author commented:
Yes, built-in switch. If I plug in a laptop and configure it with the ISP-provided static settings I get connectivity, so I will just plug the vendor's VPN appliance into that and give them those settings.

So just to review....
I'll set up an unused interface on the sonicwall, give it a different network range (i.e. 172.20.0.x), give it say 172.20.0.1 as the INT IP, and have the vendor assign the VPN router INT IP as 172.20.0.2.  Have the vendor VPN router external interface be assigned 68.190.x.1, the next hop on the vendor INT interface be the ISP gateway 68.190.x.254, and the source of the inbound traffic on THEIR servers will be the range of our static IPs. I think that covers it, and all I'll do is configure firewall rules for what they need access to on our network.

Thanks so much I now have a better understanding of everything!
Attached is a page right out of the Pro 3060 manual that shows the Opt port X3.
SonicWALL-PRO-3060.pdf
Top Expert 2010 commented:
That's awesome!  One less thing that could go wrong.

You are correct.  The WAN interface will look like the WAN interface of your sonicwall except the public IP address will be different.  Subnet mask and gateway will be the same.  The LAN interface will have the 172.20.0.2/24 with the gateway being the interface of your sonicwall, 172.20.0.1/24.

If they need to access hardware at other locations that are across a VPN established by your sonicwall, then don't forget to configure the firewall rules as such.  Just giving them access to the LAN zone will not give them access to the VPN zone and vice versa.

I'm glad I could help!

Author commented:
How will the vendor connect to nodes over VPN links?  At our main HQ we have a subnet 192.168.x.x / 16.  At our remote offices we have 10.1.1.x / 24, 10.1.2.x / 24 .... etc up to 15 remote sites with VPN.  If the vendor is being interfaced with a newly created network 172.20.x.x /24, will the rules work if I setup for the DMZ interface IP: 172.20.0.1 to allow access over a VPN to 10.1.1.50? Isn't there more involved to this, like NATing?

Author commented:
If anyone can assist I will open new question.
Top Expert 2010 commented:
Yes, I can help you with this as well as others.  There is no NAT'ing.  Are you talking about a sonicwall in particular?  Essentially, when you indicate someone can connect to your network via a VPN, then you are putting them directly on your network.  At this point, there is no NAT'ing.  Only routes to get from one network to another and firewall rules to keep traffic secure.  The only time you really need to consider NAT'ing is if you have one IP network that is identical to another; then you have to "mask" the networks, making them appear as different IP networks to each other.  However, it looks like you don't have that situation here.
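The addressing plan the author summarized above (a separate 172.20.0.x network on a spare SonicWall interface, vendor inside IP .2 with the SonicWall's .1 as gateway, remote sites reached through the existing tunnels) and the expert's two points (NAT is only needed when networks overlap; rules toward the LAN zone do not cover the VPN zone) can be checked before the numbers are handed to the vendor. The script below is an added example, not code from this thread or from SonicWall; the subnets and hosts are constructed placeholders standing in for the masked "x" octets, and the zone names and rule format are assumptions, not the appliance's own configuration syntax.

```python
import ipaddress
from itertools import combinations

# Constructed addressing plan mirroring the thread; the masked octets ("x")
# in the posts are filled with placeholder values here.
INTERNAL_NETS = {
    "LAN (HQ)": "192.168.0.0/16",
    "Vendor DMZ (X3 interface)": "172.20.0.0/24",
    "Remote site 1": "10.1.1.0/24",
    "Remote site 2": "10.1.2.0/24",
}

# Assumed zone membership as the firewall sees it: the LAN zone is the HQ
# subnet, the VPN zone is everything reached over the site-to-site tunnels.
ZONES = {
    "LAN": ["192.168.0.0/16"],
    "VPN": ["10.1.1.0/24", "10.1.2.0/24"],
}


def find_overlaps(nets):
    """Return sorted name pairs whose subnets overlap.

    Overlap is the one situation the expert says would force NAT; with
    disjoint networks, routing plus firewall rules is enough.
    """
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in nets.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


def check_interface(ip, prefix_len, gateway):
    """Validate one interface's numbering: the host and its gateway share
    the subnet and are distinct, and the host is a usable address.
    Returns (ok, reason)."""
    host = ipaddress.ip_address(ip)
    gw = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    if host == gw:
        return False, "interface IP equals its gateway"
    if gw not in net:
        return False, f"gateway {gw} is outside {net}"
    if host in (net.network_address, net.broadcast_address):
        return False, "interface IP is the network or broadcast address"
    return True, f"{host} and gateway {gw} both in {net}"


def vendor_rules(vendor_cidr, allowed_hosts, zones):
    """Least-privilege rule set for the vendor zone: one allow per permitted
    host, aimed at the zone that actually contains that host (so a host
    behind a tunnel gets a DMZ->VPN rule, not DMZ->LAN), then deny the rest."""
    vnet = ipaddress.ip_network(vendor_cidr)
    rules = []
    for host in allowed_hosts:
        addr = ipaddress.ip_address(host)
        zone = next(
            (z for z, cidrs in zones.items()
             if any(addr in ipaddress.ip_network(c) for c in cidrs)),
            None,
        )
        if zone is None:
            raise ValueError(f"{host} is not in any configured zone")
        rules.append({"from": "DMZ", "to": zone, "src": str(vnet),
                      "dst": f"{addr}/32", "action": "allow"})
    rules.append({"from": "DMZ", "to": "any", "src": str(vnet),
                  "dst": "any", "action": "deny"})
    return rules


if __name__ == "__main__":
    print("overlapping networks:", find_overlaps(INTERNAL_NETS))
    print("vendor inside interface:", check_interface("172.20.0.2", 24, "172.20.0.1"))
    for rule in vendor_rules("172.20.0.0/24", ["10.1.1.50", "192.168.5.10"], ZONES):
        print(rule)
```

Running it against the thread's plan reports no overlapping networks, confirms the vendor's inside interface and gateway are on the same /24, and produces one allow toward the VPN zone for the remote-site host, one toward the LAN zone for the HQ host, and a final deny; adding an aggregate such as 10.1.0.0/16 next to the existing /24s is the kind of overlap the function is there to catch.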

Author commented:
Sorry I didn't see your reply until now, I have opened a second question that someone is working on but feel free to chime in.  Thank you.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_26301971.html#a33126135
Top Expert 2010 commented:
No worries...