fireguy1125

asked on

Add VPN Router Hardware to VPN Firewall Sonicwall Hardware

We currently have a VPN firewall (SonicWall Pro 3060).  An outside company is requiring us to install a VPN router on our network to secure the VPN to them. Our SonicWall already has IPsec VPN tunnels to our other office locations.  One static route is configured to one of our offices that we have a T1 connection to.  We have a block of 5 static IPs from our cable ISP.  The two WAN ports are already being used on the SonicWall Pro 3060 (one for internet connectivity/web hosting, the other for the VPN tunnels).  We cannot assign another static IP to an interface on the SonicWall, which I would assume we would require to NAT the additional VPN router behind one of the interfaces.

I'm sure this is very simple in theory, but I am getting confused with everything else that comes into play with the existing VPNs and the fact that the SonicWall is our VPN router already.  Am I just assigning a port and NATing one of the IP addresses on the existing interface to the external port of the new VPN router?

I am not configuring the new VPN router, it is being preconfigured and sent to us, but requires information from us.  Below is the info that they require, any help on this would be appreciated:

Hosted Router expected configuration (applies to VPN connectivity)
(I italicized my answer and bolded ones I'm not sure of)

-Internet routable IP/subnet mask and default gateway for outside Ethernet port for Hosted vpn router:
-Interface setting for outside port? We are looking for speed (10/100/1000) and duplex (auto, half, full): Auto
-IP/subnet/gateway for inside Ethernet port of Hosted router: 192.168.0.2 / 192.168.0.2
-Interface setting for inside port? We are looking for speed (10/100/ or 1000) and duplex (auto, half, or full): 100/Full
-Next hop for inside port of Hosted router: Unsure, do I put our existing SonicWall as the hop?
-Source IP address of traffic inbound to Hosted servers (typically, end user subnet, firewall NAT, firewall hide address): Unsure, is this our WAN IP? 68.190.x.x? with the port?
-For outside PORT, if hosted VPN router would be located behind firewall, we need info for that too (ip, subnet, gateway and associated routable IP/subnet/gateway): Since I think it will have to be behind our Sonicwall, I'm thinking 192.168.0.3:6000 gateway: (sonicwall ip: 192.168.0.1) subnet: 255.255.0.0

Our local LAN info is 192.168.x.x / 255.255.0.0 / 192.168.0.1

Thank you.
ASKER CERTIFIED SOLUTION
digitap
This solution is only available to members.
fireguy1125

ASKER

digitap, thank you. When you write: "Give it an IP on the subnet that the LAN of the VPN appliance is on"

Should I make it different from what my LAN is? For example, if I have 192.168.x.x/16, can I make it 10.1.1.x/24? So I would give them the IP of 10.1.1.254 and they can use that network when configuring the switch?

My ISP provides us with Cable modem and Cisco 851 ISR that we can plug their WAN interface into.

They require connectivity to appliances that are located at our various VPN links, so their router will be interfacing at our main VPN/firewall, which has VPN links to other sites at different addresses.  Our main site is 192.168.x.x; the remote sites are 10.1.x.x.  What additional configuring will need to be performed to provide connectivity to these locations?
Carl Dula
Take a look at the following Tech Note. It tells you how to use the X2 interface to connect the VPN.
http://www.sonicwall.com/downloads/Using_the_OPT_Port.pdf
digitap, to answer your other questions:

-When they configured the appliance, did they provide you with a LAN IP address? ----No, they did not; they are asking for one, so they can configure it with what I specify.  Should I keep it in the 192.168.x.x range or make it different?

SOLUTION
This solution is only available to members.
Regarding http:#a32985799, you want to make it different.

Also, you don't have an Opt port, as the article points out, since you have a Pro 3060, so the Tech Note provided here, http:#a32985789, won't match entirely, but the principle is the same.  You create a new zone, assign the zone to an existing physical interface giving it an IP address, etc.
To my understanding, all it is doing is providing the static IP addresses; I have the public IP addresses entered in the SonicWall interface settings.
So, does it have a built in switch such that you can connect the vendor's VPN appliance or would you need to get your own 4 to 8 port switch for this purpose?
Yes, it has a built-in switch; if I plug in a laptop and configure it with the ISP-provided static settings, I get connectivity, so I will just plug the vendor's VPN appliance into that and give them those settings.

So just to review...
I'll set up an unused interface on the SonicWall, give it a different network range (i.e. 172.20.0.x), give it, say, 172.20.0.1 as the INT IP, and have the vendor assign the VPN router INT IP as 172.20.0.2.  Have the vendor VPN router external interface be assigned 68.190.x.1, with the next hop on the vendor INT interface being the ISP gateway 68.190.x.254; the source of the inbound traffic on THEIR servers will be the range of our static IPs, and I think that covers it. All I'll do is configure firewall rules for what they need access to on our network.

Thanks so much I now have a better understanding of everything!
Attached is a page right out of the Pro 3060 manual that shows the Opt port X3.
SonicWALL-PRO-3060.pdf
That's awesome!  One less thing that could go wrong.

You are correct.  The WAN interface will look like the WAN interface of your sonicwall except the public IP address will be different.  Subnet mask and gateway will be the same.  The LAN interface will have the 172.20.0.2/24 with the gateway being the interface of your sonicwall, 172.20.0.1/24.

If they need to access hardware at other locations that are across a VPN established by your sonicwall, then don't forget to configure the firewall rules as such.  Just giving them access to the LAN zone will not give them access to the VPN zone and vice versa.

I'm glad I could help!
How will the vendor connect to nodes over VPN links?  At our main HQ we have a subnet 192.168.x.x / 16.  At our remote offices we have 10.1.1.x / 24, 10.1.2.x / 24 .... etc up to 15 remote sites with VPN.  If the vendor is being interfaced with a newly created network 172.20.x.x /24, will the rules work if I setup for the DMZ interface IP: 172.20.0.1 to allow access over a VPN to 10.1.1.50? Isn't there more involved to this, like NATing?
If anyone can assist I will open new question.
Yes, I can help you with this as well as others.  There is no NATing.  Are you talking about a SonicWall in particular?  Essentially, when you indicate someone can connect to your network via a VPN, you are putting them directly on your network.  At this point, there is no NATing, only routes to get from one network to another and firewall rules to keep traffic secure.  The only time you really need to consider NATing is if you have one IP network that is identical to another; then you have to "mask" the networks, making them appear as different IP networks to each other.  However, it looks like you don't have that situation here.
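The two points digitap makes above (a DMZ-to-LAN rule does not cover DMZ-to-VPN traffic, and NAT is only needed when address space overlaps) are easy to check with a small model of zone-based policy evaluation. The following is an added example written for this page, not code from the thread, from SonicWall, or from the vendor. It uses the addressing the asker describes (172.20.0.0/24 for the new vendor interface, 192.168.0.0/16 for HQ, 10.1.N.0/24 for the remote sites behind the SonicWall's own tunnels); the zone names, the rule tables, the sample flows and the 10.1.1.50 appliance address are assumptions for illustration, not the asker's real configuration.

```python
"""Model of zone-based firewall evaluation for the design discussed above.

Added example, not code from the original thread or from SonicWall.
Zones, rules and sample addresses are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Which networks sit behind which zone (interface or IPsec tunnel).
# Constructed from the addressing plan in the thread.
ZONE_ROUTES = {
    "DMZ": [ip_network("172.20.0.0/24")],       # new interface for the vendor VPN router
    "LAN": [ip_network("192.168.0.0/16")],      # HQ LAN behind the SonicWall
    # Remote sites reached over SonicWall-terminated IPsec tunnels (VPN zone).
    "VPN": [ip_network(f"10.1.{n}.0/24") for n in range(1, 16)],
}

# Access rules are evaluated per (source zone, destination zone) pair, first
# match wins; an empty destination list means "any". The first table only
# opens DMZ -> LAN, which is the gap digitap warns about; the second also
# opens DMZ -> VPN for a single hypothetical appliance at 10.1.1.50.
RULES_LAN_ONLY = [
    ("DMZ", "LAN", [ip_network("192.168.0.0/16")], "allow"),
]
RULES_FIXED = RULES_LAN_ONLY + [
    ("DMZ", "VPN", [ip_network("10.1.1.50/32")], "allow"),
]


def zone_for(addr):
    """Longest-prefix match: return the zone whose route owns this address, or None."""
    a = ip_address(addr)
    best = None
    for zone, nets in ZONE_ROUTES.items():
        for net in nets:
            if a in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (zone, net)
    return best[0] if best else None


def evaluate(rules, src, dst):
    """Return 'allow' or 'deny' for a flow the way a zone-based firewall does:
    look up the source and destination zones, then walk only the rules for
    that zone pair. No NAT is modelled: DMZ, LAN and tunnel subnets are all
    distinct, so the vendor reaches the real 192.168.x.x / 10.1.x.x addresses."""
    src_zone, dst_zone = zone_for(src), zone_for(dst)
    if src_zone is None or dst_zone is None:
        return "deny"  # no route to one side, nothing to evaluate
    for rule_src, rule_dst, nets, action in rules:
        if rule_src == src_zone and rule_dst == dst_zone:
            if not nets or any(ip_address(dst) in n for n in nets):
                return action
    return "deny"  # implicit default deny between zones


def nat_needed(local_nets, remote_nets):
    """NAT across a site-to-site VPN is only required when address space
    collides. Return the (local, remote) pairs that overlap; empty means
    plain routing plus firewall rules is enough, as digitap says."""
    return [(str(l), str(r)) for l in local_nets for r in remote_nets if l.overlaps(r)]
```

Running `evaluate(RULES_LAN_ONLY, "172.20.0.2", "10.1.1.50")` returns "deny" even though the vendor router can reach the HQ LAN, because the destination resolves to the VPN zone and no DMZ-to-VPN rule exists; `RULES_FIXED` allows it. `nat_needed` only reports a collision when a vendor-side network overlaps one of the local ranges, which is the single case where the "masking" NAT digitap describes becomes necessary.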
Sorry I didn't see your reply until now, I have opened a second question that someone is working on but feel free to chime in.  Thank you.

https://www.experts-exchange.com/questions/26301971/Sonicwall-Pro3060-and-Cisco-VPN-Firewall-NAT-rules.html?anchorAnswerId=33126135#a33126135
No worries...