Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

NAT / External IP Needed

Posted on 2010-09-08
8
Medium Priority
?
470 Views
Last Modified: 2012-05-10
I have a SonicWall 2040 Pro with a T1 plugged into the X1 WAN port with several internal servers NAT'd to external IP's.  I have a couple Cisco VPN routers that need external IP's outside of the firewall and I don't have any DMZ ports available on the SonicWall.  What is the best way to accomplish this?  I have 13 IP's, with 5 available still.
0
Comment
Question by:drivetech
8 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33632319
You should be able to make a static NAT mapping from the external IPs to the internal IPs on the Cisco devices.  Then just allow all traffic destined to the external IPs and outbound from the internal IPs.
0
 
LVL 33

Accepted Solution

by:
digitap earned 252 total points
ID: 33633368
Install a switch and connect the T1 to it along with the WAN interface of the sonicwall and the WAN of the Cisco.  That will put the Cisco on the Internet since you don't have any available ports on the sonicwall.  Put the LAN interface on the same IP network as the sonicwall LAN interface.  Put a route on the sonicwall for traffic needed to traverse the VPN pointing at the LAN interface of the Cisco.  Make sense?
0
 
LVL 17

Assisted Solution

by:ccomley
ccomley earned 248 total points
ID: 33634365
You can go two ways.

1) Bridge the Cisco firewall "around" the Sonicwall. This means you have to trust BOTH firewalls equally and make sure both remain fully secure, with all the same rules and filters in place, as either can be a route IN to your network, and either is a route out. But this way the Cisco has a real public IP address on its WAN port, and everything is just as the Cisco manual. You would also need to make sure any traffic using the VPN has teh Cisco as its default gateway, not the Sonicwall, or that  there's a static route on the Sonicwall forwarding relevant traffic to the Cisco.  To do this, you buy a new switch and connect it on the WAN side, so it connects the T1 router's LAN port, the WAN port of the Cisco and the WAN port of the Sonicwall. (And if you have more than one Cisco, clearly you can just repeat the trick!)

2) Much safer would be to put the Cisco INSIDE the Sonicwall. If you have a spare X-port on the Sonicwall it may be easier to connect the WAN of the Cisco to that and the LAN of the Cisco to your main LAN switch. Or else just connect BOTH Cisco ports to your LAN switch. Whatever IP address you give to the Cisco WAN port, map THAT to a public IP address using the NAT tools of the Sonicwall just as you would for any other "public server" setup. Use this IP as the target for the VPN tunnel, with suitable "permit" rules ni place on the Sonicwall to allow the IKE (et al) traffic in.

or...

3) Why are you not using the very powerful VPN tools on the Sonicwall itself?

0
WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

 
LVL 33

Expert Comment

by:digitap
ID: 33637157
@ccomley :: Regarding option 1, sounds like my suggestion.  Regarding your 2nd option, I guess I was assuming that the Cisco VPN appliance WAS a firewall.  Assuming it's a firewall means you should trust it as much as the sonicwall, right?  Putting it behind the sonicwall means you believe the sonicwall is a better firewall than the Cisco...am I reading into that too much?  Regarding option 3, that's a good question, which had not occurred to me.  Many times the vendors supply their own hardware and there's no way around that.
0
 

Author Comment

by:drivetech
ID: 33642385
@ccomley / digitap:

Using a switch worked great. I have no control over the Cisco (corporate does), so I have to make it work.
Thanks!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33642430
i'm glad it worked...thanks for the points!
0
 
LVL 17

Expert Comment

by:ccomley
ID: 33644314
Digitap - yes, the first solution is one you suggested but I felt it warranted further explanation especially as it breaches the existing firewall which is always a risk, even if the second firewall is just as good. It still need someone to realise the problem and apply sufficient thought and skill to configuring the second firewall to make sure it doesn't cause a breach. There may also be policy issues. Would I trust a Cisco firewall as much as a Sonicwall, specifically? I have to say, it depends which Cisco. A PIX is massivly inferior to a Sonicwall. An ASA is better. But is it as good? Test results I've seen say not necessarily. Just coz they make good routers doesn't mean everything that says "Cisco" on the front is automatically the best.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33646439
@ccomley :: Indeed, clarity is always a bonus.  You know, there was a time when I wished our company worked with Cisco over Sonicwall.  As my experience grows through my job and here on EE, neither are really good across the board.  Like you, each have their models that are better than the other and there is the right firewall for the job, but it's not always the same vendor.  I think we see eye to eye on that.  It's been nice working with you.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question