?
Solved

NAT / External IP Needed

Posted on 2010-09-08
8
Medium Priority
?
474 Views
Last Modified: 2012-05-10
I have a SonicWall 2040 Pro with a T1 plugged into the X1 WAN port with several internal servers NAT'd to external IP's.  I have a couple Cisco VPN routers that need external IP's outside of the firewall and I don't have any DMZ ports available on the SonicWall.  What is the best way to accomplish this?  I have 13 IP's, with 5 available still.
0
Comment
Question by:drivetech
8 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33632319
You should be able to make a static NAT mapping from the external IPs to the internal IPs on the Cisco devices.  Then just allow all traffic destined to the external IPs and outbound from the internal IPs.
0
 
LVL 33

Accepted Solution

by:
digitap earned 252 total points
ID: 33633368
Install a switch and connect the T1 to it along with the WAN interface of the sonicwall and the WAN of the Cisco.  That will put the Cisco on the Internet since you don't have any available ports on the sonicwall.  Put the LAN interface on the same IP network as the sonicwall LAN interface.  Put a route on the sonicwall for traffic needed to traverse the VPN pointing at the LAN interface of the Cisco.  Make sense?
0
 
LVL 17

Assisted Solution

by:ccomley
ccomley earned 248 total points
ID: 33634365
You can go two ways.

1) Bridge the Cisco firewall "around" the Sonicwall. This means you have to trust BOTH firewalls equally and make sure both remain fully secure, with all the same rules and filters in place, as either can be a route IN to your network, and either is a route out. But this way the Cisco has a real public IP address on its WAN port, and everything is just as the Cisco manual. You would also need to make sure any traffic using the VPN has teh Cisco as its default gateway, not the Sonicwall, or that  there's a static route on the Sonicwall forwarding relevant traffic to the Cisco.  To do this, you buy a new switch and connect it on the WAN side, so it connects the T1 router's LAN port, the WAN port of the Cisco and the WAN port of the Sonicwall. (And if you have more than one Cisco, clearly you can just repeat the trick!)

2) Much safer would be to put the Cisco INSIDE the Sonicwall. If you have a spare X-port on the Sonicwall it may be easier to connect the WAN of the Cisco to that and the LAN of the Cisco to your main LAN switch. Or else just connect BOTH Cisco ports to your LAN switch. Whatever IP address you give to the Cisco WAN port, map THAT to a public IP address using the NAT tools of the Sonicwall just as you would for any other "public server" setup. Use this IP as the target for the VPN tunnel, with suitable "permit" rules ni place on the Sonicwall to allow the IKE (et al) traffic in.

or...

3) Why are you not using the very powerful VPN tools on the Sonicwall itself?

0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
LVL 33

Expert Comment

by:digitap
ID: 33637157
@ccomley :: Regarding option 1, sounds like my suggestion.  Regarding your 2nd option, I guess I was assuming that the Cisco VPN appliance WAS a firewall.  Assuming it's a firewall means you should trust it as much as the sonicwall, right?  Putting it behind the sonicwall means you believe the sonicwall is a better firewall than the Cisco...am I reading into that too much?  Regarding option 3, that's a good question, which had not occurred to me.  Many times the vendors supply their own hardware and there's no way around that.
0
 

Author Comment

by:drivetech
ID: 33642385
@ccomley / digitap:

Using a switch worked great. I have no control over the Cisco (corporate does), so I have to make it work.
Thanks!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33642430
i'm glad it worked...thanks for the points!
0
 
LVL 17

Expert Comment

by:ccomley
ID: 33644314
Digitap - yes, the first solution is one you suggested but I felt it warranted further explanation especially as it breaches the existing firewall which is always a risk, even if the second firewall is just as good. It still need someone to realise the problem and apply sufficient thought and skill to configuring the second firewall to make sure it doesn't cause a breach. There may also be policy issues. Would I trust a Cisco firewall as much as a Sonicwall, specifically? I have to say, it depends which Cisco. A PIX is massivly inferior to a Sonicwall. An ASA is better. But is it as good? Test results I've seen say not necessarily. Just coz they make good routers doesn't mean everything that says "Cisco" on the front is automatically the best.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33646439
@ccomley :: Indeed, clarity is always a bonus.  You know, there was a time when I wished our company worked with Cisco over Sonicwall.  As my experience grows through my job and here on EE, neither are really good across the board.  Like you, each have their models that are better than the other and there is the right firewall for the job, but it's not always the same vendor.  I think we see eye to eye on that.  It's been nice working with you.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
LinkedIn blogging is great for networking, building up an audience, and expanding your influence as well. However, if you want to achieve these results, you need to work really hard to make your post worth liking and sharing. Here are 4 tips that ca…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question