Solved

NAT / External IP Needed

Posted on 2010-09-08
8
465 Views
Last Modified: 2012-05-10
I have a SonicWall 2040 Pro with a T1 plugged into the X1 WAN port with several internal servers NAT'd to external IP's.  I have a couple Cisco VPN routers that need external IP's outside of the firewall and I don't have any DMZ ports available on the SonicWall.  What is the best way to accomplish this?  I have 13 IP's, with 5 available still.
0
Comment
Question by:drivetech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33632319
You should be able to make a static NAT mapping from the external IPs to the internal IPs on the Cisco devices.  Then just allow all traffic destined to the external IPs and outbound from the internal IPs.
0
 
LVL 33

Accepted Solution

by:
digitap earned 63 total points
ID: 33633368
Install a switch and connect the T1 to it along with the WAN interface of the sonicwall and the WAN of the Cisco.  That will put the Cisco on the Internet since you don't have any available ports on the sonicwall.  Put the LAN interface on the same IP network as the sonicwall LAN interface.  Put a route on the sonicwall for traffic needed to traverse the VPN pointing at the LAN interface of the Cisco.  Make sense?
0
 
LVL 17

Assisted Solution

by:ccomley
ccomley earned 62 total points
ID: 33634365
You can go two ways.

1) Bridge the Cisco firewall "around" the Sonicwall. This means you have to trust BOTH firewalls equally and make sure both remain fully secure, with all the same rules and filters in place, as either can be a route IN to your network, and either is a route out. But this way the Cisco has a real public IP address on its WAN port, and everything is just as the Cisco manual. You would also need to make sure any traffic using the VPN has teh Cisco as its default gateway, not the Sonicwall, or that  there's a static route on the Sonicwall forwarding relevant traffic to the Cisco.  To do this, you buy a new switch and connect it on the WAN side, so it connects the T1 router's LAN port, the WAN port of the Cisco and the WAN port of the Sonicwall. (And if you have more than one Cisco, clearly you can just repeat the trick!)

2) Much safer would be to put the Cisco INSIDE the Sonicwall. If you have a spare X-port on the Sonicwall it may be easier to connect the WAN of the Cisco to that and the LAN of the Cisco to your main LAN switch. Or else just connect BOTH Cisco ports to your LAN switch. Whatever IP address you give to the Cisco WAN port, map THAT to a public IP address using the NAT tools of the Sonicwall just as you would for any other "public server" setup. Use this IP as the target for the VPN tunnel, with suitable "permit" rules ni place on the Sonicwall to allow the IKE (et al) traffic in.

or...

3) Why are you not using the very powerful VPN tools on the Sonicwall itself?

0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 
LVL 33

Expert Comment

by:digitap
ID: 33637157
@ccomley :: Regarding option 1, sounds like my suggestion.  Regarding your 2nd option, I guess I was assuming that the Cisco VPN appliance WAS a firewall.  Assuming it's a firewall means you should trust it as much as the sonicwall, right?  Putting it behind the sonicwall means you believe the sonicwall is a better firewall than the Cisco...am I reading into that too much?  Regarding option 3, that's a good question, which had not occurred to me.  Many times the vendors supply their own hardware and there's no way around that.
0
 

Author Comment

by:drivetech
ID: 33642385
@ccomley / digitap:

Using a switch worked great. I have no control over the Cisco (corporate does), so I have to make it work.
Thanks!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33642430
i'm glad it worked...thanks for the points!
0
 
LVL 17

Expert Comment

by:ccomley
ID: 33644314
Digitap - yes, the first solution is one you suggested but I felt it warranted further explanation especially as it breaches the existing firewall which is always a risk, even if the second firewall is just as good. It still need someone to realise the problem and apply sufficient thought and skill to configuring the second firewall to make sure it doesn't cause a breach. There may also be policy issues. Would I trust a Cisco firewall as much as a Sonicwall, specifically? I have to say, it depends which Cisco. A PIX is massivly inferior to a Sonicwall. An ASA is better. But is it as good? Test results I've seen say not necessarily. Just coz they make good routers doesn't mean everything that says "Cisco" on the front is automatically the best.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33646439
@ccomley :: Indeed, clarity is always a bonus.  You know, there was a time when I wished our company worked with Cisco over Sonicwall.  As my experience grows through my job and here on EE, neither are really good across the board.  Like you, each have their models that are better than the other and there is the right firewall for the job, but it's not always the same vendor.  I think we see eye to eye on that.  It's been nice working with you.
0

Featured Post

IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question