Solved

NAT / External IP Needed

Posted on 2010-09-08
8
462 Views
Last Modified: 2012-05-10
I have a SonicWall 2040 Pro with a T1 plugged into the X1 WAN port with several internal servers NAT'd to external IP's.  I have a couple Cisco VPN routers that need external IP's outside of the firewall and I don't have any DMZ ports available on the SonicWall.  What is the best way to accomplish this?  I have 13 IP's, with 5 available still.
0
Comment
Question by:drivetech
8 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33632319
You should be able to make a static NAT mapping from the external IPs to the internal IPs on the Cisco devices.  Then just allow all traffic destined to the external IPs and outbound from the internal IPs.
0
 
LVL 33

Accepted Solution

by:
digitap earned 63 total points
ID: 33633368
Install a switch and connect the T1 to it along with the WAN interface of the sonicwall and the WAN of the Cisco.  That will put the Cisco on the Internet since you don't have any available ports on the sonicwall.  Put the LAN interface on the same IP network as the sonicwall LAN interface.  Put a route on the sonicwall for traffic needed to traverse the VPN pointing at the LAN interface of the Cisco.  Make sense?
0
 
LVL 16

Assisted Solution

by:ccomley
ccomley earned 62 total points
ID: 33634365
You can go two ways.

1) Bridge the Cisco firewall "around" the Sonicwall. This means you have to trust BOTH firewalls equally and make sure both remain fully secure, with all the same rules and filters in place, as either can be a route IN to your network, and either is a route out. But this way the Cisco has a real public IP address on its WAN port, and everything is just as the Cisco manual. You would also need to make sure any traffic using the VPN has teh Cisco as its default gateway, not the Sonicwall, or that  there's a static route on the Sonicwall forwarding relevant traffic to the Cisco.  To do this, you buy a new switch and connect it on the WAN side, so it connects the T1 router's LAN port, the WAN port of the Cisco and the WAN port of the Sonicwall. (And if you have more than one Cisco, clearly you can just repeat the trick!)

2) Much safer would be to put the Cisco INSIDE the Sonicwall. If you have a spare X-port on the Sonicwall it may be easier to connect the WAN of the Cisco to that and the LAN of the Cisco to your main LAN switch. Or else just connect BOTH Cisco ports to your LAN switch. Whatever IP address you give to the Cisco WAN port, map THAT to a public IP address using the NAT tools of the Sonicwall just as you would for any other "public server" setup. Use this IP as the target for the VPN tunnel, with suitable "permit" rules ni place on the Sonicwall to allow the IKE (et al) traffic in.

or...

3) Why are you not using the very powerful VPN tools on the Sonicwall itself?

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 33

Expert Comment

by:digitap
ID: 33637157
@ccomley :: Regarding option 1, sounds like my suggestion.  Regarding your 2nd option, I guess I was assuming that the Cisco VPN appliance WAS a firewall.  Assuming it's a firewall means you should trust it as much as the sonicwall, right?  Putting it behind the sonicwall means you believe the sonicwall is a better firewall than the Cisco...am I reading into that too much?  Regarding option 3, that's a good question, which had not occurred to me.  Many times the vendors supply their own hardware and there's no way around that.
0
 

Author Comment

by:drivetech
ID: 33642385
@ccomley / digitap:

Using a switch worked great. I have no control over the Cisco (corporate does), so I have to make it work.
Thanks!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33642430
i'm glad it worked...thanks for the points!
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33644314
Digitap - yes, the first solution is one you suggested but I felt it warranted further explanation especially as it breaches the existing firewall which is always a risk, even if the second firewall is just as good. It still need someone to realise the problem and apply sufficient thought and skill to configuring the second firewall to make sure it doesn't cause a breach. There may also be policy issues. Would I trust a Cisco firewall as much as a Sonicwall, specifically? I have to say, it depends which Cisco. A PIX is massivly inferior to a Sonicwall. An ASA is better. But is it as good? Test results I've seen say not necessarily. Just coz they make good routers doesn't mean everything that says "Cisco" on the front is automatically the best.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33646439
@ccomley :: Indeed, clarity is always a bonus.  You know, there was a time when I wished our company worked with Cisco over Sonicwall.  As my experience grows through my job and here on EE, neither are really good across the board.  Like you, each have their models that are better than the other and there is the right firewall for the job, but it's not always the same vendor.  I think we see eye to eye on that.  It's been nice working with you.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SolarWinds reporting 2 25
svi stops eigrp advertisement 13 34
BGP recommended setup with failover 2 50
decoding the error message TEI_ASSIGNED 8 43
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question