NAT / External IP Needed

I have a SonicWall 2040 Pro with a T1 plugged into the X1 WAN port with several internal servers NAT'd to external IP's.  I have a couple Cisco VPN routers that need external IP's outside of the firewall and I don't have any DMZ ports available on the SonicWall.  What is the best way to accomplish this?  I have 13 IP's, with 5 available still.
drivetechAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
digitapConnect With a Mentor Commented:
Install a switch and connect the T1 to it along with the WAN interface of the sonicwall and the WAN of the Cisco.  That will put the Cisco on the Internet since you don't have any available ports on the sonicwall.  Put the LAN interface on the same IP network as the sonicwall LAN interface.  Put a route on the sonicwall for traffic needed to traverse the VPN pointing at the LAN interface of the Cisco.  Make sense?
0
 
Matt VCommented:
You should be able to make a static NAT mapping from the external IPs to the internal IPs on the Cisco devices.  Then just allow all traffic destined to the external IPs and outbound from the internal IPs.
0
 
ccomleyConnect With a Mentor Commented:
You can go two ways.

1) Bridge the Cisco firewall "around" the Sonicwall. This means you have to trust BOTH firewalls equally and make sure both remain fully secure, with all the same rules and filters in place, as either can be a route IN to your network, and either is a route out. But this way the Cisco has a real public IP address on its WAN port, and everything is just as the Cisco manual. You would also need to make sure any traffic using the VPN has teh Cisco as its default gateway, not the Sonicwall, or that  there's a static route on the Sonicwall forwarding relevant traffic to the Cisco.  To do this, you buy a new switch and connect it on the WAN side, so it connects the T1 router's LAN port, the WAN port of the Cisco and the WAN port of the Sonicwall. (And if you have more than one Cisco, clearly you can just repeat the trick!)

2) Much safer would be to put the Cisco INSIDE the Sonicwall. If you have a spare X-port on the Sonicwall it may be easier to connect the WAN of the Cisco to that and the LAN of the Cisco to your main LAN switch. Or else just connect BOTH Cisco ports to your LAN switch. Whatever IP address you give to the Cisco WAN port, map THAT to a public IP address using the NAT tools of the Sonicwall just as you would for any other "public server" setup. Use this IP as the target for the VPN tunnel, with suitable "permit" rules ni place on the Sonicwall to allow the IKE (et al) traffic in.

or...

3) Why are you not using the very powerful VPN tools on the Sonicwall itself?

0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
digitapCommented:
@ccomley :: Regarding option 1, sounds like my suggestion.  Regarding your 2nd option, I guess I was assuming that the Cisco VPN appliance WAS a firewall.  Assuming it's a firewall means you should trust it as much as the sonicwall, right?  Putting it behind the sonicwall means you believe the sonicwall is a better firewall than the Cisco...am I reading into that too much?  Regarding option 3, that's a good question, which had not occurred to me.  Many times the vendors supply their own hardware and there's no way around that.
0
 
drivetechAuthor Commented:
@ccomley / digitap:

Using a switch worked great. I have no control over the Cisco (corporate does), so I have to make it work.
Thanks!
0
 
digitapCommented:
i'm glad it worked...thanks for the points!
0
 
ccomleyCommented:
Digitap - yes, the first solution is one you suggested but I felt it warranted further explanation especially as it breaches the existing firewall which is always a risk, even if the second firewall is just as good. It still need someone to realise the problem and apply sufficient thought and skill to configuring the second firewall to make sure it doesn't cause a breach. There may also be policy issues. Would I trust a Cisco firewall as much as a Sonicwall, specifically? I have to say, it depends which Cisco. A PIX is massivly inferior to a Sonicwall. An ASA is better. But is it as good? Test results I've seen say not necessarily. Just coz they make good routers doesn't mean everything that says "Cisco" on the front is automatically the best.
0
 
digitapCommented:
@ccomley :: Indeed, clarity is always a bonus.  You know, there was a time when I wished our company worked with Cisco over Sonicwall.  As my experience grows through my job and here on EE, neither are really good across the board.  Like you, each have their models that are better than the other and there is the right firewall for the job, but it's not always the same vendor.  I think we see eye to eye on that.  It's been nice working with you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.