Solved

Need to NAT for VPN where the host subnet exists on both ends.

Posted on 2010-09-16
460 Views
Last Modified: 2012-05-10
I have to add a new VPN tunnel to my SonicWall Pro 3060.  Normally, no problem.  However, in this case the hosts on the other side use the same subnet as mine --- which means I need to do a NAT translation of some kind...

As this would be the first one on this appliance, I have no idea what needs to be set in order to make this work.  Unlike my other VPN appliance, it's not clear to me where to do this.

Any input to point me would be helpful.

Question by:btetlow-expert
31 Comments
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33696214
To maybe complicate this, I have 2 hosts on my side that are the addresses needing to be NAT'd.

I find what I would think is a place to translate in the VPN network section, but I don't see how to map my existing internal host to the nat'd address I plan on using, or how it would apply since I have 2 addresses to use.
0
 
LVL 7

Expert Comment

by:tlovie
ID: 33696227
I think that this will be really difficult functionally.... if the router gets a packet destined for some address on the overlapping subnets, how would it know whether to route it over the VPN tunnel or not?  I would look into changing the subnet on one of the sites so that there is no overlap... I'm sure you've already thought of this... is there some reason that you can't or don't want to?
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33696389
NAT answers this "overlap" issue by basically hiding the REAL internal address and replacing it with another one.  

This is a case where the host on the other side cannot change their IP scheme, and neither can I as we're both operating in production environments.  

It's not unusual for two different locations to use the same internal subnetting --- but until now, I've been able to work around it in other ways that didn't involve NATing.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 33696404
The solution to the last question is that you use NAT on both sides - one is translated to e.g. 10.11.12.0/24, the other to 10.11.13.0/24. No conflicts that way, but any IP info retrieved from the remote site is void if not translated by the SonicWall.
Since I do not have the slightest clue of SonicWall devices, I'll shut up at that point ;-).
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33697081
Qlemo you are correct --- and this is partially done ---  I have the information to do my end, but it's the actual "doing" it part that I have no details on.

Of course, the company that owns the device has no service contract so I can't call the vendor directly in this case unless someone with a good checkbook is nearby... :)  

That said, if I can get the information on where to set things, I'm sure I can manage it.   It's just not clear to me where this is configured.

NAT policies in this case I am unfamiliar with, but I think this is the location I need to setup this "translation".
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 33701808
If you have a SonicWall on the other end, you're in luck.  I have this exact setup here.  SonicWall has a function set up for this.  I will try to get the instructions on setup - it is very easy.
This is how it works:

Site A - subnet 10.10.10.0 /24    -  additional subnet (assigned to the VPN) 10.10.7.0/ 24
Site B - subnet 10.10.10.0 /24    -  additional subnet (assigned to the VPN) 10.10.8.0/ 24

The feature translates the first 3 octets, and passes the 4th octet to the other side.

If someone on site B wants to access a server on site A at 10.10.10.12 they use the IP address 10.10.7.12 and it accesses just like it was local B.

If someone on site A wants to access a server on site B at 10.10.10.4 they use the IP address 10.10.8.4 and it accesses just like it was local to A.

You can have duplicate IP addresses - one at each side - and they can access each other through the translation.
It's very cool.
0
 
LVL 8

Accepted Solution

by:
dosdet2 earned 125 total points
ID: 33701937
You can find instructions on how to do this at the following URL.
It should work with any Sonicwall firewall that has Enhanced OS.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7759&p=t

0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33703959
dosdet2 -- I'll check that out --- unfortunately in this case, I'm connecting to a Cisco appliance....  but, who knows, it might have some information that gets me to the solution.   Thanks
0
 
LVL 33

Expert Comment

by:digitap
ID: 33709445
Something to keep in mind is that the SonicWall NATs BEFORE it sends to the tunnel and as it comes out.  So, you can NAT the other end as it comes out of the tunnel so you won't have to set up a NAT on their end.  I've done this to NAT a whole network to one masking IP.  I've also set this up so as to mask a specific subnet and leave all the others as is.  As indicated above, as long as you have the enhanced OS on your 3060 you'll be fine.  Go through the instructions provided by dosdet2 and respond with any questions.  Your situation is straightforward and we'll get it.
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33718475
ok, I reviewed the instructions dosdet2 posted....

I think my confusion is that I'm not sure which address to place in the tunnel.

The site gave me 2 NAT'd addresses for me to use --- but now, I'm not sure if these are the addresses I use that point to them, or if they're the addresses they're expecting to see from me....   I suspect it's the latter of the two....

If that's the case --- then I think the part I'm still not sure of is where those IP's come into play.

I've set them up as address objects, and then created a group for them.

Based on my current VPN setup....   I have their gateway, and then the destinations are these 2 nat'd addresses they gave me.

Under ADVANCED then --- do I "apply nat policies", and if so ---
TRANSLATED LOCAL NETWORK = ?
TRANSLATED REMOTE NETWORK = ?

I have the NAT'd address group for local, and original for the remote......OR for the remote, should I be using the "real" destination IP's?

0
 
LVL 8

Expert Comment

by:dosdet2
ID: 33719013
Yes, you need to apply the NAT policies.  It will use your data from these pages to create the policies / rules to make the VPN work.  
The translated local network should be the network object that you created in step 4 on the 1st page (which IP network is the local end of the VPN - left screen shot)

The translated remote network is the object created in the right screen shot.

On the sonicwall this will also create the NAT policies for you.

Maybe a little more explanation of what it actually does is in order.  
Assumptions for this example:
Site A subnet = 10.10.1.0 /24
local translated object = 192.168.1.0 /24
remote translated object = 192.168.2.0 /24

Site B subnet = 10.10.2.0 /24
local translated object = 192.168.2.0 /24
remote translated object = 192.168.1.0 /24

When a user at site A wants to access (ping) a device at site B with an IP address of 10.10.2.34, he would do a -> ping 192.168.2.34
The Sonicwall would send that request across the VPN and the other side would translate the IP address by replacing the first 3 octets (from 192.168.2 ) to match site B's local subnet (10.10.2).  It passes the 4th octet as is, so site B's network sees a packet going to 10.10.2.34

And the reverse works too - Site B trying to access site A IPs would use 192.168.1.x and it would be translated (at site A) to 10.10.1.x.   All 254 addresses (/24) are available from either site and any or all of site A's IP addresses could be duplicates of site B's IPs - making your configuration like this:

Site A subnet = 10.10.1.0 /24
local translated object = 192.168.10.0 /24
remote translated object = 192.168.20.0 /24

Site B Subnet = 10.10.1.0 /24
local translated object = 192.168.20.0 /24
remote translated object = 192.168.10.0 /24

Both sites could have mail-servers at 10.10.10.3 and you access your local mail server with 10.10.10.3 and the other side's mail-server with 192.168.(20 for site A / 10 for site B).3

I hope that makes sense.  To be honest, I don't know Cisco programming well enough to give you the commands to duplicate the translation at the Cisco side, but given Cisco's flexibility, there must be someone out there who can figure that out.

It is very slick though; ours is a backup of our live system and to make the backup live, I don't have to change any private IP numbers.

0
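A small model of the translation dosdet2 describes, added here as an example (not SonicWall's code and not from anyone in the thread): it assumes the policy objects from the second configuration above (both LANs on 10.10.1.0/24), rebases only the network part of an address, and follows a packet from site A to site B and back, plus a duplicate host that stays local.

```python
"""Model of subnet-to-subnet VPN NAT for overlapping LANs (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnNatPolicy:
    """One site's view of the tunnel: its real LAN plus the two translated objects."""
    local_net: ipaddress.IPv4Network          # real LAN behind this firewall
    translated_local: ipaddress.IPv4Network   # how the far side addresses this LAN
    translated_remote: ipaddress.IPv4Network  # what local hosts dial to reach the far LAN


def _rebase(ip, src_net, dst_net):
    """Keep the host part (the 4th octet for a /24), swap the network part."""
    if src_net.prefixlen != dst_net.prefixlen or ip not in src_net:
        raise ValueError(f"{ip} cannot be rebased from {src_net} to {dst_net}")
    host_part = int(ip) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + host_part)


def egress(policy, src, dst):
    """Packet leaving the LAN. Returns (goes_over_tunnel, src_on_wire, dst_on_wire)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst not in policy.translated_remote:
        return False, src, dst  # real LAN address: stays local, even if the far LAN overlaps
    # Source is rewritten to the translated-local object before entering the tunnel.
    return True, _rebase(src, policy.local_net, policy.translated_local), dst


def ingress(policy, src, dst):
    """Packet arriving from the tunnel: destination is rebased onto the real LAN."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst not in policy.translated_local:
        raise ValueError(f"{dst} is not in this site's translated-local object")
    return src, _rebase(dst, policy.translated_local, policy.local_net)


def round_trip(from_site, to_site, src, dst):
    """Follow a packet from one LAN to the other; None if it never enters the tunnel."""
    tunnelled, wire_src, wire_dst = egress(from_site, src, dst)
    if not tunnelled:
        return None
    return ingress(to_site, wire_src, wire_dst)


# Constructed policies matching dosdet2's second configuration (overlapping LANs).
SITE_A = VpnNatPolicy(ipaddress.ip_network("10.10.1.0/24"),
                      ipaddress.ip_network("192.168.10.0/24"),
                      ipaddress.ip_network("192.168.20.0/24"))
SITE_B = VpnNatPolicy(ipaddress.ip_network("10.10.1.0/24"),
                      ipaddress.ip_network("192.168.20.0/24"),
                      ipaddress.ip_network("192.168.10.0/24"))
```

Site B only ever sees site A's hosts as 192.168.10.x, so its reply to 192.168.10.7 is itself tunnelled and rebased back to 10.10.1.7 at site A; a packet to 10.10.1.34 from site A stays on A's own LAN.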
 
LVL 33

Expert Comment

by:digitap
ID: 33719117
My guess is you're right about the nat'd IP addresses.  Question, are they only allowing two hosts through the tunnel to your network?

If the NAT'd IP addresses they gave you are to represent them, then you'll want to set this under the Destination Network as the Remote Translated.  Then, you'll go to the Advanced tab of the SA and set Translated Remote Network as Original.  They'll NAT their end and send it over the tunnel, so you don't need to do anything with it except tell the SA what IP to expect.

Have you identified the NAT'd network you want to translate your LAN network into?  How many hosts are going to traverse the tunnel to the other end?
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 33719173
The solution I proposed above is intended to NAT complete subnets.  If there are only two IPs that should be NATted then my scenario above is probably not appropriate.  Sorry.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33719218
@dosdet2 :: I believe your solution is very complete and would only require a very moderate configuration change to be appropriate if the hosts allowed, ingress/egress, over the tunnel is specific.  I made an assumption that it was only two.
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33720552
dosdet2 -- I adjusted your document to account for only the 2 hosts instead of the whole subnet, so that was ok, no problem there...

digitap -- 2 hosts on my end, point to 1 host, plus a /27 subnet

ok --- I got the tunnel to come to life.... BUT....  I can't get any data thru from either end.

From my past setups, I'm thinking if something wasn't quite right with the network portions, then the tunnel wouldn't get to phase 2 and complete --- so --- at this point I think that portion is "ok".

As to the data passing -- by default when the tunnels are set up, they allow all traffic thru, and I changed them to be restricted like my others are.  It doesn't seem to be related to this part of the setup.

Is there additional routing setup that's required?    

I reviewed the instructions and notes --- seem to have covered everything from what I can tell.    

Can't do any network ping or trace -- they all respond the same ---
0
 
LVL 33

Expert Comment

by:digitap
ID: 33720574
so, you've identified the translated network and sent this to the other end?  also, you've created the address object(s) and specified that within the Advanced tab in the Local Translated drop down?  can the other side ping you?  is the other side restricting any traffic besides the hosts?  meaning, are they allowing ping through so you can test the connection?
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33721362
Based on my conversation with the other site, they're not restricting the use of PING or traceroute or the other specific ports I told them that were needed ---

They can't ping me either -- it's a two way failure.   Which I think is located on my end of the connection.

They even had someone on their end familiar with SonicWall, and they didn't understand what the issue might be.

You would think, the tunnel is live, so there's communication that way --- after that part, the connection shouldn't act any differently than any of the non-NAT tunnels.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 33721372
Have you tried a tracert ?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33721418
well, in addition to nat, you do need firewall access rules.  what do your vpn to lan and lan to vpn firewall rules look like?
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33721480
Tracert, like ping, just times out...

The rules are mutually set up: I allow them to PING (among others), and I mirror that setup going to them.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 33721509
What IP does it time out on?  The first one?  What IP are you pinging?
Don't ping the tunnel IP, ping (or tracert ) the destination (translated IP)

Can you list the IP networks that you setup as objects on your sonicwall (private) and what you are trying to ping?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33721512
Go to Log > Categories.  Make sure that you have debug on the type of logging and then check the box for each column in the categories section below.  Then, go back to your log and see if you get some feedback while performing a ping and while they are performing a ping.  If the traffic is being blocked, then you'll get a log entry of some type.

Can you post your VPN > LAN and LAN > VPN access rules here?
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33748208
ok -- think I have discovered the problem(s)....

The HOST ip's I was given are PUBLIC (remote site)
The NAT'd ip's I was given are PUBLIC (DOD!!!)

I know my own practice is to never use public addressing where private should be used --- I reviewed all my other tunnels (49 of em) they all use private IP's for the remote sites host addressing.

Am I wrong to think that the use of public IP's in this case is not proper?

I have a call into SonicWall now --- I convinced the company to get the support required as this was likely the tip of the iceberg --- Learned in the process that the firmware is at least 2 revs old, and 1 of those is a major update, so that doesn't help....  

My question now though is whether it is proper use of IP addressing when the numbering in question is known to be publicly available?

digitap -- on the logs --- nothing related to the IP's in question showed up!    This is what made me question the use of public addresses.    If I'm wrong in that view, then I'll continue....

At this point though --- I've asked the remote site to use 2 private IP's that *I* assigned in the off chance this is the issue.

Alternately --- is there a way to have my current subnet also "overlayed" with another one?

For example...

192.168.1.0/24 ----- is also known as   10.168.1.0/24   ?       Just trying to think out of the box.  This won't be the last time that NATing translations comes into play, I'm just looking at simplifying the usage.

0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 125 total points
ID: 33748457
I've never known the use of public IP addresses used internal to a VPN, so I don't think it would work.  My mind goes through the logic and I don't think it will work.  You were right to force them to use a private IP address.

Regarding your alternative, you could come up with a "masking" subnet.  Using your example above, 10.168.1.0/24, you could pick a single masking IP to make your entire network for a single host.  It would be exactly like what your router does with your internal network.  So, if you have VPN1, VPN2, VPN3; the masking IP addresses would be:

10.168.1.1; 255.255.255.255
10.168.1.2; 255.255.255.255
10.168.1.3; 255.255.255.255

The address objects representing your masking IP addresses would be set as hosts.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 33749077
I don't know about the Cisco - I'm sure it could be done, but I know the SonicWall could do that easily.  As long as there are different subnets in each tunnel, you should be fine.  This would have to be a hub & spoke layout.

Sounds interesting.  Keep us informed on how it progresses!
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33753336
I got them to give me some private subnet addressing....   Not cool for accidental DOD network connections.... not these days --- NO sense of humor in that area...  Nonetheless...  I'll adjust for the new numbering and see what happens...

0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33908753
ok, sorry no updates on this --- working on getting firmware and OS levels to the latest revs.... then I'll be back at this issue...
0
 
LVL 33

Expert Comment

by:digitap
ID: 33909086
cool...thanks for keeping us posted.
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 33918035
It appears that 99% of the issue is resolved --- by merely having the latest firmware installed the tunnel is now working almost as expected.   At least, PING goes thru, but the other ports I need for some reason aren't making it thru.   I've probably got another group to change.


Thanks all for the input --- the article that was posted here was the biggest bit of help.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33918098
you're welcome...thanks for the points!
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 33918135
Remember that SonicWall treats every interface as independent as far as firewall rules (once they are removed from the 'switch-port' status).  That might help with getting the rules set to get the other ports forwarding.
Thanks!
0