Steve B asked:
Sonicwall site-site VPN with NAT

I am being asked to create a site-to-site VPN with a vendor. They indicate that my private network ID matches a network ID within their large enterprise, so they are wondering if it would be possible to NAT to the private IP of the machine on my side. I am unfamiliar with how to do this with a Sonicwall, so I was wondering if anyone could point me in the right direction.

The site-to-site VPN allows the vendor to send HL7-formatted messages to a computer on my side of the VPN for a lab results interface that is part of an electronic medical records program.
rharland2009 replied:

Do you mean that your NATed LAN (for example, 192.168.0.0/24) matches some segment on their network as well?
Steve B (asker) replied:

Yes.
ASKER CERTIFIED SOLUTION by rharland2009 (this solution is only available to members of Experts Exchange)
bclongacre replied:
You would need to create an address object for the public IP address and an address object for your target computer, then create a NAT rule that takes inbound traffic arriving on your WAN interface for your public IP address and directs it to the address object of your target internal machine on your LAN interface. I believe you would also need to check the box to create a reflexive policy.

I believe the NAT rule would look something like this:

Original Source: Any, OR if you know the IP address it would be originating from, create an address object and enter that
Translated Source: the address object of your public ip
Original Destination: the Address object for your public ip
Translated Destination: the address object of your target internal computer
Original Service: either a custom Service or Service Group that would cover the specific incoming traffic OR any (not recommended...)
Translated Service: original
Inbound Interface: WAN (the specific interface that your WAN is connected to)
Outbound Interface: LAN (the specific interface that your target internal computer is connected to)

Enable NAT Policy: Check
Create a reflexive policy: Check

You would then also need to ensure that you have a firewall rule in place that allows the specified traffic from the address object on your WAN interface to traverse to your specified address object on your LAN interface.

The firewall rule would look something like this:

Allow
From Zone: WAN
To Zone: LAN
Service: the Service Group specified in the NAT policy
Source: the Translated Source address object
Destination: the Translated Destination address object

Advanced Tab
Create a reflexive rule: Check
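A runnable model of the NAT policy and access rule pair described in the answer above, added here as an example; it is not code from the thread and not SonicWall's implementation. Everything in it is an assumption chosen for illustration: the address objects (RFC 5737 documentation ranges for the public side, RFC 1918 for the LAN), the HL7/MLLP port 2575, the interface names X1 (WAN) and X0 (LAN), and the evaluation order (first matching NAT policy translates the packet, then access rules are checked against the original source and the translated destination). It keeps Translated Source as Original and restricts the access rule to the vendor's range, and it also builds the "Any service" variant the answer warns against so the difference is visible.

```python
"""Model of an inbound NAT policy, its reflexive twin, and the matching access
rules. Constructed example: addresses, port, interface names and the evaluation
order are assumptions, not SonicOS internals."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed address objects (assumptions). Replace with your own objects and
# the port the vendor's HL7 interface really sends to.
VENDOR_RANGE = ipaddress.ip_network("203.0.113.0/24")    # "Original Source" object
MY_PUBLIC_IP = ipaddress.ip_network("198.51.100.10/32")  # "Original Destination" object
HL7_HOST     = ipaddress.ip_network("192.168.0.25/32")   # "Translated Destination" object
HL7_PORT     = 2575                                      # IANA "hl7" port; assumed
IFACE_ZONE   = {"X1": "WAN", "X0": "LAN"}                # interface names assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str   # ingress interface before NAT, egress interface after


def _in(addr: str, net: Net) -> bool:
    return ipaddress.ip_address(addr) in net


@dataclass(frozen=True)
class NatPolicy:
    """One NAT policy. service=None means Any; a None translation means Original."""
    orig_src: Net
    orig_dst: Net
    orig_service: Optional[int]
    trans_src: Optional[Net]
    trans_dst: Optional[Net]
    in_iface: str
    out_iface: str

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.in_iface and _in(p.src, self.orig_src)
                and _in(p.dst, self.orig_dst)
                and (self.orig_service is None or p.dport == self.orig_service))

    def apply(self, p: Packet) -> Packet:
        src = str(self.trans_src.network_address) if self.trans_src else p.src
        dst = str(self.trans_dst.network_address) if self.trans_dst else p.dst
        return Packet(src, dst, p.dport, self.out_iface)

    def reflexive(self) -> "NatPolicy":
        """The 'Create a reflexive policy' checkbox as modelled here: a mirror
        policy so new connections the target host opens toward the vendor leave
        with the public IP as source. Replies to existing connections are
        handled by the state table, not by this policy."""
        return NatPolicy(self.trans_dst or self.orig_dst, self.orig_src,
                         self.orig_service, self.orig_dst, None,
                         self.out_iface, self.in_iface)


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    src: Net
    dst: Net
    service: Optional[int]   # None means Any
    action: str


def evaluate(p: Packet, nats: List[NatPolicy], rules: List[AccessRule]) -> Tuple[str, Packet]:
    """First matching NAT policy translates the packet; access rules are then
    checked against the original source and the translated destination and
    zone (a modelling assumption). No matching rule means deny."""
    t = next((n.apply(p) for n in nats if n.matches(p)), p)
    for r in rules:
        if (r.from_zone == IFACE_ZONE[p.iface] and r.to_zone == IFACE_ZONE[t.iface]
                and _in(p.src, r.src) and _in(t.dst, r.dst)
                and (r.service is None or t.dport == r.service)):
            return r.action, t
    return "deny", t


# Tight configuration: vendor range only, HL7 port only, plus the reflexive policy.
INBOUND = NatPolicy(VENDOR_RANGE, MY_PUBLIC_IP, HL7_PORT, None, HL7_HOST, "X1", "X0")
NATS = [INBOUND, INBOUND.reflexive()]
RULES = [AccessRule("WAN", "LAN", VENDOR_RANGE, HL7_HOST, HL7_PORT, "allow"),
         AccessRule("LAN", "WAN", HL7_HOST, VENDOR_RANGE, HL7_PORT, "allow")]

# Loose configuration: "Any" service in both the NAT policy and the rule.
LOOSE_NATS = [NatPolicy(VENDOR_RANGE, MY_PUBLIC_IP, None, None, HL7_HOST, "X1", "X0")]
LOOSE_RULES = [AccessRule("WAN", "LAN", VENDOR_RANGE, HL7_HOST, None, "allow")]


def vendor_hl7(nats=NATS, rules=RULES):
    """Vendor sends an MLLP message to the public IP: lands on the HL7 host."""
    return evaluate(Packet("203.0.113.7", "198.51.100.10", HL7_PORT, "X1"), nats, rules)


def vendor_ssh(nats=NATS, rules=RULES):
    """Something on the vendor side probes port 22 instead of the HL7 port."""
    return evaluate(Packet("203.0.113.7", "198.51.100.10", 22, "X1"), nats, rules)


def stranger_hl7():
    """Source outside the vendor's range: the Original Source object excludes it."""
    return evaluate(Packet("192.0.2.99", "198.51.100.10", HL7_PORT, "X1"), NATS, RULES)


def host_to_vendor():
    """New connection from the HL7 host to the vendor, via the reflexive policy."""
    return evaluate(Packet("192.168.0.25", "203.0.113.7", HL7_PORT, "X0"), NATS, RULES)


if __name__ == "__main__":
    cases = [("vendor hl7", vendor_hl7), ("vendor ssh", vendor_ssh),
             ("stranger hl7", stranger_hl7), ("host to vendor", host_to_vendor),
             ("vendor ssh, Any service", lambda: vendor_ssh(LOOSE_NATS, LOOSE_RULES))]
    for name, fn in cases:
        action, t = fn()
        print(f"{name:24s} -> {action:5s} {t.src} -> {t.dst}:{t.dport} via {t.iface}")
```

With the tight configuration only the vendor's HL7 traffic reaches the host and the host's own connections to the vendor leave as the public IP; with "Any" as the service, the same port 22 probe is translated and allowed through to the internal machine, which is the case the answer's "not recommended" refers to.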