Solved

NAT Route, Almost IP Spoofing

Posted on 2014-03-03
Last Modified: 2014-03-11
I have this very specialized PC that requires this very specialized setup.  Please see if you can help me out.

The PC has two NICs.  One connects to a Verizon network, let's say 64.xx.yy.zz.  That part works fine!

The other NIC needs to do this:

1.  Connect to our internal 192.168.11.y network.  Easy, done.

2.  Connect, via Sonicwall VPN Client, to an external network.  Easy, done.

3.  When trying to connect to 192.168.4.x, traffic must appear to come from 10.42.102.55.  These originally ran on a leased line, but the organization is doing away with leased lines and wants us to go VPN.  I can ping the 192.168.4.20 interface, so I am hitting their host, however, their host says "I will only accept traffic from you on 10.42.102.55."  Hmmmm... how the heck do I do that?  I have tried a one to one NAT route in my sonicwall, but the only way to do it makes ALL traffic from the local 192.168.11.y appear to be coming from 10.42.102.55, and that breaks a lot of things.  What I need is for the sonicwall to have a rule that says "if 192.168.11.100 is trying to connect to 192.168.4.20, then make it appear as if the traffic is coming from 10.42.102.55".

In digging through Cisco manuals, they have something called "route maps" that accomplishes this.  Does the Sonicwall have something similar?
Question by:dougp23
7 Comments
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 800 total points
ID: 39903099
Take a look at the following to see if it does what you want.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3915
 
LVL 16

Expert Comment

by:gurutc
ID: 39903327
How many other PCs on your 192.168.11 network use VPN to reach the 192.168.4 network?

Is it possible to add another NIC to the two you have with a different subnet.  You could then one-to-one NAT route that subnet.

What OS is your PC running and the remote system on the .4 net running?

- gurutc
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39903586
It's in NAT in the SonicWall. You have to first make address objects for 10.42.102.55, and the single IP that you want to allow (or let me know if you want, you can allow a group or subnet as that's not hard).
The rule is literally just like you described with original source, translated source (this is the fake IP 10.42.102.55).
 
LVL 37

Accepted Solution

by:bbao
bbao earned 1200 total points
ID: 39905295
If the SonicWALL is sitting between 192.168.11.100 and 192.168.4.20, then the following address objects and NAT policy seem to be needed per your requirement.

Address Objects:

PC1 Secondary IP: 192.168.11.100
PC1 NATed IP: 10.42.102.55
PC2 Primary IP: 192.168.4.20

NAT Policy:

Source - Original: PC1 Secondary IP
Source - Translated: PC1 NATed IP
Destination - Original: PC2 Primary IP
Destination - Translated: Original
Service - Original: Any
Service - Translated: Original

The Inbound Interface and Outbound Interface settings depend on your SonicWALL's port definitions on LAN, WAN and OPT etc.
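To show why the accepted answer's policy works where the asker's one-to-one NAT did not, here is an added example (not SonicWall's code, nor anything posted in this thread): a small first-match NAT evaluator loaded with the address objects and policy from the answer above, beside a blanket rule that translates every LAN host. The object names "LAN Subnet" and "Any", and the first-match ordering, are assumptions of this model; the Service columns (Any / Original) are left out since they pass traffic through unchanged.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address objects. The first three mirror the accepted answer; "LAN Subnet"
# and "Any" are constructed here to express the asker's over-broad rule.
ADDRESS_OBJECTS = {
    "PC1 Secondary IP": ip_network("192.168.11.100/32"),
    "PC1 NATed IP": ip_network("10.42.102.55/32"),
    "PC2 Primary IP": ip_network("192.168.4.20/32"),
    "LAN Subnet": ip_network("192.168.11.0/24"),   # assumption
    "Any": ip_network("0.0.0.0/0"),                # assumption
}


@dataclass(frozen=True)
class NatPolicy:
    """One row of a NAT policy table, using the answer's column names."""
    src_original: str      # address object the packet's source must fall in
    src_translated: str    # host object to rewrite the source to, or "Original"
    dst_original: str      # address object the destination must fall in
    dst_translated: str    # host object to rewrite the destination to, or "Original"


def _host(obj: str):
    """Translated objects must be single hosts in this model."""
    net = ADDRESS_OBJECTS[obj]
    if net.num_addresses != 1:
        raise ValueError(f"{obj} is not a single-host object")
    return net.network_address


def apply_nat(policies, src: str, dst: str):
    """Return (src, dst) after the first policy whose original columns match.

    A packet that matches no policy is returned untouched (assumed behaviour).
    """
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if s in ADDRESS_OBJECTS[p.src_original] and d in ADDRESS_OBJECTS[p.dst_original]:
            new_s = s if p.src_translated == "Original" else _host(p.src_translated)
            new_d = d if p.dst_translated == "Original" else _host(p.dst_translated)
            return str(new_s), str(new_d)
    return str(s), str(d)


# What the asker tried: every LAN host, to any destination, leaves as 10.42.102.55.
BLANKET = [NatPolicy("LAN Subnet", "PC1 NATed IP", "Any", "Original")]
# The accepted answer: only 192.168.11.100 -> 192.168.4.20 is rewritten.
SCOPED = [NatPolicy("PC1 Secondary IP", "PC1 NATed IP", "PC2 Primary IP", "Original")]
```

Run a few flows through both tables and the difference is immediate: `SCOPED` only touches the one host-to-host pair, while `BLANKET` rewrites a LAN host talking to another LAN host, which is the breakage described in the question.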
 
LVL 1

Author Comment

by:dougp23
ID: 39910135
Gurutc- 4 other computers in the 192.168.11.x range use the VPN for 192.168.4.x.  I have thought of adding another NIC, should I keep it in the 192.168.11.x range?  If I choose a new range (say 192.168.12.x) then the whole "default gateway" issue seems to crop up.  (The one that says only one def gw per PC for reliable traffic).

Thanks for the other comments, I am setting up a test box to see what I can do with this!
 
LVL 37

Expert Comment

by:bbao
ID: 39911273
Adding another NIC is technically possible, but why don't you simply give the 10.42.102.55 address directly to the NIC and connect the port directly to the 10.42.102.x subnet?

Anyway, some constraints do apply. For example, the NIC should not be assigned a default gateway.
 
LVL 1

Author Comment

by:dougp23
ID: 39921352
bbao, I cannot add another NIC and connect directly to the 10.42.102.x subnet, as that subnet is only available over a leased frame circuit, which the company on the other end is doing away with, in favor of VPN connections.
