Solved

NAT Route, Almost IP Spoofing

Posted on 2014-03-03
422 Views
Last Modified: 2014-03-11
I have this very specialized PC that requires this very specialized setup.  Please see if you can help me out.

The PC has two NICs.  One connects to a Verizon network, let's say 64.xx.yy.zz   That part works fine!

The other NIC needs to do this:

1.  Connect to our internal 192.168.11.y network.  Easy, done.

2.  Connect, via Sonicwall VPN Client, to an external network.  Easy, done.

3.  When trying to connect to 192.168.4.x, traffic must appear to come from 10.42.102.55.   These originally ran on a leased line, but the organization is doing away with leased lines and wants us to go VPN.  I can ping the 192.168.4.20 interface, so I am hitting their host, however, their host says "I will only accept traffic from you on 10.42.102.55."  Hmmmm..how the heck do I do that?  I have tried a one to one NAT route in my sonicwall, but the only way to do it makes ALL traffic from the local 192.168.11.y appear to be coming from 10.42.102.55, and that breaks a lot of things.  What I need is for the sonicwall to have a rule that says "if 192.168.11.100 is trying to connect to 192.168.4.20, then make it appear as if the traffic is coming from 10.42.102.55".

In digging through Cisco manuals, they have something called "route maps" that accomplishes this.  Does the Sonicwall have something similar?
0
Comment
Question by:dougp23
7 Comments
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 800 total points
ID: 39903099
Take a look at the following to see if it does what you want.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3915
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39903327
How many other PCs on your 192.168.11 network use VPN to reach the 192.168.4 network?

Is it possible to add another NIC to the two you have with a different subnet.  You could then one-to-one NAT route that subnet.

What OS is your PC running and the remote system on the .4 net running?

- gurutc
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39903586
It's in nat in the sonicwall. You have to first make address objects for 10.42.102.55, and the single ip that you want to allow (or let me know if you want you can allow a group or subnet as that's not hard)
The rule is literally just like you described with original, source, translated source (this is the fake ip 10.42.102.55)
0
 
LVL 37

Accepted Solution

by:bbao
bbao earned 1200 total points
ID: 39905295
if the SonicWALL is sitting between 192.168.11.100 and 192.168.4.20, then the following address objects and NAT policy seem to be needed per your requirement.

Address Objects:

PC1 Secondary IP: 192.168.11.100
PC1 NATed IP: 10.42.102.55
PC2 Primary IP: 192.168.4.20

NAT Policy:

Source - Original: PC1 Secondary IP
Source - Translated: PC1 NATed IP
Destination - Original: PC2 Primary IP
Destination - Translated: Original
Service - Original: Any
Service - Translated: Original

The Inbound Interface and Outbound Interface settings depend on your SonicWALL's port definitions on LAN, WAN and OPT etc.
0
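To make the difference between the asker's broad one-to-one NAT and the scoped policy in the accepted answer concrete, here is an added simulation (not part of the thread, and not SonicWALL code) that evaluates first-match NAT policies over a few constructed flows; the address objects are the ones named above, while the `NatPolicy`/`apply_nat` helpers and the sample flows are invented for the example.

```python
"""Model of the two NAT approaches discussed in this thread (added example).

The SonicWALL UI is not modelled; this only shows first-match policy
evaluation so the scope of each rule can be checked on sample flows.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatPolicy:
    src_original: str            # address or CIDR the source must match
    dst_original: str            # address or CIDR the destination must match
    src_translated: Optional[str]  # None means "Original" in SonicWALL terms

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (src in ip_network(self.src_original)
                and dst in ip_network(self.dst_original))


def apply_nat(policies: List[NatPolicy], src: str, dst: str) -> Tuple[str, str]:
    """Return (translated_src, dst). First matching policy wins; no match = untouched."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p.matches(s, d):
            new_src = ip_address(p.src_translated) if p.src_translated else s
            return str(new_src), str(d)
    return str(s), str(d)


# The asker's first attempt: the whole LAN is rewritten regardless of destination.
BROAD_ONE_TO_ONE = [NatPolicy("192.168.11.0/24", "0.0.0.0/0", "10.42.102.55")]

# The accepted answer: only PC1 -> PC2 is rewritten; all other traffic keeps its source.
SCOPED_POLICY = [NatPolicy("192.168.11.100/32", "192.168.4.20/32", "10.42.102.55")]

SAMPLE_FLOWS = [  # constructed (src, dst) pairs for the comparison
    ("192.168.11.100", "192.168.4.20"),  # the PC that must appear as 10.42.102.55
    ("192.168.11.100", "192.168.11.5"),  # same PC talking to a local server
    ("192.168.11.77", "192.168.4.20"),   # another LAN host reaching the remote side
]


def translated_sources(policies: List[NatPolicy]) -> List[str]:
    """Source address each sample flow would leave the firewall with."""
    return [apply_nat(policies, s, d)[0] for s, d in SAMPLE_FLOWS]


if __name__ == "__main__":
    print("broad :", translated_sources(BROAD_ONE_TO_ONE))
    print("scoped:", translated_sources(SCOPED_POLICY))
```

The broad rule rewrites every LAN host, which is the breakage the asker reported; the scoped rule touches only the single PC-to-host flow.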
 
LVL 1

Author Comment

by:dougp23
ID: 39910135
Gurutc- 4 other computers in the 192.168.11.x range use the VPN for 192.168.4.x.  I have thought of adding another NIC, should I keep it in the 192.168.11.x range?  If I choose a new range (say 192.168.12.x) then the whole "default gateway" issue seems to crop up.  (The one that says only one def gw per PC for reliable traffic).

Thanks for the other comments, I am setting up a test box to see what I can do with this!
0
 
LVL 37

Expert Comment

by:bbao
ID: 39911273
adding another NIC is technically possible, why don't you simply give the 10.42.102.55 address directly to the NIC and connect the port directly to the 10.42.102.x subnet?

anyway, some constraints do apply. for example, the NIC should not be assigned with a default gateway.
0
 
LVL 1

Author Comment

by:dougp23
ID: 39921352
bbao, I cannot add another NIC and connect directly to the 10.42.102.x subnet, as that subnet is only available over a leased frame circuit, which the company on the other end is doing away with, in favor of VPN connections.
0
