Solved

NAT Route, Almost IP Spoofing

Posted on 2014-03-03
7
416 Views
Last Modified: 2014-03-11
I have this very specialized PC that requires this very specialized setup.  Please see if you can help me out.

The PC has two NICs.  One connects to a Verzion network, let's say 64.xx.yy.zz   That part works fine!

The other NIC needs to do this:

1.  Connect to our internal 192.168.11.y network.  Easy, done.

2.  Connect, via Sonicwall VPN Client, to an external network.  Easy, done.

3.  When trying to connect to 192.168.4.x, traffic must appear to come from 10.42.102.55.   These originally ran on a leased line, but the organization is doing away with leased lines and wants us to go VPN.  I can ping the 192.168.4.20 interface, so I am hitting their host, however, their host says "I will only accept traffic from you on 10.42.102.55."  Hmmmm..how the heck do I do that?  I have tried a one to one NAT route in my sonicwall, but the only way to do it makes ALL traffic from the local 192.168.11.y appear to be coming from 10.42.102.55, and that breaks a lot of things.  What I need is for the sonicwall to have a rule that says "if 192.168.11.100 is trying to connect to 192.168.4.20, then make it appear as if the traffic is coming from 10.42.102.55".

In digging through Cisco manuals, they have something called "route maps" that accomplishes this.  Does the Sonicwall have something similar?
0
Comment
Question by:dougp23
7 Comments
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 200 total points
Comment Utility
Take a look at the following to see if it does what you want.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3915
0
 
LVL 16

Expert Comment

by:gurutc
Comment Utility
How many other PCs on your 192.168.11 network use VPN to reach the 192.168.4 network?

Is it possible to add another NIC to the two you have with a different subnet.  You could then one-to-one NAT route that subnet.

What OS is your PC running and the remote system on the .4 net running?

- gurutc
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
Comment Utility
It's in nat in the sonicwall. You have to first make address objects for 10.42.102.55, and the single ip that you want to allow (or let me know if you want you can allow a group or subnet as that's not hard)
The rule is literally just like you described with original, source, translated source (this is the fake ip 10.42.102.55)
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 300 total points
Comment Utility
if the SonicWALL is sitting between 192.168.11.100 and 192.168.4.20, then the following address objects and NAT policy seem to be needed per your requirement.

Address Objects:

PC1 Secondary IP: 192.168.11.100
PC1 NATed IP: 10.42.102.55
PC2 Primary IP: 192.168.4.20

NAT Policy:

Source - Original: PC1 Secondary IP
Source - Translated: PC1 NATed IP
Destination - Original: PC2 Primary IP
Destination - Translated: Original
Service - Original: Any
Service - Translated: Original

The Inbound Interface and Outbound Interface settings depend on your SonicWAL's port definitions on LAN, WAN and OPT etc.
0
 
LVL 1

Author Comment

by:dougp23
Comment Utility
Gurutc- 4 other computers in the 192.168.11.x range use the VPN for 192.168.4.x.  I have thought of adding another NIC, should I keep it in the 192.168.11.x range?  If I choose a new range (say 192.168.12.x) then the whole "default gateway" issue seems to crop up.  (The one that says only one def gw per PC for reliable traffic).

Thanks for the other comments, I am setting up a test box to see what I can do with this!
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
Comment Utility
adding another NIC is technically possible, why don't you simply give the 10.42.102.55 address directly to the NIC and connect the port directly to the 10.42.102.x subnet?

anyway, some constraints do apply. for example, the NIC should not be assigned with a default gateway.
0
 
LVL 1

Author Comment

by:dougp23
Comment Utility
bbao, I cannot add another NIC and connect directly to the 10.42.102.x subnet, as that subnet is only available over a leased frame circuit, which the compnay on the other end is doing away with, in favor of VPN connections.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Some time ago I was asked to set up a web portal PC to put at our entrance. When customers arrive, they could see a webpage 'promoting' our company. So I tried to set up a windows 7 PC as a kiosk PC.......... I will spare you all the annoyances I…
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now