NAT Route, Almost IP Spoofing

dougp23 asked:
I have this very specialized PC that requires this very specialized setup.  Please see if you can help me out.

The PC has two NICs.  One connects to a Verizon network, let's say 64.xx.yy.zz.   That part works fine!

The other NIC needs to do this:

1.  Connect to our internal 192.168.11.y network.  Easy, done.

2.  Connect, via Sonicwall VPN Client, to an external network.  Easy, done.

3.  When trying to connect to 192.168.4.x, traffic must appear to come from 10.42.102.55.   These originally ran on a leased line, but the organization is doing away with leased lines and wants us to go VPN.  I can ping the 192.168.4.20 interface, so I am hitting their host; however, their host says "I will only accept traffic from you on 10.42.102.55."  Hmmmm... how the heck do I do that?  I have tried a one-to-one NAT route in my Sonicwall, but the only way to do it makes ALL traffic from the local 192.168.11.y appear to be coming from 10.42.102.55, and that breaks a lot of things.  What I need is for the Sonicwall to have a rule that says "if 192.168.11.100 is trying to connect to 192.168.4.20, then make it appear as if the traffic is coming from 10.42.102.55".

In digging through Cisco manuals, they have something called "route maps" that accomplishes this.  Does the Sonicwall have something similar?
Commented:
Take a look at the following to see if it does what you want.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3915

Commented:
How many other PCs on your 192.168.11 network use VPN to reach the 192.168.4 network?

Is it possible to add another NIC to the two you have, with a different subnet?  You could then one-to-one NAT route that subnet.

What OS is your PC running and the remote system on the .4 net running?

- gurutc
Aaron Tomosky, Director of Solutions Consulting

Commented:
It's in NAT in the SonicWall. You have to first make address objects for 10.42.102.55 and the single IP that you want to allow (or let me know if you want to allow a group or subnet, as that's not hard).
The rule is literally just like you described, with original source and translated source (this is the fake IP 10.42.102.55).
IT Consultant
Commented:
If the SonicWALL is sitting between 192.168.11.100 and 192.168.4.20, then the following address objects and NAT policy seem to be needed per your requirement.

Address Objects:

PC1 Secondary IP: 192.168.11.100
PC1 NATed IP: 10.42.102.55
PC2 Primary IP: 192.168.4.20

NAT Policy:

Source - Original: PC1 Secondary IP
Source - Translated: PC1 NATed IP
Destination - Original: PC2 Primary IP
Destination - Translated: Original
Service - Original: Any
Service - Translated: Original

The Inbound Interface and Outbound Interface settings depend on your SonicWALL's port definitions on LAN, WAN, OPT, etc.
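
The selective policy above differs from the one-to-one NAT the asker tried in that it matches on both original source and original destination, so only the single 192.168.11.100 to 192.168.4.20 flow is rewritten and every other host on 192.168.11.0/24 keeps its real address. The following is an added example, not SonicWALL code and not from anyone in this thread: a small Python model of NAT policy matching that evaluates a policy list top-down, first match wins (an assumption of the model, not a statement about SonicWALL's engine), and contrasts the blanket one-to-one policy with the selective one. All addresses are the ones already in the thread; the flows in `SAMPLE_FLOWS` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address objects named as in the thread (networks written in CIDR so a
# single host and a whole subnet can be matched the same way).
PC1_SECONDARY_IP = "192.168.11.100/32"
PC1_NATED_IP = "10.42.102.55"
PC2_PRIMARY_IP = "192.168.4.20/32"
LAN_SUBNET = "192.168.11.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class NatPolicy:
    """One NAT policy: match on original source/destination, rewrite source.

    src_translated=None models the "Original" choice, i.e. leave it alone.
    Destination - Translated is always "Original" in this thread, so the
    model never rewrites the destination.
    """
    src_original: str
    dst_original: str
    src_translated: Optional[str]


def _in(obj: str, addr: str) -> bool:
    """True if addr falls inside the address object (host or network)."""
    return ip_address(addr) in ip_network(obj, strict=False)


def apply_nat(policies: List[NatPolicy], src: str, dst: str) -> Tuple[str, str]:
    """Return (source, destination) as seen on the far side of the firewall.

    Policies are evaluated top-down and the first match wins; this ordering
    rule is an assumption of the model. A flow matching no policy is passed
    through untranslated.
    """
    for p in policies:
        if _in(p.src_original, src) and _in(p.dst_original, dst):
            return (p.src_translated or src, dst)
    return (src, dst)


# What the asker tried first: every LAN host, to any destination, becomes
# 10.42.102.55. This is the configuration that "breaks a lot of things".
BLANKET = [NatPolicy(LAN_SUBNET, ANY, PC1_NATED_IP)]

# The selective policy from the comment above: only PC1 talking to PC2 is
# rewritten; everything else falls through untranslated.
SELECTIVE = [NatPolicy(PC1_SECONDARY_IP, PC2_PRIMARY_IP, PC1_NATED_IP)]

# Constructed sample flows (source, destination) to compare the two policies.
SAMPLE_FLOWS = [
    ("192.168.11.100", "192.168.4.20"),   # the flow that must be rewritten
    ("192.168.11.100", "192.168.4.21"),   # same host, different destination
    ("192.168.11.50", "192.168.4.20"),    # another LAN host, same destination
    ("192.168.11.50", "192.168.11.1"),    # ordinary internal traffic
]


def compare(policies: List[NatPolicy]) -> List[Tuple[str, str, str]]:
    """For each sample flow, report (original src, dst, translated src)."""
    out = []
    for src, dst in SAMPLE_FLOWS:
        new_src, _ = apply_nat(policies, src, dst)
        out.append((src, dst, new_src))
    return out


if __name__ == "__main__":
    for name, pol in (("blanket one-to-one", BLANKET), ("selective", SELECTIVE)):
        print(f"--- {name} ---")
        for src, dst, new_src in compare(pol):
            flag = "" if new_src == src else "  <- rewritten"
            print(f"{src:>16} -> {dst:<14} seen as {new_src}{flag}")
```

Running it shows the blanket policy rewriting all four flows, including plain internal 192.168.11.x traffic, while the selective policy touches only the first one. The same matching logic applies if the asker later needs a group or subnet on either side: widen `src_original` or `dst_original` to the relevant network rather than loosening both to "Any".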

Author

Commented:
Gurutc - 4 other computers in the 192.168.11.x range use the VPN for 192.168.4.x.  I have thought of adding another NIC; should I keep it in the 192.168.11.x range?  If I choose a new range (say 192.168.12.x) then the whole "default gateway" issue seems to crop up.  (The one that says only one default gateway per PC for reliable traffic.)

Thanks for the other comments, I am setting up a test box to see what I can do with this!
bbao, IT Consultant

Commented:
Adding another NIC is technically possible, but why don't you simply give the 10.42.102.55 address directly to the NIC and connect the port directly to the 10.42.102.x subnet?

Anyway, some constraints do apply. For example, the NIC should not be assigned a default gateway.

Author

Commented:
bbao, I cannot add another NIC and connect directly to the 10.42.102.x subnet, as that subnet is only available over a leased frame circuit, which the company on the other end is doing away with in favor of VPN connections.
