Solved

NAT Route, Almost IP Spoofing

Posted on 2014-03-03
7
420 Views
Last Modified: 2014-03-11
I have this very specialized PC that requires this very specialized setup.  Please see if you can help me out.

The PC has two NICs.  One connects to a Verzion network, let's say 64.xx.yy.zz   That part works fine!

The other NIC needs to do this:

1.  Connect to our internal 192.168.11.y network.  Easy, done.

2.  Connect, via Sonicwall VPN Client, to an external network.  Easy, done.

3.  When trying to connect to 192.168.4.x, traffic must appear to come from 10.42.102.55.   These originally ran on a leased line, but the organization is doing away with leased lines and wants us to go VPN.  I can ping the 192.168.4.20 interface, so I am hitting their host, however, their host says "I will only accept traffic from you on 10.42.102.55."  Hmmmm..how the heck do I do that?  I have tried a one to one NAT route in my sonicwall, but the only way to do it makes ALL traffic from the local 192.168.11.y appear to be coming from 10.42.102.55, and that breaks a lot of things.  What I need is for the sonicwall to have a rule that says "if 192.168.11.100 is trying to connect to 192.168.4.20, then make it appear as if the traffic is coming from 10.42.102.55".

In digging through Cisco manuals, they have something called "route maps" that accomplishes this.  Does the Sonicwall have something similar?
0
Comment
Question by:dougp23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 200 total points
ID: 39903099
Take a look at the following to see if it does what you want.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3915
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39903327
How many other PCs on your 192.168.11 network use VPN to reach the 192.168.4 network?

Is it possible to add another NIC to the two you have with a different subnet.  You could then one-to-one NAT route that subnet.

What OS is your PC running and the remote system on the .4 net running?

- gurutc
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39903586
It's in nat in the sonicwall. You have to first make address objects for 10.42.102.55, and the single ip that you want to allow (or let me know if you want you can allow a group or subnet as that's not hard)
The rule is literally just like you described with original, source, translated source (this is the fake ip 10.42.102.55)
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 
LVL 37

Accepted Solution

by:
bbao earned 300 total points
ID: 39905295
if the SonicWALL is sitting between 192.168.11.100 and 192.168.4.20, then the following address objects and NAT policy seem to be needed per your requirement.

Address Objects:

PC1 Secondary IP: 192.168.11.100
PC1 NATed IP: 10.42.102.55
PC2 Primary IP: 192.168.4.20

NAT Policy:

Source - Original: PC1 Secondary IP
Source - Translated: PC1 NATed IP
Destination - Original: PC2 Primary IP
Destination - Translated: Original
Service - Original: Any
Service - Translated: Original

The Inbound Interface and Outbound Interface settings depend on your SonicWAL's port definitions on LAN, WAN and OPT etc.
0
 
LVL 1

Author Comment

by:dougp23
ID: 39910135
Gurutc- 4 other computers in the 192.168.11.x range use the VPN for 192.168.4.x.  I have thought of adding another NIC, should I keep it in the 192.168.11.x range?  If I choose a new range (say 192.168.12.x) then the whole "default gateway" issue seems to crop up.  (The one that says only one def gw per PC for reliable traffic).

Thanks for the other comments, I am setting up a test box to see what I can do with this!
0
 
LVL 37

Expert Comment

by:bbao
ID: 39911273
adding another NIC is technically possible, why don't you simply give the 10.42.102.55 address directly to the NIC and connect the port directly to the 10.42.102.x subnet?

anyway, some constraints do apply. for example, the NIC should not be assigned with a default gateway.
0
 
LVL 1

Author Comment

by:dougp23
ID: 39921352
bbao, I cannot add another NIC and connect directly to the 10.42.102.x subnet, as that subnet is only available over a leased frame circuit, which the compnay on the other end is doing away with, in favor of VPN connections.
0

Featured Post

Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question