Sonicwall NSA5600.

Hi,

We have a SonicWall 5600 which is connected to the internet via its X1 interface and a primary IP. We have been provided a number of IP addresses by our ISP but use no more than that first primary.

We have around 7 VPNs to various AWS instances that all use that same primary IP, but we now need to initiate another tunnel using a different WAN IP.

Other than configuring another physical interface on the front of the SonicWall, how can I achieve another sub-interface on the NSA5600 X1? I have tried NAT policies for the VPN, but it never translates from our original primary IP.

Any ideas?
SimonBrook asked:

Aaron Tomosky (SD-WAN Simplified) commented:
What's the subnet mask on X1? That determines how many IPs the SonicWall has available. So a /32, aka 255.255.255.255, is one IP.
To use those other IPs for anything, you have to make an address object for each one you want to use.
SimonBrook (Author) commented:
Hi Aaron,

X1 subnet mask is /28.

An address object for the additional IP has already been created.

Thanks,
Aaron Tomosky (SD-WAN Simplified) commented:
Disclaimer: I've only done this to push traffic from certain hosts in/out of secondary WAN IPs, never tried it with VPN tunnels, but it should work.

So on the new VPN policy, you have set the Local IKE ID as "IPv4 Address" and are using the secondary WAN IP, right?
And on the Advanced tab, VPN Policy bound to: interface X1 (the default is zone WAN).

Then I believe you need to add a NAT rule; something like this should do it:
Original source: any
Translated source: secondary WAN IP address object
Original destination: remote gateway IP address object
Translated destination: original

That way any packets going to that remote gateway will come out with the IP of your choosing.
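To make the intent of the NAT rule above concrete, here is an added example (not code from the thread or from SonicWall) that models two things Aaron raises: which addresses a /28 on X1 actually makes available for address objects, and which packets the source-NAT rule would rewrite. The IP addresses are constructed placeholders, and the policy matcher is a simplified model of the rule's logic, not SonicWall's own evaluation engine.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for this example (not from the thread).
X1_INTERFACE = ipaddress.ip_interface("203.0.113.2/28")   # primary WAN IP on X1
SECONDARY_WAN = "203.0.113.3"                             # address object for the extra IP
REMOTE_GATEWAY = "198.51.100.10"                          # AWS VPN peer address object


def usable_wan_ips(interface: ipaddress.IPv4Interface) -> list[str]:
    """Host addresses the X1 subnet makes available, excluding X1's own IP."""
    return [str(h) for h in interface.network.hosts() if h != interface.ip]


@dataclass
class NatPolicy:
    """One SonicWall-style NAT policy: original/translated source and destination."""
    original_source: str         # "any" or an address
    translated_source: str       # "original" or an address
    original_destination: str    # "any" or an address
    translated_destination: str  # "original" or an address

    def matches(self, src: str, dst: str) -> bool:
        return (self.original_source in ("any", src)
                and self.original_destination in ("any", dst))

    def apply(self, src: str, dst: str) -> tuple[str, str]:
        """Return (src, dst) as they would leave X1 after this policy."""
        if not self.matches(src, dst):
            return src, dst
        new_src = src if self.translated_source == "original" else self.translated_source
        new_dst = dst if self.translated_destination == "original" else self.translated_destination
        return new_src, new_dst


def source_nat_for_tunnel(secondary_wan: str, remote_gateway: str,
                          interface: ipaddress.IPv4Interface) -> NatPolicy:
    """Build the rule from the thread; refuse an IP the X1 subnet cannot carry."""
    if ipaddress.ip_address(secondary_wan) not in interface.network:
        raise ValueError(f"{secondary_wan} is outside X1's subnet {interface.network}")
    return NatPolicy("any", secondary_wan, remote_gateway, "original")


if __name__ == "__main__":
    policy = source_nat_for_tunnel(SECONDARY_WAN, REMOTE_GATEWAY, X1_INTERFACE)
    print("usable IPs on X1:", usable_wan_ips(X1_INTERFACE))
    # Only traffic to the remote gateway is rewritten; other destinations keep the primary IP.
    print(policy.apply(str(X1_INTERFACE.ip), REMOTE_GATEWAY))   # ('203.0.113.3', '198.51.100.10')
    print(policy.apply(str(X1_INTERFACE.ip), "198.51.100.20"))  # ('203.0.113.2', '198.51.100.20')
```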

SimonBrook (Author) commented:
Found it was not possible with the SonicWalls to push VPNs down different interfaces.
Benjamin Van Ditmars commented:
If you set the local IKE ID to the second IP address, it will work.
You only need to add an ARP entry and publish it to your WAN interface, normally X1.
I have used this a lot and it works perfectly.
SimonBrook (Author) commented:
SonicWall worked with me and it was not possible.