SimonBrook asked on Sonicwall NSA5600.
Hi,
We have a Sonicwall 5600 which is connected to the internet via its X01 interface and a primary IP. We have been provided a number of IP addresses by our ISP but use no more than that first primary.
We have around 7 VPNs to various AWS instances that all use that same primary IP, but we now need to initiate another tunnel using a different WAN IP.
Other than configuring another physical interface on the front of the Sonicwall, how can I achieve another sub-interface on the NSA5600 X01? I have tried NAT Policies for the VPN but it never translates from our original primary IP.
Any ideas?
ASKER
Hi Aaron,
X1 subnet mask is /28.
Address object on the additional IP has already been created as an address object.
Thanks,
Disclaimer: I've only done this to push traffic from certain hosts in/out secondary wan ips, never tried it with vpn tunnels but it should work.
So on the new VPN policy, you have set the Local IKE ID as "IPv4 Address" and are using the secondary WAN IP, right?
And on the Advanced tab, VPN Policy bound to: Interface X1 (the default is Zone WAN).
Then I believe you need to add a NAT rule; something like this should do it:
og source: any
trans source: secondary WAN IP address object
og dest: remote gateway IP address object
trans dest: original
That way any packets going to that remote gateway will come out with the IP of your choosing.
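To make the effect of that NAT rule concrete, here is a small added model (not SonicOS code and not from anyone in this thread) of first-match NAT policy evaluation, using the four fields from the answer above. All addresses are constructed: the thread only states that X1 is a /28 and that the secondary IP has an address object.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (not from the thread).
X1_SUBNET = ipaddress.ip_network("203.0.113.0/28")   # the asker's X1 is a /28
PRIMARY_WAN = "203.0.113.2"                           # X1 primary IP
SECONDARY_WAN = "203.0.113.3"                         # extra ISP IP, has its own address object
NEW_REMOTE_GW = "198.51.100.10"                       # peer for the new tunnel
OLD_REMOTE_GW = "198.51.100.20"                       # one of the existing AWS peers


@dataclass
class NatPolicy:
    """One NAT policy with the same four fields as the answer: 'any' and
    'original' mirror the GUI choices."""
    orig_source: str   # "any" or an address
    trans_source: str  # "original" or an address
    orig_dest: str     # "any" or an address
    trans_dest: str    # "original" or an address

    def matches(self, src: str, dst: str) -> bool:
        return self.orig_source in ("any", src) and self.orig_dest in ("any", dst)

    def apply(self, src: str, dst: str) -> tuple[str, str]:
        new_src = src if self.trans_source == "original" else self.trans_source
        new_dst = dst if self.trans_dest == "original" else self.trans_dest
        return new_src, new_dst


def secondary_ip_usable(ip: str, subnet: ipaddress.IPv4Network) -> bool:
    """The extra IP must be a host address inside X1's /28 before it can be
    published (ARP) on X1 at all."""
    addr = ipaddress.ip_address(ip)
    return addr in subnet and addr not in (subnet.network_address, subnet.broadcast_address)


def egress_source(policies: list[NatPolicy], src: str, dst: str) -> str:
    """First matching policy wins, as in an ordered NAT policy table; with no
    match the packet leaves untranslated (the asker's original symptom)."""
    for policy in policies:
        if policy.matches(src, dst):
            return policy.apply(src, dst)[0]
    return src


# The rule from the answer: any source -> secondary WAN IP, only towards the new gateway.
POLICIES = [NatPolicy("any", SECONDARY_WAN, NEW_REMOTE_GW, "original")]

if __name__ == "__main__":
    print("new tunnel leaves as", egress_source(POLICIES, PRIMARY_WAN, NEW_REMOTE_GW))
    print("old tunnels leave as", egress_source(POLICIES, PRIMARY_WAN, OLD_REMOTE_GW))
```

Because the original destination is pinned to the new remote gateway, the seven existing tunnels still source from the primary IP; a rule with `og dest: any` would have re-sourced all of them.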
ASKER CERTIFIED SOLUTION
If you set the Local IKE ID to the second IP address, it will work.
Only you need to add an ARP entry and publish it to the interface of your WAN, normally X1.
I have used this a lot and it works perfectly.
ASKER
Sonicwall worked with me and it was not possible.
To use those other ips for anything, you have to make an address object for each one you want to use.