Sonicwall NSA5600.


We have a SonicWall 5600 which is connected to the internet via its X01 interface and a primary IP. We have been provided a number of IP addresses by our ISP but use nothing more than that first primary one.

We have around 7 VPNs to various AWS instances that all use that same primary IP, but we now need to initiate another tunnel using a different WAN IP.

Other than configuring another physical interface on the front of the SonicWall, how can I achieve another sub-interface on the NSA5600 X01? I have tried NAT policies for the VPN, but it never translates from our original primary IP.

Any ideas?
Aaron Tomosky (Director of Solutions Consulting) commented:
What's the subnet mask on X1? That determines how many IPs the SonicWall has available. So a /32 is just one IP.
To use those other IPs for anything, you have to make an address object for each one you want to use.
SimonBrook (Author) commented:
Hi Aaron,

X1 subnet mask is /28.

An address object for the additional IP has already been created.

Aaron Tomosky (Director of Solutions Consulting) commented:
Disclaimer: I've only done this to push traffic from certain hosts in/out of secondary WAN IPs, never tried it with VPN tunnels, but it should work.

So on the new VPN policy, you have set the Local IKE ID as "IPv4 Address" and are using the secondary WAN IP, right?
And on the Advanced tab, VPN Policy bound to: Interface X1 (the default is Zone WAN).

Then I believe you need to add a NAT rule; something like this should do it:
Original source: any
Translated source: secondary WAN IP address object
Original destination: remote gateway IP address object
Translated destination: original

That way any packets going to that remote gateway will come out with the IP of your choosing.
SimonBrook (Author) commented:
Found it was not possible with the SonicWalls to push VPNs down different interfaces.

Benjamin Van Ditmars (Sr Network Engineer) commented:
If you set the local IKE ID to the second IP address, it will work.
Only you need to add an ARP entry and publish it to the interface of your WAN, normally X1.
I have used this a lot and it works perfectly.
SimonBrook (Author) commented:
SonicWall worked with me and it was not possible.