Asked by HKVP9

Sonicwall NSA 2400 setup help

Hello Experts,
I am replacing our Comcast Cable internet connection with a Comcast dedicated fiber connection at the end of the week, and the setup of my Sonicwall NSA 2400 will be vastly different from its current settings. I am not familiar with the new settings that Comcast has sent me and was hoping someone could give me a bit of guidance on how to configure the Sonicwall using the new Comcast IP allocations. They do not provide a gateway router, just a switch, so I have to use my Sonicwall as both gateway/router and firewall. Below you will find the new settings, which I have changed in the interest of security. The subnet masks are all valid and correct; just the IPs have been changed. Please let me know how best to implement and configure my Sonicwall NSA 2400 with these new settings, and thank you in advance for your advice and assistance.

P2P IP: 55.200.164.128/30
Gateway: 55.200.164.129
Customer Layer 3 device: 55.200.164.130
P2P Subnet: 255.255.255.252
Customer Usable Network Address: 55.200.164.160
Customer Allocation: 55.200.164.160/27
Customer Usable IPs: 55.200.164.161 - 50.207.174.190
Broadcast Address: 55.200.164.191
Customer Subnet: 255.255.255.224
DNS Servers:
Primary: 75.75.75.75
Secondary: 75.75.76.76
ASKER CERTIFIED SOLUTION by Carl Dula

ASKER

Well, they said I would have to set up two different configurations? I am not sure what they meant by that.
Keep in mind that the Sonicwall only uses one WAN IP address. Your new configuration provides for 32 (29 usable), so what do you do with the others?

If they are NAT'ed through the Sonicwall, then you have to change all those NATs as well.

ASKER

Yes, we have a bunch of publicly facing machines that will use their own public IP addresses for remote access. Those IPs will be configured through the interface wizard to NAT to the affected workstations. Yes, I will have to do a ton of reconfiguration for this new connection setup. I am not looking forward to doing that at all. We do have two NSA 2400 firewalls currently in service to supply the needed public IPs through two Comcast Business cable modems. I will be consolidating the two into just one firewall with this new connection configuration.
For those NATs on the firewall you are going to keep in service, you should only have to change the WAN IP by editing the config. A printout of the other firewall's NATs should give you a place to start in adding the new ones.

Also keep in mind that there could be firewall rules that apply to the connections serviced by these NATs, for example a web server on the LAN that is only allowed access on ports 80 and 443. You will have to check for this on the ones that are to be moved to the one Sonicwall.

I would be careful using the Wizard where only editing is required, since it will create all new items without removing/changing the old ones. This would be helpful for the items moved from one Sonicwall to the other, but not for changes on the one you are keeping.

ASKER

I completely understand what you are saying, but it is exceedingly difficult to go through all of the existing NAT rules and be sure that you have edited all of them properly. Starting from scratch is really a much easier approach, I think. Most of the rules are in regard to RDP connections, which I am hopefully going to ditch completely, as I hate having all of those ports open to the internet. We are constantly being barraged with attempts to break into those workstations that have open ports, and the only thing keeping them from being successful is strong passwords, which as you know is not something to count on. I am hoping to move everyone to LogMeIn or a similar product to alleviate the open port issues.
Have you considered using the SSLVPN features of the Sonicwall? This would provide for RDP and other remote access, and is much simpler for end users versus LogMeIn.

Since the NSA 2400 is obsolete and the specs are no longer online, I don't know how many VPN connections it supports, but I suspect at least 15 concurrent ones.

ASKER

To be frank, I have not messed with the SSLVPN at all and would not have a clue where to start in order to utilize that functionality. If you could point me in the direction of some good info, or just walk me through how it could be used in order to connect via RDP, I would be eternally grateful.
You get one or two included SSLVPN licenses with the Sonicwall, so you have those already. You can check under Licenses on the Sonicwall to see how many you have. Additional licenses can be added fairly cheaply.

This will tell you how to configure and use it.

https://support.software.dell.com/sonicwall-nsa-series/kb/sw10657

ASKER

Here is what it says under licenses.
[screenshot of the Sonicwall Licenses page]
It looks like I have plenty of licenses Max: 127 and I only have like 40 remote workers.
What it says is that you have 2 licensed copies, and can purchase up to a maximum of 127 total.

ASKER

I have gotten it working, but the problem is: can I use the same LAN subnet in the SSLVPN configuration that is used on my actual LAN? I mean, I get an IP address from the NetExtender client in the 192.168.2.x subnet, but is that going to conflict with IP addresses that are already handed out on that subnet via my Active Directory DHCP server? I tried to use a different subnet in the client routing portion of the setup and then created a route to my X0 subnet, but I still cannot reach anything on my 192.168.2.x subnet from the client subnet 192.168.4.x. I also do not see any DHCP leases on the Sonicwall, so are these some type of virtual DHCP leases? Help please.

ASKER

2 licensed copies means I only have two concurrent connections allowed?
Yes, only two concurrent connections. You would need to buy additional licenses as needed. MSRP for a 10 user pack is $345.

Normally what you do is reserve a set of addresses on your DHCP server that are not handed out by it. Then you use that range of addresses to specify what the Sonicwall hands out for the SSLVPN connection. Since you are using 192.168.2.x you could assign the range say from 200 to 250 to the Sonicwall, and reserve that on the DHCP server.

If you want to use VLANs you can, but they have to be known to the Sonicwall. You would have to assign them to an Address Object, then include them on the SSLVPN Client Settings, and also on the SSLVPN tab for the user.
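Two address-plan checks for the cutover discussed in this thread, added here as an example and not code from the thread or from SonicWall: `plan_wan` derives the WAN-side addresses from the provider's /30 point-to-point link and /27 customer block (the allocation in the original question), and `check_sslvpn_pool` confirms that a NetExtender client pool such as .200 to .250 lies inside the X0 LAN and does not overlap the range the AD DHCP server hands out, which is the reservation described above. The DHCP scope bounds, the function names and the 30-usable-host count (network and broadcast excluded) are this example's assumptions; Python's standard ipaddress module does the arithmetic.

```python
"""Address-plan sanity checks for a SonicWall WAN cutover and SSLVPN pool."""
import ipaddress


def plan_wan(p2p_cidr: str, customer_cidr: str) -> dict:
    """Derive the X1 (WAN) addresses from the provider's two CIDRs.

    On the /30 link the provider gateway is the first host and our
    Layer 3 device (the SonicWall) the second; the customer block is
    routed to us and hosts() drops its network and broadcast addresses.
    """
    p2p = ipaddress.ip_network(p2p_cidr, strict=True)
    cust = ipaddress.ip_network(customer_cidr, strict=True)
    p2p_hosts = list(p2p.hosts())
    cust_hosts = list(cust.hosts())
    if len(p2p_hosts) != 2:
        raise ValueError("point-to-point link must be a /30 (two hosts)")
    return {
        "gateway": str(p2p_hosts[0]),
        "wan_ip": str(p2p_hosts[1]),
        "wan_mask": str(p2p.netmask),
        "customer_network": str(cust.network_address),
        "customer_first": str(cust_hosts[0]),
        "customer_last": str(cust_hosts[-1]),
        "customer_broadcast": str(cust.broadcast_address),
        "customer_mask": str(cust.netmask),
        "customer_usable": len(cust_hosts),
    }


def check_sslvpn_pool(lan_cidr, dhcp_first, dhcp_last, pool_first, pool_last):
    """Return the problems found with an SSLVPN client address pool.

    The pool must consist of usable hosts inside the X0 LAN subnet and
    must be disjoint from the scope the DHCP server hands out, otherwise
    a VPN client and a LAN host can end up with the same address.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    dhcp = (ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last))
    pool = (ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last))
    problems = []
    if pool[0] > pool[1]:
        problems.append("pool start is after pool end")
    for addr in pool:
        if addr not in lan or addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{addr} is not a usable host in {lan}")
    # Two ranges overlap unless one ends before the other begins.
    if not (pool[1] < dhcp[0] or pool[0] > dhcp[1]):
        problems.append("pool overlaps the DHCP scope")
    return problems
```

Running `plan_wan("55.200.164.128/30", "55.200.164.160/27")` reproduces the gateway, customer device, usable range and broadcast from the provider sheet, so a mismatch against what the provider sent is easy to spot before the circuit goes live.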

ASKER

I have tested this and it is slower than can be. That won't fly with my users, and it is what I have seen in the past in regard to VPNs in general just being very slow performing. I think I am going to go with a third party solution to get people connected remotely, as long as I can get the powers that be to agree to it. Thanks for your help very much; I appreciate it immensely. I can get LogMeIn for a little more than what it will cost me to purchase all the licenses I will need for the SSLVPN, so it doesn't make any sense to me to go with that solution when it seems to be extremely low performance.
One parting thought, you might want to wait until the new circuit is in and test the SSLVPN again.

On a heavily loaded circuit the SSLVPN will be much slower. On a fast circuit the SSLVPN will be just a bit slower due to the encryption on the tunnel. Keep in mind that when using the SSLVPN all traffic is encrypted.

ASKER

10-4, understood! Going from a cable internet 50/10 to a dedicated fiber 50/50, I'm not sure if that will make much difference.