Sonicwall NSA 2400 setup help

Hello Experts,
I am replacing our Comcast Cable internet connection with a Comcast dedicated fiber connection at the end of the week, and the setup of my Sonicwall NSA 2400 will be vastly different from its current settings. I am not familiar with the new settings that Comcast has sent me and was hoping for someone to give me a bit of guidance on how to configure the Sonicwall using the new Comcast IP allocations. They do not provide a gateway router, just a switch, so I have to use my Sonicwall as both a gateway/router and firewall. Below you will find the new settings, which I have changed in the interest of security. The subnet masks are all valid and correct; just the IPs have been changed. Please let me know how to best implement and configure my Sonicwall NSA 2400 with these new settings, and thank you in advance for your advice and assistance.

P2P IP: 55.200.164.128/30
Gateway: 55.200.164.129
Customer Layer 3 device: 55.200.164.130
P2P Subnet: 255.255.255.252
Customer Usable Network Address: 55.200.164.160
Customer Allocation: 55.200.164.160/27
Customer Usable IPs: 55.200.164.161 - 50.207.174.190
Broadcast Address: 55.200.164.191
Customer Subnet: 255.255.255.224
DNS Servers:
Primary: 75.75.75.75
Secondary: 75.75.76.76
HKVP9 (IT Manager) asked:

carlmd commented:
What part is it that you don't understand? Just change the WAN X1 settings to those that you show above.

Zone: WAN
IP Assignment: Static
IP Address: 55.200.164.161
Subnet Mask: 255.255.255.224
Default Gateway: 55.200.164.129
DNS server 1: 75.75.75.75
DNS server 2: 75.75.76.76
DNS server 3:
Comment: Default WAN
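As an added example (not code from the thread), a Python check of the posted allocation using the standard ipaddress module: it lists the usable range of each block, counts the /27 addresses available for NAT policies, and tests whether the Comcast gateway sits on the same link as a candidate X1 address, the condition a static default gateway has to satisfy. The /30 endpoint address and the /27 address tried below are both taken from the allocation in the question.

```python
import ipaddress

# Values copied from the allocation posted in the question (the poster
# already obfuscated the real addresses; the masks are as given).
P2P_BLOCK = "55.200.164.128/30"        # point-to-point link to Comcast
COMCAST_GATEWAY = "55.200.164.129"     # Comcast side of the /30
CUSTOMER_L3 = "55.200.164.130"         # customer side of the /30
CUSTOMER_BLOCK = "55.200.164.160/27"   # routed block for public services


def usable_range(cidr):
    """Return (first, last) host address of a block as strings,
    excluding the network and broadcast addresses."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])


def gateway_on_link(iface_cidr, gateway):
    """True when the gateway is inside the subnet configured on the
    interface. A static interface can only ARP for a gateway on its own
    link, so this must hold for the default gateway entered on X1."""
    iface = ipaddress.ip_interface(iface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def nat_candidates(block=CUSTOMER_BLOCK):
    """Host addresses of the routed block available as public addresses
    for NAT policies (the whole block is routed to the customer device)."""
    return [str(h) for h in ipaddress.ip_network(block).hosts()]


def wan_plan_report():
    """Compare the two ways of addressing X1 that the thread touches on:
    the /30 endpoint address versus an address out of the /27."""
    return {
        "p2p_usable": usable_range(P2P_BLOCK),
        "customer_usable": usable_range(CUSTOMER_BLOCK),
        "x1_as_/30_endpoint": gateway_on_link(f"{CUSTOMER_L3}/30", COMCAST_GATEWAY),
        "x1_as_/27_address": gateway_on_link("55.200.164.161/27", COMCAST_GATEWAY),
        "nat_candidates": len(nat_candidates()),
    }


if __name__ == "__main__":
    for key, value in wan_plan_report().items():
        print(f"{key}: {value}")
```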

HKVP9 (IT Manager, author) commented:
Well, they said I would have to set up two different configurations? I am not sure what they meant by that?
carlmd commented:
Keep in mind that the Sonicwall only uses one WAN IP address. Your new configuration provides for 32 (29 usable), so what do you do with the others?

If they are NAT'ed through the Sonicwall, then you have to change all those NATs as well.

HKVP9 (IT Manager, author) commented:
Yes, we have a bunch of publicly facing machines that will use their own public IP addresses for remote access. Those IPs will be configured through the interface wizard to NAT to the affected workstations. Yes, I will have to do a ton of re-configuration for this new connection setup. I am not looking forward to doing that at all. We do have two NSA 2400 firewalls currently in service to supply the needed public IPs through two Comcast Business cable modems. I will be consolidating the two into just one firewall with this new connection configuration.
carlmd commented:
For those NATs on the firewall you are going to keep in service, you should only have to change the WAN IP by editing the config. A printout of the other firewall's NATs should give you a place to start in adding the new ones.

Also keep in mind that there could be firewall rules that apply to the connections serviced by these NATs. For example, a web server on the LAN that is only given access on ports 80 and 443. You will have to check for this on the ones that are to be moved to the one Sonicwall.

I would be careful using the Wizard where only editing is required since this will create all new items without removing/changing the old ones. This would be helpful for the items moved from one Sonicwall to the other, but not for changes on the one you are keeping.
HKVP9 (IT Manager, author) commented:
I completely understand what you are saying, but it is exceedingly difficult to go through all of the existing NAT rules and be sure that you have edited all of them properly. Starting from scratch is really a much easier approach, I think. Most of the rules are in regards to RDP connections, which I am hopefully going to ditch completely, as I hate having all of those ports open to the internet. We are constantly being barraged with attempts to break into those workstations that have open ports, and the only thing keeping them from being successful is strong passwords, which as you know is not something to count on. I am hoping to move everyone to LogMeIn or a similar product to alleviate the open port issues.
carlmd commented:
Have you considered using the SSLVPN features of the Sonicwall? This would provide for RDP and other remote access, and is much simpler for end users versus LogMeIn.

Since the NSA2400 is obsolete and the specs are no longer online, I don't know how many VPN connections it supports, but I suspect at least 15 concurrent ones.
HKVP9 (IT Manager, author) commented:
To be frank I have not messed with the SSLVPN at all and would not have a clue on where to start in order to utilize that functionality? If you could point me in the direction of some good info or just walk me through how it could be used in order to connect via RDP I would be eternally grateful.
carlmd commented:
You get one or two included SSLVPN licenses with the Sonicwall, so you have those already. You can check under Licenses on the Sonicwall to see how many you have. Additional licenses can be added fairly cheaply.

This will tell you how to configure and use it.

https://support.software.dell.com/sonicwall-nsa-series/kb/sw10657
HKVP9 (IT Manager, author) commented:
Here is what it says under licenses.
(attached screenshot: sslvpn.JPG)
It looks like I have plenty of licenses, Max: 127, and I only have like 40 remote workers.
carlmd commented:
What it says is that you have 2 licensed copies, and can purchase up to a maximum of 127 total.
HKVP9 (IT Manager, author) commented:
I have gotten it working, but the problem is: can I use the same LAN subnet in the SSLVPN configuration that is used on my actual LAN? I mean, I get an IP address from the NetExtender client in the 192.168.2.x subnet, but is that going to conflict with IP addresses that are already handed out on that subnet via my Active Directory DHCP server? I tried to use a different subnet in the client routing portion of the setup and then I created a route to my X0 subnet, but I still cannot reach anything on my 192.168.2.x subnet from the client subnet 192.168.4.x? I also do not see any DHCP leases on the Sonicwall, so are these some type of virtual DHCP leases? Help please.
HKVP9 (IT Manager, author) commented:
2 licensed copies means I only have two concurrent connections allowed?
carlmd commented:
Yes, only two concurrent connections. You would need to buy additional licenses as needed. MSRP for a 10 user pack is $345.

Normally what you do is reserve a set of addresses on your DHCP server that are not handed out by it. Then you use that range of addresses to specify what the Sonicwall hands out for the SSLVPN connection. Since you are using 192.168.2.x you could assign the range say from 200 to 250 to the Sonicwall, and reserve that on the DHCP server.

If you want to use VLANs you can, but they have to be known to the Sonicwall. You would have to assign them to an Address Object, then include them on the SSLVPN Client Settings, and also on the SSLVPN tab for the user.
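An added example (not from the thread) that checks a proposed NetExtender client pool the way the suggestion above describes: is the pool inside the X0 subnet, and does it stay clear of the range the DHCP server leases? The X0 subnet is the 192.168.2.x from the question; the DHCP scope boundaries are an assumption, since the thread never gives them.

```python
import ipaddress

# Constructed values: the X0 LAN subnet comes from the thread; the DHCP
# scope boundaries are an assumption, since the thread never states them.
LAN_SUBNET = "192.168.2.0/24"
DHCP_SCOPE = ("192.168.2.100", "192.168.2.199")   # assumed AD DHCP scope


def address_range(first, last):
    """Inclusive (low, high) integer pair for a dotted-quad range."""
    low, high = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if low > high:
        raise ValueError(f"range start {first} is after range end {last}")
    return low, high


def ranges_overlap(a, b):
    """True when two inclusive integer ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_vpn_pool(pool_first, pool_last, lan_cidr=LAN_SUBNET, dhcp=DHCP_SCOPE):
    """Classify a proposed SSLVPN client pool against the LAN.
    inside_lan: the pool sits in the X0 subnet (no separate client subnet
                to route back to)
    overlaps_dhcp: the pool collides with addresses DHCP may lease out
    ok: in the LAN and outside the DHCP scope, i.e. safe to reserve"""
    lan = ipaddress.ip_network(lan_cidr)
    pool = address_range(pool_first, pool_last)
    scope = address_range(*dhcp)
    inside_lan = all(ipaddress.ip_address(ip) in lan for ip in (pool_first, pool_last))
    overlaps = ranges_overlap(pool, scope)
    return {
        "inside_lan": inside_lan,
        "overlaps_dhcp": overlaps,
        "pool_size": pool[1] - pool[0] + 1,
        "ok": inside_lan and not overlaps,
    }


if __name__ == "__main__":
    # The .200-.250 range suggested above, a pool that collides with the
    # assumed scope, and the separate 192.168.4.x subnet from the question.
    for first, last in (("192.168.2.200", "192.168.2.250"),
                        ("192.168.2.150", "192.168.2.250"),
                        ("192.168.4.1", "192.168.4.50")):
        print(first, "-", last, check_vpn_pool(first, last))
```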
HKVP9 (IT Manager, author) commented:
I have tested this and it is slower than can be. That won't fly with my users, and it is what I have seen in the past in regards to VPNs in general just being very slow performing. I think I am going to go with a third party solution to get people connected remotely, as long as I can get the powers that be to agree to it. Thanks for your help very much; I appreciate it immensely. I can get LogMeIn for a little more than what it will cost me to purchase all the licenses I will need for the SSLVPN, so it doesn't make any sense to me to go with that solution when it seems to be extremely low performance.
carlmd commented:
One parting thought, you might want to wait until the new circuit is in and test the SSLVPN again.

On a heavily loaded circuit the SSLVPN will be much slower. On a fast circuit the SSLVPN will be just a bit slower due to the encryption on the tunnel. Keep in mind that when using the SSLVPN all traffic is encrypted.
HKVP9 (IT Manager, author) commented:
10-4, understood! Going from a cable internet 50/10 to a dedicated fiber 50/50, not sure if that will make much difference.