Daniel Flores Olmos (Mexico) asked:
How to configure AT&T Netgate with Sonicwall Firewall

Hi:

I have a Sonicwall TZ210 with 60 nodes but our new corporate sends me an AT&T Netgate to connect my network (192.168.4.x) with their network (10.10.10.x).

I must say I already have a Site to Site (DHCP over VPN) with another bench office (192.168.5.x).

Somebody sends me a Microsoft Visio file with the supposed configuration (attached).

How can I get:

1.- The 2 branches working normally as today
2.- Include AT&T Netgate to connect with the corporate
[Attachment: NetgateConf.PNG]

J Spoor:
as the SonicWALL is already doing VPN you can't hook up the Netgate to the SonicWALL, unless you have multiple public IP addresses?

Are you forced to use the Netgate? Why not use the SonicWALL?


View example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
Daniel Flores Olmos (asker):
Corporate is made up of about 300 locations; we've just joined the group, but they use AT&T for their links, not Sonicwall.

And yes... I have multiple addresses (20). I'm using only one.
Then do the following

configure the Netgate with its LAN port on your 192.168.4.0/24 network
configure the SonicWALL with a DMZ port, say 192.168.5.254/24
configure the Netgate with its WAN port on that DMZ network, say with 192.168.5.253 and .254 as a default gateway

configure the following NAT policies

1.
source = any
translated source = original
destination = second public IP
translated destination = 182.168.5.253 (Netgate)
service = any
translated service = original

2.
source = 192.168.5.253
translated source = second public IP
destination = any
translated destination = original
service = any
translated service = original

create a firewall rule
from WAN to DMZ
allow
source = any
destination = second public IP used for the NAT policies

then create a route on the SonicWALL
source = any
destination = 10.10.10.0/24
gateway = netgate LAN ip
interface = X0
JSpoor:

Thank you so much for your suggestion. I've been stuck with this because AT&T delivers the Netgate with the Admin account preset and (I don't know why) they will not give me the admin credentials, so my hands are tied. Do you have any other suggestion that doesn't require changing the Netgate parameters?

Thanks.
do you know the LAN and WAN IP of the netgate?
working on it!!
Yes, I have both IP's
is the netgate's LAN in your 192.168.4.x range?

if so

hook up its LAN port on a switch to your X0, then on the SonicWALL create a static route for 10.66.0.x pointing to the Netgate's LAN IP, then hang the WAN IP of the Netgate on say X2.
Create a one-to-one NAT using one of your public IPs to the Netgate WAN port.
the Netgate LAN is 10.66.0.254.
then create an X2 DMZ style interface, hook it up there.
then create the aforementioned route with gateway 10.66.0.254

is the Netgate's VPN configured for 10.66.0.x or your original 192.168.4.x?
well, I have a load balancing with X2 and X3 so, I'll connect the netgate in X4.

The Netgate is configured for 10.66.0.x. I have made tests pinging other IPs like 10.66.1.x, 10.66.2.x, etc. and it works [Netgate connected directly to my ISP Cisco 1800 series modem].
so you will need a nat policy as well

src = X0 subnet
t src = X4 subnet
(make sure both are /24)
dst = 10.10.10.0/24
t dst = original

and

src = 10.10.10.0/24
t src = original
dst = X4 subnet
t dst = X0 subnet

this will hide your 192.168.4.x behind 10.66.0.x :)
Questions:

1.- Why 10.10.10.0 if the Netgate segment is 10.66.0.0?
2.- In the combo of original sources, the X0 Subnet doesn't appear; it only shows X2 and onward.
3.- In the Original Destination, how can I get 10.10.10.0 to appear? It only shows text options.
10.10.10 is the destination, on the other side of the VPN?

if X0 subnet is not available, create a custom object for 192.168.4.0/24

it sounds like the VPN is setup for 10.66.0.x to 10.10.10.x

and not for 192.168.4.x

hence the two NAT policies to hide your 192.168.4.0 behind 10.66.0.0 :)

you will have to create an address object for 10.10.10.0/24 to use both in the NAT policies as well as in the static route.
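To make the two subnet-to-subnet NAT policies and the static route above concrete, here is an added example (not from the thread and not SonicWALL code): a small Python model of how a 192.168.4.x host is presented to the corporate side as the matching 10.66.0.x address, and how the reply is mapped back. The subnet values and the Netgate LAN IP are taken from the thread; the host addresses used in the checks are constructed.

```python
# Added example: model of the two NAT policies and the static route described
# in the thread. Both subnets are /24, so the translation keeps the host octet
# and only swaps the network part (a one-to-one subnet mapping).
from ipaddress import ip_address, ip_network

X0_SUBNET = ip_network("192.168.4.0/24")    # SonicWALL LAN (X0)
X4_SUBNET = ip_network("10.66.0.0/24")      # Netgate LAN, hung on X4
CORPORATE = ip_network("10.10.10.0/24")     # reached through the Netgate VPN
NETGATE_LAN_IP = ip_address("10.66.0.254")  # gateway of the static route

# (original src, original dst, translated src or None, translated dst or None)
NAT_POLICIES = [
    (X0_SUBNET, CORPORATE, X4_SUBNET, None),  # outbound: hide X0 behind X4 subnet
    (CORPORATE, X4_SUBNET, None, X0_SUBNET),  # inbound: map X4 address back to X0 host
]


def map_host(addr, src_net, dst_net):
    """One-to-one subnet translation: keep the host bits, swap the network bits."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("both subnets must be the same size (/24 here)")
    host_bits = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + host_bits)


def apply_nat(src, dst):
    """Return (translated src, translated dst) for the first matching policy."""
    src, dst = ip_address(src), ip_address(dst)
    for o_src, o_dst, t_src, t_dst in NAT_POLICIES:
        if src in o_src and dst in o_dst:
            new_src = map_host(src, o_src, t_src) if t_src else src
            new_dst = map_host(dst, o_dst, t_dst) if t_dst else dst
            return str(new_src), str(new_dst)
    return str(src), str(dst)  # no policy matched: packet passes untranslated


def next_hop(dst):
    """Static route: 10.10.10.0/24 via the Netgate LAN IP; everything else default."""
    return str(NETGATE_LAN_IP) if ip_address(dst) in CORPORATE else "default gateway"


if __name__ == "__main__":
    print(apply_nat("192.168.4.10", "10.10.10.2"))  # outbound to the corporate AD
    print(apply_nat("10.10.10.2", "10.66.0.10"))    # reply coming back from corporate
    print(next_hop("10.10.10.2"))
```

Traffic to the existing 192.168.5.x branch matches neither policy and is left untouched, which is why the site-to-site VPN keeps working alongside the Netgate.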
Hi Jspoor:

Look, let's start again:

My actual segment is: 194.168.4.x. In order to connect to the corporate network, they sent me an AT&T Netgate configured with the 10.66.0.x segment. They asked me to connect the Netgate to my network (which means configuring my Sonicwall so it works) and keep my actual segment (192.168.4.x) but with the ability to connect to 10.66.0.x. But in the pings they have asked me to do, they told me the AD IP is 10.10.10.2 (I suppose the 10.66.0.x segment has a VPN to 10.10.10.2, not sure).

So, I have connected a 5 port network switch to my E1 ISP and one ethernet cable from the switch to the Netgate, another ethernet cable from that switch to the Sonicwall and another ethernet cable from the Netgate to a laptop with the 10.66.0.100 IP; that way, at corporate, they are able to ping 10.66.0.254 (Netgate) but not 10.66.0.100 (laptop), and the laptop is not able to ping any IP outside except 10.66.0.254 (I have tried to ping 10.10.10.2 and nothing).

I have tried what you told me but I couldn't because there's something missing in the instructions that doesn't match my Sonicwall options.

What can I do?
Another thing:

I'm not an expert in Sonicwall configuration; could you tell me step by step how to create address objects/address groups/NAT policies, etc.?

Sorry for the inconvenience. Thanks.
I'll do this tomorrow, also draw up a little diagram
Thank you so much; I have called Sonicwall and they said it is not possible to get that configuration. ;(
it is, trust me
ASKER CERTIFIED SOLUTION: J Spoor
May you connect remotely?
Unfortunately I can't do that.

I suggest you take this content and contact SonicWALL support to help implement this.
Sonicwall answer this:

Dear Daniel,


For my part there is not much to review on the Sonicwall; in this drawing the traffic is NATed on the interface as needed, and from then on there is not much we can do, as traffic leaving the Sonicwall is no longer handled by us. If you still want to review it, it should be the other week, as I go on vacation and am not back until Monday.  ;(
this was the best solution; the problem was at the AT&T Netgate, and then they applied this configuration and it works.