Solved

SD-WAN integration using backhauled internet through a Sonicwall NSA 3600 series

Posted on 2016-09-21
531 Views
Last Modified: 2016-11-22
Greetings,

We're getting ready to implement an SD-WAN solution with our in-place Sonicwall NSA 3600 (running SonicOS Enhanced 6.2.6.0-20n). Our Sonicwall currently does all our packet inspection/Gateway AV/AS and application control. We're currently configured in a more or less traditional way: LAN on X0 (HQ LAN), WAN on X1, and we've added a zone called FIBER on X4, which is a layer 2 transport service for site-to-site communication. We use X4 to pre-inspect branch site data before it gets access to the HQ LAN/servers or is routed to the internet.

We're re-configuring each site on the transport service to use two internet connections instead, and each site will have its own SD-WAN box. The SD-WAN provider supports "backhaul internet to HQ", so we can funnel internet traffic into our Sonicwall like we are currently. You can configure the LAN switch ports on our SD-WAN solution to be specific VLANs, so we're using 2 ports for "LAN" traffic and 2 ports for "internet" traffic on the HQ unit in an attempt to "route in and route out" of the Sonicwall to get use of its security services.

Here's our biggest catch/complication: To get the most out of our SD-WAN's monitoring capabilities, we need to NOT NAT our WAN traffic (although the SD-WAN will NAT for us before hitting the internet). Unfortunately, the Sonicwall has a default NAT rule for the WAN interface to hide your traffic behind your internet IP. You can't change it or delete it. To further complicate matters, you can't specify an interface with a default gateway unless it's part of the WAN zone. You also can't create a new zone and establish a different 0.0.0.0/0 route to get away from the NAT problem, at least not without enabling advanced routing, which is far beyond my skill in networking.

It appeared Layer 2 Bridging or Layer 3 splicing (the only 2 options that seem to still exist at this stage in SonicOS) would be our solution, as it bypasses the NAT issue altogether. When I called Dell Sonicwall support for clarification, I was informed, "you can't route to interfaces that are part of a bridge pair". That statement seems to be at odds with what I've read online, and he further compounded it with "'Layer 3 transparency/splice' also can't be routed to" (it says Layer 3??).

I've tried some experimenting with a TZ215 on SonicOS 5.9 but it seems like I'm fighting that model more often than I'm configuring it.

In short: for what we're trying to do, what would be the best approach that would get our FIBER LAN traffic and our HQ LAN traffic inspected through the Sonicwall WITHOUT NAT to our "WAN" interface (or whatever we have to create)? Pre-inspecting the branch site data before it hits the LAN is nice, but it's not absolutely required; it's definitely in the "nice to have" category. The big key is getting to our "WAN" with NAT OFF. Individual site protocol/application traffic will already be monitored through its individual SD-WAN box, so the big kicker is we can't get a protocol/application breakdown from our SD-WAN for our HQ LAN because of the NAT issue.

Is there a better way to do this?  Was the Dell technician correct?  What's the best way to go about this?
Question by:Member_2_6375190
7 Comments
 
LVL 9

Expert Comment

by:J Spoor
ID: 41810170
If you don't want NAT, but still want to use WAN zone, you can disable the NAT policies, just don't delete them.

Say your X4 is the fiber and you make it WAN zone; find the NAT policies that look like

source any
translated source X4 IP

just disable those :)

0
 

Author Comment

by:Member_2_6375190
ID: 41810980
Except the one I need to disable is on the WAN zone, and I was assured by the Dell technician (who wasn't entirely accurate to begin with) that you can't disable that one or delete it. AND if you go look at the Default NAT policies, their check boxes are grayed out and the Enabled column is just green circle check marks. You can't even open them. It does look, however, like it IS possible to create one as a higher priority, maybe.

Can I make a NAT policy that will supersede the built-in WAN zone NAT policy that will keep LAN (x0) traffic from being translated out the WAN (x1) interface?  

I either need a way to disable it on the LAN to WAN zone by Transparent Mode (L3 Splice), Layer 2 Bridge Mode, or turning on "Expert Mode Settings: Use Routed Mode - Add NAT policy to prevent outbound/inbound translation" from LAN to WAN (X1 is my only choice for this setting), or a way to supersede the default policy with one that explicitly stops translation.

OR

I need a way to make a 0.0.0.0/0 route on a zone that is NOT the WAN zone because only WAN zone interfaces have a "default gateway" setting and that automatically establishes the "default gateway" and "secondary default gateway" routes (if you have 2 WAN zone based interfaces configured).
0
 
LVL 9

Expert Comment

by:J Spoor
ID: 41811015
If you delete the default NATs they get re-added. You CAN disable them!!!

You can also optionally on the X0 and other lan / dmz interfaces on the advanced tab enable the routed mode to the X4 WAN, this will add No-NAT policies.
0
 

Author Comment

by:Member_2_6375190
ID: 41811680
What we weren't aware of is the Dell article that tells you how to "Enable the ability to disable auto-added NAT policy" on the /diag.html page. I had posed this very question in many ways, but my boss came across it.

With that said, this option doesn't exist in our TZ-215 (only class 6 and up).

We DO have 2 NSA 3600's in a HA active/standby pair.  Is it possible to temporarily take one out of the HA and use it as a standalone for testing?  More importantly: can we put it back in as the HA standby when we're done?
0
 
LVL 9

Accepted Solution

by:
J Spoor earned 2000 total points
ID: 41812001
You shouldn't need a diag page option for that...

Just go into the nat policies and untick the enable box.

Or use the Routed Mode option instead :)
0
 

Assisted Solution

by:Member_2_6375190
Member_2_6375190 earned 0 total points
ID: 41813244
I started to post a screen cap of the rules I can't disable and then found the specific rule that I need to disable doesn't show up under the "default" filter. It's auto-added but can be disabled.

For sake of full disclosure however:

1. Disabling it didn't actually make the traffic truly un-NATed. All traffic still showed as coming from the same IP (this is on a TZ215; I have not yet tried the diag.html option on the NSA 3600 to see if I need to disable some of the "green checkmark" rules as well. You can't even get usage statistics from these rules!)
2. Using "routed mode" on an interface's Advanced tab creates a new NAT rule, 1 higher priority than the one I was disabling in number 1, and STILL doesn't truly disable NAT; traffic still shows as coming from a singular IP address.
3. Layer 2 Bridged mode DOES, however, truly disable NAT. It's functionally a little odd, but it's mostly just different. I can talk "directly" out the WAN interface and the source IPs are un-translated, but both the LAN zone and WAN zone (X0 and X1) have the same IP address, which means your upstream subnet (default gateway) has to be on the same subnet. I can also still route from a "regular mode zone" to the "bridge pair" (there's an option to disable routing to this interface, but in my case we need it to be able to be routed to). Essentially the Dell technician I spoke with was completely incorrect about the basic functionality of L2 Bridge mode or didn't understand our requirements/aims.

We're still interested in trying to truly disable NATing without going to L2 Bridge mode, just because it feels more natural not using the bridge and there have been scattered issues related to it in some firmware revisions. Trying to not deviate too far from the "norm" helps avoid encountering firmware issues.

We're about to move to the production system and we'll use the "Internal Settings" button on the /diag.htm page to enable "the ability to disable auto-added NAT rules". We want the SW to operate as normally as possible; if I end up with a better solution than L2 Bridge, I'll post it.
0
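Items 1 and 2 above rest on an eyeball test ("all traffic still showed as coming from the same IP"). An objective way to make that check is to capture outbound SYNs on the port that faces the SD-WAN "internet" VLAN (for example `tcpdump -nn -i <port> 'tcp[tcpflags] & tcp-syn != 0'`) and count the distinct source addresses: if every flow carries the X1 WAN address, the default many-to-one NAT is still in effect; if every flow carries an RFC 1918 LAN address, translation is off; a mix means only some traffic is matching a no-NAT policy. The Python below is an added example, not from this thread or from SonicWall. The tcpdump-style lines and all addresses in it are constructed: 203.0.113.10 stands in for the X1 WAN IP, 10.1.x.x for HQ LAN hosts, and 198.51.100.x for internet destinations.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges are spelled out instead of using ip_address().is_private,
# because Python's is_private also flags the documentation networks
# (203.0.113.0/24, 198.51.100.0/24) used in the constructed samples below,
# which would misclassify a public-looking WAN address as "internal".
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the "IP <src>.<sport> > <dst>.<dport>:" part of a `tcpdump -nn` line.
FLOW_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample: what the WAN-side capture looks like with the default
# WAN NAT policy still active (every SYN carries the X1 address).
CAPTURE_NAT_ON = """\
10:01:02.000001 IP 203.0.113.10.51000 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
10:01:02.000120 IP 203.0.113.10.51001 > 198.51.100.21.80: Flags [S], seq 2, win 64240, length 0
10:01:02.000300 IP 203.0.113.10.51002 > 198.51.100.22.443: Flags [S], seq 3, win 64240, length 0
"""

# Constructed sample: the same traffic once translation is really off
# (L2 Bridge mode in the post above); the LAN hosts' own addresses appear.
CAPTURE_NAT_OFF = """\
10:05:02.000001 IP 10.1.10.25.51000 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
10:05:02.000120 IP 10.1.10.26.51001 > 198.51.100.21.80: Flags [S], seq 2, win 64240, length 0
10:05:02.000300 IP 10.1.20.7.51002 > 198.51.100.22.443: Flags [S], seq 3, win 64240, length 0
10:05:02.000400 IP 10.1.10.25.51003 > 198.51.100.23.443: Flags [S], seq 4, win 64240, length 0
"""


def is_rfc1918(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_sources(capture: str) -> Counter:
    """Count SYNs per source address in tcpdump text output; non-matching lines are skipped."""
    sources = Counter()
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if m:
            sources[m.group(1)] += 1
    return sources


def assess_nat(capture: str, wan_ip: str) -> dict:
    """Classify a WAN-side capture as translated, untranslated or partial.

    translated:   every flow is sourced from wan_ip (many-to-one NAT in effect)
    untranslated: every flow is sourced from an RFC 1918 address (NAT is off)
    partial:      a mix, i.e. only some traffic is matching a no-NAT policy
    """
    sources = parse_sources(capture)
    total = sum(sources.values())
    from_wan_ip = sources.get(wan_ip, 0)
    private = sum(n for ip, n in sources.items() if is_rfc1918(ip))
    if total == 0:
        verdict = "no-flows"
    elif from_wan_ip == total:
        verdict = "translated"
    elif private == total:
        verdict = "untranslated"
    else:
        verdict = "partial"
    return {
        "verdict": verdict,
        "flows": total,
        "distinct_sources": len(sources),
        "from_wan_ip": from_wan_ip,
        "private_sources": private,
        "sources": sources,
    }


if __name__ == "__main__":
    WAN_IP = "203.0.113.10"  # constructed stand-in for the X1 WAN address
    for label, cap in [("default NAT", CAPTURE_NAT_ON),
                       ("L2 bridge", CAPTURE_NAT_OFF),
                       ("mixed", CAPTURE_NAT_ON + CAPTURE_NAT_OFF)]:
        r = assess_nat(cap, WAN_IP)
        print(f"{label:12s} verdict={r['verdict']:12s} flows={r['flows']} "
              f"distinct_sources={r['distinct_sources']} from_wan_ip={r['from_wan_ip']}")
```

Run it against a real capture by piping `tcpdump -nn -l ... | python3 -c ...` or by reading the saved text into `assess_nat`. Filtering on SYNs keeps the count to one line per new connection, so a single chatty host cannot mask the result, and a "partial" verdict is the signature of the routed-mode behaviour described in item 2, where a higher-priority no-NAT policy covers some traffic while the rest still hits the default WAN translation.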
 

Assisted Solution

by:Member_2_6375190
Member_2_6375190 earned 0 total points
ID: 41839339
In the long run, so as not to go "against the natural grain", we've opted to stay in standard routed mode, although the disabling of NAT rules will be vitally important in the near future.

The primary reason is that we'll be moving most of our security services to a cloud firewall/security inspection service. To get the level of detail that we want, we'll have to disable NAT (or at least the one-to-many default rule provided by the WAN zone) to get individualized unroutable IP addresses moving into the IPsec/GRE tunnel for inspection. If we don't disable NAT before hitting the tunnel, it's all going to show as the MAC/IP of our external Sonicwall interface when we stream the logs back into our UTM appliance, instead of workstations/servers/switches etc.

Either way this information was useful.
0
