Solved

SD-WAN integration using backhauled internet through a Sonicwall NSA 3600 series

Posted on 2016-09-21
Last Modified: 2016-11-22
Greetings,

We're getting ready to implement an SD-WAN solution with our in-place Sonicwall NSA 3600 (running SonicOS Enhanced 6.2.6.0-20n). Our Sonicwall currently does all our packet inspection/Gateway AV/AS and application control. We're currently configured in a more or less traditional way: LAN on X0 (HQ LAN), WAN on X1, and we've added a zone called FIBER on X4 which is a layer 2 transport service for site to site communication. We use X4 to pre-inspect branch site data before it gets access to the HQ LAN/servers or is routed to the internet.

We're re-configuring each site on the transport service to use two internet connections instead, and each site will have its own SD-WAN box. The SD-WAN provider supports "backhaul internet to HQ" so we can funnel internet traffic into our Sonicwall, like we are currently. You can configure the LAN switch ports on our SD-WAN solution to be specific VLANs, so we're using 2 ports for "LAN" traffic and 2 ports for "internet" traffic on the HQ unit in an attempt to "route in and route out" of the Sonicwall to get usage of its security services.

Here's our biggest catch/complication: To get the most out of our SD-WAN's monitoring capabilities, we need to not NAT our WAN traffic (although the SD-WAN will NAT for us before hitting the internet). Unfortunately, the Sonicwall has a default NAT rule for the WAN interface to hide your traffic behind your internet IP. You can't change it or delete it. To further complicate matters, you can't specify an interface with a default gateway unless it's part of the WAN zone. You also can't create a new zone and establish a different 0.0.0.0/0 route to get away from the NAT problem, at least not without enabling advanced routing, which is far beyond my skill in networking.

It appeared Layer 2 Bridging or Layer 3 splicing (the only 2 options that seem to still exist at this stage in SonicOS) would be our solution, as it bypasses the NAT issue altogether. When I called Dell Sonicwall support for clarification, I was informed, "you can't route to interfaces that are part of a bridge pair". That statement seems to be at odds with what I've read online, and he further compounded it with "'Layer 3 transparency/splice' also can't be routed to" (it says Layer 3??).

I've tried some experimenting with a TZ215 on SonicOS 5.9 but it seems like I'm fighting that model more often than I'm configuring it.

In short - for what we're trying to do, what would be the best approach that would get our FIBER LAN traffic and our HQ LAN traffic inspected through the Sonicwall, WITHOUT NAT to our "WAN" interface (or whatever we have to create) ?  Pre-inspecting the branch site data before it hits the LAN is nice, but it's not absolutely required, it's definitely in the "nice to have" category.  The big key is getting to our "WAN" with NAT - OFF.  Individual site protocol/application traffic will already be monitored through its individual SD-WAN box so the big kicker is we can't get protocol/application breakdown from our SD-WAN for our HQ LAN because of the NAT issue.

Is there a better way to do this?  Was the Dell technician correct?  What's the best way to go about this?
Question by: Member_2_6375190

Expert Comment
by: JSpoor
If you don't want NAT, but still want to use WAN zone, you can disable the NAT policies, just don't delete them.

Say your X4 is the fiber and you make it WAN zone; find the NAT policies that look like

source: any
translated source: X4 IP

just disable those :)

Author Comment
by: Member_2_6375190
Except the one I need to disable is on the WAN zone, and I was assured by the Dell technician (who wasn't entirely accurate to begin with) that you can't disable that one or delete it, AND if you go look at the Default NAT policies their check boxes are grayed out and the enabled column is just green circle check marks. You can't even open them. It does look, however, like it IS possible to create one as a higher priority, maybe.

Can I make a NAT policy that will supersede the built-in WAN zone NAT policy that will keep LAN (x0) traffic from being translated out the WAN (x1) interface?

I either need a way to disable it on the LAN to WAN zone by either Transparent Mode (L3 Splice), Layer 2 Bridge Mode, turning on "Expert Mode Settings: Use Routed Mode - Add NAT policy to prevent outbound/inbound translation" from LAN to WAN (x1 is my only choice for this setting), or IF I can supersede the default policy with one that explicitly stops translation.

OR

I need a way to make a 0.0.0.0/0 route on a zone that is NOT the WAN zone because only WAN zone interfaces have a "default gateway" setting and that automatically establishes the "default gateway" and "secondary default gateway" routes (if you have 2 WAN zone based interfaces configured).
Expert Comment
by: JSpoor
If you delete the default NATs they get re-added. You CAN disable them!!!

You can also optionally, on the X0 and other LAN/DMZ interfaces, enable Routed Mode to the X4 WAN on the Advanced tab; this will add No-NAT policies.
Author Comment
by: Member_2_6375190
What we weren't aware of is the Dell article that tells you how to "Enable the ability to disable auto-added NAT policy" on the /diag.html page. I had posed this very question in many ways, but my boss came across it.

With that said, this option doesn't exist in our TZ-215 (only class 6 and up).

We DO have 2 NSA 3600's in a HA active/standby pair.  Is it possible to temporarily take one out of the HA and use it as a standalone for testing?  More importantly: can we put it back in as the HA standby when we're done?
Accepted Solution
by: JSpoor (earned 500 total points)
You shouldn't need a diag page option for that...

Just go into the nat policies and untick the enable box.

Or use the Routed Mode option instead :)
Assisted Solution
by: Member_2_6375190
I started to post a screen cap of the rules I can't disable and then found the specific rule that I need to disable doesn't show up under the "default" filter; it's auto-added but can be disabled.

For the sake of full disclosure, however:

1. Disabling it didn't actually make the traffic truly un-NATed. All traffic still showed as coming from the same IP (this is on a TZ215; I have not yet tried the diag.html option on the NSA3600 to see if I need to disable some of the "green checkmark" rules as well; you can't even get usage statistics from these rules!).
2. Using "routed mode" on an interface's Advanced tab creates a new NAT rule, one priority higher than the one I was disabling in number 1, and STILL doesn't truly disable NAT; traffic still shows as coming from a singular IP address.
3. Layer 2 Bridged mode DOES however truly disable NAT. It's functionally a little odd, but it's mostly just different. I can talk "directly" out the WAN interface and the source IPs are un-translated, but both the LAN zone and WAN zone (x0 and x1) have the same IP address, which means your upstream subnet (default gateway) has to be on the same subnet. I can also still route from a "regular mode zone" to the "bridge pair" (there's an option to disable routing to this interface, but in my case we need it to be able to be routed to). Essentially the Dell technician I spoke with was completely incorrect about the basic functionality of L2 Bridge mode or didn't understand our requirements/aims.

We're still interested in trying to truly disable NATing without going to L2 Bridge mode, just because it's more natural feeling not using the bridge and there have been scattered issues related to it in some firmware revisions. Trying to not deviate too far from the "norm" helps avoid encountering firmware issues.

We're about to move to the production system and we'll use the "Internal Settings" button on the /diag.htm page to enable "the ability to disable auto-added NAT rules". We want the SW to operate as normally as possible; if I end up with a better solution than L2 Bridge, I'll post it.
Assisted Solution
by: Member_2_6375190
In the long run, so as to "not go against the natural grain", we've opted to stay in standard routed mode, although the disabling of NAT rules will be vitally important in the near future.

The primary reason is that we'll be moving most of our security services to a cloud firewall/security inspection service. To get the level of detail that we want, we'll have to disable NAT (or at least the 1-to-many default rule provided by the WAN zone) to get individualized unroutable IP addresses moving into the IPSEC/GRE tunnel for inspection. If we don't disable NAT before hitting the tunnel, it's all going to show as the MAC/IP of our external Sonicwall interface when we stream the logs back in to our UTM appliance instead of workstations/servers/switches etc.

Either way this information was useful.
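A check for the two symptoms reported in this thread: the earlier "disclosure" post (disabling the auto-added policy and enabling Routed Mode still left all traffic showing as one IP, while L2 bridge mode preserved the sources) and the last post's concern that the cloud inspection logs will attribute everything to the external Sonicwall address. This is an added example, not code from the thread or from SonicWall. It assumes two `tcpdump -n` captures taken at the same time, one on the LAN side (X0) and one on the WAN side (X1), and pairs flows by destination to decide whether the firewall is still source-translating. The capture lines, the 10.10.0.0/16 hosts, the 203.0.113.10 WAN address and the destinations are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches IPv4 lines as printed by `tcpdump -n`, e.g.
# "12:00:01.000000 IP 10.10.1.20.51234 > 93.184.216.34.443: Flags [S], ..."
TCPDUMP_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Constructed sample captures (not from the thread); addresses are placeholders.
LAN_CAPTURE = [  # taken on the X0 (LAN) side
    "12:00:01.000000 IP 10.10.1.20.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.100000 IP 10.10.1.21.51235 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.200000 IP 10.10.2.5.40000 > 198.51.100.53.53: UDP, length 40",
]
WAN_CAPTURE_NATED = [  # taken on X1 with the auto-added NAT policy still active
    "12:00:01.000500 IP 203.0.113.10.1024 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.100500 IP 203.0.113.10.1025 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.200500 IP 203.0.113.10.1026 > 198.51.100.53.53: UDP, length 40",
]
WAN_CAPTURE_BRIDGED = [  # taken on X1 in L2 bridge mode: sources untouched
    "12:00:01.000500 IP 10.10.1.20.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.100500 IP 10.10.1.21.51235 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.200500 IP 10.10.2.5.40000 > 198.51.100.53.53: UDP, length 40",
]


def parse_tcpdump(lines):
    """Return (src, sport, dst, dport, proto) tuples for every parsable line."""
    flows = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        proto = "udp" if "UDP" in line else "tcp"
        flows.append((src, int(sport), dst, int(dport), proto))
    return flows


def sources_per_destination(flows):
    """Group source IPs by (dst, dport, proto).

    Source ports are deliberately ignored: a PAT firewall rewrites them, so
    they cannot be used to pair the inside and outside copies of a flow.
    """
    by_dst = defaultdict(set)
    for src, _sport, dst, dport, proto in flows:
        by_dst[(dst, dport, proto)].add(src)
    return by_dst


def nat_report(lan_flows, wan_flows):
    """Compare the sources seen for each destination on the LAN and WAN side."""
    lan = sources_per_destination(lan_flows)
    wan = sources_per_destination(wan_flows)
    preserved = translated = 0
    wan_sources = set()
    for key, lan_srcs in lan.items():
        wan_srcs = wan.get(key, set())
        if not wan_srcs:
            continue  # never left the firewall: dropped, or captures not aligned
        wan_sources |= wan_srcs
        if wan_srcs == lan_srcs:
            preserved += 1
        else:
            translated += 1
    if preserved and not translated:
        verdict = "no-nat"
    elif translated and not preserved and len(wan_sources) == 1:
        verdict = "many-to-one-nat"
    elif not preserved and not translated:
        verdict = "no-matching-flows"
    else:
        verdict = "mixed"  # partial translation, or 1:1 / per-subnet NAT
    return {
        "preserved": preserved,
        "translated": translated,
        "wan_sources": sorted(wan_sources),
        "verdict": verdict,
    }


if __name__ == "__main__":
    lan = parse_tcpdump(LAN_CAPTURE)
    for label, wan_lines in (("NAT policy active", WAN_CAPTURE_NATED),
                             ("L2 bridge", WAN_CAPTURE_BRIDGED)):
        print(label, nat_report(lan, parse_tcpdump(wan_lines)))
```

Feed it the two real captures instead of the constructed lists: a verdict of `many-to-one-nat` with `wan_sources` equal to the X1 address means the auto-added WAN policy (or one that outranks the No-NAT rule Routed Mode adds) is still translating, which is exactly the state in which a cloud inspection service would log only the Sonicwall's external IP. `no-matching-flows` usually means the two captures were not taken simultaneously rather than that NAT is off.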
