SonicWALL to Cisco ASA mixed NAT encrypted domains in a single VPN policy

SonicWALL VPN to Cisco ASA
On the Cisco side there are two subnets (172.16.0.16/29 and 10.0.0.0/22)
On the SonicWALL side there are two subnets (192.168.0.0/24 and 10.0.0.0/24)
Three subnets total - 172.168.0.16/29 - 192.168.0.0/24 - 10.0.0.0/22 and /24

Without using NAT in the policy the Cisco side is able to ping 192.168.0.1 (remote gateway).  The SonicWALL side is able to ping 172.16.0.17 (remote gateway of subnet 1) but cannot ping 10.0.0.254 (remote gateway of subnet 2) because the SonicWALL is also managing the same subnet locally.

I know when you try to set up a VPN where the subnets on both sides match (in this case 10.0.0.0) you need to use NAT tables, but how do you set up a VPN where you link multiple networks where only one subnet overlaps?

Local 192.168.0.0/24
Local 10.0.0.0/24   --> NAT 10.100.0.0/24

Remote 172.16.0.16/29
Remote 10.0.0.0/22 --> NAT 10.200.0.0/22

The problem is (at least on my SonicWALL side) the NAT is either on or off for the policy, and the subnets are grouped and cannot be specified individually in a single policy.  I specify the X0 Subnet (192.168.0.0/24) as my local network, and an address group object that includes both encrypted domains (172.16.0.16/29 & 10.200.0.0/22).  Only the 10.200.0.0/22 subnet is NATed though.

I theorized that I could specify 172.18.0.16/29  on the SonicWALL and have the Cisco ASA side 172.18.0.29 --> NAT 172.16.0.16/29.  

In reverse I would suspect that the Cisco ASA must also do the same for the 192.168.0.0/24 network or can you mix NAT and non-NAT encrypted domains?
WiReDWolf asked:

Blue Street Tech (Last Knight) commented:
Hi WiReDWolf,

Without using NAT in the policy the Cisco side is able to ping 192.168.0.1 (remote gateway).  The SonicWALL side is able to ping 172.16.0.17 (remote gateway of subnet 1) but cannot ping 10.0.0.254 (remote gateway of subnet 2) because the SonicWALL is also managing the same subnet locally.
To overcome this you need to configure NAT over VPN, which means you are going to have to create Translated Networks, thereby translating Site A's shared subnet from 10.100.0.0/24 to a virtual subnet, e.g. 10.200.0.0/24 and then translate Site B's shared subnet from 10.100.0.0/24 to virtual subnet, e.g. 10.200.0.0/24. Here's how:
1. You need to create Address Objects on both sides for the Translated Networks on both firewalls;
2. Enable Apply NAT Policy option on both sides of the tunnel; and
3. Initiate a ping to bring up the tunnel if it is not already up.

So here is how it would look.
On your SonicWALL you would create the following Address Objects:
a. Site A Translated Subnet, LAN, 10.100.0.0/24
b. Site B Translated Subnet, VPN, 10.200.0.0/24

Then on the SonicWALL VPN you'd need to create an Object Group to include the Site B Translated Subnet, or possibly use X0 Subnets (if it is included in that, depending on your architecture), or Firewalled Subnets (depending on your requirements), and select that for the Remote Network under the Network tab of the VPN policy.

Under the Advanced tab click on Apply NAT Policies, then select Site A Translated Subnet for the Translated Local Network and Original for the Translated Remote Network.

Then you'd do the same on the ASA except the ASA's local network will be 10.100.0.0/24 and so on.

Let me know how it goes!
0
WiReDWolf (Author) commented:
Hello Blue Street Tech,

I mentioned that I knew I would have to NAT the overlapping subnet, but the question is when I turn on NAT in the SonicWALL Policy, can I mix a NAT and non-NAT subnet group?

SonicWALL (Local)    Local (Translated)    VPN Tunnel    Remote (Translated)    Cisco (Remote)
192.168.0.0/24       n/a                                 n/a                    n/a
10.0.0.0/24          10.100.0.0/24         NAT           10.200.0.0/22          10.0.0.0/22
n/a                  n/a                                 n/a                    172.16.0.16/29
0
WiReDWolf (Author) commented:
Perhaps I should clarify

In the VPN Policy in the NETWORK tab

Local Network is set to X0 Subnet
Remote Network is set to REMOTE SITE VPN [a group with two subnets (172.168.0.16/29 & 10.200.0.0/22)]

In the VPN Policy in the ADVANCED tab
CHECK - Apply NAT Policies
  Translated Local Network -  Local Translated [10.100.0.0/24]
  Translated Remote Network - REMOTE SITE VPN [a group with two subnets (172.168.0.16/29 & 10.200.0.0/22)]

I have no need to NAT either 192.168.0.0/24 or 172.16.0.16/29, but with NAT enabled for the VPN Policy it seems 192.168.0.0/24 cannot ping 172.16.0.16/29.

As soon as I turn off Apply NAT Policies, 192.168.0.0/24 can ping 172.16.0.16/29.  But now I have the 10.0.0.0 subnet conflict again.
0

WiReDWolf (Author) commented:
I suspect if we have one subnet with NAT, we have to NAT all of them.  Except I'm not sure what you would NAT with such dissimilar networks.

SonicWALL (Local)    Local (Translated)    VPN Tunnel    Remote (Translated)    Cisco (Remote)
192.168.0.0/24       10.150.0.0/24         NAT           ?                      ?
10.0.0.0/24          10.100.0.0/24         NAT           10.200.0.0/22          10.0.0.0/22
?                    ?                     NAT           10.180.0.0/29          172.16.0.16/29

That or set up multiple tunnels, but I've never tried that and I'm not even sure the SonicWALL would allow two different tunnels to the same endpoint.
0
Blue Street Tech (Last Knight) commented:
I see. I missed that portion as I was going into a meeting. In this case, you need to do this in the NAT Policies outside of the VPN Policy. Have you done the same NAT over VPN for the ASA side?
0
WiReDWolf (Author) commented:
I don't have any control over the Cisco side.  Different tech in a different time zone.  He's gone home already.  He hasn't set up the NAT on his side yet.  I know he knows to do this for the overlapping subnet (he suggested Second NAT when I pointed out the problem).

I'm still thinking that the issue is with NAT on we resolve the overlapping subnet but lose the connectivity with the other two subnets, and with NAT off we lose connectivity with the overlapping subnets.  We need all the subnets to talk to one another.  

The question is can you mix the VPN NAT policy with non-NAT subnets.
0
WiReDWolf (Author) commented:
Ok I think I may have solved this myself.

I realized when I was looking in the VPN Policy --> Advanced
Translated Local Network was set to ONLY the Local Translated object (subnet 10.100.0.0/24) -  which excluded the X0 Subnet.  

Even though in the VPN Policy --> Network the Choose Local Network from List is set to X0 Subnet, the Advanced tab with the Translated Local Network must override that setting.

SonicWALL - Network - Address Objects
- Create new group "LOCAL VPN"
- add "Local Translated"
- add "X0 Subnet"

Open SonicWALL VPN Policy
Network - Choose Local Network from list - LEAVE as X0 Subnet (192.168.0.0/24)
Network - Choose Destination network from list - REMOTE SITE VPN (10.200.0.0/22; 172.16.0.16/29)
Advanced - CHECK Apply NAT Policies
   Translated Local Network:  LOCAL VPN (10.100.0.0/24; 192.168.0.0/24)
   Translated Remote Network:  REMOTE SITE VPN (10.200.0.0/22; 172.16.0.16/29)

The tech on the other end hasn't updated his end yet, but it seems you can mix the NAT and non-NAT destinations provided you remember to include the non-NAT destination in the same group as the NAT destination.

Will validate tomorrow when the other tech does his end.
0
Blue Street Tech (Last Knight) commented:
The question is can you mix the VPN NAT policy with non-NAT subnets.
Yes, but, as I previously stated, you need to do this in the NAT Policies section outside of the VPN Policy, because if you put it in the VPN Policy it will only do one or the other, as you have found. Also, you need to do this on both sides of the VPN.

Advanced - CHECK Apply NAT Policies
   Translated Local Network:  LOCAL VPN (10.100.0.0/24; 192.168.0.0/24)
   Translated Remote Network:  REMOTE SITE VPN (10.200.0.0/22; 172.16.0.16/29)
This is essentially only a one-to-one NAT Policy. Therefore it will not work!

So the NAT Policies in your SonicWALL would be as such:

Inbound

Original Source: Remote Translated (10.200.0.0/24)
Translated Source: Original
Original Destination: Local Translated (10.100.0.0/24)
Translated Destination: LAN Subnet 3 (10.0.0.0/24)
Original Service: Any
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

Outbound

Original Source: LAN Subnet 3 (10.0.0.0/24)
Translated Source: Local Translated (10.100.0.0/24)
Original Destination: Remote Translated (10.200.0.0/24)
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

You'd do the same on the ASA side except the ASA's Local Translated would be 10.200.0.0/24 and the Remote Translated would be 10.100.0.0/24.

Does this make sense?
0
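To make the inbound and outbound rows above concrete, here is a small Python model of subnet-to-subnet NAT, added as an example for this thread; it is not SonicWALL code and does not claim to reproduce the firewall's rule engine. The NatPolicy class, apply_policies() and translation_fits() are assumed names; the two policy rows use the same addresses as the post, and the sample packets are constructed. Traffic that matches no row is returned unchanged, which is what lets the non-NAT pair (192.168.0.0/24 and 172.16.0.16/29) keep working while only the overlapping subnet is translated.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatPolicy:
    """One NAT policy row as laid out in the post (hypothetical model).
    None in an original_* field means "Any"; None in a translated_* field
    means "Original", i.e. leave that address unchanged."""
    name: str
    original_source: Optional[IPv4Network]
    translated_source: Optional[IPv4Network]
    original_destination: Optional[IPv4Network]
    translated_destination: Optional[IPv4Network]


def translate_host(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Subnet-to-subnet NAT: keep the host offset, swap the network part.
    Raises when the host offset has no slot in the translated subnet."""
    offset = int(addr) - int(from_net.network_address)
    if offset >= to_net.num_addresses:
        raise ValueError(f"{addr} (offset {offset}) does not fit in {to_net}")
    return IPv4Address(int(to_net.network_address) + offset)


def translation_fits(original: str, translated: str) -> bool:
    """True when every host of `original` has a slot in `translated`;
    mapping a /22 onto a /24 does not, so such a pair needs a larger target."""
    return ip_network(translated).num_addresses >= ip_network(original).num_addresses


def _xlate(addr: IPv4Address, original: Optional[IPv4Network], translated: Optional[IPv4Network]) -> IPv4Address:
    if translated is None:          # "Original": pass the address through
        return addr
    if original is None:            # "Any" cannot be mapped host-for-host
        raise ValueError("a translated field needs a specific original subnet")
    return translate_host(addr, original, translated)


def apply_policies(policies: List[NatPolicy], src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Apply the first policy whose original source and destination both match.
    Returns (new_src, new_dst, policy_name); a packet no row matches comes
    back unchanged with policy_name None and is routed as usual."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p.original_source is not None and s not in p.original_source:
            continue
        if p.original_destination is not None and d not in p.original_destination:
            continue
        new_s = _xlate(s, p.original_source, p.translated_source)
        new_d = _xlate(d, p.original_destination, p.translated_destination)
        return str(new_s), str(new_d), p.name
    return str(s), str(d), None


N = ip_network
# The two rows from the post, entered as constructed sample data.
SONICWALL_POLICIES = [
    NatPolicy("Inbound", N("10.200.0.0/24"), None, N("10.100.0.0/24"), N("10.0.0.0/24")),
    NatPolicy("Outbound", N("10.0.0.0/24"), N("10.100.0.0/24"), N("10.200.0.0/24"), None),
]

if __name__ == "__main__":
    samples = [
        ("10.0.0.5", "10.200.0.75"),      # local host towards the far side's translated subnet
        ("10.200.0.75", "10.100.0.5"),    # reply arriving through the tunnel
        ("192.168.0.52", "172.16.0.17"),  # non-NAT pair: no row matches, untouched
        ("192.168.0.52", "10.0.0.75"),    # no row matches either; normal local routing applies
    ]
    for src, dst in samples:
        print(f"{src} -> {dst} becomes {apply_policies(SONICWALL_POLICIES, src, dst)}")
    print("/22 into /24 fits:", translation_fits("10.0.0.0/22", "10.100.0.0/24"))
```

Run it directly to see each sample packet before and after translation; the last line shows why a /22 cannot be squeezed into a /24 by a one-to-one subnet translation.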

WiReDWolf (Author) commented:
Ok, it makes sense that you would create your NAT policies outside of VPN Policy.  I'm still having trouble envisioning the flow of traffic though.

Let's say my PC is 192.168.0.52 and I want to hit a printer over the VPN at 10.0.0.75.  If I send ANYTHING to 10.0.0.X it's going to end up on my local phone network unless I put in a NAT rule that says anything sent from 192.168.0.0/24 is to be translated to 10.100.0.0/22, sent over the VPN to 10.200.0.0/22 then translated to 10.0.0.0/22.

How would I ever connect to my phone system?  Any NAT rule outside of the VPN Policy would disrupt my ability to communicate with my VOICE LAN.

The rules you provided would work except my data network is not 10.0.0.0/24, it's 192.168.0.0/24.

So the rules would look like this:

Inbound
Original Source: Remote Translated (10.200.0.0/22)
Translated Source: Original
Original Destination: Local Translated (10.100.0.0/24)
Translated Destination: LAN Subnet 1 (192.168.0.0/24)
Original Service: Any
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

Outbound
Original Source: LAN Subnet 1 (192.168.0.0/24)
Translated Source: Local Translated (10.100.0.0/24)
Original Destination: Remote Translated (10.200.0.0/22)
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

The phone system network on my side only causes a problem because it overlaps with the other side of the VPN data network.  I am not interested in having any data sent from the remote site to my phone system, I want it directed back to my data network.

Two things occur to me at this point:
  1. The difference in size between the two 10.0.0.0 subnets will cause a problem (22-bit vs 24-bit) with NAT
  2. I don't really need to do any NAT on my side at all

On the Cisco ASA side they would need to set up their rules:

Outbound 192.168.0.0/24 --> NAT 10.0.0.0/22 to 10.200.0.0/22
Inbound 192.168.0.0/24 --> NAT 10.200.0.0/22 to 10.0.0.0/22

On the SonicWALL:  Encrypted domains become 172.16.0.16/29 and 10.200.0.0/22
On the Cisco: Encrypted domain becomes 192.168.0.0/24

They set up their NAT policies as above to perform the translations outside of the VPN.  

Am I wrong?
0
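A practitioner would want to check a design like the one just sketched before changing either firewall. The following Python script, added here as an example and not part of the thread or either vendor's tooling, runs two checks over the "before" (no NAT) and "after" (ASA translates 10.0.0.0/22 to 10.200.0.0/22) designs: whether any remote encrypted domain overlaps a subnet the local firewall already routes, and whether what one side lists as its remote network matches what the other side actually presents into the tunnel after NAT. The function names, the three per-site keys (local, presented, remote) and the two design dictionaries are assumptions built from the addresses in the thread.

```python
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

# Per-site description (hypothetical layout):
#   "local"     = subnets the firewall routes itself
#   "presented" = subnets it places in the tunnel for the far end (post-NAT)
#   "remote"    = subnets its VPN policy lists for the far end
Site = Dict[str, List[str]]


def overlapping_pairs(local_subnets: List[str], remote_domains: List[str]) -> List[Tuple[str, str]]:
    """(local, remote) pairs where a remote encrypted domain overlaps a subnet
    the firewall routes locally. Hosts in the overlap are unreachable through
    the tunnel because the local route wins (the 10.0.0.254 symptom)."""
    local = [ip_network(s) for s in local_subnets]
    remote = [ip_network(s) for s in remote_domains]
    return [(str(l), str(r)) for l in local for r in remote if l.overlaps(r)]


def check_design(design: Dict[str, Site]) -> Dict[str, List[Tuple[str, str]]]:
    """Overlap check from each site's own point of view."""
    return {name: overlapping_pairs(site["local"], site["remote"]) for name, site in design.items()}


def selector_mismatch(design: Dict[str, Site], a: str, b: str) -> Tuple[Set[str], Set[str]]:
    """Compare what site `a` expects to reach with what site `b` presents.
    Returns (expected by a but not presented by b, presented by b but not
    expected by a); both must be empty for the two ends to agree on the
    encrypted domains."""
    expected = {str(ip_network(s)) for s in design[a]["remote"]}
    presented = {str(ip_network(s)) for s in design[b]["presented"]}
    return expected - presented, presented - expected


# Constructed from the thread: the original design with no NAT anywhere ...
BEFORE = {
    "sonicwall": {"local": ["192.168.0.0/24", "10.0.0.0/24"],
                  "presented": ["192.168.0.0/24"],
                  "remote": ["172.16.0.16/29", "10.0.0.0/22"]},
    "asa": {"local": ["172.16.0.16/29", "10.0.0.0/22"],
            "presented": ["172.16.0.16/29", "10.0.0.0/22"],
            "remote": ["192.168.0.0/24"]},
}
# ... and the final design, where only the ASA side translates 10.0.0.0/22 <-> 10.200.0.0/22.
AFTER = {
    "sonicwall": {"local": ["192.168.0.0/24", "10.0.0.0/24"],
                  "presented": ["192.168.0.0/24"],
                  "remote": ["172.16.0.16/29", "10.200.0.0/22"]},
    "asa": {"local": ["172.16.0.16/29", "10.0.0.0/22"],
            "presented": ["172.16.0.16/29", "10.200.0.0/22"],
            "remote": ["192.168.0.0/24"]},
}

if __name__ == "__main__":
    for label, design in (("before", BEFORE), ("after", AFTER)):
        print(label, "overlaps:", check_design(design))
        print(label, "sonicwall expects vs asa presents:", selector_mismatch(design, "sonicwall", "asa"))
        print(label, "asa expects vs sonicwall presents:", selector_mismatch(design, "asa", "sonicwall"))
```

The "before" design reports the 10.0.0.0/24 vs 10.0.0.0/22 overlap on the SonicWALL side and nothing on the ASA side, which matches the ping results in the question; the "after" design reports no overlap and no selector mismatch. Mixing one site's old remote list with the other site's new NAT (as happens when only one end has been updated) shows up as a mismatch in the second check, which is the state to expect until both techs have made their changes.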
WiReDWolf (Author) commented:
Blue Street Tech,

I had the tech at the remote site set up their NAT policies as I've indicated above and it worked exactly how I'd hoped.  Your input to set up the NAT Policies outside of the VPN policy helped me determine that I was overthinking the process and that I really didn't need to NAT anything on my side.

In the end the Cisco ASA side created NAT policies that directed 192.168.0.0/24 <----> 10.200.0.0/22 [10.0.0.0/22]

The printer on the 192.168.0.0/24 side is now available to the Terminal Server on the 10.0.0.0/22 side.
0
Blue Street Tech (Last Knight) commented:
Awesome! Glad I could help and thanks for the points!
0