Sonicwall Site to Site VPN on additional Static IP

tbs_mnp asked:
I need to set up a site-to-site VPN tunnel on my SonicWall.
My WAN interface has IP x.x.x.150
I have a range of 30 addresses I use for other NATed objects (like email).

I want to use x.x.x.140 as the main IP address for this new VPN site-to-site tunnel.
So I want my peer to connect to this IP.

I need help. Not sure how to make SonicWall do this. I thought maybe I needed to NAT inbound traffic to this external IP but wasn't sure where to translate it to.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
You should be able to go to the DHCP section of your SonicWall setup.

Determine the IP range for DHCP.

Now give your Tunnel IP a static address outside of that.

The Tunnel setup should allow access to a subnet inside your system.

Author commented:
My DHCP addresses are fine. This shouldn't affect my site-to-site tunnel. Those addresses are used for Global VPN Client users.

So right now my external WAN IP is x.x.x.130

I want to use external IP x.x.x.140 instead of .130 as my site-to-site for this new connection, so when my peer sets up a connection to me, they use x.x.x.140. This address is an additional static IP within the range of what I have with Comcast.

I'm not sure how to get SonicWall to do this.
John, Business Consultant (Owner) commented:
If the IP address is outside of the DHCP range, you should not have to do anything. Just use it. That works for our VPN settings.

Author commented:
So when a client makes a tunnel connection to your VPN that is not the default IP on your WAN interface... they are simply entering in the other static IP you assign to the tunnel on your end?
John, Business Consultant (Owner) commented:
In our tunnels, there is an External IP address at each end.

Then there is a subnet inside so people using the tunnel can access any resource. The tunnel users get the IP of the resource. That is how we do it.

Author commented:
Correct. But what I am talking about is, let's say that you have two tunnels.

Tunnel A: Customer is given the WAN IP ending in .130 of your SonicWall device
Tunnel B: Customer is given another static IP from your internet provider ending in .140

How does your SonicWall know to make a VPN tunnel connection off the .140 address that is not defined anywhere on the SonicWall appliance?

For example, if I want email traffic to come through on a different external static IP, I need to put a NAT rule in saying: if email comes in to this address ending in .145, translate it to my internal email server.

How does a VPN tunnel coming in know what to do if using a static IP other than the default VPN IP address on the SonicWall?
John, Business Consultant (Owner) commented:
Multiple people can VPN into one tunnel.

But we do not set up 2 tunnels in the same office (company). People can access the VPN and then access the resources they are allowed to.

2 tunnels would set up conflicts and we do not try to isolate this way.

Author commented:
What conflicts would exist if I wanted to isolate a tunnel for specific traffic?
John, Business Consultant (Owner) commented:
You would have to set up multiple DHCP scopes that are separate and not overlapping.

Then you have to be sure you can set up multiple tunnels on one external IP going to separate scopes.

This is a lot more complex than assigning and controlling internal resources.

Author commented:
DHCP shouldn't be in the equation though, right? I'm not assigning addresses to anybody.

I have a local resource of, say, 192.168.1.0 and a remote destination of 10.0.0.0.

All I want to change is that when the peer connects to me, they do it on a different WAN IP address than my default one: a separate tunnel.
John, Business Consultant (Owner) commented:
If you assign one single address internally to the tunnel endpoint (255.255.255.255 mask) the user is stuck not being able to do anything. I suppose you could do this, but we would not.

Author commented:
There is not a single internal address; there is an entire subnet range. What I am talking about is the external address used when a peer makes a connection. I want this to be a different IP address than what is used by default in SonicWall for VPN connections.
John, Business Consultant (Owner) commented:
You are confusing this from my perspective.

"there is not a single internal address- there is an entire subnet range.."

You need two ranges for two separate tunnels.

Author commented:
Let's take away the local and remote sources for just a second. I have ranges for both.

Let's say you were to set up a site-to-site VPN to my SonicWall right now. The gateway address I would give you is our default WAN interface IP. I want to do something so I can give you an IP address other than that one. This IP address is part of the static range I own from Comcast.

So, example below:
Default WAN interface IP: x.x.x.130
Additional, new VPN IP: x.x.x.140 (this is what I want you to connect to when you enter in your primary gateway for the tunnel)
John, Business Consultant (Owner) commented:
I do not understand why. Give someone an IP address so they cannot go farther? There is nothing to grasp here.

Author commented:
So if I was to ask you to connect to my VPN site-to-site tunnel, what is the first thing you are going to ask me for?
John, Business Consultant (Owner) commented:
Once I get there, what can I do? Where can I go?

Author commented:
This is my whole point though. I'm not concerned about where you can go and what you can do; I have that part figured out.

I want the gateway IP address you're going to ask me for to be different than the static one on my end assigned to the WAN interface port on my SonicWall.
John, Business Consultant (Owner) commented:
I have worked with many clients and many VPNs. I would be very confused if I had a tunnel to your organization. I cannot see a purpose to it.

Author commented:
This isn't confusing. A site-to-site tunnel is very simple: you connect to an IP address, you define a local and remote network, and you're done. Agreed?
John, Business Consultant (Owner) commented:
No. Site to site tunnels are easy. I have them running here. But I get resources of the subnet at the other end for ALL tunnels. Having just a single IP endpoint normally means the subnet mask was entered wrong and otherwise has no purpose.

Author commented:
I'm not saying have one single endpoint.

You have one EXTERNAL IP address that a peer would tie the VPN tunnel to, correct? Then within that connection, multiple tunnels to multiple subnets.

Author commented:
My question has nothing to do with the resources but with the connection of the site-to-site tunnel itself.
John, Business Consultant (Owner) commented:
There is a single External IP of course. That is how you connect a tunnel.

If you want another External IP you need another router (or a router with more than one separate IP address).

We do this by having different remote IP addresses coming to the same external IP.

We use a separate External IP only for testing VPN tunnels.

Author commented:
SIDE A:
External IP: 77.123.122.43 (also the default WAN interface IP of a SonicWall)
Internal LAN: 192.168.1.0

SIDE B:
External IP: 89.44.233.11 (also the default WAN interface IP of a SonicWall)
Internal LAN: 10.0.0.0

In this scenario, how does SIDE B use a different external IP address for a VPN site-to-site connection?
SIDE B has a range of external addresses, 89.44.233.11-50. SIDE B wants SIDE A to connect to them using an address ending with .12.

How does SonicWall do this?
John, Business Consultant (Owner) commented:
"connection of the site-to-site tunnel itself."

I interpreted your earlier questions as having some access, which is why I thought of internal resources. Sorry if that confused things.
John, Business Consultant (Owner) commented:
"in this scenario. how does SIDE B use a different external IP address for a VPN site-to-site connection?"

You would set up another tunnel. My box (Cisco) allows about 50 site-to-site tunnels.

Author commented:
What is throwing me off with the SonicWall appliance is I don't get to choose the external IP address I want the tunnel to use; it's assuming the WAN interface IP address.
John, Business Consultant (Owner) commented:
"what is throwing me off with the sonicwall appliance -is i dont get to chose the external ip address"

I think that is correct. Your SonicWall (or any other router I know of) only has the one external IP address. You need another router for another IP address.

Author commented:
That's what I'm starting to read online: that I cannot tie VPNs to another IP other than the WAN primary IP. I think I'm just going to continue using that primary IP for my VPN. Thanks.
John, Business Consultant (Owner) commented:
Just use your primary IP (we do that), control who accesses, and what they get. What you are reading is correct.
John, Business Consultant (Owner) commented:
Thank you. This was a very interesting thread. I enjoyed working with you and learned stuff at the same time.

Good luck
