

Can I configure NAT over VPN on an NSA 3500 with SonicOS 5.8?

Hello, I hope somebody can help me with this technical issue: I was assigned to work with a SonicWALL NSA 3500 (with SonicOS Enhanced firmware). This device currently has over 63 active Site-to-Site VPNs, all of which are established using the physical local LAN connected to the NSA (X0 Subnet = /24) as the Local Network.

Now, I am asked to establish a new VPN but using a different Local Network (  as the Local Network; I guess this would mean implementing a NAT of the real physical local LAN connected to the NSA (X0 Subnet = /24) to this "virtual LAN" ... Is this possible on the SonicWALL NSA 3500 (with SonicOS Enhanced firmware)? If so, how can I configure it?

Thanks in advance for the help.

Category: High End Firewalls


    Ajishlal, Community Legend


    Let me try to understand your scenario: you have an NSA 3500 unit with 2 LAN subnets (one is a virtual LAN) which you need to add into the new IPsec VPN tunnel? If this is the scenario, yes, it is possible. Otherwise please elaborate a little more about your exact requirement.

    sluque, Newbie

    Hi Ajishlal, I will try to explain the situation better. This is a small control centre which has only one LAN subnet ( on which the SCADA servers are connected; this only LAN is connected to a SonicWALL NSA 3500 on its X0 LAN port (with IP, therefore there is only one X0 Subnet.

    Then the NSA 3500's X1 WAN port is connected to an Internet service with a static public IP, and several VPNs are established with remote sites (plants) to get the real-time telemetry data for this control centre.

    All of this NSA 3500's existing VPNs to the remote sites (plants) are configured using this only X0 Subnet = as the Local Network (and the Remote Networks are those corresponding to each site or plant).

    So far so good, but now a new VPN with a new remote site must be established, and this site cannot use this NSA 3500's Local Network as their Remote Network (on their firewall); they are requesting us to make a NAT between the NSA 3500's X0 Subnet Local Network and a "virtual subnet" they have defined, in order to establish the VPN with their site or plant.

    In other words, they are asking us to establish the VPN with this LAN they defined (Local Network for the control centre , Remote Network for the plant) and not with the standard 3500's X0 Subnet =

    Obviously, I cannot change the existing control centre X0 Subnet =, and cannot implement an additional control centre LAN just for them; therefore the only way, if this is possible, would be to make a NAT > into the VPN.

    My question is then: is this possible on the SonicWALL NSA 3500 (with SonicOS Enhanced firmware)? If so, how can I configure it?

    Best regards and thanks for your concern.

    Santiago Luque

    Ajishlal, Community Legend


    Yes, it is possible. Before we start, make sure the below option is available in your existing VPN policy.

    If it's not available, you will need to upgrade the firmware.

    For your above scenario, we need to map your X0 subnet to the new subnet.

    Step 1: SITE A Configuration (NSA 3500)

    You need to create an address object for the new subnet:

    1) Navigate to the address object page and create the address object as below;

    1.1) Create a subnet for your Remote Site (Site B). For example

    1.2) Navigate to the VPN page & create a new VPN policy for your above requirement;

    1.3) Once the above configuration is finished, select the "Network" tab & configure as below;

    1.4) Once the above configuration is finished, navigate to Proposals and configure your IKE proposal configuration.

    1.5) Once you are done with the proposals configuration, navigate to the "Advanced" menu & configure as below;

    1.6) Once you apply the above configuration, a NAT policy will be created automatically. To verify, navigate to Network --> NAT Policies;

    2) Step 2: SITE B Configuration

    2.1) Create an address object for SITE A (New Subnet

    2.2) Navigate to the VPN page & create a new VPN policy

    Step 1


    Step 3: Configure your Proposal:


    Once you have done the above steps, check that the Site to Site VPN at both locations is green;

    SITE A:

    SITE B:

    It is recommended that both subnets be in the same class; but in your scenario the two subnets are of different classes.

    SITE A : is mapped to (maximum 14 hosts)

    How to do the test:

    In order to connect to the server with IP in SITE A (where your NSA 3500 is) from SITE B, use the NAT'ed IP of
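The address mapping behind the "Apply NAT Policies" step above, as an added example that is not part of the thread and not SonicWall code: it models a netmask-preserving 1:1 translation of the X0 subnet into the virtual subnet with Python's ipaddress module and shows why a /28 virtual subnet exposes only 14 hosts. The subnets 10.0.0.0/24 (X0), 172.16.100.0/28 (the virtual "New Subnet") and 192.168.50.0/24 (Site B) are constructed, since the thread's real addresses are not shown.

```python
import ipaddress

# Constructed sample addressing (the thread's real subnets are not shown).
X0_SUBNET = "10.0.0.0/24"           # real LAN behind the NSA 3500 (Site A)
VIRTUAL_SUBNET = "172.16.100.0/28"  # "New Subnet" that Site B wants to see
SITE_B_SUBNET = "192.168.50.0/24"   # remote network of the new plant


def translated_address(host, original_subnet, translated_subnet):
    """Return the address Site B must use to reach one Site A host.

    Models a netmask-preserving 1:1 NAT: the host's offset inside the
    original subnet is kept and re-based onto the translated subnet.
    Returns None when that offset does not fit in the translated subnet
    or would land on its network or broadcast address.
    """
    orig = ipaddress.ip_network(original_subnet, strict=True)
    xlat = ipaddress.ip_network(translated_subnet, strict=True)
    addr = ipaddress.ip_address(host)
    if addr not in orig:
        raise ValueError(f"{host} is not inside {original_subnet}")
    offset = int(addr) - int(orig.network_address)
    # Usable offsets exclude the translated network and broadcast address.
    if offset < 1 or offset > xlat.num_addresses - 2:
        return None
    return str(xlat.network_address + offset)


def nat_over_vpn_plan(original_subnet, translated_subnet, remote_subnet):
    """Checks worth doing before building the VPN policy with NAT."""
    orig = ipaddress.ip_network(original_subnet, strict=True)
    xlat = ipaddress.ip_network(translated_subnet, strict=True)
    remote = ipaddress.ip_network(remote_subnet, strict=True)
    reachable = min(orig.num_addresses, xlat.num_addresses) - 2
    return {
        # Hosts on the real LAN that Site B can actually reach via the tunnel.
        "reachable_hosts": reachable,
        "unreachable_hosts": (orig.num_addresses - 2) - reachable,
        # Mismatched prefix lengths are the limitation noted in the thread.
        "same_prefix_length": orig.prefixlen == xlat.prefixlen,
        # The translated subnet must not collide with either side's LAN.
        "translated_overlaps_remote": xlat.overlaps(remote),
        "translated_overlaps_original": xlat.overlaps(orig),
    }


if __name__ == "__main__":
    print(nat_over_vpn_plan(X0_SUBNET, VIRTUAL_SUBNET, SITE_B_SUBNET))
    for server in ("10.0.0.5", "10.0.0.20"):
        print(server, "->", translated_address(server, X0_SUBNET, VIRTUAL_SUBNET))
```

A server at offset 20 in the /24 has no counterpart in the /28, which is the "maximum 14 hosts" caveat in practice.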

    sluque, Newbie


    Thanks very much for your detailed answer, I really appreciate it.

    First of all, regarding the VPN Policy - Advanced tab: yes, this NSA 3500's SonicOS Enhanced firmware does have the "Apply NAT Policies" option, therefore I followed your instructions step by step.

    However, on step 1.3 I have configured the "Network" tab as below:

    In your example you put "LAN Subnets", therefore I guess you mean the (only) Control Centre's LAN (used on all VPNs), which is defined as the "X0 Subnet" in "Firewall > Address Objects":

    Is this configuration correct? Or do I have to create an "Address Group" including this "X0 Subnet" and the virtual "New Subnet"

    Then, the Remote Network is the SITE B local network as you defined in your example:


    And then step 1.5) is where I had problems. First, I enabled "Apply NAT Policies:" and configured the "Translated Local Network:" with the virtual "New Subnet" as you instructed:

    But when I tried to configure the "Translated Remote Network:", I understood by "Original" you meant the Control Centre's LAN, but this "X0 Subnet" is not listed:

    Last, but not least, "2) Step 2 SITE B Configuration" cannot apply in this case, because SITE B (the plant) is not within my scope; this Site B will use a Fortinet FG-60F (FortiGate 60F) firewall and is going to be configured by the plant's technicians, and they only told me their "Local Networks" configuration will be the virtual "New Subnet"

    Remember that the final goal is to establish the VPN with SITE B using the virtual "New Subnet" as if it were my real local LAN, instead of using the Control Centre's LAN ("X0 Subnet"). In other words, SITE B is asking me to translate ("X0 Subnet") to the virtual "New Subnet"

    Best regards.

    Ajishlal, Community Legend

    "Is this configuration correct? Or do I have to create an "Address Group" including this "X0 Subnet" and the virtual "New Subnet"" --> X0 Subnet is fine.


    I hope the above solution will help you to resolve your problem.

    NB: The challenge is, as I mentioned above, that with the virtual subnet you can map only 14 hosts.
