Route-Based VPN
Any assistance here would be appreciated since I'm not too familiar with SonicWalls.
Running code 7NA6500. Created all VPN/IPsec tunnel configuration via CLI. This being a route policy, a tunnel-interface VPN was created and the VPN profile was attached to the GRE tunnel.
IPsec/GRE and BGP come up and routes are being exchanged. Able to ping the destination host right from the firewall, sourcing the ping from X1, which has the source IP that I'm trying to NAT from the LAN to the destination hosts.
By the way, on the VPN policy I did not check the NAT policy under the Advanced tab. The reason why I didn't enable or check it is because I had created a NAT policy to:
LAN ==> source "translated" to the IP that is facing the outside interface => destination host => everything else is original or any. For interfaces I have it as LAN to any; I even did LAN to both GRE tunnels. No luck here...
What else from a NAT configuration needs to be done? If enabling NAT on the VPN policy, do I still need NAT rules under the NAT policies?
How can I check the NAT stats to see if they are hitting? How do I check the global routing table from the CLI?
Best Answer
TKWITS
Older versions did not support route-based VPNs to 3rd party devices but that text has since been removed from modern KB articles. It is safe to assume it is supported.
You are correct, it does not say it is not supported. It simply states 'when advanced routing is not needed', which in my opinion means it's not supported...
Answers
No response? Please, your thoughts are valuable here!
The PDF documentation doesn't talk about this topic at all.
You're throwing words around and it's very confusing. How is the WAN configured on the Sonicwall (static IP)? Do you control the other end of the VPN tunnel? What is your end goal? It sounds like you want to apply NAT to VPN tunnel traffic, but again your post is very confusing.
My apologies for the confusion, but I wanted to provide as much data as possible.
WAN link is statically configured with a /28. Default route to the ISP.
The other side of the tunnel is AWS. As far as control: protocols and IPsec proposals as well as BGP configurations. Please note that all three are up: IPsec, GRE and BGP peerings. Just routing through the firewall is not working; something with the NAT policy is not right. If I ping from the firewall to an end host sourcing the outside interface of the firewall (since it is the same IP as the source translate IP in the NAT config), it works. So routing is working, but not if I ping from the LAN.
The end goal is to route traffic from the LAN behind the SonicWall to AWS hosts, traversing the SonicWall and routing through the GRE tunnels. NAT should be configured as one of the IPs in the /28, preferably the outside interface IP.
If I am reading correctly, you want to NAT over a tunnel interface. I'm not sure that's supported. Also, according to the below article, using Advanced Routing over a tunnel interface is not supported.
You might want to consider utilizing a different method for tunneling to AWS.
Thank you for the update. Will be trying no NAT and recalculating. What's odd is that BGP does come up and routes are being exchanged on both ends. This should be considered going forward, which is the reason why most technologies are going this route: to allow multicast routing over a GRE tunnel.
I appreciate the response and taking the time in looking at the issue.
My apologies, but the documentation does not state that dynamic routing is not supported. It states: "This is an example where the Tunnel Interface is an Unnumbered interface without a borrowed interface IP. This is used when Advanced Routing is not needed and only static routes are used for remote networks."
* It states when advanced routing is not needed and only static routes are used for remote networks...
I guess the big ask here is: are route-based VPNs supported with 3rd party platforms? Or is it only supported between SonicWalls?
My apologies on the previous thread. I had added a # (I usually add those symbols as bullet points) and it came out as bolded. Wanted to clarify that I wasn't implying anything like typing in CAPS, if you know what I mean.
Do you mind confirming internally if the NAT policy is not supported for route-based VPNs?
I can try to test a NAT policy over a tunnel interface, but have you considered using the SonicWall AWS integration to create the VPN?
Thank you for the assistance
For future reference:
NAT over a route-based VPN does function to AWS. You'll have to NAT using an IP address not set on any interface on the SonicWall.