Route Base VPN
Please any assistance here would be appreciated since im not too familiar with Sonicalls.
Running code 7NA6500. Created all VPN/IPsec tunnel configuration via CLI. This being a route policy a tunnel-interface vpn was created and attached the VPN profile to the GRE tunnel.
IPsec/GRE and BGP comes up and routes are being exchange. Able to ping the destination host right from the firewall sourcing the ping from X1 which has the source of the IP that im trying to NAT from lan to the destination hosts.
By the way the VPN policy - i did not checked the NAT policy under the advanced tab in the VPN policy. THe reason why i didnt enable or checked is bc i had created a NAT policy to:
LAN ==> source "translate" to the IP that is facing the outside interface => Destination host => everything is original or any. Interfaces i have it as LAN to any even did LAN to both GRE tunnels. No luck here...
What else from a NAT configuration needs to be done? IF enabling NAT on the VPN Policy do i still need NAT rules under the NAT policies?
How can i check the NAT stats if they are hitting, How do i check the global routing table from CLI ?
TKWITS Community Legend ✭✭✭✭✭
Older versions did not support route-based VPNs to 3rd party devices but that text has since been removed from modern KB articles. It is safe to assume it is supported.
You are correct, it does not say it is not supported. It simple states 'when advanced routing is not needed'. Which in my opinion means it's not supported...0
No response? Please your thoughts are valuable here!
PDF Documentation doesnt talk about any of this topic
You're throwing words around and it's very confusing. How is the WAN configured on the Sonicwall (static IP)? Do you control the other end of the VPN tunnel? What is your end goal? It sounds like you want to apply NAT to VPN tunnel traffic, but again your post is very confusing.
My apologies for the confusion but wanted to provide as much as data as possible.
WAN link is static configured with a /28. Default route to the ISP provider.
The other side of the tunnel is AWS - As far as control? Protocols and IPsec proposals as well as BGP configurations. Please note that all three are up; IPsec, GRE and BGP peerings. Just routing thru the firewall that is not working, something with the NAT policy that is not right. If i ping from the firewall to an end host sourcing the outside interface of the firewall since is the same IP as the source translate IP in the NAT config, it works. So routing is working but not if i ping from the lAN.
The end goal is to route traffic from LAN behind the SonicWall to AWS hosts traversing the sonicwall and routing thru the GRE tunnels. NAT should be configured as one of the IPs in the /28, preferred as the outside interface IP.
If I am reading correctly you want to NAT over a tunnel interface. Im not sure thats supported. Also according to the below article, using Advanced Routing over a tunnel interface is not supported.
You might want to consider utilizing a different method for tunneling to AWS.
Thank you for the update. Will be trying no NAT and recalculate. What's odd is that BGP does come up and routes are being exchanged on both ends. This should be considered going forward - which is the reason why most technologies are going this route to allow multicast routing over a GRE tunnel.
I appreciate the response and taking the time in looking at the issue.
My apologies but the documentation does not state that dynamic routing is not supported. It states::(This is an example where the Tunnel Interface is an Unnumbered interface without a borrowed interface IP. This is used when Advanced Routing is not needed and only static routes are used for remote networks.))
* It states when advanced routing is not needed and only static routes are used for remote networks...
I guess the big ask here is. Are route-based VPNs supported with 3rd party platforms? Or is only supported between Sonicwalls?
My apologies on the previous thread. I had added a # "usually add those symbols as bullet points" and came out as bolded. Wanted to clarify that I wasn't implying anything like typing in CAPS, if you know what I mean. -
Do you mind confirming internally if the NAT Policy is not supported for route-based VPNs?
i can try to test a NAT policy over a tunnel interface, but have you considered using the Sonicwall AWS integration to create the VPN?
Thank you for the assistance
For future reference:
NAT over a route-based VPN does function to AWS. You'll have to NAT using an IP address not set on any interface on the Sonicwall.