Nsa3650 3 LAN servers, same ports, 1 WAN IP interface
I have a situation where CBS Network needs to access 3 of their racks we house here. They say they can only connect to 2 at a time out of the 3; the 2 they can connect to randomizes, it's never the same two. I suspect it's due to a port issue. Each rack has an assigned VLAN IP: 10.1.130.13, 23, and 24. Same mask, same gateway. I've copied their instructions below. The only thing I've done is create NAT rules for each rack for outgoing traffic only. I created a service group for the ports below, ESP, GRE, IKE Traversal and IKE Key Exchange. A packet capture shows only ports 500 and 4500 used for each of the 3 racks.
My question is, how do I grant access to 3 individual racks with one WAN interface when the 3 connections utilize the same ports shown below?
The VPN connection requires “GRE over IPSEC” traffic between the assigned LAN1 IP address and two CBS Network IP addresses. This means your Local Network must allow bi-directional traffic on ESP (IP Protocol 50), NAT-T-IKE (UDP Port 500, UDP Port 4500), to both 126.96.36.199 and 188.8.131.52. Note: Make sure your LAN gateway is properly programmed into the ARC.
For a site with multiple racks at a ‘hub’, are there special IP considerations?
Yes. There are some special considerations for the IP Network Address Translator (NAT) at a hub location with multiple racks.
In the CBS Rack, the GRE/IPSec tunnels cannot share addresses. The NAT/Reverse-NAT arrangement between the Rack address and the Internet address must be one-to-one.
If your site has already dedicated a routable IP address to each current CBS rack, then the new racks, using GRE/IPSec tunneling, can use the same existing dedicated routable IP addresses.
Mr_Klaatu SonicWall Employee
It is not possible to NAT/port forward a single WAN IP to 3 different target IPs (10.1.130.13, 23, and 24) on the same ports (GRE over IPSEC). If you do so, the result will be a random connection to the target IPs. You would need one of the following to resolve this issue:
- Use 3 separate WAN IPs to NAT/port forward to the 3 different target IPs (10.1.130.13, 23, and 24)
- Use 3 separate custom ports for (GRE over IPSEC), but this requires the sending and receiving application to process traffic on custom ports, which is cumbersome and might not even be possible in most vendor situations. Thus option 1 above is recommended.
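To make the mechanism in this reply concrete, here is an added Python model that is not from the thread or from SonicWall. It builds the inbound (reverse) NAT lookup table a firewall needs for each rack, keyed only on the WAN IP the packet arrives on, the IP protocol and the destination port, and shows that ESP (no ports at all) and UDP 500/4500 collide for every rack beyond the first when one WAN IP is shared, while one WAN IP per rack yields a clean one-to-one table. The WAN addresses are constructed RFC 5737 documentation addresses; the LAN addresses are the three racks named in the question.

```python
"""Model of why one WAN IP cannot reverse-NAT GRE-over-IPsec to several LAN hosts.

Added example, not SonicWall code. WAN addresses are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

ESP = 50                 # IP protocol number for ESP: it carries no transport ports
UDP = 17
IKE_PORTS = (500, 4500)  # IKE and NAT-T, the only ports seen in the poster's capture

# Inbound reverse-NAT lookup key: (WAN IP the packet arrived on, IP protocol,
# destination port). ESP has no port, so its key is (wan_ip, 50, None).
# The model ignores the ESP SPI, exactly as an address/port-based NAT rule does.
Key = Tuple[str, int, Optional[int]]


def build_reverse_nat(mappings: List[Tuple[str, str]]):
    """Build the inbound NAT table for a list of (wan_ip, lan_ip) pairs.

    Returns (table, conflicts). A conflict is a key that two racks both claim,
    meaning the firewall has no information left to pick the right LAN host.
    """
    table: Dict[Key, str] = {}
    conflicts: List[Tuple[Key, str, str]] = []
    for wan_ip, lan_ip in mappings:
        keys: List[Key] = [(wan_ip, ESP, None)]
        keys += [(wan_ip, UDP, port) for port in IKE_PORTS]
        for key in keys:
            owner = table.get(key)
            if owner is None:
                table[key] = lan_ip          # first rack to claim the key wins
            elif owner != lan_ip:
                conflicts.append((key, owner, lan_ip))
    return table, conflicts


def route_inbound(table: Dict[Key, str], wan_ip: str, proto: int,
                  dport: Optional[int] = None) -> Optional[str]:
    """Which LAN host an inbound packet reaches under the table, or None."""
    return table.get((wan_ip, proto, dport))


# Constructed sample data: 203.0.113.0/24 stands in for the poster's WAN range.
RACKS = ["10.1.130.13", "10.1.130.23", "10.1.130.24"]
SHARED_WAN = [("203.0.113.10", lan) for lan in RACKS]
DEDICATED_WAN = list(zip(["203.0.113.10", "203.0.113.11", "203.0.113.12"], RACKS))


def compare() -> Tuple[int, int]:
    """Return (conflicts with one shared WAN IP, conflicts with one WAN IP per rack)."""
    _, shared_conflicts = build_reverse_nat(SHARED_WAN)
    _, dedicated_conflicts = build_reverse_nat(DEDICATED_WAN)
    return len(shared_conflicts), len(dedicated_conflicts)


if __name__ == "__main__":
    _, conflicts = build_reverse_nat(SHARED_WAN)
    for key, first, second in conflicts:
        print(f"collision on {key}: {first} and {second} both claim it")
    table, _ = build_reverse_nat(DEDICATED_WAN)
    print("dedicated WAN IPs:",
          route_inbound(table, "203.0.113.11", ESP),
          route_inbound(table, "203.0.113.12", UDP, 4500))
```

With the shared WAN IP the model reports six collisions (ESP, UDP 500 and UDP 4500 for each of the second and third racks) and a table with only three usable entries; which rack actually answers on a real firewall then depends on transient connection-cache state, which is a plausible reading of why an arbitrary two of the three racks worked at any moment. With a dedicated WAN IP per rack every key is unique and the table is one-to-one, which is exactly the NAT/Reverse-NAT requirement in the CBS instructions.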
WENYEngineering Newbie ✭
Thank you, I appreciate your knowledge. Using packet monitor I was able to verify traffic on the other public IPs I assigned to the NAT rules.
Thank you MR_KLAATU,
What you explained is what I suspected, so I appreciate the clarification. We have a range of WAN IPs available that are not in use; is it as simple as adding the WAN IPs as address objects and then adding them to the NAT rules, or do I have to assign them to an interface, etc.?
Yes, just NAT them.
If the public IPs are in the same subnet as the firewall's interface, then the firewall will respond to ARP queries as appropriate and handle the traffic [but you won't see entries in the Sonicwall's ARP cache, maybe they fixed this in Gen7]. If the IPs are routed to the firewall's interface IP then the firewall will handle the traffic.