Split DNS proxy traffic dropped when NAT policy applies on an IPsec VPN tunnel subnet
Model: NSA 3600
Firmware Version: SonicOS Enhanced 6.5.4.8-89n
Safemode Version: SafeMode 6.1.0.11
Sonicwall:
X0 LAN 192.168.0.1/24
X1 WAN
X2 LAN 192.168.50.1/24
ipsec vpn tunnel config:
Sonicwall subnets 192.168.50.0/24 and 192.168.0.0/24 (nat to 192.168.51.0/24) <--ipsec vpn tunnel--> 172.20.x.x subnets on 3rd party firewall where dns server for split domain is hosted
Pointing Sonicwall dns proxy at a remote dns server over ipsec vpn tunnel to resolve an internal split dns domain works fine when only the X2 subnet (192.168.50.0/24) is included in the tunnel subnets and no nat is applied. The traffic traverses the remote destination firewall as expected, originating from X2 interface ip 192.168.50.1.
When the 192.168.0.0/24 subnet is added to the tunnel via a network group in place of single network and nat'd as 192.168.51.0/24 via the Advanced >> "Apply NAT policies" option in the vpn policy, LAN to LAN network traffic flows correctly between each side for both subnets 192.168.50.x and the nat'd 192.168.51.x but dns proxy traffic for the split domain is dropped at the sonicwall and never reaches the 3rd party firewall at the remote side where the dns server resides.
If "apply nat policies" is turned off and the tunnel is reverted to just the 192.168.50.x subnet, dns proxy is functional again. Is anyone aware of a solution to get dns proxy traffic from the Sonicwall interface ip to its destination dns server while nat is in effect on the other subnet?
Example of dns proxy traffic being sent to tunnel when this is the only subnet in tunnel config and no nat:
Ethernet Header
Ether Type: IP(0x800), Src=[***], Dst=[***]
IP Packet Header
IP Type: UDP(0x11), Src=[192.168.50.1], Dst=[172.20.x.x]
UDP Packet Header
Src=[63829], Dst=[53], Checksum=0xbaab, Message Length=39 bytes
Application Header
DNS:
Value:[0]
Consumed, Module Id:20 1:2)
Example of dns proxy traffic dropped when nat subnet is included in tunnel networks:
Ethernet Header
Ether Type: IP(0x800), Src=[***], Dst=[***]
IP Packet Header
IP Type: UDP(0x11), Src=[192.168.50.1], Dst=[172.20.x.x]
UDP Packet Header
Src=[52796], Dst=[53], Checksum=0xb7bf, Message Length=46 bytes
Application Header
DNS:
Value:[0]
DROPPED, Drop Code: 448(SA not found on lookup by SPI for outbound pkt), Module Id: 20(ipSec), (Ref.Id: _264_krugeQevgqpQwvrwv) 1:2)
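The two packet-monitor excerpts above are the only evidence in the thread that distinguishes the working case from the failing one. The following is an added example (not code from the original post or from SonicWall) that parses packet-monitor text in that layout into records and flags UDP/53 packets dropped by the IPsec module, so a longer capture can be triaged without reading it by hand. It assumes the line shapes shown in the question; the remote DNS address 172.20.0.53 and the LAN host 192.168.0.10 in the sample are constructed placeholders for the masked 172.20.x.x and an arbitrary X0 client.

```python
"""Parse SonicWall packet-monitor text (layout taken from the thread) and
flag DNS packets the IPsec module dropped. Added example; sample capture
below is constructed, with 172.20.0.53 standing in for the masked 172.20.x.x."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Field patterns follow the line shapes in the capture; anchored so the
# Ethernet "Src=[***]" line is not mistaken for the UDP port line.
IP_RE = re.compile(r"^IP Type:\s*(\w+)\(0x[0-9a-fA-F]+\),\s*Src=\[([^\]]+)\],\s*Dst=\[([^\]]+)\]")
PORT_RE = re.compile(r"^Src=\[(\d+)\],\s*Dst=\[(\d+)\]")
DROP_RE = re.compile(r"^DROPPED,\s*Drop Code:\s*(\d+)\((.*?)\),\s*Module Id:\s*\d+\((\w+)\)")
CONSUMED_RE = re.compile(r"^Consumed\b")


@dataclass
class Record:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    status: str                       # "consumed" or "dropped"
    drop_code: Optional[int] = None
    drop_reason: Optional[str] = None
    module: Optional[str] = None


def parse_records(text: str) -> List[Record]:
    """One Record per packet: a packet starts at 'Ethernet Header' and ends
    at its Consumed/DROPPED status line."""
    records: List[Record] = []
    cur: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Ethernet Header":
            cur = {}
            continue
        m = IP_RE.match(line)
        if m:
            cur["proto"], cur["src_ip"], cur["dst_ip"] = m.group(1), m.group(2), m.group(3)
            continue
        m = PORT_RE.match(line)
        if m:
            cur["src_port"], cur["dst_port"] = int(m.group(1)), int(m.group(2))
            continue
        m = DROP_RE.match(line)
        if m:
            cur.update(status="dropped", drop_code=int(m.group(1)),
                       drop_reason=m.group(2), module=m.group(3))
        elif CONSUMED_RE.match(line):
            cur["status"] = "consumed"
        else:
            continue
        # A status line closes the record; ignore fragments lacking an IP header.
        if "src_ip" in cur:
            records.append(Record(
                proto=cur["proto"], src_ip=cur["src_ip"], dst_ip=cur["dst_ip"],
                src_port=cur.get("src_port"), dst_port=cur.get("dst_port"),
                status=cur["status"], drop_code=cur.get("drop_code"),
                drop_reason=cur.get("drop_reason"), module=cur.get("module")))
        cur = {}
    return records


def dns_drops_in_ipsec(records: List[Record], dns_port: int = 53) -> List[Record]:
    """UDP packets to the DNS port that the ipSec module dropped: the symptom
    in the thread (drop code 448, no SA matched the outbound packet)."""
    return [r for r in records
            if r.status == "dropped" and r.module == "ipSec"
            and r.proto == "UDP" and r.dst_port == dns_port]


# Constructed capture: the two packets from the question plus one ICMP packet
# from an X0 client, so the parser also handles records without a port line.
SAMPLE = """
Ethernet Header
Ether Type: IP(0x800), Src=[***], Dst=[***]
IP Packet Header
IP Type: UDP(0x11), Src=[192.168.50.1], Dst=[172.20.0.53]
UDP Packet Header
Src=[63829], Dst=[53], Checksum=0xbaab, Message Length=39 bytes
Application Header
DNS:
Value:[0]
Consumed, Module Id:20 1:2)
Ethernet Header
Ether Type: IP(0x800), Src=[***], Dst=[***]
IP Packet Header
IP Type: UDP(0x11), Src=[192.168.50.1], Dst=[172.20.0.53]
UDP Packet Header
Src=[52796], Dst=[53], Checksum=0xb7bf, Message Length=46 bytes
Application Header
DNS:
Value:[0]
DROPPED, Drop Code: 448(SA not found on lookup by SPI for outbound pkt), Module Id: 20(ipSec), (Ref.Id: _264_krugeQevgqpQwvrwv) 1:2)
Ethernet Header
Ether Type: IP(0x800), Src=[***], Dst=[***]
IP Packet Header
IP Type: ICMP(0x1), Src=[192.168.0.10], Dst=[172.20.0.53]
Consumed, Module Id:20 1:2)
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in dns_drops_in_ipsec(recs):
        print(f"{r.src_ip}:{r.src_port} -> {r.dst_ip}:{r.dst_port} "
              f"dropped by {r.module}, code {r.drop_code}: {r.drop_reason}")
```

Filtering on the source address of the flagged records shows at a glance whether the dropped queries come from an interface IP (here 192.168.50.1) rather than from a LAN host, which is the distinction the answer below turns on.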
Answers
It's complicated...
You cannot individually specify which network the NAT applies to over the VPN, it's all or none.
That said no matter what you attempt to do with NAT-ing the Sonicwall itself will ALWAYS send its own traffic out an interface with the interface IP. The NAT will never apply to the DNS traffic generated by the Sonicwall itself.
While this is failing, packet monitor showed dropped dns requests from X2 interface ip 192.168.50.1 which is the subnet not being nat'd on the tunnel. Both subnets (nat'd and not nat'd) are set in the vpn policy config as a network group but vpn traffic rules were created only for the X0 subnet under the Rules -- NAT Policies screen.
The 192.168.50.1 X2 ip is responsive to remote ping from a source across the tunnel and "X2 ip" is allowed as a source from lan to any for dns traffic under Rules -- Access Rules. Another vendor has a cli method to select routing and origin nat ip for system-originated traffic. Is there possibly a Sonicwall equivalent to force dns requests from the X2 ip to ipsec vpn subnets through a tunnel SA its subnet falls under?
The workaround used for now is a Windows dns server on the local X0 subnet with stub zones pointed at the primary dns server at the other end of the ipsec tunnel and Sonicwall dns proxy pointed at that local server for the dns split domains.
"Another vendor has a cli method to select routing and origin nat ip for system-originated traffic. Is there possibly a Sonicwall equivalent to force dns requests from the X2 ip to ipsec vpn subnets through a tunnel sa its subnet falls under?"
Not that I am aware of, but that doesn't mean it doesn't exist.