
How to configure SonicWall to communicate with SD-WAN VeloCloud Solution ?

Hi,

Below, my situation:

LAN PC - 192.168.0.x /24 connected to SonicWall X0 192.168.0.254 # Default Zone "LAN"
LAN PC - 192.168.0.x /24 have access to Internet via SonicWall X1 WAN Interface

SonicWall X2 10.10.11.1 was connected to the GE2 Interface of the SD-WAN VeloCloud Solution, IP 10.10.11.254

I have created a Zone "SD-WAN" on the SonicWall for the X2 - 10.10.11.1

LAN PC - 192.168.0.x must communicate with the remote Server 100.124.x.x behind the SD-WAN VeloCloud Solution

The Service Provider of the VeloCloud SD-WAN Solution asked that the X2 must be NATed to the IP 10.237.6.254 /25

What NAT, routing, ACL rules should I put in place for this to work?

Category: Mid Range Firewalls

Best Answers

  • Arkwright (All-Knowing Sage), accepted answer

    Your source subnet should be X0 not X2, because the X0 network is where the traffic of interest is originating from, right?

  • Arkwright (All-Knowing Sage), accepted answer

    Translated destination should be "Original" because you aren't translating the destination, right? I.e. the destination is already correct when the client sends the packet.

    It does seem a bit unusual to be NATing between clients and a server in this kind of arrangement. We would never NAT our clients to the server we host for them. But it could work.

    Why a metric of 10 for this route? It may not make any difference but as this is presumably your preferred route then the metric should be 1.

  • JeroLefe (Newbie), accepted answer

    Finally, there was an issue with routing from the SD-WAN to the SonicWall; the host provider fixed it and now it's OK, we can reach the remote server from the LAN 192.168.0.x over the SD-WAN connection.

Answers

  • TKWITS (Community Legend)

    I will try to help.

    Sonicwall firewalls expect a direct connection to the public internet, meaning their WAN interface expects to have a publicly routable IP address. Any traffic going out an interface in the WAN zone will be NAT'd to the IP address on the interface of the Sonicwall.

    By putting a Sonicwall firewall behind another device that NATs an ISP's connection, you are creating a 'double NAT' situation unless you explicitly tell the Sonicwall not to NAT traffic received on its 'internal' interfaces.

    The diagram provided indicates the 'VeloCloud' device is behind the ISP NAT device as well. Is this VeloCloud's recommended configuration?

    This seems like a very convoluted setup for simple connectivity needs.

  • JeroLefe (Newbie)

    Indeed, the client accesses a remote server via an IPsec VPN but apparently the latter is not stable enough, which is why the host provider supplied an SD-WAN box, which must therefore be connected to the Internet via the customer's Internet router.

    The host provider requests that the network flow arriving at it be addressed in 10.237.6.128/25; this is a requirement of the host provider.

    Here is the NAT I created for this:

    ORIGINAL
    —————
    Source: X2 Subnet (10.10.11.x)
    Destination: Remote Server (100.124.x.x)
    Service: Any
    Inbound Interface: Any
    Outbound Interface: Any

    TRANSLATED
    ———————
    Source: X2 Translate (10.237.6.128 /25)
    Destination: Remote Server (100.124.x.x)
    Service: Original

    And here is the route I set up so that when the PCs on the LAN want to reach the Remote Server (100.124.x.x), they go through the X2 interface (10.10.11.x) connected to the SD-WAN box:

    Source: Any
    Destination: Remote Server (100.124.x.x)
    Service: Any
    App: Any
    Interface: X2
    Gateway: GE2 interface of the SD-WAN Box (10.10.11.254)
    Metric: 10
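To see why Arkwright's first point matters, here is a small model of outbound route lookup followed by policy NAT matching, written as an added example for this thread; it is not SonicWall code and it is not the poster's configuration. It uses the thread's address objects (X0 and X2 subnets, the 10.237.6.x translated address, the route to the remote server with gateway 10.10.11.254); the masked "100.124.x.x" server and the sample LAN client are constructed placeholders, as is the WAN gateway. The NAT rule is evaluated once with Original Source = X2 Subnet, as first posted, and once with Original Source = X0 Subnet.

```python
"""Added example: outbound route lookup and policy-NAT matching (a model,
not SonicWall's implementation). The point it shows: a NAT policy only fires
when its Original fields match the packet as it enters the firewall, so the
Original Source must be the LAN (X0), not the egress link (X2)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Address objects following the thread's layout (placeholders where the
# thread masks octets).
X0_SUBNET = ipaddress.ip_network("192.168.0.0/24")       # LAN PCs behind X0
X2_SUBNET = ipaddress.ip_network("10.10.11.0/24")        # X2 <-> VeloCloud GE2 link
REMOTE_SERVER = ipaddress.ip_network("100.124.1.10/32")  # placeholder for 100.124.x.x
X2_TRANSLATE_HOST = "10.237.6.254"                       # address the provider asked for


@dataclass
class Route:
    destination: Net
    interface: str
    gateway: str
    metric: int


@dataclass
class NatPolicy:
    name: str
    orig_source: Net
    orig_destination: Net
    outbound_interface: Optional[str] = None  # None means "Any"
    trans_source: Optional[str] = None        # None means "Original"
    trans_destination: Optional[str] = None   # None means "Original"


def lookup_route(dst: str, routes: List[Route]) -> Optional[Route]:
    """Longest prefix wins; the metric only breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.destination]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.destination.prefixlen, r.metric))


def match_nat(src: str, dst: str, egress: str, policies: List[NatPolicy]) -> Optional[NatPolicy]:
    """First policy whose Original source, destination and interface all match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.orig_source and d in p.orig_destination and p.outbound_interface in (None, egress):
            return p
    return None


def forward(src: str, dst: str, routes: List[Route], policies: List[NatPolicy]) -> Optional[dict]:
    """What leaves the firewall: egress interface, gateway, and the (possibly translated) addresses."""
    route = lookup_route(dst, routes)
    if route is None:
        return None
    policy = match_nat(src, dst, route.interface, policies)
    new_src = src if policy is None or policy.trans_source is None else policy.trans_source
    new_dst = dst if policy is None or policy.trans_destination is None else policy.trans_destination
    return {"interface": route.interface, "gateway": route.gateway,
            "src": new_src, "dst": new_dst, "policy": policy.name if policy else None}


ROUTES = [
    Route(ANY, "X1", "203.0.113.1", 20),            # default route out the WAN (constructed gateway)
    Route(REMOTE_SERVER, "X2", "10.10.11.254", 1),  # the thread's policy route to the server
]

# NAT rule as first posted: Original Source = X2 Subnet.
NAT_AS_POSTED = [NatPolicy("server-nat", X2_SUBNET, REMOTE_SERVER, trans_source=X2_TRANSLATE_HOST)]
# NAT rule as suggested: Original Source = X0 Subnet, Translated Destination left at Original.
NAT_CORRECTED = [NatPolicy("server-nat", X0_SUBNET, REMOTE_SERVER, trans_source=X2_TRANSLATE_HOST)]

LAN_PC = "192.168.0.10"  # constructed sample client on X0
SERVER = "100.124.1.10"  # the placeholder server host

if __name__ == "__main__":
    print("as posted: ", forward(LAN_PC, SERVER, ROUTES, NAT_AS_POSTED))
    print("corrected: ", forward(LAN_PC, SERVER, ROUTES, NAT_CORRECTED))
```

Run as a script, the first line shows the packet leaving X2 with its LAN source untouched (no policy matched, so the provider sees 192.168.0.x instead of 10.237.6.x); the second shows the same packet leaving X2 sourced from 10.237.6.254 with the destination unchanged. The route lookup also shows that the metric does not decide anything here, since the /32 route to the server is more specific than the default route.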

  • JeroLefe (Newbie)

    I have tried changing the Source Subnet to X0 for the NAT, but it seems that's not working.

  • JeroLefe (Newbie)

    Thanks Arkwright for these clarifications.

    I confirm that we aren't translating the destination. In the meantime, I have already changed the Translated Destination to "Original", but with no effect.

    I set the metric to 10 because all the other routing policies have a metric of 20, but I have changed it to 1 on your advice.

  • TKWITS (Community Legend)

    Start with the basics. Can the Sonicwall ping the VeloCloud IP address? Have you done a packet capture on the Sonicwall to see what interface the traffic is going out?

  • JeroLefe (Newbie)

    Yes, the SonicWall can ping the VeloCloud, and the traffic goes out via X2.

  • TKWITS (Community Legend), edited May 2

    Does your NAT rule have any hits? Does your Access rule have hits?
