Can I configure a NAT over VPN on a NSA 3500 with SonicOS 5.8
Hello, I hope somebody can help me with this technical issue: I was assigned to work with a SonicWALL NSA 3500 (with SonicOS Enhanced 5.8.1.12-65o firmware). This device currently has over 63 active Site-to-Site VPNs, and all of them are established using the physical local LAN connected to the NSA (X0 Subnet = 172.21.18.0/24) as the Local Network.
Now, I am asked to establish a new VPN using a different Local Network (172.23.128.80/28) as the Local Network. I guess this would mean implementing a NAT of the real physical local LAN connected to the NSA (X0 Subnet = 172.21.18.0/24) to this "virtual LAN" 172.23.128.80/28 ... Is this possible on the SonicWALL NSA 3500 (with SonicOS Enhanced 5.8.1.12-65o firmware)? If so, how can I configure it?
Thanks in advance for the help.
Answers
@sluque
Let me try to understand your scenario: you have an NSA 3500 unit with 2 LAN subnets (one is a virtual LAN) which you need to add into the new IPSEC VPN tunnel? If this is the scenario, YES, it is possible. Otherwise please elaborate a little more about your exact requirement.
Hi Ajishlal, I will try to explain the situation better. This is a small control centre which has only one LAN subnet (172.21.18.0/24), to which the SCADA servers are connected. This single LAN is connected to a SonicWALL NSA 3500 on its X0 LAN port (with IP 172.21.18.250), therefore there is only one X0 Subnet.
Then the NSA 3500's X1 WAN port is connected to an Internet service with a static public IP, and several VPNs are established with remote sites (plants) to get the real-time telemetry data for this control centre.
All of this NSA 3500's existing VPNs to the remote sites (plants) are configured using this single X0 Subnet = 172.21.18.0/24 as the Local Network (and the Remote Networks are those corresponding to each site or plant).
So far so good, but now a new VPN with a new remote site must be established, and this site cannot use this NSA 3500's Local Network 172.21.18.0/24 as their Remote Network (on their firewall). They are requesting us to make a NAT between the NSA 3500's X0 Subnet Local Network 172.21.18.0/24 and a "virtual subnet 172.23.128.80/28" they have defined, in order to establish the VPN with their site or plant.
In other words, they are asking us to establish the VPN with this LAN they defined, 172.23.128.80/28 (Local Network for the control centre, Remote Network for the plant), and not with the standard 3500's X0 Subnet = 172.21.18.0/24.
Obviously, I cannot change the existing control centre X0 Subnet = 172.21.18.0/24, and I cannot implement an additional control centre LAN 172.23.128.80/28 just for them; therefore the only way, if this is possible, would be to make a NAT 172.21.18.0/24 > 172.23.128.80/28 inside the VPN.
My question is then: is this possible on the SonicWALL NSA 3500 (with SonicOS Enhanced 5.8.1.12-65o firmware)? If so, how can I configure it?
Best regards and thanks for your concern.
Santiago Luque
@sluque
Yes, it is possible. Before we start, make sure the below option is available in your existing VPN policy.
If it is not available, you will need to upgrade the firmware.
For your above scenario, we need to map your X0 subnet to the new subnet 172.23.128.80/28.
Step 1: SITE A Configuration (NSA 3500)
You need to create an address object for the new subnet:
1) Navigate to the address object page and create the address object as shown below;
1.1) Create a subnet for your Remote Site (Site B). For example 10.20.20.0/24
1.2) Navigate to the VPN page & create a new VPN policy for your above requirement;
1.3) Once the above configuration is finished, select "Network" & configure as shown below;
1.4) Once the above configuration is finished, navigate to Proposals and configure your IKE proposal configuration.
1.5) Once you are done with the proposals configuration, navigate to the "Advanced" menu & configure as shown below;
1.6) Once you apply the above configuration, a NAT policy will be created automatically. To verify, navigate to Network --> NAT Policies;
2) Step 2: SITE B Configuration
2.1) Create an address object for SITE A (New Subnet 172.23.128.0)
2.2) Navigate to the VPN page & create a new VPN policy
Step 1
Step 2
Step 3: Configure your Proposal:
Step 4
Once you have done the above steps, check that the Site-to-Site VPN at both locations is green;
SITE A:
SITE B:
It is recommended that both subnets be in the same class; but in your scenario both subnets are of a different class.
SITE A: 172.21.18.0/24 is mapped to 172.23.128.0/28 (maximum 14 hosts)
How to do the test:
In order to connect from SITE B to the server with IP 172.21.18.5 in SITE A (where your NSA 3500 is), use the NAT'ed IP 172.23.128.5
Hi AJISHLAL,
Thanks very much for your detailed answer, I really appreciate it.
First of all, regarding the VPN Policy - Advanced tab: yes, this NSA 3500's SonicOS Enhanced 5.8.1.12-65o firmware does have the "Apply NAT Policies" option, therefore I followed your instructions step by step.
However, on step 1.3 I have configured the "Network" tab as below:
In your example you put "LAN Subnets", therefore I guess you mean the (only) Control Centre's LAN 172.21.18.0/24 (used on all VPNs), which is defined as the "X0 Subnet" under "Firewall > Address Objects":
Is this configuration correct, or do I have to create an "Address Group" including this "X0 Subnet" 172.21.18.0/24 and the virtual "New Subnet" 172.23.128.0/28?
Then, the Remote Networks is the SITE B local network as you defined in your example:
And then step 1.5) is where I had problems. First, I enabled "Apply NAT Policies:" and configured the "Translated Local Network:" with the virtual "New Subnet" 172.123.128.80/28 as you instructed:
But when I tried to configure the "Translated Remote Network:", I understood that by "Original" you meant the Control Centre's LAN 172.21.18.0/24, but this "X0 Subnet" is not listed:
Last, but not least, "2) Step 2 SITE B Configuration" cannot apply in this case, because SITE B (the plant) is not in my area of scope. This site B will use a Fortinet - FG-60F - FortiGate 60F firewall and is going to be configured by the plant's technicians, and they only told me that their "Local Networks" configuration will be the virtual "New Subnet" 172.123.128.80/28.
Remember that the final goal is to establish the VPN with SITE B using the virtual "New Subnet" 172.123.128.80/28 as if it were my real local LAN, instead of using the Control Centre's LAN 172.21.18.0/24 ("X0 Subnet"). In other words, SITE B is asking me to translate 172.21.18.0/24 ("X0 Subnet") to the virtual "New Subnet" 172.123.128.80/28.
Best regards.
"Is this configuration correct, or do I have to create an "Address Group" including this "X0 Subnet" 172.21.18.0/24 and the virtual "New Subnet" 172.23.128.0/28?" --> X0 Subnet is fine.
1.5)
I hope the above solution will help you to resolve your problem.
NB: The challenge is, as I mentioned above, that with the virtual subnet you can map only 14 hosts.
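Added example (not code from the thread or from SonicWall): a small checker for the host-to-host mapping that the NAT-over-VPN step produces, written to illustrate the "172.21.18.5 becomes 172.23.128.5" test above and the 14-host limit noted in this last reply. It assumes the translation is a 1:1 network-to-network NAT that preserves the host offset within the subnet, which is why a /24 mapped onto a /28 leaves most hosts unreachable through the tunnel.

```python
import ipaddress

def nat_over_vpn_map(original_net: str, translated_net: str, host_ip: str):
    """Translate one host from the original (X0) subnet into the translated
    subnet, preserving the host offset (assumed 1:1 network-to-network NAT).
    Returns the translated address as a string, or None if the host has no
    usable address in the translated subnet."""
    orig = ipaddress.ip_network(original_net, strict=False)
    trans = ipaddress.ip_network(translated_net, strict=False)
    host = ipaddress.ip_address(host_ip)
    if host not in orig:
        return None
    offset = int(host) - int(orig.network_address)
    candidate = ipaddress.ip_address(int(trans.network_address) + offset)
    # The network and broadcast addresses of the translated block are not
    # usable hosts, and anything past the block's end cannot be mapped at all.
    if candidate not in trans:
        return None
    if candidate in (trans.network_address, trans.broadcast_address):
        return None
    return str(candidate)

def mappable_hosts(original_net: str, translated_net: str):
    """Return (mapped, unmapped): original hosts that do / do not receive a
    usable translated address. Shows the '14 hosts' limit of a /24 -> /28."""
    orig = ipaddress.ip_network(original_net, strict=False)
    mapped, unmapped = [], []
    for h in orig.hosts():
        t = nat_over_vpn_map(original_net, translated_net, str(h))
        (mapped if t else unmapped).append(str(h))
    return mapped, unmapped

if __name__ == "__main__":
    # Scenario from the thread: X0 subnet /24 translated to the plant's /28.
    x0, virt = "172.21.18.0/24", "172.23.128.80/28"
    print("172.21.18.5 ->", nat_over_vpn_map(x0, virt, "172.21.18.5"))
    print("172.21.18.20 ->", nat_over_vpn_map(x0, virt, "172.21.18.20"))
    mapped, unmapped = mappable_hosts(x0, virt)
    print(f"{len(mapped)} hosts reachable via the tunnel, {len(unmapped)} are not")
```

Run it against the real X0 range and the subnet the plant supplies before committing the policy; any SCADA server whose address comes back as None will not be reachable from SITE B through this tunnel.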