
How do I route remote VPN device through default gateway with NAT like SSLVPN

(TZ500; Firmware SonicOS Enhanced 6.5.4.12-101n) I have a device (192.168.3.200) on a remote network (192.168.3.0/24) connected to the TZ500 via IPSecVPN site-to-site tunnel. I would like to route the WAN traffic from the single device through the VPN tunnel to the TZ500 default gateway and out to the WAN with NAT, such that the remote device traffic appears to come from the TZ500 (rather than its own router), in the same way SSLVPN traffic to the TZ500 does. I thought I had a handle on the set-up but apparently not.

Category: Entry Level Firewalls

Answers

  • Arkwright All-Knowing Sage ✭✭✭✭

    The above could work but you would end up with everything in the 192.168.3.0 network using it.

    If you want more fine-grained control over who uses the site-site as a default route, then you need a tunnel-mode VPN with static routes, and NAT policies at the TZ500 end to NAT the traffic appropriately.

  • bretd Newbie ✭

    "a tunnel-mode VPN with static routes, and NAT policies at the TZ500 end to NAT the traffic appropriately": This is what I am attempting; I believe I have the remote site set to direct all traffic from the device (192.168.3.200) only through the TZ500. I have created a Route on the TZ500, as well as a NAT policy and a Security policy to allow traffic from VPN to WAN, but either I have 1 or more of the TZ500 settings incorrect, 1 or more settings is being overridden by a pre-existing higher priority rule, or I don't have the route on the remote network router properly set (the remote router is a different mfg, but I have confirmation from a forum for that vendor/router that the route & permissions are correct).

    If all else fails, however, routing all traffic from 192.168.3.0/24 through the tunnel and out the TZ500 would be a 2nd best solution (which, if you're willing to indicate in addition to or in lieu of the aforementioned more complicated solution, I would also like to hear--I believe it largely consists of altering the network policies for the IPSec VPN tunnel network on both ends of the tunnel from 10.2.10.0/24--our current main subnet--to 0.0.0.0/0, while keeping the remote network policy 192.168.3.0/24, correct?)

  • bretd Newbie ✭

    Addendum:

    On the TZ500, there is:

      • an access rule from VPN to WAN, source Any, destination Any, Service Any, Action Allow, users All

      • a NAT policy from original source 192.168.3.200 translated to X1 IP, destination Any to destination Original, service Any to service Original, inbound interface Any to outbound interface X1

      • a route policy from Source 192.168.3.200 to destination Any, service Any, app N/A, TOS/Mask Any, route Standard, gateway X1 Default Gateway, interface X1, Metric 1, priority 9

  • bretd Newbie ✭

    Additional addendum:

    On the remote site, there is:

      • an access rule from LAN1 to IPSec_VPN, source 192.168.3.200, destination Any, service Any, user Any, Action Allow

      • a route from source 192.168.3.200 destination Any, service Any, next hop IPSec_VPN-tunnel

      • no NAT/SNAT policy for the 192.168.3.200 beyond the router default to the WAN
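The two addendum posts list three objects on the TZ500 end (a source-based route policy, a NAT policy keyed on the outbound interface, and a VPN-to-WAN access rule) whose combined effect decides whether a packet from 192.168.3.200 leaves X1 with the firewall's address. The Python below is an added example, not code from the thread or from SonicWall: it is a deliberately simplified model in which a packet is first matched against route policies in priority order (lowest number wins), then against NAT policies using the chosen egress interface, then against zone access rules. That evaluation order, the X1 address 198.51.100.1, the test destination 203.0.113.5, the existence of a plain default route at a low priority, and the "extra higher-priority route" scenario are all assumptions; the model is useful for reasoning about which rule a packet hits, not as a statement of how SonicOS itself evaluates policies.

```python
# Added example: a simplified route -> NAT -> access-rule model of the
# TZ500-side objects described in the thread. Not SonicOS code; the
# evaluation order and all addresses below are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

X1_IP = "198.51.100.1"  # constructed placeholder for the TZ500's X1 address


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str = "VPN"  # arrives over the site-to-site tunnel


# Route policies from the post, plus an assumed catch-all default route.
# Evaluated lowest priority number first; the first match decides egress.
ROUTES = [
    {"priority": 9, "src": "192.168.3.200/32", "dst": "0.0.0.0/0", "iface": "X1"},
    {"priority": 99, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "iface": "X1"},  # assumed default
]

# NAT policy from the post: source 192.168.3.200 -> X1 IP when leaving X1.
NAT_POLICIES = [
    {"orig_src": "192.168.3.200/32", "orig_dst": "0.0.0.0/0",
     "in_iface": "Any", "out_iface": "X1", "trans_src": X1_IP},
]

ZONE_OF = {"VPN": "VPN", "X1": "WAN", "X0": "LAN"}

# Access rule from the post: VPN -> WAN, any source/destination, allow.
ACCESS_RULES = [
    {"from": "VPN", "to": "WAN", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "allow"},
]


def in_net(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net)


def iface_matches(rule_iface: str, actual: str) -> bool:
    return rule_iface == "Any" or rule_iface == actual


def lookup_route(pkt: Packet, routes=ROUTES):
    """Return the winning route policy (or None): lowest priority number first."""
    for r in sorted(routes, key=lambda r: r["priority"]):
        if in_net(pkt.src, r["src"]) and in_net(pkt.dst, r["dst"]):
            return r
    return None


def apply_nat(pkt: Packet, out_iface: str, policies=NAT_POLICIES) -> str:
    """Return the source address after NAT (unchanged if no policy matches)."""
    for n in policies:
        if (iface_matches(n["in_iface"], pkt.in_iface)
                and iface_matches(n["out_iface"], out_iface)
                and in_net(pkt.src, n["orig_src"])
                and in_net(pkt.dst, n["orig_dst"])):
            return n["trans_src"]
    return pkt.src


def check_access(pkt: Packet, out_iface: str, rules=ACCESS_RULES) -> bool:
    """Zone-based access check; no matching rule means deny."""
    from_zone, to_zone = ZONE_OF[pkt.in_iface], ZONE_OF[out_iface]
    for a in rules:
        if (a["from"] == from_zone and a["to"] == to_zone
                and in_net(pkt.src, a["src"]) and in_net(pkt.dst, a["dst"])):
            return a["action"] == "allow"
    return False


def simulate(src: str, dst: str, routes=ROUTES) -> dict:
    """Model the fate of one packet: egress interface, post-NAT source, verdict."""
    pkt = Packet(src, dst)
    route = lookup_route(pkt, routes)
    if route is None:
        return {"egress": None, "src": src, "allowed": False}
    out = route["iface"]
    return {"egress": out, "src": apply_nat(pkt, out), "allowed": check_access(pkt, out)}


if __name__ == "__main__":
    # The single remote device: routed to X1, source rewritten to the X1 IP.
    print(simulate("192.168.3.200", "203.0.113.5"))
    # Another remote host: same egress via the default route, but no NAT hit,
    # so it would leave with a private source address (and normally never return).
    print(simulate("192.168.3.10", "203.0.113.5"))
    # Hypothetical: a higher-priority route covering the whole remote subnet
    # silently wins over the host-specific policy, which is one way a
    # "pre-existing higher priority rule" can override the intended setup.
    extra = [{"priority": 1, "src": "192.168.3.0/24", "dst": "0.0.0.0/0", "iface": "X0"}]
    print(simulate("192.168.3.200", "203.0.113.5", routes=extra + ROUTES))
```

The useful check here is the second and third cases: a packet that reaches X1 without a NAT match still passes the Any/Any access rule, so an "allow" verdict alone does not prove the translation is happening, and a broader route with a smaller priority number takes the packet away from X1 entirely, so the NAT policy keyed on outbound interface X1 never gets a chance to match.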
