
VPN NAT Question - Multiple Public IP address

I was wondering if anyone knows how to have multiple public IP addresses in a VPN tunnel. When I enable the NAT policy in my VPN tunnel and add multiple public IP addresses, it doesn't work. I also double-checked my NAT policies, and they look correct.

Category: Mid Range Firewalls

Answers

  • Arkwright Community Legend ✭✭✭✭✭

    What are you trying to do?

    Are you trying to translate the addresses of the traffic traversing the tunnel?

    Or are you trying to allow the tunnel to connect to/from multiple public IPs?

  • ITRAD43 Newbie ✭

    I am trying to allow the tunnel to connect to and from multiple public ip address.

  • Arkwright Community Legend ✭✭✭✭✭

    In that case, I don't think you can handle this with NAT policies on the firewall itself.

    There are a few ways to achieve this:

    • You can have up to two Gateway IP [or FQDN] entries per "normal" site-site tunnel. Only one will be active at a time
    • You can have multiple active "tunnel-mode" tunnels, but only one IP or FQDN entry per tunnel, and they must be bound to a specific interface locally
    • You can just specify an IP of 0.0.0.0

  • ITRAD43 Newbie ✭

    Thanks for the information. What if I am going to translate the addresses of the traffic traversing the tunnel?

  • TKWITS Community Legend ✭✭✭✭✭

    I suggest translating any local traffic to a single address. The remote side can be multiple IPs in a group.

    A note, when you enable NAT on the VPN tunnel, it will automatically create the appropriate NAT rules. You don't need to manually create them.

  • ITRAD43 Newbie ✭
    edited January 29

    That is really odd, since with WatchGuard VPN tunnels I can have NAT and DAT to multiple locations using public IP addresses directly in the tunnel. The answer is really not going to help me, since I need to access resources on their side from two different resources on my side.

  • jst3751 Newbie ✭

    If you are trying to use one tunnel between one location on say sideA and multiple locations on sideB, that is never going to work. A VPN tunnel is point to point.

    If you are trying to create a VPN tunnel between pointA and pointB and say pointA has multiple WAN connections, you would configure the VPN tunnel with one or two gateways, either IP or FQDN.

  • TKWITS Community Legend ✭✭✭✭✭

    Share some sanitized screenshots of the tunnel config, and a brief description of the address objects used.

  • ITRAD43 Newbie ✭

    I hope this might help show what I am trying to do.

    Above is from a WatchGuard VPN tunnel. The local side is my resources that need access to resources on the vendor side. As you can see, these are DAT and NAT so that the vendor side doesn't see my private IP addresses.

    The goal is to take the information above and apply it to a SonicWALL firewall. From my research I found an article from SonicWALL, and it looks like all I need to do is create Inbound and Outbound NATs in the SonicWALL firewall like this:

    SVR01 is a resource on my side.

    Networks Group is the Address Group for the resources on the vendor side.

    Then in the VPN tunnel I should only have my subnet and then the IP addresses on the remote resource side.

    Then under the Advanced option leave the Apply NAT Policies Off:

    Let me know if that is correct or not.
