Applying a NAT policy to a Sonicwall VPN Tunnel

I recently had an opportunity to setup something that I’ve never configured before. I had to build a site to site VPN with a vendor into a network that used the same IP scheme as one of the vendor’s subnets. Normally the IPs on either side of the tunnel are different, in this case the vendor already had a subnet in their network with the same IP address range as our internal subnet, so this wouldn’t allow us to build a tunnel between the two sides wouldn’t route the traffic to the other, both would think the traffic is local.

We decided that we would mask my client’s internal subnet to some other range so that the internal subnet wouldn’t interfere with the subnet that the vendor had internally.

Let me break this down into numbers that make some sense:

  • Our local subnet was 192.168.1.0/24
  • The Vendor’s subnet was 10.0.0.0/24 (but they also had a subnet in their network for 192.168.1.0/24, which is why this would not work, our traffic would  get to them, but wouldn’t make it back out over the VPN on the way back)
  • We decided that we would mask our 192.168.1.0/24 subnet as 192.168.254.0/24

Here is how the router was Setup:

First we needed to make some Address Objects in the Sonicwall

1)      Expand “Network” in the Sonicwall’s left hand pane

2)      Click on “Address Objects”, and Create the following Address Objects:

  • Name: Vendor Network,  Zone: VPN, Network: 10.0.0.0, Netmask: 255.255.255.0
  • Name: Local Network, Zone: LAN, Network: 192.168.1.0, Netmask: 255.255.255.0
  • Name: Masked Local Network, Zone: VPN, Network: 192.168.254.0, Netmask: 255.255.255.0

Next we need to build the VPN Tunnel

1)      Next Expand “VPN” in the Sonicwall’s left hand pane

2)      Click on “Add..” to create a new VPN

3)      Fill in a Name,  IPSec Primary Gateway, Shared Secret and then click the “Network” tab

4)      Under the Section “Local Networks” select “Local Network” from the drop down list

5)      Under the Section “Remote Networks” select “Vendor Network” from the drop down list, and then click on the “Advanced” tab

6)      Select the box for “Keep Alive” and the box for “Apply NAT Policies”

7)      Change “Translated Local Network:” to “Masked Local Network” using the drop down selection box

8)      Change “Translated Remote Network:” to “Original” using the drop down Selection box and press OK (note: we did not go over the proposals tab because it’s not relevant to this configuration)

Finally we’ll need to setup some one-to-one NAT rules to allow traffic from our Vendor to our desired Server(s). Note: This section may not be needed, when I configured this we were actually bringing 3 different subnets into the tunnel using just a single masked subnet, so I ended up needing to do this, but it’s possible that you won’t need to do this if you’re only using a single subnet on each side, so check to make sure the tunnel is routing traffic properly before moving forward with these steps.

1)      Expand “Network” in the Sonicwall’s left hand pane

2)      Click on “NAT Policies” in the Sonicwall’s left hand pane

3)      Here is where things can get a little tricky, basically we need to make a rule for each object that needs to be accesses by the vendor’s subnet. Let’s assume it’s only our one server, which happens to be 192.168.1.10. If you’ve got more than one server, you can create multiple rules

4)      Click “Add…” to start a new NAT rule and enter the following:

  • Original Source: Vendor Network
  • Translated Source: Original
  • Original Destination: 192.168.254.10 (remember this is coming FROM the vendor to the Masked Address)
  • Translated destination: 192.168.1.10
  • Original Service: Any
  • Translated Service: Original

Once this rule is created your vendor should be able to access you server at IP address 192.168.1.10 by using the IP address of 192.168.254.10.

This is a confusing configuration, so email me if you have any questions, and good luck.

15 thoughts on “Applying a NAT policy to a Sonicwall VPN Tunnel

  1. medIT

    Good read – We have setup several of these time to time – Nat policies with redirected subnets are fun… Even more fun when you have 10+ networks that are all routing separate networks with access rules. What a lot of readers might find is they are unable to do this if they have a standard edition of SonicOS. Must have Enhanced OS to follow these instructions.

    Reply
  2. Master Quan

    I understand wanting to mask a network because both are using the same network, but we are not. Here is question and how do I do this on a Sonicwall

    Example
    Finance
    IP 67.211.135.201
    Local 10.120.130.8 /29
    Remote 65.130.92.24
    I need to translate the
    local 10.120.130.9 to our internal AD server 172.25.28.140
    local 10.120.130.10 to our internal AD server 172.25.28.141

    How would this be done?

    Reply
  3. Chris

    I need to do something like this. On the vendor side, they will be pointing back to two servers. So your direction is good for that. However, from my side I need to web to management interfaces on that side to other devices. Is it as simple as going to the device at 10.0.0.x? Or do I need to create the same NAT policies for each device with a Mgt GUI?

    Reply
  4. NYNET

    This is exactly what I was looking for. I have been trying to setup a VPN tunnel to a vendor that had the same local IP range as our network. This was so easy once it was explained correctly. Thanks a bunch.

    Reply
  5. Pingback: How To Fix Sonicwall Error Range And Gateway Are On Different Subnets in Windows

  6. Scott Drew

    Thanks for this….I have the EXACT same scenario. I have an NSA 3500 on my side, and this was EXACTLY what I was looking for. Quick question regarding access. I will be doing what you said by masking our LAN with a different private IP/subnet, and I ONLY want the remote side(“Vendor”) to have access to three servers. After I create one-to-one NATs for each server will that be ALL they can access, even if they try and access or ping one of our actual/original IPs? I need to limit them to just three servers. Thanks.

    Reply
  7. BringIT

    What about NAT for global VPN client (home / remote users)? I inherited an internal Class C .1/24 network with an ever expanding need for remote access and about every user has the same network along with about every hotel (or at least where the boss seems to stay).

    One one hand, my thought is to change the internal network and to avoid additional rules and overhead with NAT but the quick part of me is looking for the fast fix.

    Reply
    1. Sean LaBrie

      I would create a sub interface vlan off of X0, it can be any vlan you want besides 1, and then give it an address space of /24 or /23 if you need more than 254 VPN users at once. Then adjust your global vpn routes. Any resource they need access to in the 192.168.1.x range you can set a route with a x.x.x.x/32, which will solve your issues. Moving the VPN users off into their own subnet will free up space on the 192.168.1.x network, and putting the /32 routes for resources remote users need access to will result in the traffic at their house taking the VPN instead of using the local interface if they have the same address space at home.

      Reply
  8. Joven D.

    Hi,

    Thanks for this. I was able to solve my problem. But I have question on NAT from Local to Vendor. What is the policy need to create?

    As of now, I follow your one to one NAT (your Vendor to you desire local server) and it’s working fine. But how about the reverse (desire local server to Vendor server)? Assuming that in Vendor side they allow the access on mask IP segment.

    Thanks. This is helpful by the way 🙂

    Reply
    1. Sean LaBrie

      The only thing you need to do is re-create an exact NAT rule, but switch the source and destination addresses, that will NAT traffic to a different IP as it leaves your network bound for the vendor.

      Reply
      1. Joven D.

        Hi,

        Thanks for prompt response.

        I made this NAT base on what you said:

        – Original Source: 192.168.1.100 (Desire Server)
        – Translated Source: 172.17.101.10 (Masked Address)
        – Original Destination: Vendor Network
        – Translated destination: Original
        – Original Service: Any
        – Translated Service: Original

        But I cannot get any response. I’m trying to PING one of the Vendor Server using my desire server.

        Is my NAT policy created correct?

        Thanks.

        Reply
  9. khan

    site A:
    192.168.171.0/24
    Masked subnet 192.168.172.0/24

    site B:
    192.168.151.0/24
    also using subnet 192.168.171.0 /24 for other vpn
    server 1: 192.168.151.13
    server 2: 192.168.151.10
    server3: 192.168.151.168

    My requirement is:

    1. Site A all user should access have access only to site B servers server 1 , server 2 , server 3.

    2. Site B users should not have access to Site A except server1 ,server 2 ,server 3 (by default these 3 will get access to site A)

    Please explain how can i restrict the Site B users to access site A,
    I have done nat over VPN

    Reply
  10. Marc Lee

    Hi Sean,

    as we have spoken over the phone earlier, I try to build a VPN tunnel between two offices, but they are having the same subnets, 10.168.xx.xx, can you show me how to do this?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *