
Overlapping Subnet & NAT

Status
Not open for further replies.

Semperfi2004

IS-IT--Management
Mar 27, 2006
56
US
Does anyone know if you can do the following:
I have an NS208, and it is set up on a LAN-to-LAN IKE VPN to a SonicWall 230.
My issue is overlapping subnets. Both sites are using the same subnet. Changing the subnet wouldn't be an option.
All the NATing will have to be done on the NS208 side. SonicWall says the 230 can't do NATing in standard mode.
Below is what I tried doing; any ideas, examples, etc. would be greatly appreciated.
Thank you in advance.

PC - xxx.xxx.0.1
NS208 - 1.1.1.1
I've tried setting up the following:
1. Created the LAN-to-LAN VPN.
2. Created a tunnel.x with 10.10.10.0/24
   Created MIP 10.10.10.1 -> xxx.xxx.0.1
3. Tried to bind a custom zone to tunnel.x and applied it to the IKE VPN (that didn't work)
4. Created policy Trust to Untrust
   10.10.10.0/24 -> xxx.xxx.0.1
to
SW230 - 2.2.2.2
PC - xxx.xxx.0.1


 
I have my NS training manual and firewall book and have yet to do this, BUT I am willing to help. Each of the above referenced sources has specifics about such a scenario. I will post details when I get some more info.

-metro305
 
Thank you, I've been working on this all day. LOL. I seem to be getting nowhere.
 
Hi there, you need to NAT before you tunnel across the VPN.
Create a tunnel interface with an IP address, e.g. xx.xxx.x.x/16, and give it a range which isn't either the source or the destination.

set interface "tunnel.2" mip 10.250.0.0 host xxx.xxx.0.0 netmask 255.255.0.0 vr "trust-vr"

We NAT from Class C to Class A and back again.

Set the rest of the VPN, IKE, gateway up as normal but assign this tunnel interface.

You can then set up a policy based NAT to translate all your traffic to a MIP which is one of the tunnel interface range.

You can do this for outbound traffic as well.

It's a bit of a bind and there is a Netscreen document that covers it. Took me several days to work it out.
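The NS208-side configuration that Varzie's reply describes, written out as an added example (it is not from the thread or from Juniper's documentation): the tunnel interface lives in the Untrust zone, a MIP range on it presents the local 192.168.0.0/16 hosts to the peer as 10.250.0.0/16, the VPN is bound to the interface, and the policies reference the MIP. The peer-side range 10.251.0.0/16, the tunnel interface address 10.249.0.1/24, the address-object names and the key placeholder are assumptions; the `#` lines are annotations, not ScreenOS syntax, and must be dropped when pasting.

```screenos
# Tunnel interface in the Untrust zone, so the policies run Trust <-> Untrust
# (binding it to Trust produces the "vpn ... is on zone untrust" error seen above)
set interface tunnel.1 zone untrust
# Interface address outside the MIP range so the range does not swallow it (assumed)
set interface tunnel.1 ip 10.249.0.1/24
# MIP range: peer reaches local 192.168.x.y as 10.250.x.y; a MIP is bidirectional,
# so traffic sourced from 192.168.x.y leaves the tunnel as 10.250.x.y
set interface tunnel.1 mip 10.250.0.0 host 192.168.0.0 netmask 255.255.0.0 vrouter trust-vr
# Address objects: local LAN (from the thread) and the range the SonicWall side
# presents after its own NAT (assumed; the peer cannot keep 192.168.0.0/23 as well)
set address trust VPN_ACCESS 192.168.0.0 255.255.254.0
set address untrust SONIC_LAN_NAT 10.251.0.0 255.255.0.0
# IKE gateway and VPN as normal; the VPN is bound to tunnel.1, not used in a policy
set ike gateway Sonic_GW address 3.3.3.3 main outgoing-interface ethernet6 preshare "<PRESHARED-KEY>" sec-level standard
set vpn 2Sonic gateway Sonic_GW sec-level standard
set vpn 2Sonic bind interface tunnel.1
# Route the peer's translated range into the tunnel
set route 10.251.0.0/16 interface tunnel.1
# Outbound: local LAN to the peer's range; inbound: peer to our MIP range only
set policy from trust to untrust VPN_ACCESS SONIC_LAN_NAT any permit log
set policy from untrust to trust SONIC_LAN_NAT "MIP(10.250.0.0/16)" any permit log
```

The SonicWall's VPN destination network must then be 10.250.0.0/16, never 192.168.0.0/23, and its own proxy-ID/source must be the 10.251.0.0/16 range it presents.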
 
Hey Varzie, thank you for the information. I did as you suggested. But I tried applying the "2Sonic" to the policy and it wouldn't allow me, giving me the error "vpn 2sonic is on zone untrust".
Below is my config. Does it make any sense? Thank you.


set interface "tunnel.1" zone "Trust"
set interface ethernet1 ip xxx.xxx.x.x/23
set interface ethernet6 ip x.x.x.x/29
set interface tunnel.1 ip xx.xxx.x.x/16
set interface "tunnel.1" mip xx.xxx.0.0 host xxx.xxx.0.0 netmask 255.255.0.0 vrouter "trust-vr"
set address "Trust" "VPN_ACCESS" xxx.xxx.0.0 255.255.254.0
set ike p2-proposal "P2Sonic" no-pfs esp 3des sha-1 second 28800
set ike gateway "Sonic_GW" address 3.3.3.3 Main outgoing-interface "ethernet6" preshare "PreshareKey" proposal "pre-g2-3des-sha"
set vpn "2sonic" gateway "Sonic-GW" no-replay tunnel idletime 0 proposal "P2Sonic"
set vpn "2Sonic" id 439 bind interface tunnel.1
set policy id 543 from "Trust" to "Untrust" "VPN_ACCESS" "MIP(10.250.0.0/16)" "ANY" permit log
set route 3.3.3.3/32 interface ethernet6 gateway 2.2.2.2
 
I have my policies set this way

set policy id 975827 from "Trust" to "Untrust" "Any" "MIP(xx.xxx.x.x/16)" "ANY" Permit log

I then have a reverse policy which maps untrust back to trust.

Have you set up vpn 2sonic as an object in a different zone?

Do you get the VPN phase 2 working so the VPN is up?

 
"VPN-ACCESS" is actually 192.xxx.x.xxx/xx and not 192.xxx.x.y/zz, my bad.
As shown here:
set address "Trust" "VPN_ACCESS" 192.xxx.x.y 255.255.254.0

As far as a reverse policy on the SonicWall: the Sonic 230 with the standard OS, from what I was told, can't create policies like that (trust to untrust or untrust to trust). It only allows you to create a VPN and allow certain traffic in.
For example: you can create a VPN and say allow 192.xxx.a./aa from gateway 4.4.4.4, with the appropriate Phase one and two, etc. That's about it...
SonicWall says you have to have the "enhanced version OS" to do any NATing or create any advanced policies.

Creating a separate zone, I have not. I did try that once, but gave up on that. Do I need to set up a zone for 2sonic and apply that to the VPN?

Right now, my Phase 1 has a mismatched key, I think. I am getting the following error.

Rejected an IKE packet on ethernet6 from 65.x.xxx.xxx:xxx to 12.yyy.yyy.yyy:yyy with cookies 4b186dd28052355b and 68fdfa9199c6d5e8 because received a packet with a message ID before Phase 1 authentication was done.
Rejected an IKE packet on ethernet6 from 65.x.xxx.xxx:xxx to 12.xxx.xxx.xxx:xxx with cookies 4b186dd28052355b and 68fdfa9199c6d5e8 because Phase 1 negotiations failed. (The preshared keys might not match.).
info IKE<65.x.xxx.xxx> Phase 1: Responder starts MAIN mode negotiations.

Thank you for your Help.
 
Hey Varzie - sorry about that, I had to have Tek-Tips make a change, I accidentally put in some external IP addresses. I am now getting Phase 1 up, but still having an issue with the whole VPN.

"VPN-ACCESS" is actually 192.168.0.128/27 and not 192.168.0.0/23, my bad.
As shown here:
set address "Trust" "VPN_ACCESS" 192.168.0.0 255.255.254.0

As far as a reverse policy on the SonicWall: the Sonic 230 with the standard OS, from what I was told, can't create policies like that (trust to untrust or untrust to trust). It only allows you to create a VPN and allow certain traffic in.
For example: you can create a VPN and say allow 192.168.1.1/24 from gateway 4.4.4.4, with the appropriate Phase one and two, etc. That's about it...
SonicWall says you have to have the "enhanced version OS" to do any NATing or create any advanced policies.

Creating a separate zone, I have not. I did try that once, but gave up on that. Do I need to set up a zone for 2sonic and apply that to the VPN?

Phase one is working now.

Thank you for your Help.
 
You shouldn't need to set up a separate zone, as the VPN is bound to the virtual router and the interface on the public side.

Ideally you need to be able to create another MIP on the SonicWall to map the inside addresses to a tunnel interface address, or at least NAT once to a single address on the tunnel interface. If you can't do that, then I don't think you'll be able to route the traffic without changing one of the ranges.



 