
Networking

VPN

SonicOS Enhanced: Using a Secondary Public IP Range for NAT

Introduction
When the ISP has allocated two public IP address ranges, special configuration is required to allow the SonicWALL to use the secondary public IP address range for one-to-one NATs. This document describes the two possible configuration methods.

Network Diagram:
ISP has assigned 2 public IP ranges: 10.50.26.0/24 and 10.50.27.0/24
Upstream router Eth0/0: 10.50.26.1
SonicWALL PRO 3060 X1: 10.50.26.6
Internal network: 172.16.6.0/24
SMTP server: 172.16.6.100
Web server: 172.16.6.200

Configuration
Method A: Create a static route on the upstream router
Method A is much simpler than Method B. Configure the router with a static route to 10.50.27.0/24 with a gateway of the SonicWALL's WAN IP address, 10.50.26.6. On a Cisco router, enter the following command in configuration mode:
router(config)# ip route 10.50.27.0 255.255.255.0 10.50.26.6
This static route tells the router to send all packets destined for the 10.50.27.0/24 network to the SonicWALL's WAN IP address. The router will not send ARP requests for the 10.50.27.0/24 network.

Method B: Configure a published ARP entry and create a static route on the SonicWALL
The second method is lengthier and involves configuring a published ARP entry and a static route on the SonicWALL. In addition, the upstream router must be configured to send ARP requests out the interface that is connected to the SonicWALL's X1 interface.

1. Create a published ARP entry from Network > ARP

Choose any IP address from the secondary IP range. In this example, the IP address 10.50.27.1 is used. Select X1 as the interface. When Published Entry is selected, the MAC Address field is automatically populated with the MAC Address of the selected interface, X1.

2. Create a static route to 10.50.27.0/24

Address Object for 10.50.27.0/24

Route Policy Syntax from Network > Routing

Configuring a published ARP entry and the static route will allow the SonicWALL to answer ARP requests destined for the 10.50.27.0/24 network. SonicWALL now sees the 10.50.27.0/24 network as directly connected to the X1 interface.

Note: To deploy Method B, the upstream router must be configured to send ARP requests for the 10.50.27.0/24 network out the Ethernet 0/0 interface. This interface is connected to the X1 interface of the SonicWALL. The Cisco router command is as follows:
router(config)#ip route 10.50.27.0 255.255.255.0 ethernet0/0

Create One-to-One NAT for the SMTP server:
The next step after using either Method A or B is to create a one-to-one NAT policy and access rule for the SMTP server. The SMTP server at 172.16.6.100 will be NATed to 10.50.27.100.

1. Create a public and a private address object for the SMTP server

2. Configure an Inbound NAT Policy under Network > NAT Policies

3. Create an Access Rule allowing inbound SMTP access

Troubleshooting
From a test PC on the Internet, run a simple telnet test by issuing the command telnet 10.50.27.100 25 from the command prompt. If the mail banner appears, then the connection is working. If a connection cannot be established, start the packet trace utility from System > Diagnostics. Enter the IP address of the test PC and run the telnet test again. There are 3 possible outcomes:

1. If packets are not received from the X1 interface, then there is likely a routing problem with the upstream router or beyond. Troubleshoot with the ISP.
2. If packets are received from the X1 interface but not sent out the X0 interface, check the NAT Policies and Access Rules.
3. If packets are received from the X1 interface and sent out the X0 interface, but return packets from the server are not received on the X0 interface, check the routing table on the server using route print from the command prompt. Also, check outbound NAT and Access Rules.

Hint: To further simplify the troubleshooting process, change the Service in the NAT Policy and Access Rule Policy to ANY.
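The telnet banner test described above, as an added Python example (not part of the SonicWALL technote): it separates a silent timeout from an actively refused connection before you move on to the packet trace. The function name and status labels are assumptions of this example; 10.50.27.100 is the NATed SMTP address used in this document.

```python
import socket


def check_smtp_banner(host, port=25, timeout=5.0):
    """Do what `telnet <host> 25` does by hand: connect and read the greeting.

    Returns (status, detail); status is "banner", "no_banner", "refused",
    "timeout" or "error" (labels are this example's own).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                return ("no_banner", "TCP connected, but no greeting arrived")
            lines = data.decode("ascii", "replace").splitlines()
            first = lines[0] if lines else ""
            # An SMTP server opens the session with a 220 reply line.
            if first.startswith("220"):
                return ("banner", first)
            return ("no_banner", first or "peer closed without a greeting")
    except ConnectionRefusedError:
        # Something answered with a reset, so packets are coming back.
        return ("refused", "connection refused on this port")
    except socket.timeout:
        # Nothing came back at all: continue with the packet trace.
        return ("timeout", "no reply within %.1f s" % timeout)
    except OSError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # 10.50.27.100 is the public address NATed to the SMTP server in this document.
    print(check_smtp_banner("10.50.27.100", 25))
```

A "timeout" result is the case where the packet trace outcomes above apply.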

Related Documents
For more information, refer to the following SonicWALL Technotes on www.sonicwall.com/support/documentation:

1. SonicOS Standard/Enhanced: Using the Secondary IP Gateway Feature
2. SonicOS Enhanced: Configuring the SonicWALL DHCP for GVC
3. Configuring the SonicWALL DHCP for GVC
4. Configuring Port Forwarding with the SonicWALL
5. Terminating the WAN GroupVPN and Using VPN Access in SonicOS Enhanced
6. Terminating the WAN GroupVPN to the LAN/DMZ using SonicOS Standard
7. Typical DMZ Setups with FTP, SMTP, and DNS Servers
8. Using the SonicOS Enhanced Wizard To Configure a Public Server
9. Common Issues with GVC
10. Network Browsing with IP Helper NetBIOS Relay
11. Creating One-to-One NAT Policies in SonicOS Enhanced
12. SonicOS Enhanced: Three Types of Network Modes

Document Last Updated: 11/06/06
