SA 540 routable ip on inside interface

Unanswered Question
Feb 24th, 2010

I have a client who recently purchased an SA 540 to replace an old Sonicwall; they had a vpn connection with a medical software company on the old device. The software company says the inside interface of the vpn needs to be a routable (outside ip) as opposed to the usual inside being a private address. My understanding is that the inside address of my side of the vpn would be an outside address that would then be natted to the server. A friend of mine who is very experienced with Cisco says this can be done on the ASA devices, as he has had to do it with several financial companies' vpns to his company, but he is not sure about the SA 540 as he has never seen one. Does anyone know if this can be done on SA boxes and, if so, how to configure it?



Federico Coto F... Thu, 02/25/2010 - 12:11


You can assign a public IP address to the SA's inside interface as well as the ASA's inside interface.

You can also NAT on both units.

What exactly is going to be the purpose of having the inside address a routable address?


chabomb24 Thu, 02/25/2010 - 12:26

This is a requirement from the medical software company; I think they got tired of dealing with a bunch of internal ips being the same from all of their clients. Anyway, they require the vpn to look like it's coming from a routable ip on the internal side, which is not how I have always done it.

Usually the vpn gateway is the external ip and the internal lan is some private ip like 192.168.x.x, but he is saying the inside has to be one of our outside ip addresses for the vpn. So if my wan interface is 201.100.25.x and my internal is usually 10.0.0.x, and the internal server is really on a 10.0.0.x address, how can I configure the vpn to show the internal lan to be 201.100.25.x when it is not really that and still get it to the server? The medical company said that we could even use a fake address as it is not being used for anything but the vpn, and they would input the address on their side; I think they have a Cisco concentrator.

I hope this makes sense as it is confusing to me.

Federico Coto F... Thu, 02/25/2010 - 12:31

It sounds like they want to communicate with your side via the VPN, but to public IP addresses.

If this is the case, it is not necessary to have the inside configured with public IP addresses. You can just NAT the VPN traffic, so that when the traffic reaches their end, it goes with the routable IP that they need.

In other words, they will think they are talking to a public IP via the VPN, while you're just performing NAT on the appropriate devices that will go through the tunnel.

Makes sense?
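Federico's approach (translate only the tunnelled traffic instead of readdressing the LAN), shown on an ASA as an added illustration; it is not from this thread and not an SA 540 configuration (the SA 540 is set up through its web GUI, but the same idea applies). It assumes the real server is 10.0.0.10, the routable address presented to the partner is 201.100.25.10 (taken from the ranges quoted above), and the partner's network is 192.0.2.0/24, a constructed placeholder for their actual range.

```cisco
! ASA 8.2 syntax. Only the server's traffic to the partner is translated;
! the rest of 10.0.0.0/24 keeps its normal PAT rules.
!
! Flow to translate: the real server talking to the partner's network.
access-list VPN_POLICY_NAT extended permit ip host 10.0.0.10 192.0.2.0 255.255.255.0
!
! Policy static NAT: 10.0.0.10 shows up as 201.100.25.10 only when the
! destination matches VPN_POLICY_NAT. Static NAT is bidirectional, so the
! partner's replies to 201.100.25.10 are untranslated back to 10.0.0.10.
static (inside,outside) 201.100.25.10 access-list VPN_POLICY_NAT
!
! Check: no 'nat (inside) 0 access-list ...' exemption may match this flow.
! In 8.2 NAT exemption is evaluated before static NAT and would leave the
! traffic untranslated, so the partner would see 10.0.0.10 and drop it.
!
! The crypto ACL (interesting traffic) must use the MAPPED address, because
! NAT is applied before the packet is matched against the crypto map.
access-list VPN_CRYPTO extended permit ip host 201.100.25.10 192.0.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_CRYPTO
! (peer, transform set, ISAKMP and tunnel-group settings are unchanged)
!
! Partner side: their proxy identity for our end must be 201.100.25.10/32,
! not 10.0.0.10, or Phase 2 will fail with a proxy-ID mismatch.
!
! ASA 8.3 and later: the same translation expressed as twice NAT.
object network SERVER_REAL
 host 10.0.0.10
object network SERVER_MAPPED
 host 201.100.25.10
object network PARTNER_NET
 subnet 192.0.2.0 255.255.255.0
nat (inside,outside) source static SERVER_REAL SERVER_MAPPED destination static PARTNER_NET PARTNER_NET
```

To verify, clear the tunnel and check `show crypto ipsec sa` for the 201.100.25.10/32 to 192.0.2.0/24 proxy pair and `show xlate` for the 10.0.0.10 to 201.100.25.10 entry.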


