I have a new client that is having trouble with their network setup. They were running with a 1721 router as their only device connecting them to the Internet and things worked fine. They decided they needed a firewall, so they bought a SonicWall and put it between the 1721 and the LAN. Once they did this they needed to port forward some traffic to the LAN. This is where they found they are double NATting their traffic. Setup:
Internet --> 1721 (external IP is dynamic from ISP, internal 10.0.0.1/24) --> FW (external 10.0.0.10/24, internal 192.168.0.1/24) --> LAN (192.168.0.0/24)
FW is set as the gateway for network PCs. Because they have no static external IPs they are having to double NAT. NAT on FW from 192.168.0.x -> 10.0.0.10 and then NAT on the 1721 10.0.0.10 -> dynamically assigned external interface IP.
I cannot figure out a way to only NAT on one device. They want to NAT on the FW, but then they are trying to pass 10.0.0.0/24 traffic out to the world, which won't work; and if we only NAT on the 1721 I can't figure out how to get traffic to the router from the firewall over the 10.0.0.0/24 network connecting them. Doing a double NAT allows traffic to pass, but I'm not sure how I can configure port forwarding for some of the internal PCs. I've never set up a network that did not have external static IPs available. All help is greatly appreciated.
So disable NAT on the FW and just keep the NAT on the router. Traffic would pass through the FW as 192.168.0.x and then get NAT'd to the dynamic external IP. Then, to get traffic back to the LAN, I would add this to the router?
ip route 192.168.0.0 255.255.255.0 10.0.0.10
In order to allow port forwarding for LAN PCs would I use the following on the router (for PC at 192.168.0.5)?
ip nat inside source static tcp 192.168.0.5 <port> interface Dialer1 <port>
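The single-NAT layout asked about above, as an added worked configuration for the 1721 that is not part of the thread. It assumes the router's LAN-side interface is FastEthernet0 (the thread only names Dialer1), that the SonicWall is running in routed mode with NAT disabled and its default route pointing at 10.0.0.1, and it uses TCP 80 to 192.168.0.5 as a constructed example of a forwarded port:

```cisco
! Added example, not from the thread. Assumed: FastEthernet0 is the LAN-side
! interface, Dialer1 is the ISP-facing interface (named in the thread),
! forwarded port TCP 80 is a constructed sample value.
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! Reach the LAN behind the firewall via the FW's outside address
! (subnet mask, not a wildcard mask, on ip route)
ip route 192.168.0.0 255.255.255.0 10.0.0.10
!
! Only the LAN and the transit network get translated; listing them
! explicitly keeps anything else from being hidden behind the public IP
ip access-list standard NAT-INSIDE
 permit 192.168.0.0 0.0.0.255
 permit 10.0.0.0 0.0.0.255
!
! Overload (PAT) onto whatever address Dialer1 currently holds
ip nat inside source list NAT-INSIDE interface Dialer1 overload
!
! Port forward: inbound TCP 80 on the dynamic external address -> 192.168.0.5
ip nat inside source static tcp 192.168.0.5 80 interface Dialer1 80
```

With the firewall doing no translation, the router sees the real 192.168.0.x source addresses, so the static route is what makes return traffic work, and the SonicWall's rulebase is still the place to restrict which inbound ports reach 192.168.0.5; only publish the ports that are actually needed. Check the result on the router with `show ip nat translations` and `show ip route 192.168.0.0`.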
Personally I also prefer to do the NAT on the firewall, but unless you can get an IP subnet from the ISP, e.g. a /29, to use between the router and the FW, you are limited in what you can do.