Support
Community

Thanks for getting back to me.  I had seen that post about setting up nat-t for the sonicwall.  After talking about it yesterday, what I need to do it policy based routing to a Cymphonix across the VPN tunnel.  So the VPN tunnel is now looking for HTTP/HTTPS traffic going specifically to that host.  There is a default route to the Comcast public IP with a track so that it will fail to the OSPF default route in the event that Comcast goes out.  I seem to be getting close to what I need, but the ping to 4.2.2.3 is not currently working over the Comcast route.  Any advice would be appreciated!  My current config is:

!

probe isComcastUp icmp-echo

  destination 4.2.2.3

  source-address 172.X.X.X

  period 5

  tolerance consecutive fail 4 pass 2

  no shutdown

!

track "ifComcastUp"

  snmp trap state-change

  test if probe isComcastUp

  no shutdown

!

!

!

ip crypto

!

crypto ike policy 16

  initiate main

  respond anymode

  local-id address 75.X.X.X

  nat-traversal v1 disable

  nat-traversal v2 force

  peer 67.X.X.X

  attribute 16

    encryption aes-128-cbc

    authentication pre-share

    group 2

    lifetime 86400

!

crypto ike remote-id address 67.X.X.X preshared-key SUPER_SECURE_PW ike-policy 16 crypto map vpn-set 16 nat-t v1 disable nat-t v2 force

!

crypto ipsec transform-set TS-16 esp-aes-128-cbc esp-sha-hmac

  mode tunnel

!

crypto map vpn-set 16 ipsec-ike

  match address VPN-Selector16

  set peer 67.X.X.X

  set transform-set TS-16

  set pfs group2

!

!

!

interface switchport 0/24

  no shutdown

  switchport access vlan 75

!

!

interface vlan 1

  ip address  172.X.X.X  255.255.255.0

  ip ffe

  ip access-policy Private

  ip route-cache express

  no shutdown

!

interface vlan 75

  ip address  75.X.X.X  255.255.255.248

  ip ffe

  ip mtu 1500

  ip access-policy Public

  crypto map vpn-set

  no rtp quality-monitoring

  no awcp

  no ip route-cache express

  no shutdown

!

!

!

router ospf

  network 172.X.X.X 0.0.0.255 area 0

!

!

!

ip access-list extended nat-acl

  remark NAT Outbound

  permit ip any  any

!

ip access-list extended private-acl

  permit ip any  any

!

ip access-list extended protect-wan-acl

  remark Allow ICMP and Admin Access

  permit icmp any  host 75.X.X.X

  permit tcp 67.X.X.X 0.0.0.31  host 75.X.X.X eq ssh

  permit tcp 67.X.X.X 0.0.0.31  host 75.X.X.X eq https

!

ip access-list extended self

  permit ip any  any     log

!

ip access-list extended VPN-Selector16

  remark Encrypt Web traffic to Colo NSA-240

  permit tcp any  host 172.X.X.X eq www

  permit tcp any  host 172.X.X.X eq https

  deny   tcp any  any eq www

  deny   tcp any  any eq https

!

!

!

ip policy-class Private

  allow list self self

  allow list private-acl policy Private stateless

  allow list tunnel-acl policy Tunnel stateless

  allow list VPN-Selector16 stateless

  nat source list nat-acl interface vlan 75 overload

!

no ip policy-class Public rpf-check

!

ip policy-class Public

  allow list protect-wan-acl

  allow list VPN-Selector16

  allow reverse list VPN-Selector16

!

!

ip route 0.0.0.0 0.0.0.0 75.X.X.X 15 track ifComcastUp

ip route 4.2.2.3 255.255.255.255 75.X.X.X 10

Don't know how I missed that.  Thank you again!  In my haste, I was copying/modifying in notepad and then uploading to the router.

I have nothing to add for the moment, since currently I'm waiting to hear back from Cymphonix on how to use their box as a web proxy.  I've been told it can be done, but I see no options on the web manager to enable it.

Since I have nothing else to do, and feel fairly confident that the policy based routing for the VPN should be all that I need to get going for this, I'm going to mark your answer as correct.  Thanks again for the help!