TechNote. Configuring SonicOS for Amazon VPC

N/A
N/A
Protected

Academic year: 2021

Share "TechNote. Configuring SonicOS for Amazon VPC"

Copied!
43
0
0

Loading.... (view fulltext now)

Full text

(1)

SonicOS

Configuring SonicOS for Amazon VPC P/N 232-001156-00 Rev C

Network Security

Configuring SonicOS for Amazon VPC

TechNote

Contents

Overview ... 1

System or Network Requirements / Prerequisites ... 3

Deployment Considerations ... 3

Configuring Amazon VPC with a Policy-Based VPN ... 4

Configuring Amazon VPC with a Dynamic Route-Based VPN ... 19

Configuring the VPC for Deployment in Elastic Compute Cloud ... 36

Glossary of Terms ... 43

Overview

This TechNote describes how to connect a Dell SonicWALL firewall to the Amazon Virtual Private Cloud (VPC) via a static policy-based VPN or dynamic route-based VPN.

SonicOS for Amazon VPC is a Network Security feature that enables network administrators to configure a Dell SonicWALL Security Appliance firewall in a VPC on Amazon Web Services (AWS), providing an easy-to-use cloud computing platform that is suitable for individuals and organizations of all sizes.

Two VPN types are supported by SonicOS, depending on the SonicOS release:

VPN Type Version of SonicOS

Static policy-based VPN

System or Network Requirements / Prerequisites

SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following versions of SonicOS:

• SonicOS 5.8.1.8 and higher

• SonicOS 5.9.0.0 and higher

• SonicOS 6.1.1.0 and higher

SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following Dell SonicWALL products running SonicOS 5.8 or 5.9:

• NSA 220 / 220W

• NSA 240

• NSA 2400

• NSA 250M / 250MW

• NSA 3500

• NSA 4500

• NSA 5000

• NSA E5500

• NSA E6500

• NSA E7500

• NSA E8500

• NSA E8510

• TZ 100 / 100 Wireless

• TZ 105 / 105 Wireless

• TZ 200 / 200 Wireless

• TZ 205 / 205 Wireless

• TZ 210 / 210 Wireless

• TZ 215 / 215 Wireless

SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following Dell SonicWALL products running SonicOS 6.1 or higher:

• NSA 2600

• NSA 3600

• NSA 4600

• NSA 5600

• NSA 6600

• SuperMassive 9200

• SuperMassive 9400

• SuperMassive 9600

Deployment Considerations

• No special license is needed, but you must have a current support contract for SonicOS 5.8.1.8.

• The SonicWALL firewall for Amazon VPC is not supported on the NSA 2400MX.

• The SonicWALL firewall for Amazon VPC does not support a secondary customer VPN gateway on a secondary WAN interface in the same VPC. VPNs are deployed on one interface only in a single VPC.

• The SonicWALL firewall for Amazon VPC cannot be deployed behind a NAT device. Amazon does not support NAT traversal.

Configuring Amazon VPC with a Policy-Based VPN

To configure a policy-based VPN between the Dell SonicWALL firewall and the Amazon Virtual Private Cloud (VPC), perform the following tasks:

• Amazon Web Services Configuration Tasks

1. Initializing the VPC

2. Creating the Subnet

3. Creating the Virtual Private Gateway

4. Attaching the Virtual Private Gateway to the VPC

5. Creating a Customer Gateway

• SonicOS Configuration Tasks

1. Configuring the Tunnel Interface VPN Policy

2. Configuring a Static Route

Amazon Web Services Configuration Tasks

To create a Virtual Private Cloud on Amazon Web Services (AWS), perform the tasks in this section on the AWS portal:

Initializing the VPC

2. Go to Services > VPC.

3. In the left column, click Your VPCs.

4. Click the Create VPC button.

5. In the CIDR Block: box, enter the network IP address. For example, enter 10.0.0.0/16.

Creating the Subnet

7. In the left column, click Subnets.

8. Click the Create Subnet button.

9. In the CIDR Block: box, enter the subnet IP address. For example, enter 10.0.1.0/24.

Creating the Virtual Private Gateway

11. In the left column, click Virtual Private Gateways.

Attaching the Virtual Private Gateway to the VPC

14. Select the Virtual Private Gateway you just created.

15. Click the Attach to VPC button.

16. Select the VPC you created.

Creating a Customer Gateway

18. In the left column, click Customer Gateways.

19. Click the Create Customer Gateway button.

20. In the Routing box, select Static.

21. In the IP Address box, enter the WAN IP address of the SonicWALL appliance. For example, enter 192.0.2.1.

To create a VPN:

23. In the left column, click Route Tables.

24. Select the appropriate Route Table.

25. In the second row of the Route Table, in the Destination column, enter 0.0.0.0/0 in the box.

26. Click the Add button.

27. In the left column, click VPN Connections.

29. In the Virtual Private Gateway list, select the appropriate Virtual Private Gateway.

30. In the Customer Gateway list, select the appropriate Customer Gateway.

31. Select the Use static routing option.

32. In the IP Prefix box, enter the prefix of the interface on the protected subnet of the SonicWALL appliance. For example, 192.168.0.0/16.

33. Click the Yes, Create button.

34. Click the Static Routes tab to add more subnets.

36. Select the appropriate VPN connection.

37. Click Download Configuration.

38. In the Vendor list, select Generic.

39. In the Platform list, select Generic.

40. In the Software list, select Vendor Agnostic.

41. Click the Yes, Download button.

42. Save the text file to your PC.

SonicOS Configuration Tasks

To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway.

Configuring the Tunnel Interface VPN Policy

To configure a tunnel interface VPN policy:

1. In the SonicOS management interface on your Dell SonicWALL appliance, go to VPN > Settings.

3. Click the General tab.

4. In the Policy Type list, select Tunnel Interface.

5. In the Authentication Method list, select IKE using Preshared Secret.

6. In the Name box, type the name of your policy.

7. In the IPsec Primary Gateway Name or Address box, enter the matching identity address from the text file that you downloaded from AWS. The matching identity address is the IP address of the Amazon Virtual Gateway.

9. Click the Proposals tab.

10. In the Exchange list, select Main Mode.

11. In the DH Group list, select the value that matches the group value from the AWS text file. For example, Group 2.

12. In the Encryption list, select the value that matches the encryption value from the AWS text file. For example, AES-128.

13. In the Authentication list, select the value that matches the authentication value from the AWS text file. For example, SHA1.

15. Click the Advanced tab.

16. Select the Enable Keep Alive option (box should be checked).

17. In the VPN Policy bound to list, select the appropriate interface (the WAN interface on the SonicWALL Security Appliance). For example, Interface X1.

Configuring a Static Route

To configure a static route:

19. In the SonicOS management interface on your Dell SonicWALL appliance, go to Network > Routing.

20. Under Route Policies, click the Add button.

21. In the Source list, select Any.

22. In the Destination list, select the appropriate subnet. For example, 10.30.1.0.

(This is the protected subnet on the AWS VPC. If it does not appear in the list, you must first create it. See “To create a Subnet:” in the Configuring the AWS VPC section.)

23. In the Service list, select Any.

24. In the Gateway list, select Default Gateway.

25. In the Interface list, select the name of your VPN policy.

26. Select the Auto-add Access Rules option.

Configuring Amazon VPC with a Dynamic Route-Based VPN

To configure a dynamic route-based VPN between the Dell SonicWALL Firewall and the Amazon Virtual Private Cloud (VPC), perform the following tasks:

• Amazon Web Services Configuration Tasks

1. Initializing the VPC

2. Creating the Subnet

3. Creating the Virtual Private Gateway

4. Attaching the Virtual Private Gateway to the VPC

5. Creating a Customer Gateway

• SonicOS Configuration Tasks

1. Configuring the Tunnel Interface VPN Policy

2. Configure Routing

Amazon Web Services Configuration Tasks

To create a Virtual Private Cloud on Amazon Web Services (AWS), perform the tasks in this section on the AWS portal:

Initializing the VPC

2. Go to Services > VPC.

3. In the left column, click Your VPCs.

4. Click the Create VPC button.

5. In the CIDR Block: box, enter the network IP address. For example, enter 10.0.0.0/16.

Creating the Subnet

7. In the left column, click Subnets.

8. Click the Create Subnet button.

9. In the CIDR Block: box, enter the subnet IP address. For example, enter 10.0.1.0/24.

Creating the Virtual Private Gateway

11. In the left column, click Virtual Private Gateways.

Attaching the Virtual Private Gateway to the VPC

14. Select the Virtual Private Gateway you just created.

15. Click the Attach to VPC button.

16. Select the VPC you created.

Creating a Customer Gateway

18. In the left column, click Customer Gateways.

19. Click the Create Customer Gateway button.

20. In the Routing box, select Dynamic.

21. In the BGP ASN text field, enter your BGP ASN.

22. In the IP Address box, enter the WAN IP address of the SonicWALL appliance. For example, enter 192.0.2.1.

To create a VPN:

24. In the left column, click Route Tables.

25. Select the appropriate Route Table.

26. In the second row of the Route Table, in the Destination column, enter 0.0.0.0/0 in the box.

27. Click the Add button.

28. In the left column, click VPN Connections.

30. In the Virtual Private Gateway list, select the appropriate Virtual Private Gateway.

31. In the Customer Gateway list, select the appropriate Customer Gateway.

32. In the IP Prefix box, enter the prefix of the interface on the protected subnet of the SonicWALL appliance. For example, 192.168.0.0/16.

33. Click the Dynamic Routes tab to add more subnets.

35. Select the appropriate VPN connection.

36. Click Download Configuration.

37. In the Vendor list, select Generic.

38. In the Platform list, select Generic.

39. In the Software list, select Vendor Agnostic.

40. Click the Yes, Download button.

41. Save the text file to your PC.

SonicOS Configuration Tasks

To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway.

Note: For each dynamic route-based VPN connection, Amazon VPC requires the customer gateway to configure two route-based VPN tunnels. The SonicWALL appliance therefore needs two Tunnel Interface VPN policies and two tunnel interfaces, each with its own BGP configuration.

Configuring the Tunnel Interface VPN Policy

To configure a tunnel interface VPN policy:

1. In the SonicOS management interface on your Dell SonicWALL appliance, go to VPN > Settings.

3. Click the General tab.

4. In the Policy Type list, select Tunnel Interface.

5. In the Authentication Method list, select IKE using Preshared Secret.

6. In the Name box, type the name of your policy.

7. In the IPsec Primary Gateway Name or Address box, enter the matching identity address from the text file that you downloaded from AWS. The matching identity address is the IP address of the Amazon Virtual Gateway.

9. Click the Proposals tab.

10. In the Exchange list, select Main Mode.

11. In the DH Group list, select the value that matches the group value from the AWS text file. For example, Group 2.

12. In the Encryption list, select the value that matches the encryption value from the AWS text file. For example, AES-128.

13. In the Authentication list, select the value that matches the authentication value from the AWS text file. For example, SHA1.

15. Click the Advanced tab.

16. Select the Enable Keep Alive option (box should be checked).

17. In the VPN Policy bound to list, select the appropriate interface (the WAN interface on the SonicWALL Security Appliance). For example, Interface X1.

Configure Routing

19. In the SonicOS management interface, navigate to the Network > Interfaces page.

20. Click the Add Interface drop-down menu, then select Tunnel Interface.

21. In the General tab, select the following options: Zone – VPN

23. Navigate to the Network > Routing page.

24. In the Routing Mode drop-down menu, select Advanced Routing.

25. In the BGP drop-down menu, select Enable (configure with CLI).

26. Log in to the Dell SonicWALL firewall console command line interface (CLI).

27. Perform the following:

• Execute the conf command to enter the configuration mode.

• Execute the routing command to enter the routing configuration mode.

• Execute the bgp command to enter the bgp configuration mode.

• Execute the following commands:

    router bgp 65011
    network 192.168.168.0/24
    neighbor 169.254.253.5 remote-as 7224
    neighbor 169.254.253.5 timers 10 30
    neighbor 169.254.253.5 default-originate
    neighbor 169.254.253.5 soft-reconfiguration inbound
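Both VPN variants have you read the Amazon Virtual Gateway address, DH group, encryption and authentication values out of the text file downloaded from AWS (steps 7 and 11 to 13), and the dynamic variant then has you type the BGP neighbor commands above at the CLI, once per tunnel. The Python script below is an added example, not part of this TechNote or of SonicWALL's software: it parses a constructed sample written in the shape of the AWS "Generic / Vendor Agnostic" file (an assumption; a real download may word or space its lines differently), derives the SonicOS policy values and the per-neighbor BGP commands for both tunnels, and checks the deployment consideration that the firewall must not sit behind NAT. The policy names, the sample addresses and the pre-shared key placeholders are all invented for the example.

```python
import re

# Constructed sample in the shape of the AWS "Generic / Vendor Agnostic" file.
# Assumption: a real download may word or space its lines differently, so check
# the regular expressions below against your own file. Public addresses are
# documentation ranges and the pre-shared keys are placeholders.
TUNNEL_TEMPLATE = """\
! IPSec Tunnel #{n}
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : PLACEHOLDER_PSK_TUNNEL_{n}
!   - Authentication Algorithm : sha1
!   - Encryption Algorithm     : aes-128-cbc
!   - Phase 1 Negotiation Mode : main
!   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! Outside IP Addresses:
!   - Customer Gateway         : 192.0.2.1
!   - Virtual Private Gateway  : {vgw}
! #3: Tunnel Interface Configuration
!   - Customer Gateway         : {inside_cgw}
!   - Virtual Private Gateway  : {inside_vgw}
! #4: Border Gateway Protocol (BGP) Configuration
!   - Customer Gateway ASN        : 65011
!   - Virtual Private Gateway ASN : 7224
!   - Neighbor IP Address         : {neighbor}
!   - Neighbor Hold Time          : 30
"""
SAMPLE_AWS_CONFIG = "! Amazon Web Services - Virtual Private Cloud\n" + TUNNEL_TEMPLATE.format(
    n=1, vgw="203.0.113.10", inside_cgw="169.254.253.6/30", inside_vgw="169.254.253.5/30",
    neighbor="169.254.253.5") + TUNNEL_TEMPLATE.format(
    n=2, vgw="203.0.113.11", inside_cgw="169.254.253.10/30", inside_vgw="169.254.253.9/30",
    neighbor="169.254.253.9")

TUNNEL_RE = re.compile(r"^! IPSec Tunnel #(\d+)\s*$", re.M)
SECTION_RE = re.compile(r"^!\s*(?:#\d+:\s*)?([A-Za-z][^:\n]*?):?\s*$")
KV_RE = re.compile(r"^!\s*-\s*([^:]+?)\s*:\s*(.+?)\s*$")
# AWS algorithm names mapped onto the labels of the SonicOS Proposals tab.
ENCRYPTION = {"aes-128-cbc": "AES-128", "aes-256-cbc": "AES-256", "3des-cbc": "3DES"}
AUTHENTICATION = {"sha1": "SHA1", "sha256": "SHA256", "md5": "MD5"}

def parse_aws_config(text):
    """Return {tunnel_number: {section_title: {key: value}}} for each IPSec tunnel."""
    tunnels, heads = {}, list(TUNNEL_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        sections, current = {}, None
        for line in text[head.end():end].splitlines():
            kv = KV_RE.match(line)
            if kv and current is not None:
                sections[current][kv.group(1)] = kv.group(2)
                continue
            sec = SECTION_RE.match(line)
            if sec:
                current = sec.group(1)
                sections.setdefault(current, {})
        tunnels[int(head.group(1))] = sections
    return tunnels

def sonicos_policy(tunnel_no, sections):
    """Map one parsed tunnel onto the SonicOS Tunnel Interface policy fields and its BGP peer."""
    ike = sections["Internet Key Exchange Configuration"]
    outside = sections["Outside IP Addresses"]
    bgp = sections.get("Border Gateway Protocol (BGP) Configuration", {})
    group = re.search(r"Group\s+(\d+)", ike["Perfect Forward Secrecy"]).group(1)
    return {
        "name": f"AWS-VPC-Tunnel-{tunnel_no}",            # hypothetical policy name
        "customer_gateway": outside["Customer Gateway"],  # must be the firewall's WAN address
        "primary_gateway": outside["Virtual Private Gateway"],  # IPsec Primary Gateway Name or Address
        "exchange": "Main Mode" if ike["Phase 1 Negotiation Mode"].lower() == "main" else "Aggressive Mode",
        "dh_group": f"Group {group}",
        "encryption": ENCRYPTION[ike["Encryption Algorithm"].lower()],
        "authentication": AUTHENTICATION[ike["Authentication Algorithm"].lower()],
        "local_asn": int(bgp["Customer Gateway ASN"]) if bgp else None,
        "peer_asn": int(bgp["Virtual Private Gateway ASN"]) if bgp else None,
        "neighbor": bgp.get("Neighbor IP Address"),
        "hold_time": int(bgp["Neighbor Hold Time"]) if bgp else None,
    }

def bgp_cli(policy, advertised_network):
    """Render the BGP commands the TechNote types at the SonicOS CLI for one neighbor
    (keepalive is one third of the hold time given in the file, so 30 becomes 10 30)."""
    n, hold = policy["neighbor"], policy["hold_time"]
    return [
        f"router bgp {policy['local_asn']}",
        f"network {advertised_network}",
        f"neighbor {n} remote-as {policy['peer_asn']}",
        f"neighbor {n} timers {hold // 3} {hold}",
        f"neighbor {n} default-originate",
        f"neighbor {n} soft-reconfiguration inbound",
    ]

def check_no_nat(policies, wan_ip):
    """Amazon does not support NAT traversal: list the tunnels whose Customer Gateway
    address is not the firewall's own WAN address."""
    return [p["name"] for p in policies if p["customer_gateway"] != wan_ip]

if __name__ == "__main__":
    policies = [sonicos_policy(n, s) for n, s in sorted(parse_aws_config(SAMPLE_AWS_CONFIG).items())]
    for p in policies:  # VPC hands out two tunnels, so two policies with separate BGP peers
        print(p["name"], p["primary_gateway"], p["exchange"], p["dh_group"], p["encryption"], p["authentication"])
        print("\n".join(bgp_cli(p, "192.168.168.0/24")))
    print("tunnels not matching the WAN address:", check_no_nat(policies, "192.0.2.1"))
```

Run as a script to see one policy block and one set of CLI lines per tunnel; for a real download, replace SAMPLE_AWS_CONFIG with the file contents and pass the appliance's actual WAN address to check_no_nat, since a mismatch there means the tunnel will never establish.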

28. After the firewall learns the route from the Amazon VPC, navigate to the Firewall > Access Rules page in the SonicOS management interface.

29. Add the following firewall rule:

Configuring the VPC for Deployment in Elastic Compute Cloud

This section provides the steps for creating the VPC instance and deploying the VPC on an AWS virtual server for Elastic Compute Cloud (EC2).

To configure your EC2 settings:

1. Go to Services > EC2.

3. Click Launch Instance.

5. Under the Quick Start tab, choose one of the Amazon Machine Images (AMIs) and click Select. (Select whichever system you like from the list of AMIs. For example, Amazon Linux AMI.)

The Request Instances Wizard dialog appears.

6. In the Number of Instances box, enter the number of instances you want.

7. In the Instance Type list, select Medium.

9. Select the VPC option.

10. In the Subnet list, select the appropriate subnet.

11. Click the Continue button.

12. In the IP Address box, enter the IP address of your VPC instance. For example, if the subnet IP address is 10.0.1.0/24, the IP address for the VPC instance could be 10.0.1.7.

13. Click the Continue button.

Note: A metadata tag consists of a case-sensitive key/value pair, which is used to simplify the administration of your EC2 infrastructure.

15. In the Key Name box, enter a key name for the key/value pair tag.

16. In the Value box, enter a value for the key/value pair tag.

17. Click the Continue button.

18. In the Name box, enter a name for your key pair.

19. Click Create & Download your key pair.

20. Click the Continue button.

22. Select the Choose one or more of your existing Security Groups option.

25. Click the Launch button.

26. Click the Close button.

27. Go to Services > VPC.

28. In the left column, click Security Groups.

29. In the lower pane, click the Inbound tab to configure an inbound rule.

To configure an inbound rule:

Glossary of Terms

The following abbreviations are used in this document:

• AWS – Amazon Web Services

• EC2 – Elastic Compute Cloud

• VPC – Virtual Private Cloud
