Solved

SonicWall SOHO3 one-to-one NAT configuration

Posted on 2004-09-28
Last Modified: 2010-05-18
My company's LAN has a SonicWall SOHO3 that serves as a NAT/Firewall/VPN appliance. There is a web server behind it running Windows 2000 Server / IIS 5 for a custom ASP application (live site). The previous IT person had a Redhat 9 server running as webserver, FTP server, and mail server outside the firewall. I would like that LINUX box to be inside the firewall for obvious reasons. This LINUX box HAS TO RUN the apache web server ! There are perl scripts written exclusively for linux and they will not run on Windows. This is also a live server and can not be taken down for too long. It has been relying on the Linux firewall for protection until now.

We have a T1 line with multiple IP addresses and I wanted to implement One-to-One NAT so that if the request was for IP 206.111.111.5 (example) then SonicWall would do port forwarding to multiple LAN PCs including the port 80 request for HTTP to the Windows 2000 server, FTP requests to come to my workstation etc..., if the request was for IP 206.111.111.8 (example) it would forward all requests, HTTP, FTP, SMTP, POP to the LINUX server.

Is this a working solution? Has anyone implemented it? Any other solutions?
Question by:Brainstormer
7 Comments
 
LVL 5

Accepted Solution

by:
idyllicsys earned 500 total points
ID: 12204825
Very easy. Create the appropriate rules on the SOHO3 to forward the traffic to the private IP of the Linux box after you move it. Then turn on one-to-one NAT and set the Public IP to 206.111.111.8 and the private IP to whatever you set the new inside IP to (same as in the rules, ex. 10.0.0.2) and set the range to one.

That's it
 
LVL 6

Author Comment

by:Brainstormer
ID: 12220629
I was hoping someone had implemented this successfully using One-To-One NAT. I know the procedure to put the server behind the firewall. I guess I will bring a spare PC and test that first with a different public IP address; if that works, great, I will move the live server.

A question I came up with is: Is One-To-One NAT a DMZ form (for many PCs) or does the SonicWall provide any protection????? Logic suggests this is a DMZ :-(

Are there any alternatives?
 
LVL 5

Assisted Solution

by:idyllicsys
idyllicsys earned 500 total points
ID: 12307748
I have used One to One NAT many times. In the SonicWall configuration, it only maps the Public IP to the Private IP. You still need to setup the specific rules to access the services you want to expose.
 
LVL 6

Author Comment

by:Brainstormer
ID: 12346694
My company is changing ISP. The whole IP block will change with it. I will report my success/failure once I perform the transition. This is a great opportunity/risk to try this.
 
LVL 6

Author Comment

by:Brainstormer
ID: 12474649
I still have not figured out how to split the webserver issue.

Server A - Windows 2000, IIS running an ASP app on port 80 - public IP #1 using port forwarding from SonicWall. This IP is used for all NAT PCs behind the firewall.
Server B - Linux, Apache running HTML/Perl scripts on port 80 - public IP #2 using 1-to-1 NAT.

I can access Server 2 from the internet if HTTP is served in any port other than 80. Port forwarding 80 only works for the 1st entry, which is Server A.

I want:

if IP #1 or domain_aaa_.com -> Server A
if IP #2 or domain_bbb_.com -> Server B

when both servers are behind SonicWall SOHO3.

I am thinking about deploying a Reverse Proxy server (apache or squid) in the linux box (Server B) at port 80 which will forward all HTTP requests to:

Server A, port 80 if for domain example_aaa_.com
Server B, port 8080 if domain is example_bb_.com

Any suggestions are welcome at this point. The reverse proxy is a last resort as ASP and Perl do not cache well and I don't think they work properly with a reverse proxy server.
 
LVL 6

Author Comment

by:Brainstormer
ID: 12618021
Well, this is my solution to this. It's not perfect, but it works.

Move the linux server behind the firewall.
Modify internet DNS to point both websites to same IP
Forward all HTTP traffic from that external IP port 80 to the LINUX server
Run SQUID as a reverse proxy on port 80. Modify the internal DNS or /etc/hosts file so squid redirects information based on domain header in HTTP request.

If domain_aaa_.com -> Server A:8000 (Windows 2000, IIS)
If domain_bbb_.com -> Server B:8000 (linux, apache)

implement port forwarding for other services based on requirements.

Reverse Proxy Servers considered for the job:

SQUID - it works, but it cannot be customized. All HTTP servers need to listen on the same port
APACHE - does not support domain forwarding
POUND - it was very customizable, but I had problems with the process PID and killing the process.


Problems so far: 1

I am no longer able to access my email via SquirrelMail webmail. SquirrelMail sits in the Linux server and accesses email via IMAP. This is a problem when the webmail is accessed from remote PCs that have no direct access to port 8000. All traffic is routed through the squid reverse proxy on port 80.

All works and I can access the webmail if I log in locally and access the webmail via a browser on the Linux server. This is true for both port 80 and 8000.

I suspect this is a SQUID ACL problem. Does anyone have experience configuring squid as reverse proxy to allow Safe_Ports? I can post the squid.conf file if necessary.


PS: so far no one has offered a good alternative solution, the points are still available for grabs.

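The Host-header routing the author describes (one public port 80 in front of two backends on port 8000, chosen by domain) can be written as a Squid accelerator configuration. The block below is an added example, not the poster's squid.conf and not text from the Squid project; it assumes Squid 2.6 or later syntax (`http_port ... accel vhost`, `cache_peer ... originserver`) and uses 10.0.0.2 and 10.0.0.3 as placeholder private addresses for Server A and Server B.

```conf
# Added example (assumed Squid 2.6+ syntax; 10.0.0.x addresses are placeholders).
# Squid listens on the forwarded public port and picks a backend by Host header.

# Accelerator mode on port 80; "vhost" makes Squid take the origin from the
# request's Host header rather than from one fixed default site.
http_port 80 accel vhost

# The two origin servers behind the SonicWall, each listening on port 8000.
# "originserver" tells Squid they are web servers, not upstream proxies;
# "no-query" disables ICP, which a reverse proxy does not need.
cache_peer 10.0.0.2 parent 8000 0 no-query originserver name=serverA
cache_peer 10.0.0.3 parent 8000 0 no-query originserver name=serverB

# Name-based mapping of published sites to backends.
acl sites_aaa dstdomain domain_aaa_.com www.domain_aaa_.com
acl sites_bbb dstdomain domain_bbb_.com www.domain_bbb_.com

# Pin each site to its own backend; the trailing "deny all" lines stop a
# request for one domain from ever being sent to the other server.
cache_peer_access serverA allow sites_aaa
cache_peer_access serverA deny all
cache_peer_access serverB allow sites_bbb
cache_peer_access serverB deny all

# Forward only the two published hostnames and refuse everything else, so the
# proxy cannot be used to reach arbitrary hosts or ports on the inside.
# (Squid before 3.2 does not predefine "all"; add "acl all src all" there.)
http_access allow sites_aaa
http_access allow sites_bbb
http_access deny all

# Always go through a cache_peer, never directly to a host named in the request.
never_direct allow all

# Dynamic ASP/Perl pages should not be served from cache.
cache deny all
```

Two checks worth making against a config like this: `http_access` rules are evaluated top to bottom with first match winning, so the stock `http_access deny !Safe_ports` and `deny CONNECT !SSL_ports` lines must stay above the site allows (they test the port in the request URL, which is 80 for a browser reaching the proxy, so they do not by themselves block a backend on 8000), and any `Location:` header a backend sends with its own `:8000` port will send the remote browser to a port the firewall does not forward, which is the symptom to look for when a webmail login works locally but not from outside.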
 
LVL 6

Author Comment

by:Brainstormer
ID: 12952112
Seems like even my temp solution did not work. SonicWall does not have the capabilities I am looking for. I finally settled on this setup:

All PCs with ServerA behind SonicWall using 1 external static IP and port forwarding
Linux Server running Iptables behind a simple Linksys router using 1 external static IP and port forwarding

I will close this question. Thank you all for participating.