SonicWall SOHO3 one-to-one NAT configuration

My company's LAN has a SonicWall SOHO3 that serves as a NAT/Firewall/VPN appliance. There is a web server behind it running Windows 2000 Server / IIS 5 for a custom ASP application (live site). The previous IT person had a Redhat 9 server running as webserver, FTP server, and mail server outside the firewall. I would like that LINUX box to be inside the firewall for obvious reasons. This LINUX box HAS TO RUN the Apache web server! There are Perl scripts written exclusively for Linux and they will not run on Windows. This is also a live server and cannot be taken down for too long. It has been relying on the Linux firewall for protection until now.

We have a T1 line with multiple IP addresses and I wanted to implement One-to-One NAT so that if the request was for IP 206.111.111.5 (example), SonicWall would do port forwarding to multiple LAN PCs, including the port 80 request for HTTP to the Windows 2000 server, FTP requests to my workstation, etc.; if the request was for IP 206.111.111.8 (example), it would forward all requests (HTTP, FTP, SMTP, POP) to the LINUX server.

Is this a working solution? Has anyone implemented it? Any other solutions?
ASKER CERTIFIED SOLUTION
idyllicsys


ASKER

I was hoping someone had implemented this successfully using One-To-One NAT. I know the procedure to put the server behind the firewall. I guess I will bring a spare PC and test that first with a different public IP address; if that works, great, I will move the live server.

A question I came up with is: is One-To-One NAT a form of DMZ (for many PCs), or does the SonicWall provide any protection? Logic suggests this is a DMZ :-(

Are there any alternatives?
SOLUTION
My company is changing ISP. The whole IP block will change with it. I will report on my success/failure once I perform the transition. This is a great opportunity/risk to try this.
I still have not figured out how to split the webserver issue.

Server A - Windows 2000, IIS running an ASP app on port 80 - public IP #1 using port forwarding from SonicWall. This IP is used for all NAT PCs behind the firewall.
Server B - Linux, Apache running HTML/Perl scripts on port 80 - public IP #2 using 1-to-1 NAT.

I can access Server 2 from the internet if HTTP is served on any port other than 80. Port forwarding of port 80 only works for the 1st entry, which is Server A.

I want:

if IP #1 or domain_aaa_.com -> Server A
if IP #2 or domain_bbb_.com -> Server B

when both servers are behind SonicWall SOHO3.

I am thinking about deploying a Reverse Proxy server (apache or squid) in the linux box (Server B) at port 80 which will forward all HTTP requests to:

Server A, port 80 if for domain example_aaa_.com
Server B, port 8080 if domain is example_bb_.com

Any suggestions are welcome at this point. The reverse proxy is a last resort as ASP and Perl do not cache well and I don't think they work properly with a reverse proxy server.
Well, this is my solution to this. It's not perfect, but it works.

Move the linux server behind the firewall.
Modify internet DNS to point both websites to same IP
Forward all HTTP traffic from that external IP port 80 to the LINUX server
Run SQUID as a reverse proxy on port 80. Modify the internal DNS or /etc/hosts file so squid redirects information based on domain header in HTTP request.

If domain_aaa_.com -> Server A:8000 (Windows 2000, IIS)
If domain_bbb_.com -> Server B:8000 (linux, apache)

Implement port forwarding for other services based on requirements.

Reverse Proxy Servers considered for the job:

SQUID - it works, but it cannot be customized. All HTTP servers need to listen on the same port.
APACHE - does not support domain forwarding
POUND - it was very customizable, but I had problems with the process PID and killing the process.


Problems so far: 1

I am no longer able to access my email via SquirrelMail webmail. SquirrelMail sits in the Linux server and accesses email via IMAP. This is a problem when the webmail is accessed from remote PCs that have no direct access to port 8000. All traffic is routed through the Squid reverse proxy on port 80.

All works and I can access the webmail if I log in locally and access the webmail via a browser on the Linux server. This is true for both port 80 and 8000.

I suspect this is a Squid ACL problem. Does anyone have experience configuring Squid as a reverse proxy to allow Safe_ports? I can post the squid.conf file if necessary.


PS: so far no one has offered a good alternative solution, the points are still available for grabs.
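As an added illustration (not from the original thread), the Host-header split described above written in Squid 3.x/4.x accelerator syntax; it uses cache_peer/cache_peer_access to pick the origin instead of the /etc/hosts lookup the post relies on, and the LAN addresses 192.168.1.10 (Server A) and 192.168.1.20 (Server B) are assumptions:

```conf
# Added example squid.conf fragment: Squid listens on port 80 as a reverse proxy
# and sends domain_aaa_.com to Server A:8000, domain_bbb_.com to Server B:8000.
# Backend LAN addresses are assumptions for illustration only.
http_port 80 accel vhost

# Origin servers (no ICP queries, reached on port 8000 as in the post).
cache_peer 192.168.1.10 parent 8000 0 no-query originserver name=serverA
cache_peer 192.168.1.20 parent 8000 0 no-query originserver name=serverB

acl site_a dstdomain domain_aaa_.com www.domain_aaa_.com
acl site_b dstdomain domain_bbb_.com www.domain_bbb_.com

# Each origin only ever receives its own domain's requests.
cache_peer_access serverA allow site_a
cache_peer_access serverA deny all
cache_peer_access serverB allow site_b
cache_peer_access serverB deny all

# On the Squid 2.5 syntax of that era (httpd_accel_host virtual /
# httpd_accel_port 8000) the rewritten request carries port 8000, so 8000 has
# to be in Safe_ports or the stock "deny !Safe_ports" rule refuses it.
acl Safe_ports port 80 443 8000
http_access deny !Safe_ports

# Accept only the two published sites; everything else is refused so the box
# cannot be used as an open forward proxy from the Internet.
http_access allow site_a
http_access allow site_b
http_access deny all
```

Check the split with `squid -k parse` and then a request carrying each Host header against the proxy; a request for any other host name must get a 403 from Squid rather than reaching a backend.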

Seems like even my temp solution did not work. SonicWall does not have the capabilities I am looking for. I finally settled on this setup:

All PCs with ServerA behind SonicWall using 1 external static IP and port forwarding
Linux server running iptables behind a simple Linksys router using 1 external static IP and port forwarding

I will close this question. Thank you all for participating.