DMZ NAT Policy to External DNS namespace

Hello all,

I have a Sonicwall FW Pro 1260 Enhanced OS with three interfaces: 1-int goes to the WAN, 1-int goes to th LAN, 1-int (OPT) connects to a switch for DMZ.  We just recently configured a F5 Firepass SSL VPN and placed it in the LAN.  On my FW, I configured NAT policies and Access Rules so that the external DNS namespace will NAT to the private IP address.  During the testing phase, users were able to access the https://vpn.domain_name.com, and logon onto the F5 SSL console for data and email access via Outlook.  

There are two situations that I'm encountering:
Situation 1:
When I'm inside the LAN, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, so I constantly have to connect via its internal IP address.

Situation 2:
When I'm inside the DMZ, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, but able to hit it using the internal IP address.

My intention is to configure multiple APs (equipped with wireless distribution system technology) in the DMZ and have mobile users and consultants log on to the AP and hit the https://vpn.domain_name.com to access their data and emails access.  At this point, data is what matters the most.  I've successfully configured RPC over HTTPs for their Outlook.

Please shed some lights to how I can configure the Sonicwall FW in order to hit the DNS namespace when I'm inside the DMZ and the LAN.

Thank you so much and apologize for the long description.

christian_dinhAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bhnmiCommented:
Situation 1:
When I'm inside the LAN, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, so I constantly have to connect via its internal IP address.

The sonicwall will not allow you to route out and back in on the same interface.

Situation 2:
When I'm inside the DMZ, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, but able to hit it using the internal IP address.

When trying to access it via the public interface from the dmz do you see anything in th log(of the sonicwall)?
0
christian_dinhAuthor Commented:
Could you tell me exactly what I'm looking for in the log?
0
christian_dinhAuthor Commented:
I get the following logs when I filtered from DMZ --> WAN:

1      01/31/2008 12:48:05.128      Notice      Network Access      UDP packet dropped      172.16.x.x, 1527, OPT      64.81.79.2, 53, WAN      UDP DNS (Name Service) UDP      
2      01/31/2008 12:47:01.192      Notice      Network Access      UDP packet dropped      172.16.x.x, 1043, OPT      64.81.79.2, 53, WAN      UDP DNS (Name Service) UDP

Thanks for your assistance.
0
Redefining Cyber Security w/ AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Join our webinar on Sept. 21st to learn more about leveraging AI and machine learning to protect your business.

bhnmiCommented:
Okay, lets work this way.

From a machine in the opt zone can you use nslookup to resolve the FQDN of the ssl vpn?
0
christian_dinhAuthor Commented:
Yes.  From FQDN to IP address.
0
bhnmiCommented:
Are you hosting any other public services from the LAN? If so can you access these from the OPT using the public interface? Also, you access rule for the SSL VPN can you post it here? Actually any rules you have created for it.
0
christian_dinhAuthor Commented:
We have only two public services from the LAN.  OWA and SSL VPN.  I can get to the https://mail.domain_name.com, both from the DMZ and LAN.  Here's the Access Rules

WAN --> LAN
Scr      Dest            Service            Action            Enable
Any      WAN Primary Ip      RRAS            Allow            Checked
Any      WAN Primary Ip      SMTP             Allow            Checked
Any      WAN Primary Ip      80 & 443                           Allow            checked
Any      F5 SSL public      HTTPS            Allow            Checked

LAN --> WAN
Scr      Dest            Service            Action            Enable
Any      Any            Any            Allow            checked

DMZ --> WAN
Scr            Dest            Service            Action      Enable
DMZ subnets      Any            Any            Allow      Checked      
DMZ --> LAN
Scr      Dest            Service            Action            Enable
Any      Any            40 & 443                            Allow            checked
Any      Any            PPTP            Allow            Checked
0
giltjrCommented:
How many DNS servers do you have?  And, in relationship to the DMZ, where are they?

Most firewalls will not allow you to do what you are attempting to do.  What you really need to do is setup DNS so that when you are in the DMZ the host name get resloved to the private IP address and when you are on the Internet it gets resolved to the public IP address.
0
christian_dinhAuthor Commented:
I have 1 DNS server in the private LAN.  As for DNS in the DMZ, I'm using the ISP's DNS for lookup.  I was able to resolve the public IP to its FQDN, and vice versa when I'm in the DMZ.

0
bhnmiCommented:
is the https management port still 443? If so change it.
0
christian_dinhAuthor Commented:
On which zone are you referring to?  Nothing is select for the WAN or the DMZ zone.
0
bhnmiCommented:
You dont have https management access on the wan interface?
0
christian_dinhAuthor Commented:
Is that a huge problem?  Please elaborate.
0
bhnmiCommented:
No problem, just wondering if it is enabled. It listens on 443 unless you change it. Are both the OWA server and the SSL VPN on the LAN? DO the both listen on 443 for SSL connections?
0
christian_dinhAuthor Commented:
OWA and SSL VPN are sitting on the LAN.  I can hit the FQDN and external IP for the OWA, but not for the SSL VPN.  What do you mean listen for SSL connections?  I'm not sure what you referenced to?
0
bhnmiCommented:
You cannot have 443 open to two different IP's on the LAN. If both the SSL VPN and OWA are listening on 443 one needs to be changed.
0
christian_dinhAuthor Commented:
change to what?  does it matter if each device has a one-to-one NAT policy that translates to a public IP address.  I think we are heading to the wrong path here.

If I hit the mail.FQDN.com, I will get my OWA.  If I hit the vpn.FQDN.com, I will get my SSL VPN login console.  But the matter is that it's not resolving the vpn.FQDN.com from the DMZ.
0
bhnmiCommented:
Sorry, lost my train of thought I forgot you could access it from outside the network.
0
christian_dinhAuthor Commented:
thanks for the effort.
0
bhnmiCommented:
can you access the OWA from the dmz?
0
christian_dinhAuthor Commented:
yes...both the FQDN, and IP address.
0
bhnmiCommented:
You notice any rules related to OWA and the DMZ? If you do replicate them but with the SSL VPN info.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
christian_dinhAuthor Commented:
did you see the access rules I provided in this posting?  I've tried to replicate what I have with the OWA to the SSL, but it's still not hitting the vpn.FQDN.com.
0
giltjrCommented:
In the DMZ you should be using your DNS server for lookup.  Your DNS server needs to then forward to your ISP's DNS servers for all IP domain name spaces (a.k.a. zones) that are not yours.  The OWA host name need to reslove to the private IP address when you are access OWA from anyplace "behind" your firewall.

Your setup is:

    OWA <-- DMZ --> Firewall <--> Internet
                     /\
                      |
                     \/
                    PC

Where on the firewall the DMZ is connected to the "inside" interface and the Internet is connected to the "outside" interface.  The firewall performs the NAT for traffic that flows through it, that is from the inside to the outside or from the outside to the inside.  From the PC that is also in the DMZ the traffic never flows from inside to outside or from outside to inside.  It is all inside, so no NAT takes place.
0
christian_dinhAuthor Commented:
My LAN DNS server is resolving internal lookup.  At the same, it's also configured to forward queries to the ISP's DNS.  

giltjr, please elaborate on your diagram as there may have been some settings/rules that I have not configure.

Thanks.
0
giltjrCommented:
Where I have "DMZ" that is a switch that the OWA server and a PC are both connected to.  I am assuming that they are both on the same IP subnet, but they do not have to be.  The main issue is they are both on the same side of the firewall.

When you attempt to connect to the public IP address of the OWA server, the traffic will be routed to the Firewall.  However since the firewall is NOT passing the traffic through it, the NAT will never happen.  NAT'ing occurs when traffic flows from one interface of a firewall to another, at least on all the firewalls I have worked on.  Since the PC and the OWA server are on the same side of the firewall, the traffic goes in and out of the same interface, as bhnmi stated in the first post.

Why is your inside DNS server resolving the OWA server name to its public IP address?  It should be resolving it to the private IP address.

It will be a few hours before I can get back to this.    It't time for me to stare at break lights for awhile :)
0
bhnmiCommented:
giltjr,

The sonciwall performs NAT functions on all interfaces... So traffic going from the DMZ goes out and in the wan to the lan hitting the OWA server. The WAN has multiple public address and one is mapped to the OWA server another to his VPN device. So far we can tell the setups are the same but he cannot access the vpn   device. He can resolve the A reocrd for his vpn to the correct public IP and reverse lookup the IP to the a record.

Have you talked to the yahoo's at sonicwall yet? Also dumb question but have you pwer cycled the box? Is it running the latest firmware? Sonicwalls are known to bug out sometimes. I wish I could read your TSR.
0
christian_dinhAuthor Commented:
I think i fixed my own problem.  Thank you for your time and assistance.  After troubleshooting it, I had to create an access rule from the 'Firewall Subnet' to the public IP address of the SSL VPN.
0
christian_dinhAuthor Commented:

"You notice any rules related to OWA and the DMZ? If you do replicate them but with the SSL VPN info."

bhnmi, I have to credit you for this (although I did overlook on my part).  A full 500 pts is awarded to you.  Thanks for your patience and assistance.
0
giltjrCommented:
bhnmi,  I am assuming that missed something in the setup, but in my diagram you can't have the PC accessing the OWA server using the public IP address if the firewall is doing NAT.  Yes, firewalls can perform NAT on all interface, but none that I have ever seen can NAT traffic when all the traffic is on the same interface.
0
christian_dinhAuthor Commented:
You could have a PC accessing the OWA server using either the FQDN or IP address from the DMZ if you have Access Rules originating from the Firewall Subnetted; not the DMZ subnet.  I learned that after days of troubleshooting so that I can hit my FQDN/Public IP for the SSL VPN.  It's all working great now.
0
giltjrCommented:
Umm, maybe I am still missing something I have host1 10.10.10.2 and host2 10.10.10.3 both in the DMZ and the firewall's DMZ IP address is 10.10.10.1.  I don't see how the firewall would be doing NAT in a setup like that.
0
christian_dinhAuthor Commented:
Where r u trying to NAT to?  Are you NAT'ing from the WAN-->DMZ, WAN-->LAN, DMZ-->WAN, DMZ--LAN?

Wut custom access rules do you already have in place?  
0
giltjrCommented:
I'm not, you were.  The way I understood your problem you where attempting to have one host in your DMZ access another host within your DMZ using an public IP address that was nat'ed by your firewall that sits between your DMZ and the Internet.  

Look at the diagram I have in post ID 20800779.  I am was assuming that the NAT function was being done by the firewall and that both of your hosts were in the same DMZ.
0
christian_dinhAuthor Commented:
No...the two hosts (SsL & OWA) that I have are not in the DMZ, they are in the LAN.  I'm going to put several APs on my DMZ and have mobile users (guests or consultants) connect to the the DMZ.  If they need access to their data (which is on the private LAN) they will be connecting to the VPN console (SSL VPN is on the LAN) to retrieve their files.
0
giltjrCommented:
O.K.,  What was between the LAN and the DMZ?  Can you provide a stick figure of your network?
0
christian_dinhAuthor Commented:
What is between the LAN and DMZ is the firewall that separates each zone.  On my FW, I have to create NAT policies that translated from the Firewalled Subnet to all the hosts that I want to have access from the DMZ.

Firewalled Subnets      F5 SSL Public      F5 SSL Public      F5 SSL Private      HTTPS      Original      Any      Any
Firewalled Subnets      WAN  IP              WAN IP                    RRAS Private    RRAS    Original           Any      Any
Firewalled Subnets      WAN  IP       WAN IP                    mail Private       SMTP        Original       Any        Any
Firewalled Subnets      WAN IP             WAN  IP                    mail Private       80_443 Original      Any      Any

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.