Solved

DMZ NAT Policy to External DNS namespace

Posted on 2008-01-31
37
Medium Priority
1,127 Views
Last Modified: 2012-05-05
Hello all,

I have a Sonicwall FW Pro 1260 Enhanced OS with three interfaces: one interface goes to the WAN, one goes to the LAN, and one (OPT) connects to a switch for the DMZ.  We just recently configured an F5 Firepass SSL VPN and placed it in the LAN.  On my FW, I configured NAT policies and Access Rules so that the external DNS namespace will NAT to the private IP address.  During the testing phase, users were able to access https://vpn.domain_name.com and log on to the F5 SSL console for data and email access via Outlook.

There are two situations that I'm encountering:
Situation 1:
When I'm inside the LAN, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, so I constantly have to connect via its internal IP address.

Situation 2:
When I'm inside the DMZ, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, but able to hit it using the internal IP address.

My intention is to configure multiple APs (equipped with wireless distribution system technology) in the DMZ and have mobile users and consultants log on to the AP and hit https://vpn.domain_name.com to access their data and emails.  At this point, data is what matters the most.  I've successfully configured RPC over HTTPS for their Outlook.

Please shed some light on how I can configure the Sonicwall FW so that I can hit the DNS namespace when I'm inside the DMZ and the LAN.

Thank you so much, and I apologize for the long description.

Question by:christian_dinh
37 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20791333
Situation 1:
When I'm inside the LAN, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, so I constantly have to connect via its internal IP address.

The SonicWall will not allow you to route out and back in on the same interface.

Situation 2:
When I'm inside the DMZ, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, but able to hit it using the internal IP address.

When trying to access it via the public interface from the DMZ, do you see anything in the log (of the SonicWall)?
0
 

Author Comment

by:christian_dinh
ID: 20791448
Could you tell me exactly what I'm looking for in the log?
0
 

Author Comment

by:christian_dinh
ID: 20791459
I get the following logs when I filtered from DMZ --> WAN:

1      01/31/2008 12:48:05.128      Notice      Network Access      UDP packet dropped      172.16.x.x, 1527, OPT      64.81.79.2, 53, WAN      UDP DNS (Name Service) UDP      
2      01/31/2008 12:47:01.192      Notice      Network Access      UDP packet dropped      172.16.x.x, 1043, OPT      64.81.79.2, 53, WAN      UDP DNS (Name Service) UDP

Thanks for your assistance.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20791661
Okay, let's work this way.

From a machine in the OPT zone, can you use nslookup to resolve the FQDN of the SSL VPN?
0
 

Author Comment

by:christian_dinh
ID: 20791711
Yes.  From FQDN to IP address.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20791996
Are you hosting any other public services from the LAN? If so, can you access these from the OPT using the public interface? Also, can you post your access rule for the SSL VPN here? Actually, any rules you have created for it.
0
 

Author Comment

by:christian_dinh
ID: 20792151
We have only two public services from the LAN: OWA and SSL VPN.  I can get to https://mail.domain_name.com from both the DMZ and LAN.  Here are the Access Rules:

WAN --> LAN
Src           Dest                Service     Action   Enable
Any           WAN Primary IP      RRAS        Allow    Checked
Any           WAN Primary IP      SMTP        Allow    Checked
Any           WAN Primary IP      80 & 443    Allow    Checked
Any           F5 SSL public       HTTPS       Allow    Checked

LAN --> WAN
Src           Dest                Service     Action   Enable
Any           Any                 Any         Allow    Checked

DMZ --> WAN
Src           Dest                Service     Action   Enable
DMZ subnets   Any                 Any         Allow    Checked

DMZ --> LAN
Src           Dest                Service     Action   Enable
Any           Any                 40 & 443    Allow    Checked
Any           Any                 PPTP        Allow    Checked
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20800254
How many DNS servers do you have?  And, in relationship to the DMZ, where are they?

Most firewalls will not allow you to do what you are attempting to do.  What you really need to do is set up DNS so that when you are in the DMZ the host name gets resolved to the private IP address, and when you are on the Internet it gets resolved to the public IP address.
0
 

Author Comment

by:christian_dinh
ID: 20800286
I have 1 DNS server in the private LAN.  As for DNS in the DMZ, I'm using the ISP's DNS for lookup.  I was able to resolve the public IP to its FQDN, and vice versa when I'm in the DMZ.

0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20800313
Is the HTTPS management port still 443? If so, change it.
0
 

Author Comment

by:christian_dinh
ID: 20800335
Which zone are you referring to?  Nothing is selected for the WAN or the DMZ zone.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20800346
You don't have HTTPS management access on the WAN interface?
0
 

Author Comment

by:christian_dinh
ID: 20800357
Is that a huge problem?  Please elaborate.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20800380
No problem, just wondering if it is enabled. It listens on 443 unless you change it. Are both the OWA server and the SSL VPN on the LAN? Do they both listen on 443 for SSL connections?
0
 

Author Comment

by:christian_dinh
ID: 20800397
OWA and SSL VPN are sitting on the LAN.  I can hit the FQDN and external IP for the OWA, but not for the SSL VPN.  What do you mean by listen for SSL connections?  I'm not sure what you're referring to.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20800412
You cannot have 443 open to two different IPs on the LAN. If both the SSL VPN and OWA are listening on 443, one needs to be changed.
0
 

Author Comment

by:christian_dinh
ID: 20800470
Change to what?  Does it matter if each device has a one-to-one NAT policy that translates to a public IP address?  I think we are heading down the wrong path here.

If I hit the mail.FQDN.com, I will get my OWA.  If I hit the vpn.FQDN.com, I will get my SSL VPN login console.  But the matter is that it's not resolving the vpn.FQDN.com from the DMZ.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20800495
Sorry, lost my train of thought; I forgot you could access it from outside the network.
0
 

Author Comment

by:christian_dinh
ID: 20800538
Thanks for the effort.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20800549
Can you access the OWA from the DMZ?
0
 

Author Comment

by:christian_dinh
ID: 20800582
Yes...both the FQDN and IP address.
0
 
LVL 12

Accepted Solution

by:
bhnmi earned 1500 total points
ID: 20800739
You notice any rules related to OWA and the DMZ? If you do replicate them but with the SSL VPN info.
0
 

Author Comment

by:christian_dinh
ID: 20800764
Did you see the access rules I provided in this posting?  I've tried to replicate what I have for the OWA on the SSL, but it's still not hitting vpn.FQDN.com.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20800779
In the DMZ you should be using your DNS server for lookups.  Your DNS server then needs to forward to your ISP's DNS servers for all IP domain name spaces (a.k.a. zones) that are not yours.  The OWA host name needs to resolve to the private IP address when you are accessing OWA from anyplace "behind" your firewall.

Your setup is:

    OWA <-- DMZ --> Firewall <--> Internet
                     /\
                      |
                     \/
                    PC

Where on the firewall the DMZ is connected to the "inside" interface and the Internet is connected to the "outside" interface.  The firewall performs the NAT for traffic that flows through it, that is from the inside to the outside or from the outside to the inside.  From the PC that is also in the DMZ the traffic never flows from inside to outside or from outside to inside.  It is all inside, so no NAT takes place.
0
 

Author Comment

by:christian_dinh
ID: 20800867
My LAN DNS server is resolving internal lookups.  At the same time, it's also configured to forward queries to the ISP's DNS.

giltjr, please elaborate on your diagram, as there may be some settings/rules that I have not configured.

Thanks.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20801014
Where I have "DMZ", that is a switch that the OWA server and a PC are both connected to.  I am assuming that they are both on the same IP subnet, but they do not have to be.  The main issue is they are both on the same side of the firewall.

When you attempt to connect to the public IP address of the OWA server, the traffic will be routed to the Firewall.  However since the firewall is NOT passing the traffic through it, the NAT will never happen.  NAT'ing occurs when traffic flows from one interface of a firewall to another, at least on all the firewalls I have worked on.  Since the PC and the OWA server are on the same side of the firewall, the traffic goes in and out of the same interface, as bhnmi stated in the first post.

Why is your inside DNS server resolving the OWA server name to its public IP address?  It should be resolving it to the private IP address.

It will be a few hours before I can get back to this.  It's time for me to stare at brake lights for a while :)
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20801077
giltjr,

The SonicWall performs NAT functions on all interfaces... So traffic going from the DMZ goes out and in the WAN to the LAN, hitting the OWA server. The WAN has multiple public addresses, and one is mapped to the OWA server, another to his VPN device. So far as we can tell the setups are the same, but he cannot access the VPN device. He can resolve the A record for his VPN to the correct public IP and reverse-lookup the IP to the A record.

Have you talked to the yahoos at SonicWall yet? Also, dumb question, but have you power cycled the box? Is it running the latest firmware? SonicWalls are known to bug out sometimes. I wish I could read your TSR.
0
 

Author Comment

by:christian_dinh
ID: 20801255
I think I fixed my own problem.  Thank you for your time and assistance.  After troubleshooting it, I had to create an access rule from the 'Firewall Subnet' to the public IP address of the SSL VPN.
0
 

Author Comment

by:christian_dinh
ID: 20801969

"You notice any rules related to OWA and the DMZ? If you do replicate them but with the SSL VPN info."

bhnmi, I have to credit you for this (although I did overlook it on my part).  A full 500 pts is awarded to you.  Thanks for your patience and assistance.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20802183
bhnmi, I am assuming that I missed something in the setup, but in my diagram you can't have the PC accessing the OWA server using the public IP address if the firewall is doing NAT.  Yes, firewalls can perform NAT on all interfaces, but none that I have ever seen can NAT traffic when all the traffic is on the same interface.
0
 

Author Comment

by:christian_dinh
ID: 20802270
You could have a PC accessing the OWA server using either the FQDN or IP address from the DMZ if you have Access Rules originating from the Firewalled Subnets, not the DMZ subnet.  I learned that after days of troubleshooting so that I can hit my FQDN/Public IP for the SSL VPN.  It's all working great now.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20802469
Umm, maybe I am still missing something.  I have host1 10.10.10.2 and host2 10.10.10.3, both in the DMZ, and the firewall's DMZ IP address is 10.10.10.1.  I don't see how the firewall would be doing NAT in a setup like that.
0
 

Author Comment

by:christian_dinh
ID: 20816524
Where are you trying to NAT to?  Are you NAT'ing from WAN-->DMZ, WAN-->LAN, DMZ-->WAN, DMZ-->LAN?

What custom access rules do you already have in place?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20816773
I'm not, you were.  The way I understood your problem, you were attempting to have one host in your DMZ access another host within your DMZ using a public IP address that was NAT'ed by your firewall that sits between your DMZ and the Internet.

Look at the diagram I have in post ID 20800779.  I was assuming that the NAT function was being done by the firewall and that both of your hosts were in the same DMZ.
0
 

Author Comment

by:christian_dinh
ID: 20817020
No...the two hosts (SSL & OWA) that I have are not in the DMZ; they are in the LAN.  I'm going to put several APs on my DMZ and have mobile users (guests or consultants) connect to the DMZ.  If they need access to their data (which is on the private LAN) they will be connecting to the VPN console (SSL VPN is on the LAN) to retrieve their files.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20817668
O.K., what is between the LAN and the DMZ?  Can you provide a stick figure of your network?
0
 

Author Comment

by:christian_dinh
ID: 20817733
What is between the LAN and DMZ is the firewall that separates each zone.  On my FW, I had to create NAT policies that translate from the Firewalled Subnets to all the hosts that I want to have access to from the DMZ.

Original Source       Translated Source   Original Destination   Translated Destination   Original Service   Translated Service   Inbound   Outbound
Firewalled Subnets    F5 SSL Public       F5 SSL Public          F5 SSL Private           HTTPS              Original             Any       Any
Firewalled Subnets    WAN IP              WAN IP                 RRAS Private             RRAS               Original             Any       Any
Firewalled Subnets    WAN IP              WAN IP                 mail Private             SMTP               Original             Any       Any
Firewalled Subnets    WAN IP              WAN IP                 mail Private             80_443             Original             Any       Any

0
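Added example, not part of the thread and not SonicWall's code: a small Python model of the loopback NAT rows in the final post, showing why a DMZ or LAN client hitting the public IP fails without them, why the source must be translated as well as the destination for the LAN case, and why giltjr's same-segment hosts never get NAT'ed at all. All addresses (10.0.0.0/24 LAN, 172.16.0.0/24 DMZ, 203.0.113.x public) are constructed placeholders for the poster's undisclosed ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses standing in for the thread's address objects (the
# poster never disclosed real ones); names follow the objects in the final
# NAT policy table: Firewalled Subnets, F5 SSL Public/Private, WAN IP.
LAN = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("172.16.0.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.1")
F5_PUBLIC = ipaddress.ip_address("203.0.113.10")
F5_PRIVATE = ipaddress.ip_address("10.0.0.10")
MAIL_PRIVATE = ipaddress.ip_address("10.0.0.20")
FIREWALLED_SUBNETS = (LAN, DMZ)   # every zone behind the firewall

@dataclass(frozen=True)
class NatPolicy:
    orig_src: tuple                              # networks the source must belong to
    orig_dst: ipaddress.IPv4Address              # public IP the client dialled
    trans_src: Optional[ipaddress.IPv4Address]   # None = "Original" (source untouched)
    trans_dst: ipaddress.IPv4Address             # private server address
    port: int                                    # original service

# Loopback rows from the final post: HTTPS to the F5, 80/443 to the mail server.
LOOPBACK = (
    NatPolicy(FIREWALLED_SUBNETS, F5_PUBLIC, F5_PUBLIC, F5_PRIVATE, 443),
    NatPolicy(FIREWALLED_SUBNETS, WAN_IP, WAN_IP, MAIL_PRIVATE, 443),
    NatPolicy(FIREWALLED_SUBNETS, WAN_IP, WAN_IP, MAIL_PRIVATE, 80),
)
# A tempting but incomplete variant: destination rewritten, source left alone.
NO_SRC_NAT = (NatPolicy(FIREWALLED_SUBNETS, F5_PUBLIC, None, F5_PRIVATE, 443),)

def same_segment(a, b):
    """True when both addresses sit in one zone, so the packet never reaches the firewall."""
    return any(a in n and b in n for n in FIREWALLED_SUBNETS)

def translate(src, dst, port, policies=LOOPBACK):
    """Return (src, dst) as the firewall forwards them, or None if it cannot NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if same_segment(src, dst):
        return None   # giltjr's case: host-to-host on one interface, no NAT possible
    for p in policies:
        if dst == p.orig_dst and port == p.port and any(src in n for n in p.orig_src):
            return str(p.trans_src if p.trans_src is not None else src), str(p.trans_dst)
    return None       # the original problem: the public IP is never rewritten

def session_works(client, server, port, policies=LOOPBACK):
    """Does a client behind the firewall get a usable session to a public IP?"""
    nat = translate(client, server, port, policies)
    if nat is None:
        return False
    new_src, new_dst = map(ipaddress.ip_address, nat)
    # The server answers new_src; if that shares its subnet the reply bypasses
    # the firewall and the client drops it (situation 1 on the LAN).
    return not same_segment(new_src, new_dst)
```

Run `session_works("10.0.0.50", "203.0.113.10", 443, NO_SRC_NAT)` against `session_works("10.0.0.50", "203.0.113.10", 443)` to see the LAN case flip from False to True once the source is also translated.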
