christian_dinh

asked on

DMZ NAT Policy to External DNS namespace

Hello all,

I have a SonicWall FW Pro 1260 Enhanced OS with three interfaces: 1-int goes to the WAN, 1-int goes to the LAN, 1-int (OPT) connects to a switch for the DMZ.  We just recently configured an F5 FirePass SSL VPN and placed it in the LAN.  On my FW, I configured NAT policies and Access Rules so that the external DNS namespace will NAT to the private IP address.  During the testing phase, users were able to access https://vpn.domain_name.com and log on to the F5 SSL console for data and email access via Outlook.

There are two situations that I'm encountering:
Situation 1:
When I'm inside the LAN, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, so I constantly have to connect via its internal IP address.

Situation 2:
When I'm inside the DMZ, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, but able to hit it using the internal IP address.

My intention is to configure multiple APs (equipped with wireless distribution system technology) in the DMZ and have mobile users and consultants log on to the AP and hit https://vpn.domain_name.com to access their data and email.  At this point, data is what matters the most.  I've successfully configured RPC over HTTPS for their Outlook.

Please shed some light on how I can configure the SonicWall FW so that I can hit the DNS namespace when I'm inside the DMZ and the LAN.

Thank you so much, and I apologize for the long description.

bhnmi

Situation 1:
When I'm inside the LAN, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, so I constantly have to connect via its internal IP address.

The SonicWall will not allow you to route out and back in on the same interface.

Situation 2:
When I'm inside the DMZ, I can't hit the https://vpn.domain_name.com via its DNS name or its external IP address, but able to hit it using the internal IP address.

When trying to access it via the public interface from the DMZ, do you see anything in the log (of the SonicWall)?
christian_dinh (ASKER)

Could you tell me exactly what I'm looking for in the log?
I get the following logs when I filtered from DMZ --> WAN:

1      01/31/2008 12:48:05.128      Notice      Network Access      UDP packet dropped      172.16.x.x, 1527, OPT      64.81.79.2, 53, WAN      UDP DNS (Name Service) UDP      
2      01/31/2008 12:47:01.192      Notice      Network Access      UDP packet dropped      172.16.x.x, 1043, OPT      64.81.79.2, 53, WAN      UDP DNS (Name Service) UDP

Thanks for your assistance.
Okay, lets work this way.

From a machine in the opt zone can you use nslookup to resolve the FQDN of the ssl vpn?
Yes.  From FQDN to IP address.
Are you hosting any other public services from the LAN? If so, can you access these from the OPT using the public interface? Also, your access rule for the SSL VPN, can you post it here? Actually, any rules you have created for it.
We have only two public services from the LAN: OWA and SSL VPN.  I can get to https://mail.domain_name.com, both from the DMZ and LAN.  Here are the Access Rules:

WAN --> LAN
Src    Dest              Service     Action    Enable
Any    WAN Primary IP    RRAS        Allow     Checked
Any    WAN Primary IP    SMTP        Allow     Checked
Any    WAN Primary IP    80 & 443    Allow     Checked
Any    F5 SSL Public     HTTPS       Allow     Checked

LAN --> WAN
Src    Dest              Service     Action    Enable
Any    Any               Any         Allow     Checked

DMZ --> WAN
Src            Dest      Service     Action    Enable
DMZ subnets    Any       Any         Allow     Checked

DMZ --> LAN
Src    Dest              Service     Action    Enable
Any    Any               40 & 443    Allow     Checked
Any    Any               PPTP        Allow     Checked
giltjr
How many DNS servers do you have?  And, in relationship to the DMZ, where are they?

Most firewalls will not allow you to do what you are attempting to do.  What you really need to do is set up DNS so that when you are in the DMZ the host name gets resolved to the private IP address, and when you are on the Internet it gets resolved to the public IP address.
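The split-horizon DNS that giltjr describes, written out as an added BIND 9 views example (constructed here, not a config from the thread; the asker's LAN DNS server may well be a different product). All addresses are placeholders chosen for the example, except the ISP resolver 64.81.79.2, which is taken from the log lines above.

```bind
// Constructed example: one name server, two answers for the same zone.
// Placeholder addresses: LAN 192.168.1.0/24, DMZ 172.16.0.0/16 (the dropped
// packets in the log came from 172.16.x.x), SSL VPN private 192.168.1.50,
// SSL VPN public 203.0.113.10, OWA private 192.168.1.51, OWA public 203.0.113.11.
acl "behind-firewall" { 192.168.1.0/24; 172.16.0.0/16; 127.0.0.1; };

options {
    directory "/var/cache/bind";
};

// LAN and DMZ clients get the private addresses, so they never have to hit
// the public IP and rely on the firewall hairpinning traffic for them.
// Names that are not ours are forwarded to the ISP resolver.
view "inside" {
    match-clients { "behind-firewall"; };
    recursion yes;
    forwarders { 64.81.79.2; };
    zone "domain_name.com" {
        type master;
        file "db.domain_name.com.inside";
    };
};

// Everyone else gets only the public addresses, and no recursion.
view "outside" {
    match-clients { any; };
    recursion no;
    zone "domain_name.com" {
        type master;
        file "db.domain_name.com.outside";
    };
};

; ---- db.domain_name.com.inside (zone file, ';' starts a comment) ----
$TTL 300
@     IN SOA ns1.domain_name.com. hostmaster.domain_name.com. ( 2008013101 3600 900 604800 300 )
@     IN NS  ns1.domain_name.com.
ns1   IN A   192.168.1.10
vpn   IN A   192.168.1.50   ; private F5 address for LAN/DMZ clients
mail  IN A   192.168.1.51   ; private OWA address for LAN/DMZ clients

; ---- db.domain_name.com.outside ----
$TTL 300
@     IN SOA ns1.domain_name.com. hostmaster.domain_name.com. ( 2008013101 3600 900 604800 300 )
@     IN NS  ns1.domain_name.com.
ns1   IN A   203.0.113.2
vpn   IN A   203.0.113.10   ; public address the WAN --> LAN NAT policy maps to the F5
mail  IN A   203.0.113.11   ; public address the WAN --> LAN NAT policy maps to OWA
```

Check it the way the asker already does: `nslookup vpn.domain_name.com` from a DMZ host must return the private address, while the same query against the ISP resolver must return the public one.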
I have 1 DNS server in the private LAN.  As for DNS in the DMZ, I'm using the ISP's DNS for lookup.  I was able to resolve the public IP to its FQDN, and vice versa when I'm in the DMZ.

is the https management port still 443? If so change it.
On which zone are you referring to?  Nothing is select for the WAN or the DMZ zone.
You don't have HTTPS management access on the WAN interface?
Is that a huge problem?  Please elaborate.
No problem, just wondering if it is enabled. It listens on 443 unless you change it. Are both the OWA server and the SSL VPN on the LAN? Do they both listen on 443 for SSL connections?
OWA and SSL VPN are sitting on the LAN.  I can hit the FQDN and external IP for the OWA, but not for the SSL VPN.  What do you mean by listen for SSL connections?  I'm not sure what you are referring to.
You cannot have 443 open to two different IP's on the LAN. If both the SSL VPN and OWA are listening on 443 one needs to be changed.
Change to what?  Does it matter if each device has a one-to-one NAT policy that translates to a public IP address?  I think we are heading down the wrong path here.

If I hit the mail.FQDN.com, I will get my OWA.  If I hit the vpn.FQDN.com, I will get my SSL VPN login console.  But the matter is that it's not resolving the vpn.FQDN.com from the DMZ.
Sorry, lost my train of thought; I forgot you could access it from outside the network.
Thanks for the effort.
Can you access the OWA from the DMZ?
Yes...both the FQDN and IP address.
ASKER CERTIFIED SOLUTION
bhnmi
did you see the access rules I provided in this posting?  I've tried to replicate what I have with the OWA to the SSL, but it's still not hitting the vpn.FQDN.com.
In the DMZ you should be using your DNS server for lookup.  Your DNS server needs to then forward to your ISP's DNS servers for all IP domain name spaces (a.k.a. zones) that are not yours.  The OWA host name needs to resolve to the private IP address when you are accessing OWA from anyplace "behind" your firewall.

Your setup is:

    OWA <-- DMZ --> Firewall <--> Internet
                     /\
                      |
                     \/
                    PC

Where on the firewall the DMZ is connected to the "inside" interface and the Internet is connected to the "outside" interface.  The firewall performs the NAT for traffic that flows through it, that is from the inside to the outside or from the outside to the inside.  From the PC that is also in the DMZ the traffic never flows from inside to outside or from outside to inside.  It is all inside, so no NAT takes place.
My LAN DNS server is resolving internal lookups.  At the same time, it's also configured to forward queries to the ISP's DNS.

giltjr, please elaborate on your diagram, as there may be some settings/rules that I have not configured.

Thanks.
Where I have "DMZ" that is a switch that the OWA server and a PC are both connected to.  I am assuming that they are both on the same IP subnet, but they do not have to be.  The main issue is they are both on the same side of the firewall.

When you attempt to connect to the public IP address of the OWA server, the traffic will be routed to the Firewall.  However since the firewall is NOT passing the traffic through it, the NAT will never happen.  NAT'ing occurs when traffic flows from one interface of a firewall to another, at least on all the firewalls I have worked on.  Since the PC and the OWA server are on the same side of the firewall, the traffic goes in and out of the same interface, as bhnmi stated in the first post.

Why is your inside DNS server resolving the OWA server name to its public IP address?  It should be resolving it to the private IP address.

It will be a few hours before I can get back to this.    It's time for me to stare at brake lights for a while :)
giltjr,

The SonicWall performs NAT functions on all interfaces... So traffic going from the DMZ goes out and in the WAN to the LAN, hitting the OWA server. The WAN has multiple public addresses, and one is mapped to the OWA server, another to his VPN device. So far we can tell the setups are the same, but he cannot access the VPN device. He can resolve the A record for his VPN to the correct public IP and reverse lookup the IP to the A record.

Have you talked to the yahoos at SonicWall yet? Also, dumb question, but have you power cycled the box? Is it running the latest firmware? SonicWalls are known to bug out sometimes. I wish I could read your TSR.
I think i fixed my own problem.  Thank you for your time and assistance.  After troubleshooting it, I had to create an access rule from the 'Firewall Subnet' to the public IP address of the SSL VPN.

"You notice any rules related to OWA and the DMZ? If you do replicate them but with the SSL VPN info."

bhnmi, I have to credit you for this (although I did overlook on my part).  A full 500 pts is awarded to you.  Thanks for your patience and assistance.
bhnmi, I am assuming that I missed something in the setup, but in my diagram you can't have the PC accessing the OWA server using the public IP address if the firewall is doing NAT.  Yes, firewalls can perform NAT on all interfaces, but none that I have ever seen can NAT traffic when all the traffic is on the same interface.
You could have a PC accessing the OWA server using either the FQDN or IP address from the DMZ if you have Access Rules originating from the Firewalled Subnets, not the DMZ subnet.  I learned that after days of troubleshooting so that I can hit my FQDN/Public IP for the SSL VPN.  It's all working great now.
Umm, maybe I am still missing something. I have host1 10.10.10.2 and host2 10.10.10.3 both in the DMZ, and the firewall's DMZ IP address is 10.10.10.1.  I don't see how the firewall would be doing NAT in a setup like that.
Where are you trying to NAT to?  Are you NAT'ing from the WAN-->DMZ, WAN-->LAN, DMZ-->WAN, DMZ-->LAN?

What custom access rules do you already have in place?
I'm not, you were.  The way I understood your problem, you were attempting to have one host in your DMZ access another host within your DMZ using a public IP address that was NAT'ed by your firewall that sits between your DMZ and the Internet.

Look at the diagram I have in post ID 20800779.  I was assuming that the NAT function was being done by the firewall and that both of your hosts were in the same DMZ.
No...the two hosts (SSL & OWA) that I have are not in the DMZ, they are in the LAN.  I'm going to put several APs on my DMZ and have mobile users (guests or consultants) connect to the DMZ.  If they need access to their data (which is on the private LAN), they will be connecting to the VPN console (SSL VPN is on the LAN) to retrieve their files.
O.K.,  What was between the LAN and the DMZ?  Can you provide a stick figure of your network?
What is between the LAN and DMZ is the firewall that separates each zone.  On my FW, I have to create NAT policies that translate from the Firewalled Subnets to all the hosts that I want to have access from the DMZ.

Original Source       Translated Source   Original Destination   Translated Destination   Original Service   Translated Service   Inbound Interface   Outbound Interface
Firewalled Subnets    F5 SSL Public       F5 SSL Public          F5 SSL Private           HTTPS              Original             Any                 Any
Firewalled Subnets    WAN IP              WAN IP                 RRAS Private             RRAS               Original             Any                 Any
Firewalled Subnets    WAN IP              WAN IP                 mail Private             SMTP               Original             Any                 Any
Firewalled Subnets    WAN IP              WAN IP                 mail Private             80_443             Original             Any                 Any