Solved

SonicWall 2040 Pro - issues with setting up interface X3

Posted on 2009-12-29
18
Medium Priority
?
815 Views
Last Modified: 2013-11-16
We have a SonicWall 2040 Pro and  we are having issues with setting up interface X3.    I previously set up interface X2 as a DMZ with no problems, but X3 is giving me a headache.

My intent is to set up X3 and plug a WAP into it so that I can set up separate rules for wireless accessing the LAN.  The WAP sets up OK, and DHCP passes from the SonicWall to the WAP and also through the WAP to the wireless clients.  They receive the IP address and DNS settings OK.  Wireless clients are able to communicate with the LAN, but not the internet.

I double checked, and the rules are in place to allow the traffic to the internet, so at first I thought it was DNS, but I could not access www.google.com nor http://66.249.90.104/  (one of Google's IPs).  Further, NSlookup of the google.com IPs works to our internal DNS server (primary) but NOT to the external DNS server (secondary).

It is like X3 is getting blocked from just the internet...  I checked the Sonicwall logs and nothing shows up - no rule appears to be firing that might be blocking the packets.


Any ideas?
0
Comment
Question by:okacs
  • 10
  • 8
18 Comments
 
LVL 3

Accepted Solution

by:
jlwcci earned 2000 total points
ID: 26143630
What "zone" did you create X3 in?
0
 

Author Comment

by:okacs
ID: 26145401
I named the Zone "WAP" and placed it originally in "Wireless" ... but then changed it to "Trusted".
0
 

Author Comment

by:okacs
ID: 26146777
update:  Apparently even with the Zone set to trusted (like the LAN), my log file sometimes shows the attempt blocked as an "IP Spoof".
0

 
LVL 3

Expert Comment

by:jlwcci
ID: 26147082
And you have a rule that says from the WAP zone to the WAN, any any allow? Perhaps the problem is with the traffic coming back to your devices in the WAP zone, so it might be going out, but being blocked on the way back. The IP spoof entries in the log, where are they from and to?
Also, are you using any of the security services like IPS, content filtering, anti-spyware?
0
 

Author Comment

by:okacs
ID: 26147124
Yes, I have outbound traffic allowed.

IIRC, the Spoofs are from the WAP zone IPs to the external IPs.  I will confirm that next time I see them occur...


0
 
LVL 3

Assisted Solution

by:jlwcci
jlwcci earned 2000 total points
ID: 26147172
Do you have a NAT policy that says:
any X1IP any original any original X3 X1?

0
 

Author Comment

by:okacs
ID: 26147895
Like This?  Then yes....
ScreenShot001.jpg
0
 

Author Comment

by:okacs
ID: 26147992
When I try to create the reverse, i.e.:  Any/Orig/Any/orig/Any/orig/X3/X1  it tells me that a duplicate exists.  (though I don't see it in the list)
0
 
LVL 3

Expert Comment

by:jlwcci
ID: 26148033
This might sound like a stupid question, but the LAN and WAP zones are in different subnets, correct?
Also, can you ping from the WAP to an external ip like 4.2.2.2?
0
 

Author Comment

by:okacs
ID: 26148219
Yes.  LAN is 192.x.x.x and WAP is 172.x.x.x

No, I cannot ping external IPs, but I can ping LAN IPs...
0
 
LVL 3

Expert Comment

by:jlwcci
ID: 26148306
Can you ping your WAN interface IP?
0
 
LVL 3

Expert Comment

by:jlwcci
ID: 26148457
Have you tried putting the zone in DMZ security type?
0
 
LVL 3

Assisted Solution

by:jlwcci
jlwcci earned 2000 total points
ID: 26148575
I was looking through your NAT policy screenshot.
I think you should change the source translated; it needs to be the WAN interface IP, or X1IP,
not Original. Otherwise you're sending the internal IP out, not the WAN IP.

Try that.
0
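
The reasoning in the comment above (a source-translated value of Original sends the internal address out of X1), as an added example that is not part of the original thread and is not SonicOS code: a simplified first-match model of the X3-to-X1 NAT policy. The addresses, the `NatPolicy` fields and the function names are assumptions made for illustration; the thread only gives "172.x.x.x" for the WAP zone.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: never routed on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addresses, not taken from the thread.
INTERFACE_IPS = {"X1": "203.0.113.10",   # WAN (documentation range)
                 "X3": "172.16.31.1"}    # WAP zone gateway


@dataclass(frozen=True)
class NatPolicy:
    inbound: str          # interface the packet arrives on
    outbound: str         # interface the packet leaves on
    translated_src: str   # "Original" or "<iface>IP", e.g. "X1IP"


def egress_source(policies, src_ip, inbound, outbound):
    """Return the source address on the wire after the first matching policy."""
    for p in policies:
        if (p.inbound, p.outbound) == (inbound, outbound):
            if p.translated_src == "Original":
                return src_ip
            iface = p.translated_src.removesuffix("IP")
            return INTERFACE_IPS[iface]
    return src_ip  # no policy matched: packet leaves untranslated


def replies_can_return(wire_src):
    """An upstream router cannot route a reply to an RFC 1918 source."""
    addr = ipaddress.ip_address(wire_src)
    return not any(addr in net for net in RFC1918)


def diagnose(policies, client_ip):
    """Source address seen on the WAN side, and whether replies can come back."""
    wire_src = egress_source(policies, client_ip, "X3", "X1")
    return wire_src, replies_can_return(wire_src)


if __name__ == "__main__":
    client = "172.16.31.50"  # constructed wireless client address
    for label, policy in (("Original", NatPolicy("X3", "X1", "Original")),
                          ("X1IP", NatPolicy("X3", "X1", "X1IP"))):
        print(label, diagnose([policy], client))
```
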
 

Author Comment

by:okacs
ID: 26148602
No, I can not ping my LAN Primary IP from the WAP zone
No, I can not ping my WAN Primary IP from the WAP zone

There are only 3 types available:  "Trusted" (internal segments), "Public" (external Segments), and "Wireless" (specifies options for wifi-sec, etc)

0
 

Author Comment

by:okacs
ID: 26148803
Quote:  "source translated needs to be the WAN interface IP, or X1IP."

Tried that just now.  No luck...
0
 

Author Comment

by:okacs
ID: 26148870

OK, it works now.  I disabled the X3 interface altogether.  Set it to unassigned.  Then I set it up again.  It works now.  Weird.

Thanks!
0
 

Author Closing Comment

by:okacs
ID: 31670864
Thanks!
0
 
LVL 3

Expert Comment

by:jlwcci
ID: 26148890
Good. I was going to suggest a reboot. I had a similar weirdness on mine the other day where one little change started blocking all traffic...
I'm glad it's working now.
What zone did you leave it in? Trusted or Wireless?
0


Question has a verified solution.
