DMZ config issues on SonicWALL 4060

I am not able to get the DMZ visible from the internet on a Pro 4060 with SonicOS Enhanced 3.5.  Here is the IP layout.  X0 (LAN) 192.168.x.x, X1 (WAN) 173.11.x.x, X2 (WAN) 66.100.x.x and X4 (DMZ) 10.10.x.x.  X2 is failover for X1.  I have a block of 128 IPs on X2.  I have set up the Address Objects, Access Rules, Services, etc. manually and by using the Wizards, but cannot see things from the internet.  I am able to ping and resolve from the LAN, and able to access the internet from a DMZ machine.  The DMZ private addresses (10.10.x.x) will translate to the X2 range of addresses (ex. private address 10.10.100.140 would be public 66.100.100.140).  Any ideas of what I could be missing so that it is not visible?  Let me know what info you would need to help.  Thanks.
richvdollAsked:
AngloCommented:
Reading what you are saying it looks like you cannot access the DMZ from X2, am I correct or is it from X1 as well?  
Erik BjersPrincipal Systems AdministratorCommented:
I am a cisco guy so can not tell you the exact config changes needed but I can tell you this is nat related.

You need a 1to1 nat for each server in the dmz you want public as well as access rules to allow the traffic.

Eb
richvdollAuthor Commented:
I have 1to1 NAT for each server in the DMZ (public address to the private address).  I also tried using an address from the X1 block of addresses and it didn't work either.  Could this be a router setup issue?  I saw a note in SonicWALL documentation stating something about making sure that the ISP has not set something up on the router.  Currently, the public addresses that I am going to be using are addressed on the machine.
Cas KristCommented:
When you set up the NAT and firewall rules using a wizard you should be able to connect to the server using the external IP from your LAN. For example you should be able to reach a webserver in the DMZ when you type http://66.100.x.x (your NATted webserver) from a workstation in your LAN. (The loopback NAT policy is responsible for this.) Does this work? (If yes, then it is something in your router.)
AngloCommented:
X2 IPs will only work a/. on X1 failure & b/. for outgoing connections.  The WAN failover mechanism is restricted to that.
richvdollAuthor Commented:
Caskrist: Yes, the LAN can connect to the external IP correctly.  

Anglo, if I remove the failover, would it be able to work correctly then?
Thanks.
Cas KristCommented:
You can enable load-balancing.
richvdollAuthor Commented:
Load balancing is enabled.  If I am reading the information from the SonicWALL site correctly, it looks like it applies to outbound-initiated traffic only.  
Cas KristCommented:
I have the same setup. I have websites behind both WAN-ranges (behind both WAN interfaces).
[attached screenshot: wan-failover.png]
Cas KristCommented:
Oh yes, my mistake. Load balancing can only be used for outbound traffic. But inbound traffic comes in on both interfaces.
richvdollAuthor Commented:
So you think it might be a router issue then?  The secondary was the main ISP previously and the machines are static addressed to the block from the ISP.  I set up objects for public using these addresses, then used a different subnet for private addresses, then tried static IPs in this range on the machines and set up the rules.  Still can't get access from outside though.
Cas KristCommented:
Are you sure you have the correct NAT policies and firewall rules in place? Maybe try running the public server wizard.
(when the router worked fine before, it can't be the router)
richvdollAuthor Commented:
I have tried the Wizard and get the same issue.  Settings were similar to what I did manually.  Currently, the machines I want to put in the DMZ are hooked up to the secondary WAN connection via a hub placed before the SonicWALL and they are addressed with the public IPs.  I had seen a note on SonicWALL about making sure that the ISP didn't program the router a certain way, but of course I can't find that comment now that I am looking for it.
Cas KristCommented:
I don't think it is very likely to be a problem with the router as the server works now. Do you have any static routes in your Sonicwall?
richvdollAuthor Commented:
Here is setup:
X0 LAN 192.168.x.x
X1 WAN 173.11.x.x (dns: lan dns then from isp)
X2 WAN 66.100.x.x (dns: lan dns then from isp)
X4 DMZ 10.10.x.x
WAN Failover X1 to X2 with loadbalancing basic active/passive
ZONE LAN trusted, allow interface trust, CFS
ZONE WAN public, no interface trust, no CFS
ZONE DMZ public, allow interface trust, no CFS
DNS specifically set, LAN dns server, then first dns of each ISP
Address Objects:
*Private, Zone DMZ, IP 10.10.200.150
*Public, Zone WAN, IP 66.100.200.150
Route advertisement RIPv1 enabled for DMZ
NAT policies:
Orig Src: Firewalled Subnets, Trans Src: *Public, Orig Dest: *Public, Trans Dest: *Private, Orig serv: any, Trans serv: original, Inbound: any, Outbound: any
Orig Src: *Private, Trans Src: *Public, Orig Dest: Any, Trans Dest: original, Orig serv: any, Trans serv: original, Inbound: any, Outbound: X2
Orig Src: any, Trans Src: original, Orig Dest: *Public, Trans Dest: *Private, Orig serv: any, Trans serv: original, Inbound: any, Outbound: any
No ARP, DHCP, IP, Web proxy, or DDNS
Access Rules:
DMZ to LAN, all denied
WAN to LAN, all denied
WAN to DMZ, allow, any service, any source, any destination, all users allowed, always on

I think this is all that pertains to this connection.  I have put everything open from WAN to DMZ just trying to get a connection.
richvdollAuthor Commented:
Another thing of note is that when I look at the log, I get a notice of the following:

ICMP Packet Dropped
Source: external ip address, 512, X2
Destination: 66.100.200.150, 8, X1
ICMP Echo, Code: 0
Cas KristCommented:
The notice of the dropped ICMP packet is not important.

Maybe your NAT policies are too generic. I will post a screenshot when I have access to the right SonicWALL.
Cas KristCommented:
Here you have a screenshot. My second WAN is on X3. In this example my server uses the WAN-IP of my X3 interface (X3 IP) and forwards the traffic to the server (pbxnsip-test private). Only pbxnsip-test services (a services group) are forwarded. Line 17 is the loopback policy, Line 18 outbound, Line 19 is inbound.
[attached screenshot: natpolicy.png]
richvdollAuthor Commented:
Caskrist, thanks.  That looks very similar to what I have.  Instead of X3 IP I am using Public.  Does X3 IP go to the IP address of the Gateway of X3, or just to a number in the subnet of IP addresses?  In other words, if I have 4 machines to access in the DMZ and I have 4 different IP addresses (say 66.100.100.10, 66.100.100.11, 66.100.100.12 and 66.100.100.13) that translate to different machines on the DMZ, do I still use X3 IP (well X2 IP in my case since the secondary is on X2), or do I have to put the public address in each NAT policy for each machine?
Cas KristCommented:
You have to put each public address in each NAT policy for each machine. So for 4 machines you get 12 NAT policies (4 * 3, inbound, outbound and loopback for each server).
When you run the wizard, the wizard asks for which public IP the rule is meant (with new firmware).
Hope this helps.

richvdollAuthor Commented:
Thanks.  This is what I have been doing.  I will talk to them and get them to upgrade the firmware.  
richvdollAuthor Commented:
Just an update.  Found out after all of my checking that I had missed something.  Another person had started this install and I made the huge mistake of assuming everything was addressed correctly.  Turns out that he had an incorrect subnet on X2.  I changed that and re-addressed the IP of X2 to the number it should be and everything started working.
Cas KristCommented:
Good for you, thanks for the points.
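The two things this thread turned on were the per-server policy set Cas Krist describes (loopback, outbound and inbound NAT for every public/private pair, so 4 servers give 12 policies) and the root cause richvdoll found at the end (a wrong subnet on the X2 interface, which no amount of NAT work could fix). The script below is an added example, not code from the thread or from SonicWALL: it models the three policies in the field layout richvdoll posted, and runs the pre-flight check that would have caught the X2 subnet mistake before the NAT and access rules were touched. All addresses, the /25 mask (inferred from "a block of 128 IPs on X2") and the DMZ /24 are constructed sample values; the function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample addressing. The thread masks its real ranges as
# 66.100.x.x and 10.10.x.x; only 66.100.200.150 / 10.10.200.150 appear there.
ISP_BLOCK_X2 = "66.100.200.128/25"      # the 128-address block the ISP routes to X2
DMZ_SUBNET_X4 = "10.10.200.0/24"        # assumed DMZ subnet on X4
X2_CORRECT = "66.100.200.129/25"        # interface address inside the ISP block
X2_WRONG = "66.100.200.129/24"          # hypothetical mistake: mask does not match the ISP block

# (public, private) pairs; the first pair is from the thread, the rest are constructed.
SERVERS: List[Tuple[str, str]] = [
    ("66.100.200.150", "10.10.200.150"),
    ("66.100.200.151", "10.10.200.151"),
    ("66.100.200.152", "10.10.200.152"),
    ("66.100.200.153", "10.10.200.153"),
]


def build_nat_policies(servers: List[Tuple[str, str]], wan_if: str = "X2",
                       service: str = "any") -> List[Dict[str, str]]:
    """Return the loopback, outbound and inbound NAT policy for each server,
    using the field names from the thread. Pass a real service group instead of
    "any" to keep the inbound policy narrow, as Cas Krist's screenshot does."""
    policies = []
    for public, private in servers:
        # Loopback: lets LAN hosts reach the server by its public address.
        policies.append({"kind": "loopback", "orig_src": "Firewalled Subnets",
                         "trans_src": public, "orig_dst": public, "trans_dst": private,
                         "orig_svc": service, "trans_svc": "original",
                         "inbound": "any", "outbound": "any"})
        # Outbound: the server leaves through the WAN interface as its public address.
        policies.append({"kind": "outbound", "orig_src": private, "trans_src": public,
                         "orig_dst": "Any", "trans_dst": "original",
                         "orig_svc": "any", "trans_svc": "original",
                         "inbound": "any", "outbound": wan_if})
        # Inbound: traffic from the internet to the public address reaches the DMZ host.
        policies.append({"kind": "inbound", "orig_src": "any", "trans_src": "original",
                         "orig_dst": public, "trans_dst": private,
                         "orig_svc": service, "trans_svc": "original",
                         "inbound": wan_if, "outbound": "any"})
    return policies


def check_wan_interface(wan_cidr: str, isp_block: str, servers: List[Tuple[str, str]],
                        dmz_subnet: str) -> List[str]:
    """Pre-flight checks to run before writing NAT policies. Returns a list of
    problems; an empty list means the addressing is consistent."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(wan_cidr)
    block = ipaddress.ip_network(isp_block)
    dmz = ipaddress.ip_network(dmz_subnet)

    # The mistake from the thread: the interface's network must be exactly the ISP block.
    if iface.network != block:
        problems.append(f"{wan_cidr}: interface network {iface.network} "
                        f"does not match ISP block {block}")

    seen = set()
    for public, private in servers:
        pub = ipaddress.ip_address(public)
        priv = ipaddress.ip_address(private)
        if pub not in block:
            problems.append(f"{public}: public address is outside ISP block {block}")
        if pub == iface.ip:
            problems.append(f"{public}: public address collides with the interface IP")
        if public in seen:
            problems.append(f"{public}: public address used for more than one server")
        seen.add(public)
        if priv not in dmz:
            problems.append(f"{private}: private address is outside DMZ subnet {dmz}")
    return problems


if __name__ == "__main__":
    for label, cidr in (("correct", X2_CORRECT), ("wrong", X2_WRONG)):
        found = check_wan_interface(cidr, ISP_BLOCK_X2, SERVERS, DMZ_SUBNET_X4)
        print(f"X2 {label}: {found or 'no problems'}")
    for p in build_nat_policies(SERVERS, service="web-services"):
        print(p["kind"], p["orig_src"], "->", p["trans_src"], "|", p["orig_dst"], "->", p["trans_dst"])
```

The check deliberately compares the interface's network to the ISP block rather than just testing that the public addresses fall inside it: with a mask that is too wide (the `/24` above) every public address still looks "inside", which is why that kind of mistake survives a casual look at the NAT table.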