AFSTech asked:

SonicWall TZ190 - 2 District Offices - 1 Main Office

I am installing a TZ190 firewall and am having trouble.

We have one main office which uses 10.0.0.0
We have a District office using 192.168.1.0
and another district office using 192.168.2.0
 
Each site has its own external IP address

All sites are connected together with a Cisco router and VLANs, so that all the sites meet at the router.
The internet is put through the firewall, and then both plug into the switches.


Both the router and the firewall plug into the internet box from Ontera, so that the router has an external IP of .194, the firewall has .195,
and the district sites have .196 and .197.



So, right now I have things working a little bit: the NAT for our webmail server, the internet for the main office, but...

the district offices do not have internet. I think it has to do with IP spoofing: since the IP addresses are on a different network (192.168.0.0), the firewall thinks they are spoofed, because the main office is on 10.0.0.0.


This is majorly confusing, but if anyone can give me some hints for the SonicWall TZ190 in this situation, even which feature I should use, i.e. NAT, routing or address objects, I would appreciate it.

I thought I was a pretty smart IT guy until I tried to set this firewall up...

Kevin
Hardware Firewalls

digitap

Need a little clarification.  I don't understand how there is only one Cisco router when all sites converge AND each site has its own external IP address.  If each has its own external IP, then each would have its own firewall and each would establish a VPN back to the main site, right?  Where does the SonicWall fit into all of this?  Are all sites getting Internet access from the SonicWall?  Does each site have its own internet connection?  Does the SonicWall know about each network?
AFSTech

ASKER
All sites are getting internet through the main site.  The sites are connected with VLAN connections from Ontera; the router brings them together at the main site.
It's weird: there is one amc box, a tiny little demarc, that gives us our connections.  We have a 100 Mb VLAN to the Ontera core, a 4 Mb Internet connection, 10 Mb to one district office and another 10 Mb to the other district office, and a bunch of static IP addresses.
The way it's been set up is that the router plugs into one port, the firewall plugs into another and the video conference machine plugs into another.
Right now I am confused because we have external IP addresses .194 - .197.  I know that .196 and .197 are used for the video conference, and I know that right now, with the old firewall, if I go to .194 I can get the login screen of the old firewall, and if I telnet to .195 I get the router.  I think it's so that any communication between our districts stays within our network that we have the router and the firewall plugged into the demarc; I'm pretty sure that any time the districts access the internet they go through the router and then the firewall to get out.
 
I hope that you gain some more insight into my situation.  It's complicated, but I do have a diagram I could post; I'll put it at http://www.andsolutions.ca/afsnet.pdf
Thank you, Kev
digitap

I believe I understand.  Disregarding the technology used to connect the remote sites to HQ, we know that this is all routed within the internal network of the ISP.  I don't believe that traffic traverses the Internet.

I believe what you need to do is add a route for each remote site on the SonicWall.  Each route needs to be pointed to the Ontera.  I think the SonicWall believes those IPs are being spoofed because it doesn't know about those networks.  Adding the routes should remedy that.  Are those routes there now?
AFSTech

ASKER
No, I have not used the Routes part of the SonicWall at all.  So I should use Route Policies?  What about Route Advertisement?
AFSTech

ASKER
Do I want to create a route policy like this:
Source: District Subnets
Destination: WAN Primary IP ?? (.194)
Service: Any
Gateway: Default (10.10.0.1 - Router's IP)
Interface: LAN
Metric: 1
Priority: 1
digitap

Yes.  Pick one of the networks receiving the spoof alerts and set up a route for that network.  See if the spoofs go away.
AFSTech

ASKER
Well, I tried a number of variations with the Route Policy and none seem to work.  I was not able to access the internet from the districts.  I changed the Destination for the route to Any, and the gateway to the router's external IP, and none of the changes had any effect.  Do I need Route Advertisement?  Is there something I could be missing here?
digitap

Sorry... you posted your last before I responded.  Let me get back to my computer.
digitap

OK... go to Network > Routing.  Configure it this way:
Source: Any
Destination: 192.168.1.0/24
Service: Any
Gateway: IP of the Ontera
Interface: X0
Leave the metric as is.  Is the LAN interface of the SonicWall on the IP network of 10.0.0.0?
AFSTech

ASKER
OK, I will try this.  The LAN interface of the SonicWall is 10.10.0.5, so yes.
The firewall has a gateway right now that is the internal IP of the router, 10.10.0.1.
When you say the IP of the Ontera, do you mean the external IP address that leads to the router, or the Internet IP address?
 
Thank you for all your help; I very much appreciate you working through this with me...
I am not sure that I can test the setting above until 4:30 today, as I took the network down yesterday and I should leave it up during the day today.
I would like to look at the settings from the old firewall that is in there now, but no one has the password, not Ontera and no one at the company... we have tried everything we could think of.  It's an old FortiGate, so I have to set the new firewall up the same way without looking at the settings; that's why we are doing this.
digitap

Ah... thanks for the extra information.  Typically, you can't just reset the password on a hardware appliance.  You end up resetting the whole appliance.  However, have you tried getting into the command line interface of the Fortinet?  The security is a little more relaxed, as it's typically harder to get into this than just pulling up the interface via IE or FF.  You might get access to the configuration.

Regarding the SonicWall, what I meant about the Ontera is the router that brings the remote sites and HQ together.  It would be the router that would know not only how but where to send traffic to the remote sites.  I think you said the remote sites and HQ directly converge onto the Ontera, is that correct?
AFSTech

ASKER
I have not tried the command line interface on the Fortinet firewall, because it was being replaced anyway.
The sites link together by being set up in the Cisco 2800 router as VLANs.
The gateway of the SonicWall is set to the IP of the router, 10.10.0.1, and it works for the main site like that.
 
So I will try your Route when the office clears out today and then hopefully get this working properly over the weekend.
digitap

If you have questions during that, post here.  My wife is going out with her girlfriends tonight so it will be me and the boy (son) at home.

What's the Ontera then?
AFSTech

ASKER
Sorry, Ontera is our Internet provider here; they give us the connections:
100 Mb VLAN to the Ontera Core
4 Mb Internet connection
10 Mb to one district office
10 Mb to the other district office
plus a 10 Mb connection to an office just down the street, but that office is on the same subnet, i.e. 10.11.0.0, so I have no problem there: the router has 255.0.0.0 as the netmask, and the firewall recognizes that it's in the same network and doesn't flag it as IP spoofing...
Once I get the other district offices accessing the internet through the main office, I will have to deal with some other issues, such as video conference paths and NAT paths to the web server(s), VPN and Remote Desktop.  For now, though, I just want to get the one problem fixed so that I can move on.
AFSTech

ASKER
Well, I have tried a number of routes and no luck; the log still says that IP spoofing is blocking the transaction.
It looks like this:
39 09/20/2010 20:23:41.448 Alert Intrusion Prevention IP spoof dropped 192.168.1.25, 55472, LAN 216.239.34.10, 53, WAN MAC address: 00:0c:30:25:6b:01  
I turned Intrusion Prevention off, which does not seem to have stopped the firewall from blocking these.  It is off for both interfaces, LAN and WAN.
Are you able to start troubleshooting this with me again?  I know that it's a complicated setup, but I can give you any information you need.
Kevin  
ASKER CERTIFIED SOLUTION
digitap

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
AFSTech

ASKER
This was exactly what I needed!  The first article led me to the KB article here: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3559
The article deals with setting up static routes where you have a different subnet behind a router, which is causing IP spoofing to be suspected.
I will now have to try and get the proper NAT connections happening for the video conference and web servers, but the main issue of district internet connectivity has been resolved.
Thank you,
K.
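The following is an added example, not code from the thread or from SonicWall: it models why the "IP spoof dropped" alert fires for 192.168.1.25 arriving on the LAN and why a static route for 192.168.1.0/24 via 10.10.0.1 on the LAN interface (X0) makes it stop. The anti-spoof test is modelled as a reverse-path lookup (is the route back to the source address out the interface the packet arrived on?), which is a simplification, not SonicOS's actual implementation. Assumptions are labelled in the code: the firewall's LAN is treated as 10.0.0.0/8 to match the 255.0.0.0 mask described for the router, the default route's gateway is a placeholder name because the ISP gateway is not given in the thread, zone names LAN/WAN stand in for interfaces X0/X1, and the sample log line is constructed in the same layout as the alert quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the same layout as the alert quoted in the thread
# (not copied from any real device log).
SAMPLE_LOG = (
    "39 09/20/2010 20:23:41.448 Alert Intrusion Prevention IP spoof dropped "
    "192.168.1.25, 55472, LAN 216.239.34.10, 53, WAN MAC address: 00:0c:30:25:6b:01"
)

# Field order in the alert: source IP, source port, source zone,
# destination IP, destination port, destination zone.
LOG_RE = re.compile(
    r"IP spoof dropped (?P<src>[\d.]+), (?P<sport>\d+), (?P<src_zone>\w+) "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dst_zone>\w+)"
)


def parse_spoof_alert(line: str) -> Optional[dict]:
    """Pull the addresses, ports and zones out of an 'IP spoof dropped' alert."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "src_zone": m.group("src_zone"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "dst_zone": m.group("dst_zone"),
    }


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    zone: str                # zone of the egress interface (assumption: LAN = X0, WAN = X1)
    gateway: Optional[str]   # None for a directly connected network


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the same decision a forwarding lookup makes."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def reverse_path_check(routes: List[Route], src_ip: str, arrival_zone: str) -> Tuple[bool, str]:
    """Simplified model of the anti-spoof test: a packet is accepted only when
    the route back to its source address leaves through the zone it arrived on."""
    route = lookup(routes, src_ip)
    if route is None:
        return False, "no route to source"
    if route.zone != arrival_zone:
        return False, (f"route to {src_ip} is via {route.zone} "
                       f"but the packet arrived on {arrival_zone}")
    return True, f"reverse path via {route.zone} matches arrival zone"


def base_routes() -> List[Route]:
    """Assumed starting table: the LAN network plus the default route.
    The /8 mirrors the 255.0.0.0 mask described for the Cisco router."""
    return [
        Route(ipaddress.IPv4Network("10.0.0.0/8"), "LAN", None),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "WAN", "isp-gateway"),  # placeholder name
    ]


def with_district_routes(routes: List[Route]) -> List[Route]:
    """The fix from the thread: a static route per district subnet, gateway =
    the internal router (10.10.0.1), out the LAN interface (X0)."""
    router = "10.10.0.1"
    return routes + [
        Route(ipaddress.IPv4Network("192.168.1.0/24"), "LAN", router),
        Route(ipaddress.IPv4Network("192.168.2.0/24"), "LAN", router),
    ]


def evaluate_alert(line: str, routes: List[Route]) -> Tuple[bool, str]:
    """Re-run the anti-spoof decision for a logged packet against a route table."""
    alert = parse_spoof_alert(line)
    if alert is None:
        raise ValueError("not an IP spoof alert")
    return reverse_path_check(routes, alert["src"], alert["src_zone"])


if __name__ == "__main__":
    for label, table in (("without district routes", base_routes()),
                         ("with district routes", with_district_routes(base_routes()))):
        ok, why = evaluate_alert(SAMPLE_LOG, table)
        print(f"{label}: {'pass' if ok else 'DROP'} ({why})")
```

Without the district routes, 192.168.1.25 matches only the default route, whose egress is the WAN, so a packet carrying that source on the LAN fails the check; with the /24 pointed at 10.10.0.1 on X0 it passes. The same logic explains why the 10.11.0.0 office never tripped the alert (it falls inside the LAN /8) and why the check has to be satisfied for every subnet that sits behind the internal router, including anything later added for the video conference paths. The model also shows the check is a routing decision rather than a signature, which is why it is independent of the Intrusion Prevention setting.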
AFSTech

ASKER
Thank you for knowing where to look.
digitap

You're welcome!  Thanks for the points!  I don't get notifications of new SonicWall questions.  If you have challenges with the NAT stuff and open a new question, post to this one so I get notified.  Again, thanks for the points!