Solved

SonicWall TZ190 - 2 District Offices - 1 Main Office

Posted on 2010-09-09
19
825 Views
Last Modified: 2012-05-10
I am installing a TZ190 firewall and am having trouble.

We have one main office which uses 10.0.0.0
We have a District office using 192.168.1.0
and another district office using 192.168.2.0
 
Each site has its own external IP address

All sites are connected together with a CISCO router and VLANS, so that all the sites meet at the router.
The internet is put through the firewall and then both plug into the switches.


Both the router and firewall plug into the internet box from Ontera, so the router has an external IP of .194 and the firewall has .195;
the district sites have .196 and .197.



So, right now I have things working a little bit, the NAT for our webmail server, the internet for the main office, but...

the district offices do not have internet. I think it has to do with IP Spoofing: since the IP addresses are on a different network (192.168.0.0), the firewall thinks they are spoofed because the main office is (10.0.0.0).


This is majorly confusing, but if anyone can give me some hints for the SonicWall TZ190 in this situation.   Even what I should use, i.e., do I use NAT or Routing or address objects.

I thought I was a pretty smart IT guy until I tried to set this firewall up...

Kevin
0
Question by:AFSTech
19 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 33637899
Need a little clarification.  I don't understand how there is only one Cisco router when all sites converge AND each site has its own external IP address.  If each has its own external IP, then each would have their own firewall and each would establish a VPN back to the main site, right?  Where does the SonicWall fit into all of this?  Are all sites getting Internet access from the SonicWall?  Does each site have their own internet connection? Does the SonicWall know about each network?
0
 

Author Comment

by:AFSTech
ID: 33638729
All sites are getting internet through the main site.  The sites are connected with VLAN connections from Ontera; the router brings them together at the main site.  
It's weird: there is one AMC box, a tiny little demarc, that gives us our connections. We have a 100 Mb VLAN to the Ontera Core, a 4 Mb Internet connection, 10 Mb to one district office and another 10 Mb to the other district office, and a bunch of static IP addresses.  
The way it's been set up is that the router plugs into one port, the firewall plugs into another and the video conference machine plugs into another.  
Right now I am confused because we have external IP addresses .194 - .197. I know that .196 and .197 are used for the video conference, and I know that right now with the old firewall if I go to .194 I can get the login screen to the old firewall, and if I telnet to .195 I get the router. I think it's so that any communication between our districts stays within our network that we have the router and the firewall plugged into the demarc; I'm pretty sure that any time the districts access the internet they go through the router and then the firewall to get out.  
 
I hope that you gain some more insight into my situation. It's complicated, but I do have a diagram I could post; I'll put it at http://www.andsolutions.ca/afsnet.pdf
Thank you, Kev
0
 
LVL 33

Expert Comment

by:digitap
ID: 33638818
I believe I understand.  Disregarding the technology used to connect the remote sites to HQ, we know that this is all routed within the internal network of the ISP.  I don't believe that traffic traverses the Internet.

I believe what you need to do is add a route for each remote site on the SonicWall.  Each route needs to be pointed to the Ontera.  I think the SonicWall believes those IPs are being spoofed because it doesn't know about those networks.  Adding the routes should remedy that.  Are those routes there now?
0
 

Author Comment

by:AFSTech
ID: 33638857
No, I have not used the Routes part of the SonicWall at all.  So I should use Route Policies? What about Route Advertisement?
0
 

Author Comment

by:AFSTech
ID: 33638945
Do I want to create a route policy like this:
Source: District Subnets
Destination: WAN Primary IP ?? (.194)
Service: Any
Gateway: Default (10.10.0.1 - Router's IP)
Interface: LAN
Metric: 1
Priority: 1
0
 
LVL 33

Expert Comment

by:digitap
ID: 33639030
Yes.  Pick one of the networks receiving the spoofs and set up a route for that network.  See if the spoofs go away.
0
 

Author Comment

by:AFSTech
ID: 33639323
Well, I tried a number of variations with the Route Policy and none seem to work.  I was not able to access the internet from the districts. I changed the Destination for the route to Any, and the gateway to the router's external IP, and none of the changes had any effect.  Do I need Route Advertisement? Is there something I could be missing here?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33639408
Sorry...you posted your last before I responded.  Let me get back to my computer.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33640519
OK...go to Network > Routing.  Configure it this way:
Source: Any
Destination: 192.168.1.0/24
Service: Any
Gateway: IP of the Ontera
Interface: X0
Leave the metric as is.  Is the LAN interface of the SonicWall on the IP network of 10.0.0.0?
0
 

Author Comment

by:AFSTech
ID: 33645957
OK, I will try this. The LAN interface of the SonicWall is 10.10.0.5, so yes.  
The firewall has a gateway right now that is the internal IP of the router, 10.10.0.1.
When you say the IP of Ontera, do you mean the external IP address that leads to the router or the Internet IP address?
 
Thank you for all your help, I very much appreciate you working through this with me...
I am not sure that I can test the setting above until 4:30 today, as I took the network down yesterday and I should leave it up during the day today.
I would like to look at the settings from the old firewall that is in there now, but no one has the password, not Ontera and no one at the company... we have tried everything we could think of.... It's an old FortiGate, so I have to set the new firewall up the same way without looking at the settings; that's why we are doing this.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33646482
Ah...thanks for the extra information.  Typically, you can't just reset the password on a hardware appliance.  You end up resetting the whole appliance.  However, have you tried getting into the command line interface of the Fortinet?  The security is a little more relaxed, as it's typically harder to get into this than just pulling up the interface via IE or FF.  You might get access to the configuration.

Regarding the SonicWall, what I meant about the Ontera is the router that brings the remote sites and HQ together.  It would be the router that would know not only how but where to send traffic to the remote sites.  I think you said the remote sites and HQ directly converge onto the Ontera, is that correct?
0
 

Author Comment

by:AFSTech
ID: 33646806
I have not tried the command line interface on the Fortinet firewall because it was being replaced anyway.  
The sites link together by being set up in the Cisco 2800 router as VLANs.
The gateway of the SonicWall is set to the IP of the router, 10.10.0.1, and it works for the main site like that.  
 
So I will try your Route when the office clears out today and then hopefully get this working properly over the weekend.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33646890
If you have questions during that, post here.  My wife is going out with her girlfriends tonight so it will be me and the boy (son) at home.

What's the Ontera then?
0
 

Author Comment

by:AFSTech
ID: 33647234
Sorry, Ontera is our Internet provider here; they give us the connections:
100 Mb VLAN to the Ontera Core
4 Mb Internet connection
10 Mb to one district office
10 Mb to the other district office
plus a 10 Mb connection to an office just down the street, but that office is on the same subnet, i.e. 10.11.0.0, so I have no problem because the router has 255.0.0.0 as the netmask and it recognizes that it's in the same network and doesn't flag it as IP spoofing...
Once I get the other district offices accessing the internet through the main office, I will have to deal with some other issues such as video conference paths and NAT paths to the web server(s), VPN and Remote Desktop.  For now though I just want to get the one problem fixed so that I can move on.  
0
 

Author Comment

by:AFSTech
ID: 33725313
Well, I have tried a number of routes and no luck; the log still says that IP Spoofing is blocking the transaction.
It looks like this:
39 09/20/2010 20:23:41.448 Alert Intrusion Prevention IP spoof dropped 192.168.1.25, 55472, LAN 216.239.34.10, 53, WAN MAC address: 00:0c:30:25:6b:01  
I turned Intrusion Prevention off, which does not seem to have stopped the IP spoof check from blocking these.  It is off for both interfaces, LAN and WAN.
Are you able to start troubleshooting this with me again? I know that it's a complicated setup, but I can give you any information you need.
Kevin  
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 33725578
Sure...communication will be spotty as I'm at work, but we can pick this up again.  I'm about to leave a client site and move on to another.  Here are some troubleshooting ideas until I can get back to my computer:

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8007
0
 

Author Comment

by:AFSTech
ID: 33726710
This was exactly what I needed!  The first article led me to the KB article here: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3559
The article deals with setting up static routes where you have a different subnet behind a router, which is causing IP Spoofing to be suspected.
I will now have to try and get the proper NAT connections happening for video conference and web servers, but the main issue of district internet connectivity has been resolved.
Thank you,
K.
0
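As an added illustration (not code from the thread, the SonicWall KB article, or SonicOS itself), the following Python model shows why the "IP spoof dropped" alert quoted above fires and why the static routes from the accepted answer stop it. The check modelled here is a simplified reverse-path test: a source address arriving on an interface is only plausible if the firewall's own routing table would send traffic back to that address out the same interface. The routing table, interface names and the second and third log lines are constructed for the example; the LAN being 10.0.0.0/8 (matching the router's 255.0.0.0 mask) and the WAN gateway 203.0.113.1 are assumptions, since the thread gives neither.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the alert line quoted in the thread, a second one for the
# other district subnet, and one for a packet that really does arrive on the wrong side.
SAMPLE_LOG = [
    "39 09/20/2010 20:23:41.448 Alert Intrusion Prevention IP spoof dropped "
    "192.168.1.25, 55472, LAN 216.239.34.10, 53, WAN MAC address: 00:0c:30:25:6b:01",
    "40 09/20/2010 20:23:42.101 Alert Intrusion Prevention IP spoof dropped "
    "192.168.2.40, 50123, LAN 216.239.34.10, 53, WAN MAC address: 00:0c:30:25:6b:01",
    "41 09/20/2010 20:23:43.507 Alert Intrusion Prevention IP spoof dropped "
    "10.10.0.50, 44000, WAN 10.10.0.5, 443, LAN MAC address: 00:0c:30:25:6b:02",
]

# Field order as it appears in the alert: src ip, src port, ingress zone,
# dst ip, dst port, egress zone.
ALERT_RE = re.compile(
    r"IP spoof dropped (?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+)"
)


def parse_spoof_alert(line: str) -> Optional[dict]:
    """Return the fields of an 'IP spoof dropped' alert, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]), "src_if": m["sif"],
            "dst": m["dst"], "dport": int(m["dport"]), "dst_if": m["dif"]}


@dataclass(frozen=True)
class Route:
    dest: str                      # network in CIDR form, e.g. "192.168.1.0/24"
    interface: str                 # zone the route points out of (LAN is X0, WAN is X1)
    gateway: Optional[str] = None  # None means directly connected


def lookup(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, the way a forwarding table picks a route."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.dest)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def is_spoofed(table: List[Route], src: str, ingress: str) -> bool:
    """Simplified anti-spoof test: the route back to src must leave via the ingress zone."""
    r = lookup(table, src)
    return r is None or r.interface != ingress


def audit_log(lines: List[str], table: List[Route]) -> List[tuple]:
    """Return the (src, ingress) pairs the given table would still drop as spoofed."""
    dropped = []
    for line in lines:
        a = parse_spoof_alert(line)
        if a and is_spoofed(table, a["src"], a["src_if"]):
            dropped.append((a["src"], a["src_if"]))
    return dropped


# Routing table as the thread describes it before the fix. Assumptions: LAN (X0) is
# 10.0.0.0/8 to match the router's 255.0.0.0 mask; 203.0.113.1 is a placeholder WAN gateway.
BEFORE = [
    Route("10.0.0.0/8", "LAN"),
    Route("0.0.0.0/0", "WAN", gateway="203.0.113.1"),
]

# Static routes per the accepted answer: each district subnet reached via the Cisco
# router's internal IP 10.10.0.1 on X0/LAN, so replies to those subnets leave via LAN.
AFTER = BEFORE + [
    Route("192.168.1.0/24", "LAN", gateway="10.10.0.1"),
    Route("192.168.2.0/24", "LAN", gateway="10.10.0.1"),
]

if __name__ == "__main__":
    print("dropped before fix:", audit_log(SAMPLE_LOG, BEFORE))
    print("dropped after fix: ", audit_log(SAMPLE_LOG, AFTER))
```

Before the routes exist, 192.168.1.25 matches only the default route, whose egress is WAN, so a packet from it arriving on LAN fails the check; with the /24 routes in place the longest match points back out LAN and the district traffic passes. The third constructed line (a 10.x source arriving on WAN) is still dropped afterwards, which is the behaviour you want to keep: the fix is to teach the firewall about the subnets behind the router, not to disable the spoof check.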
 

Author Closing Comment

by:AFSTech
ID: 33726718
Thank you for knowing where to look.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33726876
You're welcome!  Thanks for the points!  I don't get notifications of new SonicWall questions.  If you have challenges with the NAT stuff and open a new question, post to this one so I get notified.  Again, thanks for the points!
0
