Solved

Sonicwall TZ 210 - Need to configure several public IP's for use - How is this possible?

Posted on 2010-09-10
5,762 Views
Last Modified: 2013-11-16
We're moving from ISA 2006 to a SonicWall TZ 210. I'm starting to work through the configurations but I'm stuck. We have about 30 static IPs that we need to set up, but I don't know how with this new device.

Thanks!
Question by:dsmjeff
 
LVL 6

Accepted Solution

by:
caskrist earned 250 total points
The simplest way to achieve this is to use the Public Server Wizard. If you really don't like wizards you have to do it with 'NAT policies' (found under 'Network').
What the Public Server Wizard does is create three NAT policies for you, and it also creates a firewall rule.
(The three NAT policies are for 1) inbound traffic, 2) outbound traffic and 3) a loopback policy.)

Just run the Public Server Wizard and see what it does.
 
LVL 6

Expert Comment

by:caskrist
An example of the three policies:
1 = loopback policy (what the SonicWall has to do when an internal client wants to access the local server with its public IP)
2 = outbound policy (makes sure that the public server uses the correct public IP)
3 = inbound policy, which translates the public IP to the private IP

3NAT-policies.png
 
LVL 16

Assisted Solution

by:ccomley
ccomley earned 125 total points
Caskrist - sorry - but the Public Server Wizard will create 1:Many NAT rules using the WAN IP address only.

To set up full 1:1 mappings you need to do it by hand.

Steps are:-

1) Give each device on the LAN that you need to have a public address a Network Object "Host" name. e.g. "MailServerLAN = 192.169.1.44"
2) Give each public address that you want to map a Network Object "Host" name. e.g. "MailServerPublic = 212.123.12.82". These of course must be chosen from the range of public IP addresses available on your WAN network as supplied by your ISP.
3) Now create an "IN" and an "OUT" NAT mapping to connect these two. By and large you should map "any" protocol to "original", i.e. unless you WANT to re-map port addresses, just map IP and leave services unaffected.

e.g.

Source - Original = MailSvrLAN
Source - Translated = MailSvrPub
Dest - Original = Any
Dest - Translated = Original

for the outbound mapping and

Source - Original = Any
Source - Translated = Original
Dest - Original = MailSvrPub
Dest - Translated = MailSvrLAN

for the inbound.

 
LVL 6

Expert Comment

by:caskrist
No, with the wizard you can give an alternate public IP address, see the screenshot of the wizard.

server-wizard.png
 
LVL 33

Assisted Solution

by:digitap
digitap earned 125 total points
@ccomley :: caskrist is accurate. Running the Public Server Wizard can be done for each public IP that needs to "map" to an internal server. An address object for each public IP address would be needed and referenced during the wizard.
 
LVL 6

Expert Comment

by:caskrist
Thanks, but as you can see you can enter an IP address in the wizard. The wizard creates the address object.

But either way, even when the wizard doesn't ask for the external IP (with older firmware), it is easier to change the policies created by the wizard than to create them yourself (for new SonicWall admins).

In my example of the policies you can change 'X1 IP' to an address object which has the external IP. (Don't forget the firewall rule.)
 
LVL 33

Expert Comment

by:digitap
Yes... I think that's what I meant. The wizard would create it. Thanks for the clarification.
 
LVL 16

Expert Comment

by:ccomley
Sorry guys - the "wizard" has clearly been upgraded since I last used it!!! :-)

 
LVL 6

Expert Comment

by:caskrist
No problem, thanks to you all I am learning every day about SonicWall.
 

Author Comment

by:dsmjeff
Thanks all for the input.

I have been working this weekend on setting up all of our rules. I ran into a few other snags. For example -
(We host about 15 Mail Domains, all of which have their own IP)
1 - Using the wizard, when I change the IP address to the domain I'm setting up, the wizard makes the changes, but the subnet is not correct. It is setting up the subnet to be 255.255.255.255 and it should be 255.255.255.192. Short of changing each rule, what could I do? The Network Settings on the WAN are correct.

2 - Working on getting the SSL certs in for each domain. Is there a best practice or wizard?

Thanks again!
 
LVL 16

Expert Comment

by:ccomley
If you have that many I would *deffo* skip the wizard and get the hang of doing it by hand!!

Start with the Object Names. Create two HOST type objects for each server, one for its LAN address and one for the public IP you wish it to map to.

Create a Service Group containing all the services you expect to use with them (SMTP, POP, IMAP, possibly HTTP and HTTPS).

Create In and Out rules as per my earlier description.

DON'T FORGET you ALSO need to create a PERMIT rule on the Firewall WAN-to-LAN grid - just setting up the NAT mapping does NOT do this!!!

NOTE THAT the wizard is setting the subnet to 255.255.255.255 coz you are dealing with a SINGLE IP address, not a range of addresses, when you set up a mapping like that. It's not wrong!
 
LVL 33

Expert Comment

by:digitap
When you've already got the rules set up, the rules will reference an address object. You'll want to give each address object a unique name so you'll know which one is associated with the proper rule. Then, simply modify the address object. This will update each firewall access rule and NAT rule.
 
LVL 6

Expert Comment

by:caskrist
I think, but I'm not sure, that the certs should be created on the servers and for the servers, not the SonicWall.
 

Author Comment

by:dsmjeff
SSL - Currently we use ISA 2006 Enterprise. On this setup, we have the SSL cert on the Mail Server, then we have to export it to the ISA box as a PFX file. ISA accepts it into the rule, then it starts accepting traffic. Without the 2nd piece (ISA/PFX), the rule doesn't allow SSL. I see in the settings there are SSL Control and other SSL settings, but I wanted to get a consensus on the 'best practices'.

ccomley: With regards to setting up NAT 1:1 - I noticed I can only have 512? or 514 entries. Is there a way to just set up a rule allowing all IPs to accept SMTP, POP and IMAP? This would cut quite a few rules. And this is how I had it set up on ISA (right or wrong, I'm not sure).
 
LVL 16

Expert Comment

by:ccomley
caskrist is right - the SSL certs for HTTPS use should be installed on the web server(s). The only reason to put an SSL cert on the SonicWall would be to use SSL based VPN type stuff...


WRT rules, yes of course. You can create a Network Object which is a *range* of IP address(es), you can create Group Objects which contain multiple individual objects, and you can create a single rule for the group. So for example, if

MailServer1 = 192.168.1.10
MailServer2 = 192.168.1.20
MailServer3 = 192.168.1.21
MailServer4 = 192.168.1.22

You would already have, for your NAT mappings, a "host" object for each. Now you can add

ServerRange1 = 192.168.1.20 through 192.168.1.22 (Range)

And then

ServerGroup = MailServer1Lan, ServerRange1, (plus any others)

And if you have the SERVICE group I suggested above, say

MailServices = POP+IMAP+SMTP+HTTP+HTTPS


And create a single WAN to LAN rule which says

Source = any
Dest = ServerGroup
Service = MailServices
Permit

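To make the object model in the last two ccomley comments concrete, here is an added example (not part of the original thread, and not SonicOS code or the poster's configuration). It models Host, Range and Group address objects, a Service Group, and the single WAN-to-LAN Permit rule above, then evaluates sample packets against it. The object names and LAN addresses are the ones ccomley used; the WAN source 203.0.113.9 and the first-match, default-deny evaluation are constructed simplifications and do not reproduce SonicOS's exact evaluation order. The `permitted_services` helper is an audit check a practitioner would want: it lists exactly which services a given LAN address is reachable on from the WAN, which is the least-privilege question to ask before adding ports to the group.

```python
"""Constructed model of SonicWall-style address objects, a service group and
one WAN-to-LAN access rule. Added example; not SonicOS code."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Host:
    """Address object of type Host: exactly one IP."""
    name: str
    ip: str

    def contains(self, ip):
        return ip_address(ip) == ip_address(self.ip)


@dataclass(frozen=True)
class Range:
    """Address object of type Range: first..last inclusive."""
    name: str
    first: str
    last: str

    def contains(self, ip):
        return ip_address(self.first) <= ip_address(ip) <= ip_address(self.last)


@dataclass(frozen=True)
class Group:
    """Address group: matches if any member matches."""
    name: str
    members: tuple

    def contains(self, ip):
        return any(m.contains(ip) for m in self.members)


class AnyAddress:
    name = "Any"

    def contains(self, ip):
        return True


ANY = AnyAddress()


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int

    def matches(self, proto, port):
        return (proto, port) == (self.proto, self.port)


@dataclass(frozen=True)
class ServiceGroup:
    name: str
    members: tuple

    def matches(self, proto, port):
        return any(s.matches(proto, port) for s in self.members)


@dataclass(frozen=True)
class AccessRule:
    zones: str        # e.g. "WAN->LAN"
    source: object
    dest: object
    service: object
    action: str       # "permit" or "deny"


def evaluate(rules, zones, src_ip, dst_ip, proto, port):
    """First matching rule decides; with no match the model denies, which is
    the firewall's default for traffic arriving from the WAN zone."""
    for r in rules:
        if (r.zones == zones and r.source.contains(src_ip)
                and r.dest.contains(dst_ip) and r.service.matches(proto, port)):
            return r.action, r
    return "deny", None


def permitted_services(rules, zones, dst_ip):
    """Audit helper: names of every service a permit rule exposes for dst_ip."""
    names = set()
    for r in rules:
        if r.action == "permit" and r.zones == zones and r.dest.contains(dst_ip):
            members = getattr(r.service, "members", (r.service,))
            names.update(s.name for s in members)
    return sorted(names)


# Constructed objects, mirroring the naming scheme used in the thread.
MAIL_SERVER1 = Host("MailServer1Lan", "192.168.1.10")
SERVER_RANGE1 = Range("ServerRange1", "192.168.1.20", "192.168.1.22")
SERVER_GROUP = Group("ServerGroup", (MAIL_SERVER1, SERVER_RANGE1))
MAIL_SERVICES = ServiceGroup("MailServices", (
    Service("SMTP", "tcp", 25), Service("POP3", "tcp", 110),
    Service("IMAP", "tcp", 143), Service("HTTP", "tcp", 80),
    Service("HTTPS", "tcp", 443)))

# One WAN-to-LAN permit rule covers every server in the group for every service
# in the group and nothing else; a NAT mapping by itself permits nothing here.
RULES = [AccessRule("WAN->LAN", ANY, SERVER_GROUP, MAIL_SERVICES, "permit")]

if __name__ == "__main__":
    for dst, port in (("192.168.1.21", 25), ("192.168.1.21", 3389), ("192.168.1.30", 25)):
        print(dst, port, evaluate(RULES, "WAN->LAN", "203.0.113.9", dst, "tcp", port)[0])
    print(permitted_services(RULES, "WAN->LAN", "192.168.1.10"))
```

Run as a script it prints permit for SMTP to a server inside the range, deny for a port not in MailServices (3389) and deny for a LAN address outside ServerGroup; the last line lists the five exposed services for MailServer1. Adding a port to the service group widens exposure for every member of the address group at once, which is the trade-off of the single-rule approach.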
 

Author Comment

by:dsmjeff
Do you guys know of a resource book available? For example, with ISA I had Tom Schneider's books.

Thanks
 

Author Comment

by:dsmjeff
Another question - (sorry for so many questions!)

Since we have several different mail domains, all of them share port 443 on the Internet, but coming into the Mail Server (IIS 6) I had to change the ports. Domain A uses 443, Domain B uses 444, Domain C uses 445, etc.

On ISA I set it up so the requests come in on 443 then forward to port 445, 446, etc. How do I do this on SonicWall?

Thanks again!
 
LVL 6

Expert Comment

by:caskrist
Also with the NAT policies.
 
LVL 16

Expert Comment

by:ccomley
If each server has its own private IP address then you don't need to worry about mapping ports. Just include all the ports that MIGHT be used by a session in the Service Group. You may first need to create an actual Service for non-standard port numbers.

So 443 is already set up. Create services thus:
445 = SecureMail5
446 = SecureMail6
(etc)

Now just add the new services to the existing MailServices service group, and traffic on those ports will automatically be permitted by the existing rule. (Assuming you already created the Permit rule to allow MailServices traffic in.)

 

Author Comment

by:dsmjeff
Sorry, I wasn't clear.

We have one primary Mail Server. However, each client accesses Web Mail via HTTPS.

So currently ISA takes the different public static IPs and turns them into the private LAN IP and also converts each domain to the SSL port that the Mail Server is looking for - 443/444/445/etc.

I'm poking around in the NAT and am unsure how to change the ports on the inside still. I set this up using the wizards for simplicity's sake, but also plan to do it manually now that I am starting to understand what the unit is looking for; however I still don't know how to turn those HTTPS connections into different ports.

Thanks all!
 
LVL 6

Expert Comment

by:caskrist
In the NAT policies you have an 'original service' and a 'translated service'; that's what you are looking for.
 

Author Comment

by:dsmjeff
If I'm thinking through this correctly, if I make a new service that uses port 448 for example - and then go into NAT Policies and change the Translated service to the new service 448, that should translate it from 443 to 448, correct?

Thanks
 
LVL 6

Expert Comment

by:caskrist
Yes, that should be it, but keep in mind you have three policies. For the inbound policy traffic comes in at 443 at the SonicWall and you want to redirect it to port 448 on your server. But for the outbound rule I think it should be the other way around. Your server responds with traffic on port 448 outbound, so the SonicWall should also translate that to 443.
 
LVL 16

Expert Comment

by:ccomley
Ah yes - if you have ONE server listening only on port 443 but you wish to present *different* ports to the outside world, then you also need to do PORT TRANSLATION in the NAT table.

To do this it's the same basic idea as doing IP translation. Create services thus:-

SecHTTP1 = 444
SecHTTP2 = 445
SecHTTP3 = 446
etc
(You don't need to create one for 443 - it's there by default, called "HTTPS")

Then on the INBOUND NAT map rule for each "server" where it says "Services" instead of Original=Any put Original=(as above) and instead of "translated=original" put "translated=HTTPS". Similarly on the OUTBOUND NAT rule for each server, put Services, Original=HTTPS, Translated=(as above). Just make sure you match the correct SecHTTPx entry with the matching public IP entry, or you'll get very odd results!!
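The three-policy structure caskrist described at the top of the thread (inbound, outbound, loopback), caskrist's point that the outbound policy must reverse the inbound port mapping, and ccomley's SecHTTPx port-translation scheme all come together in the following added example (not code from the thread or from SonicWall). It models a NAT policy table as the posters describe it and walks constructed packets through it: a WAN client reaching a public IP on 443 lands on the server's 444 or 445, the server's reply is rewritten back to the public IP and 443, and a LAN client using the public IP is handled by the loopback policy. The table uses the poster's direction (443 outside, 444/445 on the one IIS server); ccomley's reverse case uses the same fields with the services swapped. `check_symmetry` is the check ccomley's last sentence calls for: it flags any inbound policy whose outbound counterpart does not exactly reverse it. Address values, the 192.168.1.0/24 LAN, and the "first policy in list order wins" matching are constructed assumptions, not SonicOS behaviour.

```python
"""Constructed model of the NAT policy table described in this thread: one
inbound, one outbound and one loopback policy per published server, with
optional service (port) translation. Added example, not SonicOS code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = "any"            # matches everything
ORIGINAL = "original"  # translated field set to "Original": leave the value unchanged


@dataclass(frozen=True)
class NatPolicy:
    name: str
    direction: str      # "in" (WAN->LAN), "out" (LAN->WAN) or "loopback" (LAN->LAN)
    src_orig: str
    src_xlat: str
    dst_orig: str
    dst_xlat: str
    svc_orig: object = ANY       # port number or ANY
    svc_xlat: object = ORIGINAL  # port number or ORIGINAL


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _match(value, wanted):
    if wanted == ANY:
        return True
    if isinstance(wanted, str) and "/" in wanted:   # address object of type Network
        return ip_address(value) in ip_network(wanted)
    return value == wanted


def _xlat(value, new):
    return value if new == ORIGINAL else new


def apply_nat(policies, pkt):
    """First matching policy wins (list order stands in for the policy order).
    Returns (rewritten packet, policy name) or (unchanged packet, None)."""
    for p in policies:
        if p.direction != pkt.direction:
            continue
        if p.direction == "out":
            # Outbound: the server's own source address/port is what gets rewritten.
            if (_match(pkt.src_ip, p.src_orig) and _match(pkt.src_port, p.svc_orig)
                    and _match(pkt.dst_ip, p.dst_orig)):
                return replace(pkt, src_ip=_xlat(pkt.src_ip, p.src_xlat),
                               src_port=_xlat(pkt.src_port, p.svc_xlat)), p.name
        elif (_match(pkt.src_ip, p.src_orig) and _match(pkt.dst_ip, p.dst_orig)
                and _match(pkt.dst_port, p.svc_orig)):
            # Inbound and loopback: the public destination address/port is rewritten;
            # loopback also rewrites the source so the server answers via the firewall.
            return replace(pkt, src_ip=_xlat(pkt.src_ip, p.src_xlat),
                           dst_ip=_xlat(pkt.dst_ip, p.dst_xlat),
                           dst_port=_xlat(pkt.dst_port, p.svc_xlat)), p.name
    return pkt, None


def publish_server(name, public_ip, private_ip, public_port=ANY,
                   private_port=ORIGINAL, lan="192.168.1.0/24"):
    """The three policies for one server; a non-ORIGINAL private_port adds the
    port translation. The outbound policy reverses the inbound mapping."""
    out_svc = (ANY, ORIGINAL) if private_port == ORIGINAL else (private_port, public_port)
    return [
        NatPolicy(f"{name}-in", "in", ANY, ORIGINAL, public_ip, private_ip, public_port, private_port),
        NatPolicy(f"{name}-out", "out", private_ip, public_ip, ANY, ORIGINAL, *out_svc),
        NatPolicy(f"{name}-loopback", "loopback", lan, public_ip, public_ip, private_ip,
                  public_port, private_port),
    ]


def check_symmetry(policies):
    """Names of inbound policies that no outbound policy exactly reverses: the
    mismatched SecHTTPx mistake the thread warns about."""
    outs = {(p.src_orig, p.src_xlat, p.svc_orig, p.svc_xlat)
            for p in policies if p.direction == "out"}
    bad = []
    for p in policies:
        if p.direction != "in":
            continue
        svc = (ANY, ORIGINAL) if p.svc_xlat == ORIGINAL else (p.svc_xlat, p.svc_orig)
        if (p.dst_xlat, p.dst_orig) + svc not in outs:
            bad.append(p.name)
    return bad


# Constructed table: two mail domains on two public IPs, one IIS server that
# listens on 444 and 445 (SecHTTP1/SecHTTP2 in ccomley's naming).
POLICIES = (publish_server("DomainA", "212.123.12.82", "192.168.1.44", 443, 444)
            + publish_server("DomainB", "212.123.12.83", "192.168.1.44", 443, 445))


def mismatched_example():
    """Same table, but DomainA's outbound policy was given DomainB's port."""
    wrong = [replace(p, svc_orig=445) if p.name == "DomainA-out" else p for p in POLICIES]
    return check_symmetry(wrong)
```

Walking a packet for DomainB through `apply_nat` gives `Packet("in", "203.0.113.9", 51000, "192.168.1.44", 445)`, the server's reply from 192.168.1.44:445 comes back as 212.123.12.83:443, and a LAN client at 192.168.1.55 talking to 212.123.12.82:443 is redirected to 192.168.1.44:444 with its source rewritten to the public IP. `check_symmetry(POLICIES)` is empty for the correct table, while `mismatched_example()` returns `["DomainA-in"]`, which is the "very odd results" case caught before it reaches production: the reply for Domain A would leave on Domain B's public address.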
 
LVL 6

Expert Comment

by:caskrist
And, any luck?
 

Author Comment

by:dsmjeff
I got pulled away from it. I worked on it again this weekend. I'm hoping to put it into test later this week. I'll post back with results/questions.

Thanks!
 
LVL 6

Assisted Solution

by:caskrist
caskrist earned 250 total points
And, any luck? You've asked three questions so far, nothing solved yet?
 

Author Comment

by:dsmjeff
It is up and running. I was waiting to see if something broke to follow up on, but so far, so good. Thank you all for your help! Much appreciated!!

Jeff
 

Author Closing Comment

by:dsmjeff
Thanks all!
 
LVL 33

Expert Comment

by:digitap
thx for the pts!
