SonicWall TZ 210 - Need to configure several public IPs for use - How is this possible?

We're moving from ISA 2006 to a SonicWall TZ 210. I'm starting to work through the configurations but I'm stuck. We have about 30 static IPs that we need to set up, but I don't know how with this new device.

Thanks!
dsmjeff Asked:
Cas Krist Commented:
The most simple way to achieve this is to use the public server wizard. If you really don't like the wizard you have to do it with 'NAT policies' (found under 'Network').
What the public server wizard does is create three NAT policies for you, and it also creates a firewall rule.
(The three NAT policies are for 1) inbound traffic, 2) outbound traffic and 3) a loopback policy.)

Just run the public server wizard and see what it does.
0
 
Cas Krist Commented:
An example of the three policies:
1 = loopback policy (what the SonicWall has to do when an internal client wants to access the local server with its public IP)
2 = outbound policy (makes sure that the public server uses the correct public IP)
3 = inbound policy, which translates the public IP to the private IP

3NAT-policies.png
0
 
ccomley Commented:
Caskrist - sorry - but the Public Server Wizard will create 1:Many NAT rules using the WAN IP address only.

To set up full 1:1 mappings you need to do it by hand.

Steps are:-

1) Give each device on the LAN that you need to have a public address a Network Object "Host" name, e.g. "MailServerLAN = 192.169.1.44".
2) Give each public address that you want to map a Network Object "Host" name, e.g. "MailServerPublic = 212.123.12.82". These of course must be chosen from the range of public IP addresses available on your WAN network as supplied by your ISP.
3) Now create an "IN" and an "OUT" NAT mapping to connect these two. By and large you should map "any" protocol to "original", i.e. unless you WANT to re-map port addresses, just map IP and leave services unaffected.

e.g.

Source - Original = MailSvrLAN
Source - Translated = MailSvrPub
Dest - Original = Any
Dest - Translated = Original

for the outbound mapping and

Source - Original = Any
Source - Translated = Original
Dest - Original = MailSvrPub
Dest - Translated = MailSvrLAN

for the inbound.

0

 
Cas Krist Commented:
No, with the wizard you can give an alternate public IP address, see the screenshot of the wizard.

server-wizard.png
0
 
digitap Commented:
@ccomley :: caskrist is accurate. Running the Public Server Wizard can be done for each public IP that needs to "map" to an internal server. An address object for each public IP address would be needed and referenced during the wizard.
0
 
Cas Krist Commented:
Thanks, but as you can see you can enter an IP address in the wizard. The wizard creates the address object.

But either way, even when the wizard doesn't ask for the external IP (with older firmware), it is easier to change the policies created by the wizard than to create them yourself (for new SonicWall admins).

In my example of the policies you can change 'X1 IP' to an address object which has the external IP. (don't forget the firewall rule).
0
 
digitap Commented:
Yes... I think that's what I meant. The wizard would create it. Thanks for the clarification.
0
 
ccomley Commented:
Sorry guys - the "wizard" has clearly been upgraded since I last used it!!! :-)

0
 
Cas Krist Commented:
No problem, thanks to you all I am learning every day about Sonicwall.
0
 
dsmjeff Author Commented:
Thanks all for the input.

I have been working this weekend on setting up all of our rules. I ran into a few other snags. For example -
(We host about 15 mail domains, all of which have their own IP.)
1 - Using the wizard, when I change the IP address to the domain I'm setting up, the wizard makes the changes, but the subnet is not correct. It is setting up the subnet to be 255.255.255.255 and it should be 255.255.255.192. Short of changing each rule, what could I do? The Network Settings on the WAN are correct.

2 - Working on getting the SSL certs in for each domain. Is there a best practice or wizard?

Thanks again!
0
 
ccomley Commented:
If you have that many I would *deffo* skip the wizard and get the hang of doing it by hand!!

Start with the Object Names. Create two HOST type objects for each server, one for its LAN address and one for the public IP you wish it to map to.

Create a Service Group containing all the services you expect to use with them (SMTP, POP, IMAP, possibly HTTP and HTTPS).

Create In and Out rules as per my earlier description.

DON'T FORGET you ALSO need to create a PERMIT rule on the Firewall WAN-to-LAN grid - just setting up the NAT mapping does NOT do this!!!

NOTE THAT the wizard is setting the subnet to 255.255.255.255 coz you are dealing with a SINGLE IP address, not a range of addresses, when you set up a mapping like that. It's not wrong!
0
 
digitap Commented:
When you've already got the rules set up, the rules will reference an address object. You'll want to give each address object a unique name so you'll know which one is associated with the proper rule. Then, simply modify the address object. This will update each firewall access rule and NAT rule.
0
 
Cas Krist Commented:
I think, but I'm not sure, that the certs should be created on the servers on and for the servers, not the sonicwall.
0
 
dsmjeff Author Commented:
SSL - Currently we use ISA 2006 Enterprise. On this setup, we have the SSL cert on the Mail Server, then we have to export it to the ISA box as a PFX file. ISA accepts it into the rule, then it starts accepting traffic. Without the 2nd piece (ISA/PFX), the rule doesn't allow SSL. I see in the settings there are SSL Control and other SSL settings, but I wanted to get a consensus on the 'best practices'.

ccomley: With regards to setting up NAT 1:1 - I noticed I can only have 512? or 514 entries. Is there a way to just set up a rule allowing all IPs to accept SMTP, POP and IMAP? This would cut quite a few rules. And this is how I had it set up on ISA (right or wrong, I'm not sure)..
0
 
ccomley Commented:
caskrist is right - the SSL certs for HTTPS use should be installed on the web server(s). The only reason to put an SSL cert on the Sonicwall would be to use SSL based VPN type stuff...


WRT rules, yes of course. You can create a Network Object which is a *range* of IP address(es), you can create Group Objects which contain multiple individual objects, and you can create a single rule for the group. So for example, if

MailServer1 = 192.168.1.10
MailServer2 = 192.168.1.20
MailServer3 = 192.168.1.21
MailServer4 = 192.168.1.22

You would already have for your NAT mappings, a "host" object for each. Now you can add

ServerRange1 = 192.168.1.20 through 192.168.1.22 (Range)

And then

ServerGroup = MailServer1Lan, ServerRange1, (plus any others)

And if you have the SERVICE group I suggested above, say

MailServices = POP+IMAP+SMTP+HTTP+HTTPS


And create a single WAN to LAN rule which says

Source = any
Dest = ServerGroup
Service = MailServices
Permit

0
 
dsmjeff Author Commented:
Do you guys know of a resource book available? For example, with ISA I had Tom Schneider's books.

Thanks
0
 
dsmjeff Author Commented:
Another question - (sorry for so many questions!)

Since we have several different mail domains, all of them share port 443 on the Internet, but coming into the Mail Server (IIS 6) I had to change the ports. Domain A uses 443, Domain B uses 444, Domain C uses 445, etc.

On ISA I set it up so the requests come in on 443 then forward to port 445,446, etc. How do I do this on Sonicwall?

Thanks again!
0
 
Cas Krist Commented:
Also with the NAT policies.
0
 
ccomley Commented:
If each server has its own private IP address then you don't need to worry about mapping ports. Just include all the ports that MIGHT be used by a session in the Service Group. You may first need to create an actual Service for non-standard port numbers.

So 443 is already set up. Create services thus:
445 = SecureMail5
446 = SecureMail6
(etc)

Now just add the new services to the existing MailServices service group, and traffic on those ports will automatically be permitted by the existing rule. (Assuming you already created the Permit rule to allow MailService traffic in.)

0
 
dsmjeff Author Commented:
Sorry, I wasn't clear.

We have one primary Mail Server. However, each client accesses Web Mail via HTTPS.

So currently ISA takes the different public static IPs and turns them into the private LAN IP and also converts each domain to the SSL port that the Mail Server is looking for - 443/444/445/etc.

I'm poking around in the NAT and am unsure how to change the ports on the inside still. I set this up using the wizards for simplicity's sake, but also plan to do it manually now that I am starting to understand what the unit is looking for; however I still don't know how to turn those HTTPS connections into different ports.

Thanks all!
0
 
Cas Krist Commented:
In the NAT policies you have an 'original service' and a 'translated service'; that's what you are looking for.
0
 
dsmjeff Author Commented:
If I'm thinking through this correctly, if I make a new service that uses port 448 for example - and then go into NAT Policies and change the Translated into the new rule 448, that should translate it from 443 to 448 correct?

Thanks
0
 
Cas Krist Commented:
Yes, that should be it, but keep in mind you have three policies. For the inbound policy traffic comes in at 443 at the SonicWall and you want to redirect it to port 448 on your server. But for the outbound rule I think it should be the other way around. Your server responds with traffic on port 448 outbound so the SonicWall should also translate that to 443.
0
 
ccomley Commented:
Ah yes - if you have ONE server listening only on port 443 but you wish to present *different* ports to the outside world, then you also need to do PORT TRANSLATION in the NAT table.

To do this it's the same basic idea as doing IP translation. Create services thus:-

SecHTTP1 = 444
SecHTTP2 = 445
SecHTTP3 = 446
etc
(You don't need to create one for 443 - it's there by default, called "HTTPS")

Then on the INBOUND NAT map rule for each "server", where it says "Services", instead of Original=Any put Original=(as above) and instead of "Translated=Original" put "Translated=HTTPS". Similarly on the OUTBOUND NAT rule for each server, put Services, Original=HTTPS, Translated=(as above). Just make sure you match the correct SecHTTPx entry with the matching public IP entry, or you'll get very odd results!!
0
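To make the three-policy layout from ccomley's earlier "IN"/"OUT" description and the port translation discussed in the last few posts concrete, here is an added example that is not part of this thread and not SonicWall code. It models NAT policies and access rules as plain Python data, walks sample packets through the inbound, loopback and outbound policies, and includes a check for the point ccomley raised above: a NAT mapping alone does not permit the traffic, so every inbound policy should have a matching WAN-to-LAN allow rule. The object names (MailSvrLAN, MailSvrPub, LAN Subnets), interface names (X0 = LAN, X1 = WAN), zone names and all addresses are constructed for the example; whether SonicOS evaluates the access rule against the original or the translated destination is not stated in the thread, so the checker accepts a rule that names either.

```python
"""Toy model of the three-policy NAT set-up discussed in this thread.

Added example, not SonicWall code: the address-object names, interface names
(X0 = LAN, X1 = WAN), zone names and sample addresses are constructed, and the
matching logic is a simplification of what SonicOS actually does.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY, ORIGINAL = "Any", "Original"

# Constructed address objects; public addresses come from the 203.0.113.0/24
# documentation range rather than from the thread.
OBJECTS = {
    "MailSvrLAN": "192.168.1.44",
    "MailSvrPub": "203.0.113.10",
    "LAN Subnets": "192.168.1.0/24",
}


@dataclass(frozen=True)
class NatPolicy:
    name: str
    src_orig: str      # address object or "Any"
    src_xlat: str      # address object or "Original"
    dst_orig: str
    dst_xlat: str
    svc_orig: Optional[int] = None   # destination port; None means "Any"
    svc_xlat: Optional[int] = None   # None means "Original"
    in_iface: str = ANY
    out_iface: str = ANY


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    dst: str                 # address object
    ports: FrozenSet[int]    # empty set means any service


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    out_iface: str


def _matches(addr: str, obj: str) -> bool:
    """Does the address object (host, subnet or Any) cover addr?"""
    if obj == ANY:
        return True
    target = OBJECTS[obj]
    return ip_address(addr) in ip_network(target) if "/" in target else addr == target


def _translate(addr: str, obj: str) -> str:
    return addr if obj == ORIGINAL else OBJECTS[obj]


def apply_nat(pkt: Packet, policies: List[NatPolicy]) -> Tuple[Optional[str], Packet]:
    """Return (name of the first matching policy, translated packet)."""
    for p in policies:
        if (p.in_iface in (ANY, pkt.in_iface) and p.out_iface in (ANY, pkt.out_iface)
                and _matches(pkt.src, p.src_orig) and _matches(pkt.dst, p.dst_orig)
                and p.svc_orig in (None, pkt.dport)):
            translated = replace(
                pkt,
                src=_translate(pkt.src, p.src_xlat),
                dst=_translate(pkt.dst, p.dst_xlat),
                dport=pkt.dport if p.svc_xlat is None else p.svc_xlat,
            )
            return p.name, translated
    return None, pkt


def missing_access_rules(policies: List[NatPolicy], rules: List[AccessRule]) -> List[str]:
    """Inbound policies (arriving on the WAN with a translated destination) that
    no WAN-to-LAN rule covers. A rule counts if its destination object is the
    policy's original or translated destination and its service set is empty
    (any) or contains the original or translated port."""
    missing = []
    for p in policies:
        if p.in_iface != "X1" or p.dst_xlat == ORIGINAL:
            continue
        covered = any(
            r.from_zone == "WAN" and r.to_zone == "LAN"
            and r.dst in (p.dst_orig, p.dst_xlat)
            and (not r.ports or {p.svc_orig, p.svc_xlat} & r.ports)
            for r in rules
        )
        if not covered:
            missing.append(p.name)
    return missing


# The three policies for one mail server whose public port 443 is served on
# port 448 inside: inbound and loopback translate the destination and port,
# outbound gives the server's own connections the public address.
MAIL_POLICIES = [
    NatPolicy("inbound", ANY, ORIGINAL, "MailSvrPub", "MailSvrLAN", 443, 448, "X1", ANY),
    NatPolicy("loopback", "LAN Subnets", "MailSvrPub", "MailSvrPub", "MailSvrLAN", 443, 448),
    NatPolicy("outbound", "MailSvrLAN", "MailSvrPub", ANY, ORIGINAL, None, None, ANY, "X1"),
]
MAIL_RULE = AccessRule("WAN", "LAN", "MailSvrPub", frozenset({443}))

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", 443, "X1", "X0"),
                Packet("192.168.1.50", "203.0.113.10", 443, "X0", "X1"),
                Packet("192.168.1.44", "198.51.100.7", 25, "X0", "X1")):
        print(apply_nat(pkt, MAIL_POLICIES))
    print("inbound policies with no allow rule:", missing_access_rules(MAIL_POLICIES, []))
```

Policy order matters in the model just as it does on the box: the loopback policy must sit before any general outbound policy so that a LAN client connecting to the public address is rewritten to the server's LAN address instead of being sent out of the WAN. Running the script with an empty rule list reports the inbound policy as unpermitted; adding MAIL_RULE clears it, which is the check to run whenever a new public IP is mapped.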
 
Cas Krist Commented:
And, any luck?
0
 
dsmjeff Author Commented:
I got pulled away from it. I worked on it again this weekend. I'm hoping to put it into test later this week. I'll post back with results/questions.

Thanks!
0
 
Cas Krist Commented:
And, any luck? You've asked three questions so far, nothing solved yet?
0
 
dsmjeff Author Commented:
It is up and running. I was waiting to see if something broke to follow up to, but so far, so good. Thank you all for your help! Much appreciated!!

Jeff
0
 
dsmjeff Author Commented:
Thanks all!
0
 
digitap Commented:
thx for the pts!
0