Solved

Sonicwall TZ 210 - Need to configure several public IP's for use - How is this possible?

Posted on 2010-09-10
5,822 Views
Last Modified: 2013-11-16
We're moving from ISA 2006 to a Sonicwall TZ 210. I'm starting to work through the configurations but I'm stuck. We have about 30 static IPs that we need to set up, but I don't know how to do that with this new device.

Thanks!
Question by:dsmjeff
32 Comments
 
LVL 6

Accepted Solution

by:
caskrist earned 250 total points
ID: 33652173
The most simple way to achieve this is to use the public server wizard. If you really don't like the wizard you have to do it with 'NAT policies' (found under 'network').
What the public server wizard does is create three NAT policies for you, and it also creates a firewall rule.
(The three NAT policies are for 1) inbound traffic, 2) outbound traffic and 3) a loopback policy.)

Just run the public server wizard and see what it does.
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33652187
An example of the three policies:
1 = loopback policy (what the Sonicwall has to do when an internal client wants to access the local server with its public IP)
2 = outbound policy (makes sure that the public server uses the correct public IP)
3 = inbound policy, which translates the public IP to the private IP

(attached screenshot: 3NAT-policies.png)
0
 
LVL 16

Assisted Solution

by:ccomley
ccomley earned 125 total points
ID: 33653981
Caskrist - sorry - but the Public Server Wizard will create 1:Many nat rules using the WAN ip address only.

To set up full 1:1 mappings you need to do it by hand.

Steps are:-

1) Give each device on the LAN that you need to have a public address a Network Object "Host" name, e.g. "MailServerLAN = 192.169.1.44".
2) Give each public address that you want to map a Network Object "Host" name, e.g. "MailServerPublic = 212.123.12.82". These of course must be chosen from the range of public IP addresses available on your WAN network as supplied by your ISP.
3) Now create an "IN" and an "OUT" NAT mapping to connect these two. By and large you should map "any" protocol to "original", i.e. unless you WANT to re-map port addresses, just map IP and leave services unaffected.

e.g.

Source - Original = MailSvrLAN
Source - Translated = MailSvrPub
Dest - Original = Any
Dest - Translated = Original

for the outbound mapping and

Source - Original = Any
Source - Translated = Original
Dest - Original = MailSvrPub
Dest - Translated = MailSvrLAN

for the inbound.

0
 
LVL 6

Expert Comment

by:caskrist
ID: 33654417
No, with the wizard you can give an alternate public IP address, see the screenshot of the wizard.

(attached screenshot: server-wizard.png)
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 125 total points
ID: 33655631
@ccomley :: caskrist is accurate. Running the Public Server wizard can be done for each public IP that needs to "map" to an internal server. An address object for each public IP address would be needed and referenced during the wizard.
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33655973
Thanks, but as you can see you can enter an IP address in the wizard. The wizard creates the address object.

But either way, even when the wizard doesn't ask for the external IP (with older firmware), it is easier to change the policies created by the wizard than to create them yourself (for new Sonicwall admins).

In my example of the policies you can change 'X1 IP' to an address object which has the external IP. (Don't forget the firewall rule.)
0
 
LVL 33

Expert Comment

by:digitap
ID: 33656788
Yes...I think that's what I meant. The wizard would create it. Thanks for the clarification.
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33660444
Sorry guys - the "wizard" has clearly been upgraded since I last used it!!! :-)

0
 
LVL 6

Expert Comment

by:caskrist
ID: 33660966
No problem, thanks to you all I am learning every day about Sonicwall.
0
 

Author Comment

by:dsmjeff
ID: 33661772
Thanks all for the input.

I have been working this weekend on setting up all of our rules. I ran into a few other snags. For example:
(We host about 15 mail domains, all of which have their own IP.)
1 - Using the wizard, when I change the IP address to the domain I'm setting up, the wizard makes the changes, but the subnet is not correct. It is setting up the subnet to be 255.255.255.255 and it should be 255.255.255.192. Short of changing each rule, what could I do? The Network Settings on the WAN are correct.

2 - Working on getting the SSL certs in for each domain. Is there a best practice or wizard?

Thanks again!
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33662058
If you have that many I would *deffo* skip the wizard and get the hang of doing it by hand!!

Start with the Object Names. Create two HOST type objects for each server, one for its LAN address and one for the public IP you wish it to map to.

Create a Service Group containing all the services you expect to use with them (SMTP, POP, IMAP, possibly HTTP and HTTPS).

Create In and Out rules as per my earlier description.

DON'T FORGET you ALSO need to create a PERMIT rule on the Firewall WAN-to-LAN grid - just setting up the NAT mapping does NOT do this!!!

NOTE THAT the wizard is setting the subnet to 255.255.255.255 because you are dealing with a SINGLE IP address, not a range of addresses, when you set up a mapping like that. It's not wrong!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33662060
When you've already got the rules setup, the rules will reference an address object.  You'll want to give each address object a unique name so you'll know which one is associated to the proper rule.  Then, simply modify the address object.  This will update each firewall access rule and NAT rule.
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33662130
I think, but I'm not sure, that the certs should be created on the servers, on and for the servers, not the Sonicwall.
0
 

Author Comment

by:dsmjeff
ID: 33662196
SSL - Currently we use ISA 2006 Enterprise. On this setup, we have the SSL cert on the Mail Server, then we have to export it to the ISA box as a PFX file. ISA accepts it into the rule, then it starts accepting traffic. Without the 2nd piece (ISA/PFX), the rule doesn't allow SSL. I see in the settings there are SSL Control and other SSL settings, but I wanted to get a consensus on the 'best practices'.

ccomley: With regards to setting up NAT 1:1 - I noticed I can only have 512? or 514 entries. Is there a way to just set up a rule allowing all IPs to accept SMTP, POP and IMAP? This would cut quite a few rules. And this is how I had it set up on ISA (right or wrong, I'm not sure).
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33662313
caskrist is right - the SSL certs for HTTPS use should be installed on the web server(s). The only reason to put an SSL cert on the Sonicwall would be to use SSL-based VPN type stuff...

WRT rules, yes of course. You can create a Network Object which is a *range* of IP address(es), you can create Group Objects which contain multiple individual objects, and you can create a single rule for the group. So for example, if

MailServer1 = 192.168.1.10
MailServer2 = 192.168.1.20
MailServer3 = 192.168.1.21
MailServer4 = 192.168.1.22

You would already have for your NAT mappings, a "host" object for each. Now you can add

ServerRange1 = 192.168.1.20 through 192.168.1.22 (Range)

And then

ServerGroup = MailServer1Lan, ServerRange1, (plus any others)

And if you have the SERVICE group I suggested above, say

MailServices = POP+IMAP+SMTP+HTTP+HTTPS


And create a single WAN to LAN rule which says

Source = any
Dest = ServerGroup
Service = MailServices
Permit

0
 

Author Comment

by:dsmjeff
ID: 33665831
Do you guys know of a resource book available? For example, with ISA I had Tom Schneider's books.

Thanks
0
 

Author Comment

by:dsmjeff
ID: 33665905
Another question - (sorry for so many questions!)

Since we have several different mail domains, all of them share port 443 on the Internet, but coming into the Mail Server (IIS 6) I had to change the ports. Domain A uses 443, Domain B uses 444, Domain C uses 445, etc.

On ISA I set it up so the requests come in on 443 then forward to port 445,446, etc. How do I do this on Sonicwall?

Thanks again!
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33666415
Also with the NAT policies.
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33669817
If each server has its own private IP address then you don't need to worry about mapping ports. Just include all the ports that MIGHT be used by a session in the Service Group. You may first need to create an actual Service for non-standard port numbers.

So 443 is already set up. Create services thus:
445 = SecureMail5
446 = SecureMail6
(etc)

Now just add the new services to the existing MailServices service group, and traffic on those ports will automatically be permitted by the existing rule. (Assuming you already created the Permit rule to allow MailServices traffic in.)

0
 

Author Comment

by:dsmjeff
ID: 33678604
Sorry, I wasn't clear.

We have one primary Mail Server. However, each client accesses Web Mail via HTTPS.

So currently ISA takes the different public static IPs and turns them into the private LAN IP and also converts each domain to the SSL port that the Mail Server is looking for - 443/444/445/etc.

I'm poking around in the NAT and am unsure how to change the ports on the inside still. I set this up using the wizards for simplicity's sake, but also plan to do it manually now that I am starting to understand what the unit is looking for; however I still don't know how to turn those HTTPS requests into different ports.

Thanks all!
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33679934
In the NAT policies you have an 'original service' and a 'translated service'; that's what you are looking for.
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33680124
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33680815
0
 

Author Comment

by:dsmjeff
ID: 33708907
If I'm thinking through this correctly, if I make a new service that uses port 448 for example - and then go into NAT Policies and change the Translated into the new rule 448, that should translate it from 443 to 448 correct?

Thanks
0
 
LVL 6

Expert Comment

by:caskrist
ID: 33710284
Yes, that should be it, but keep in mind you have three policies. For the inbound policy, traffic comes in at 443 at the Sonicwall and you want to redirect it to port 448 on your server. But for the outbound rule I think it should be the other way around. Your server responds with traffic on port 448 outbound, so the Sonicwall should also translate that to 443.
0
 
LVL 16

Expert Comment

by:ccomley
ID: 33714620
Ah yes - if you have ONE server listening only on port 443 but you wish to present *different* ports to the outside world, then you also need to do PORT TRANSLATION in the NAT table.

To do this it's the same basic idea as doing IP translation. Create services thus:

SecHTTP1 = 444
SecHTTP2 = 445
SecHTTP3 = 446
etc
(You don't need to create one for 443 - it's there by default, called "HTTPS".)

Then on the INBOUND NAT map rule for each "server", where it says "Services", instead of Original=Any put Original=(as above) and instead of "Translated=Original" put "Translated=HTTPS". Similarly on the OUTBOUND NAT rule for each server, put Services, Original=HTTPS, Translated=(as above). Just make sure you match the correct SecHTTPx entry with the matching public IP entry, or you'll get very odd results!!
0
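The per-server policy set this thread builds up (loopback, inbound, outbound, each with Original/Translated source, destination and service) together with the 443-to-448 port translation, modelled as an added example that is not code from the original thread or from SonicWall. The address objects, service objects, IP addresses and first-match ordering are assumptions made for illustration; a real SonicWall table orders policies by priority and its connection cache reverses the translation for reply packets, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address and service objects mirroring the thread's naming (assumptions;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not anyone's real IPs).
ADDRESS_OBJECTS = {
    "MailSvrLAN": "192.168.1.44",   # host object for the server's LAN address
    "MailSvrPub": "203.0.113.82",   # host object for the public IP it is mapped to
    "X1 IP": "203.0.113.1",         # the WAN interface address
    "LAN Subnet": "192.168.1.0/24",
}
SERVICE_OBJECTS = {"HTTPS": 443, "SMTP": 25, "SecHTTP5": 448}
ANY, ORIGINAL = "Any", "Original"

@dataclass
class NatPolicy:
    name: str
    src_orig: str; src_xlat: str    # Source - Original / Translated
    dst_orig: str; dst_xlat: str    # Destination - Original / Translated
    svc_orig: str; svc_xlat: str    # Service - Original / Translated (destination port)

def _addr_matches(obj, ip):
    return obj == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_OBJECTS[obj], strict=False)

def _svc_matches(obj, port):
    return obj == ANY or SERVICE_OBJECTS[obj] == port

def apply_nat(policies, src, dst, dport):
    """Return (policy name, src, dst, dport) after the first matching policy.
    First-match evaluation in list order is a simplifying assumption of this model."""
    for p in policies:
        if _addr_matches(p.src_orig, src) and _addr_matches(p.dst_orig, dst) and _svc_matches(p.svc_orig, dport):
            new_src = src if p.src_xlat == ORIGINAL else ADDRESS_OBJECTS[p.src_xlat]
            new_dst = dst if p.dst_xlat == ORIGINAL else ADDRESS_OBJECTS[p.dst_xlat]
            new_port = dport if p.svc_xlat == ORIGINAL else SERVICE_OBJECTS[p.svc_xlat]
            return p.name, new_src, new_dst, new_port
    return None, src, dst, dport  # no NAT applied; the access rule still decides permit/deny

# The three policies for one server, plus the web-mail port translation (public 443 -> 448
# on the server). Loopback is listed first so an internal client hitting the public IP is
# translated before the outbound policy sees it; note the access rule is configured separately.
POLICIES = [
    NatPolicy("loopback", "LAN Subnet", "X1 IP", "MailSvrPub", "MailSvrLAN", "HTTPS", "SecHTTP5"),
    NatPolicy("inbound-https", ANY, ORIGINAL, "MailSvrPub", "MailSvrLAN", "HTTPS", "SecHTTP5"),
    NatPolicy("inbound-any", ANY, ORIGINAL, "MailSvrPub", "MailSvrLAN", ANY, ORIGINAL),
    NatPolicy("outbound", "MailSvrLAN", "MailSvrPub", ANY, ORIGINAL, ANY, ORIGINAL),
]

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "203.0.113.82", 443), ("192.168.1.44", "198.51.100.7", 25),
                ("192.168.1.10", "203.0.113.82", 443)]:
        print(pkt, "->", apply_nat(POLICIES, *pkt))
```

Swapping the order of the inbound-https and inbound-any entries shows why the specific service policy must come first: with the Any policy ahead of it, port 443 would never be rewritten.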
 
LVL 6

Expert Comment

by:caskrist
ID: 33763747
And, any luck?
0
 

Author Comment

by:dsmjeff
ID: 33769376
I got pulled away from it. I worked on it again this weekend. I'm hoping to put it into test later this week. I'll post back with results/questions.

Thanks!
0
 
LVL 6

Assisted Solution

by:caskrist
caskrist earned 250 total points
ID: 33895283
And, any luck? You've asked three questions so far, nothing solved yet?
0
 

Author Comment

by:dsmjeff
ID: 33896138
It is up and running. I was waiting to see if something broke to follow up to, but so far, so good. Thank you all for your help! Much appreciated!!

Jeff
0
 

Author Closing Comment

by:dsmjeff
ID: 33896141
Thanks all!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33896627
thx for the pts!
0