Sonicwall TZ 210 - Need to configure several public IP's for use - How is this possible?

An example of the three policies:
1 = loopback policy (what the sonicwall has to do when an internal client wants to access the local server with it's public ip)
2 = outbound policy (makes sure that the public server uses the correct public ip)
3 = inbound policy which translates the public ip to the private ip

3NAT-policies.png

No, with the wizard you can give an alternate public ip address, see the screenshot of the wizard.

server-wizard.png

Thanks, but as you can see you can enter an ip address in the wizard. The wizard creates the address object.

but either way, even when the wizard doesn't ask for the external ip (with older firware), it is easier to change the policies creates by the wizard, then to create them yourself (for new Sonicwall admins).

In my example of the policies you can change 'X1 IP' to an address object which has the external IP. (don't forget the firewall rule).

yes...i think that's what i meant.  the wizard would create it.  thanks for the clarification.

Sorry guys - the "wizard" has clearly been upgraded since I last used it!!! :-)

No problem, thanks to you all I am learning every day about Sonicwall.

Thanks all for the input.

I have been working this weekend on setting up all of our rules. I ran into a few other snags. For example -
(We host about 15 Mail Domains all of which have there own IP)
1 - Using the wizard, when I change the IP address to the domain I'm setting up. The wizard makes the changes, but the subnet is not correct. It is setting up the subnet to be 255.255.255.255 and it should be 255.255.255.192. Short of changing each rule, what could I do? The Network Settings on the WAN is correct.

2 - Working on getting the SSL certs in for each domain. Is there a best practice or wizard?

Thanks again!

If you have that many I would *deffo* skip the wizard and get the hang of doing it by hand!!

Start with the Object Names. Create two HOST type objects for each server, one for it's LAN address and one for the public IP you wish it to map to.

Create a Service Group containing all the services you expect to use with them (SMTP, POP, IMAP, possibly HTTP and HTTPS)

Create In and Out rules as per my earlier description.

DON@T FORGET you ASLO need to create a PERMIT rule on the Fierwall WAN-to-LAN grid - just setting up the NAT mapping does NOT do this!!!

NOTE THAT The wizard is setting the subnet to 255.255.255.255 coz you are dealing with a SINGLE ip address not a range of addresses when you set up a mapping light that. It's not wrong!

When you've already got the rules setup, the rules will reference an address object.  You'll want to give each address object a unique name so you'll know which one is associated to the proper rule.  Then, simply modify the address object.  This will update each firewall access rule and NAT rule.

I think, but I'm not sure, that the certs should be created on the servers on and for the servers, not the sonicwall.

SSL - Currently we use ISA 2006 Enterprise. On this setup, we have our the SSL cert on the Mail Server, then we have to export it to the ISA box as a PFX file. ISA accepts it into the rule, then it starts accepting traffic. Without the 2nd piece (ISA/PFX), the rule doesn't allow SSL. I see in the settings there are SSL Control and other SSL settings, but I wanted to get a census on the 'best practices'.

ccomley: With regards to setting up NAT 1:1 - I noticed I can only have 512? or 514 entries. Is there a way to just set up a rule allowing all IP's to accept SMTP, POP and IMAP? This would cut quite a few rules. And this is how I had it setup on ISA (right or wrong, I'm not sure)..

caskrist is right - the SSL certs for HTTPS use should be installed on the web server(s). The only reason to put an SSL cert on the Sonicwall would be to use SSL based VPN type stuff...


WRT rules, yes of course. You can create a Network Object which is a *range* of IP address(es), you can create Group Objects which contain multiple individual objects, and you can create a single rule for the group. So for example, if

MailServer1 = 192.168.1.10
MailServer2 = 192.168.1.20
MailServer3 = 192.168.1.21
MailServer4 = 192.168.1.22

You would already have for your NAT mappings, a "host" object for each. Now you can add

ServerRange1 = 192.168.1.20 through 192.168.1.22 (Range)

And then

ServerGroup = MailServer1Lan, ServerRange1, (plus any others)

And if you have the SERVICE group I suggested above, say

MailServices = POP+IMAP+SMTP+HTTP+HTTPS


And create a single WAN to LAN rule which says

Source = any
Dest = ServerGroup
Service = MailServices
Permit

Do you guys know of a resource book available? For example, with ISA I had Tom Schneider's books.

Thanks

Another question - (sorry for so many questions!)

Since we have several different mail domains, all of them share port 443 on the Internet, but coming into the Mail Server (IIS 6) I had to change the ports. Domain A uses 443, Domain B uses 444, Domain C uses 445, etc.

On ISA I set it up so the requests come in on 443 then forward to port 445,446, etc. How do I do this on Sonicwall?

Thanks again!

Also with theNAT policies.

If each server has it's own private IP address then you don't need to worry about maapping ports. Just include all the ports that MIGHT be used by a session in the Service Group You may first need to create an actual Service for non-standard port numbers.

So 443 is already set up. Create services this
445 = SecureMail5
446 = SecureMail6
(etc)

Now just add the new services to the existing MailServices service group, and traffic on those ports will automatically be permitted by the existing rule. (Assuming you already created the Permit rule to allow MailService traffic in.)

Sorry, I wasn't clear.

We have one primary Mail Server. However, each client accesses Web Mail via HTTPs.

So currently ISA takes the different public Static IP's and turns them into the private LAN IP and also converts each domain to the SSL Port that the Mail Server is looking for - 443/444/445/etc.

I'm poling around in the NAT and am unsure how to change the ports on the inside still. i set this up using the wizards for simplicity sake, but also plan to do it manually now that I am starting to understand what the unit is looking for, however I still don't know how to turn those HTTPs's into different ports.

Thanks all!

In the NAT policies you have an 'original service' and a 'translated service' thats what you are looking for.

See: http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23582877.html

Or even better:
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5611&SearchType=advanced&referrer=&gpn=&CustID=&bUseEditor=&keyword=port+translation&rfield=&sortmethod=rel&usertype=&gpv=&catID2=&formaction=search&catID1=143&IncludeHTML=&catID3=&TotalResults=4629&submitbutton=Go&match=and

Look for your questions in the sonicwall knowledgebase.
(www.sonicwall.com, support, documentation, knowledgebase)

If I'm thinking through this correctly, if I make a new service that uses port 448 for example - and then go into NAT Policies and change the Translated into the new rule 448, that should translate it from 443 to 448 correct?

Thanks

Yes tha should be it, but keep in mind you have three policies. For the inbound policy traffic comes in at 443 at the sonicwall and you wat to redirect it to port 448 on your server. But for the outbound rule I think it should be the other way around. You server responds with traffic on port 448 outbound so the sonicwall should also translate that to 443.

Ah yes - if you have ONE server listening only on port 443 but you wish to present *different* ports to the outside world, then you also need to do PORT TRANSLATION in the NAT table.

To do this it's the same basic idea as doing IP translation.  Create services thus:-

SecHTTP1 = 444
SecHTTP2 = 445
SecHTTP3 = 446
etc
(YOu don't need to create one for 443 - it's there by default, called "HTTPS")

Then on the INBOUND NAT map rule  for each "server" where it says "Serviecs" instead of Original=Any put Original=(as above) and instead of "translated=original" put "translated=HTTPS". Similarly on the OUTBOUND NAT rule for each server, put Services, Original=HTTPS, Translated=(as above). Just make sure you match the correct SecHTTPx entry with the matching public IP entry, or you'll get very odd results!!

And, Any luck?

I got pulled away from it. I worked on it again this weekend. I'm hoping to put it into test later this week. I'll post back with results/questions.

Thanks!

It is up and running. I was waiting to see if something broke to follow up to, but so far, so good. Thank you all for your help! Much appreciated!!

Jeff

Thanks all!

thx for the pts!