Experts Exchange question, asked by bhgewilson
Sonicwall TZ use external IP internally

I just changed our office firewall to a SonicWall TZ-190 series. I have five incoming static IP addresses. I have split DNS on my server because we use three web applications inside our network. The DNS says, when looking up internally, to go to 192.168.1.16 for Exch2003.sbx.com, but when looking up externally to go to 98.23.24.2. It has worked fine forever when we used a single static IP SOHO firewall from 3COM.

Now we are having users that are having routing problems because their PCs will not release the external IP when internal. I have them clear ARP and flush DNS and it works, but this does not always work for everyone. Is there a way to allow traffic to flow from an internal user to an external IP and then right back in? I don't want to do it consistently, but just when this fails. I think it is traversal?? but I am not sure. Any SonicWall experts out there?
stressless-IT

are they laptops or desktops? exchange novell? outlook?
how did you configure the sonicwall to allow the ports through to your web servers?  did you use the public server wizard or did you manually create the NAT and firewall rules?  it sounds as if you did it manually and you are missing the NAT loopback that the public server wizard would create.
yes he is missing the nat rule but does he really want email to go to the internet and then come right back in? waste of bandwidth.
bhgewilson (ASKER)
no I do not, you are right stress- however what happens is this. My users are on their laptop, close it up, drive into the office, plug into the wall and start right up.

Their laptop at home uses the DNS on the net and finds mail.sbx.com at the external IP. They come in and open it up with DNS remembering the external DNS and it does not work.

Yes I did it manually. Where is it in the firewall to allow NAT traversal?
ASKER CERTIFIED SOLUTION by digitap
No, you are right on, but will this allow me to go out and come back in?
No. NAT Traversal is used when your IPsec traffic must pass a router performing NAT. Here's a KB on it with more details.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5787

The loopback created by the wizard or one you manually create will do what you're looking for.
I assume from this I need to create one for each service/port we are forwarding, or can I do it for the service groups?
John Smith

Hi bhgewilson,

You can simply set the following for your LoopBack NAT:

Original Source: Firewalled Subnets
Translated Source: WAN Primary IP
Original Destination: WAN Primary IP
Translated Destination: [INTERNAL SERVER IP]
Original Service: Any
Translated Service: Original

Inbound Interface: Any
Outbound Interface: Any

This will do the trick. However, if you'd like, you can also specify specific service objects or even a service group. That is not necessary though... The above configuration is what a SonicWALL Engineer will give you.

Hope this is helpful.
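To see why the Translated Source in the policy above matters, here is a small added model of the SonicOS NAT match/rewrite steps (example code written for this thread, not SonicWall's or any poster's). Addresses come from the question; the LAN subnet 192.168.1.0/24 and port 443 are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread; the LAN subnet 192.168.1.0/24 is an assumption.
WAN_PRIMARY_IP = ip_address("98.23.24.2")
FIREWALLED_SUBNETS = [ip_network("192.168.1.0/24")]
EXCHANGE_LAN_IP = ip_address("192.168.1.16")  # Exch2003.sbx.com inside the LAN

@dataclass(frozen=True)
class Packet:
    src: object  # IPv4Address
    dst: object
    dport: int

@dataclass(frozen=True)
class NatPolicy:
    """SonicOS-style NAT policy: match the Original fields, rewrite the
    Translated ones; None means 'Original' (leave the field unchanged)."""
    name: str
    orig_src: list  # networks the source must belong to
    orig_dst: object
    trans_src: object = None
    trans_dst: object = None

    def matches(self, pkt):
        return any(pkt.src in n for n in self.orig_src) and pkt.dst == self.orig_dst

    def apply(self, pkt):
        return replace(pkt, src=pkt.src if self.trans_src is None else self.trans_src,
                       dst=pkt.dst if self.trans_dst is None else self.trans_dst)

# The LoopBack policy exactly as listed above (Original Service: Any).
LOOPBACK_POLICY = NatPolicy("LoopBack", FIREWALLED_SUBNETS, WAN_PRIMARY_IP,
                            trans_src=WAN_PRIMARY_IP, trans_dst=EXCHANGE_LAN_IP)
# Common mistake: destination rewritten but Translated Source left as Original.
DST_ONLY_POLICY = NatPolicy("DstOnly", FIREWALLED_SUBNETS, WAN_PRIMARY_IP,
                            trans_dst=EXCHANGE_LAN_IP)

def simulate(client_ip, policy, dport=443):
    """Run one LAN client's packet for the public address through a policy.
    The server answers the source it sees: the WAN IP means the reply returns
    through the firewall and is un-NATed; the client's own LAN address means
    the reply is switched straight to the client, which drops it (asymmetric)."""
    pkt = Packet(ip_address(client_ip), WAN_PRIMARY_IP, dport)
    if not policy.matches(pkt):
        return {"policy": None, "src": str(pkt.src), "dst": str(pkt.dst),
                "reply_via_firewall": None}
    out = policy.apply(pkt)
    return {"policy": policy.name, "src": str(out.src), "dst": str(out.dst),
            "reply_via_firewall": out.src == WAN_PRIMARY_IP}
```

Running `simulate("192.168.1.50", DST_ONLY_POLICY)` shows the half-configured case: the packet reaches Exchange, but the reply never passes back through the firewall, which is the symptom the asker is chasing.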
to be honest, if i'm having a problem with rules or policies, i don't try to make the changes manually.  i'll delete what i've got...rules, nat policies, objects/groups...and run the wizard.  i've been working with the sonicwall for over 6 years and have sonicwall certification and i still use the public server wizard.

Hi digitap,

I certainly understand and respect your position, however, I too have my CSSA and have a rather deep understanding of the SonicWALL. I'm on the other side of the fence on this one, and respectfully disagree, as I know first and second hand that using the Wizard can get you into trouble - and quickly. I never trust it when I know that I can create any access rule, policy or object by hand, and the result will be just what I'm looking for.

The NAT policy I listed above is the proper LoopBack policy used by SonicWALL Engineers on any SonicOS enhanced unit. I highly recommend that this be added by hand rather than using the Wizard, as the Wizard does not give an option for creating just a LoopBack policy. Rather, it will attempt to overwrite the existing inbound and outbound NAT policies, and then try to create the LoopBack. This is a recipe for disaster.

bhgewilson, if you're reading this comment, the choice is ultimately yours, though I am partial to my suggestion and recommend it. This does not invalidate digitap's suggestion... I just believe mine is safer.
ok, seemed for a moment that you were trying to invalidate my suggestion.  of course, everyone's experience is different.  i like the wizard for doing the simple stuff of getting a web or exchange server on the internet.  i like that the wizard creates the objects, etc.  i know enough to go back and tweak if necessary.  however, when i have to nat over a vpn, i don't use the nat stuff within the vpn sa, i create those by hand.

also, to your suggestion, if you really want to understand what's going on, there's nothing like setting things up manually.
@digitap :: You're absolutely right; everyone's experience is different, and I do completely understand that you've had a better experience with this. I merely make the suggestion to do it by hand *if you know how to set a policy by hand* because it is safer.

To anyone who reads this thread, digitap's suggestion is completely valid. If you're uncomfortable setting a policy or rule by hand, use the Wizard. If you have the experience or detailed information that you'll need, do it by hand.

I hope this clears up my position on using the Wizard.

Kind Regards.
indeed it does.  thanks and sorry i was cranky with you.
@Tyrant :: if asked, would you look at a question for me?
I was not able to test this until today. This solution worked.  Thanks so much for the help.
no problem...thanks for the points!
@digitap :: Sorry for the delay! I've been quite preoccupied over the last few days. It would be my pleasure to look at a question for you. Just let me know what it is.

=]
i figured it out in the mean time...no worries, >GRIN<!