Sonicwall TZ use external IP internally

I just changed our office firewall to a SonicWALL TZ-190 series. I have five incoming static IP addresses. I have split DNS on my server because we use three web applications inside our network. The DNS says when using internal look to 192.168.1.16 for Exch2003.sbx.com, but when external look to 98.23.24.2. It has worked fine forever when we used a single static IP SOHO firewall from 3COM.

Now we are having users that are having routing problems because their PCs will not release the external IP when internal. I have them clear ARP and flush DNS and it works, but this does not always work for everyone. Is there a way to allow traffic to flow from an internal user to an external IP and then right back in? I don't want to do it consistently but just when this fails. I think it is traversal?? But I am not sure. Any SonicWALL experts out there?
bhgewilson asked:
stressless-IT commented:
are they laptops or desktops? exchange novell? outlook?
digitap commented:
how did you configure the sonicwall to allow the ports through to your web servers?  did you use the public server wizard or did you manually create the NAT and firewall rules?  it sounds as if you did it manually and you are missing the NAT loopback that the public server wizard would create.
stressless-IT commented:
yes he is missing the nat rule but does he really want email to go to the internet and then come right back in? waste of bandwidth.
bhgewilson (author) commented:
No, I do not; you are right, stress-. However, what happens is this. My users are on their laptop, close it up, drive into the office, plug into the wall and start right up.

Their laptop at home uses the DNS on the net and finds mail.sbx.com at the external IP. They come in and open it up with DNS remembering the external DNS, and it does not work.

Yes, I did it manually. Where is it in the firewall to allow NAT traversal?
digitap commented:
that's not what i'm saying the loopback prevents the internal user from going out to the internet and coming back.  the sonicwall will identify that it's an internal host requesting an internal resource and keep it within the sonicwall.  here's a KB on setting up NAT policies:

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7979

I assume you mean NAT Traversal as in VPN?  if so, then VPN > Advanced.  There is a check box to enable/disable that.

bhgewilson (author) commented:
No, you are right on, but will this allow me to go out and come back in?
digitap commented:
No.  NAT Traversal is used when your IPSEC traffic must pass a router performing NAT.  here's a KB on it with more details.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5787

The loopback created by the wizard or one you manually create will do what you're looking for.
bhgewilson (author) commented:
I assume from this I need to create one for each service/port we are forwarding, or can I do it for the service groups?
_Tyrant commented:

Hi bhgewilson,

You can simply set the following for your LoopBack NAT:

Original Source: Firewalled Subnets
Translated Source: WAN Primary IP
Original Destination: WAN Primary IP
Translated Destination: [INTERNAL SERVER IP]
Original Service: Any
Translated Service: Original

Inbound Interface: Any
Outbound Interface: Any

This will do the trick. However, if you'd like, you can also specify specific service objects or even a service group. That is not necessary though... The above configuration is what a SonicWALL Engineer will give you.

Hope this is helpful.
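The point of the loopback policy above is that it rewrites both ends of the packet: the destination becomes the internal server, and the source becomes the WAN IP so the server's reply comes back through the firewall instead of short-cutting across the LAN. The following model (an added example, not SonicWALL code) walks a LAN packet through an ordered NAT table with and without that policy; the LAN range 192.168.1.0/24, the laptop address 192.168.1.50 and the external client 203.0.113.7 are constructed, while 98.23.24.2 and 192.168.1.16 are the addresses from the question.

```python
"""Model of a SonicOS-style NAT loopback (hairpin) policy lookup."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union

Match = Union[IPv4Network, IPv4Address, str]      # subnet, host, or "any"

FIREWALLED_SUBNETS = ip_network("192.168.1.0/24")  # constructed LAN range
WAN_PRIMARY_IP = ip_address("98.23.24.2")          # external IP from the question
SERVER_IP = ip_address("192.168.1.16")             # Exch2003 from the question


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class NatPolicy:
    orig_src: Match
    orig_dst: Match
    trans_src: Optional[IPv4Address]  # None means "Original" (keep as-is)
    trans_dst: Optional[IPv4Address]


def _hit(m: Match, addr: IPv4Address) -> bool:
    if isinstance(m, str):
        return m == "any"
    return addr in m if isinstance(m, IPv4Network) else addr == m


def translate(policies: List[NatPolicy], pkt: Packet) -> Packet:
    """First matching policy wins, as in an ordered NAT table."""
    for p in policies:
        if _hit(p.orig_src, pkt.src) and _hit(p.orig_dst, pkt.dst):
            src = pkt.src if p.trans_src is None else p.trans_src
            dst = pkt.dst if p.trans_dst is None else p.trans_dst
            return replace(pkt, src=src, dst=dst)
    return pkt


def reply_returns_via_firewall(policies: List[NatPolicy], pkt: Packet) -> bool:
    """True when the server will answer an address the firewall owns, so the
    reply is un-NATed on the way back instead of going straight to the client."""
    t = translate(policies, pkt)
    return t.dst == SERVER_IP and t.src not in FIREWALLED_SUBNETS


# The loopback policy from the thread (Original/Translated Service left as Any/Original).
LOOPBACK = NatPolicy(FIREWALLED_SUBNETS, WAN_PRIMARY_IP, WAN_PRIMARY_IP, SERVER_IP)
# A typical hand-made inbound policy (constructed): destination rewrite only.
INBOUND = NatPolicy("any", WAN_PRIMARY_IP, None, SERVER_IP)
LAPTOP = Packet(ip_address("192.168.1.50"), WAN_PRIMARY_IP, 443)        # constructed
EXTERNAL_CLIENT = Packet(ip_address("203.0.113.7"), WAN_PRIMARY_IP, 443)  # constructed
```

With only `INBOUND` the laptop's packet reaches the server, but the server answers 192.168.1.50 directly and the client sees a reply from 192.168.1.16 rather than 98.23.24.2, which is exactly the hairpin failure the thread describes.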
digitap commented:
to be honest, if i'm having a problem with rules or policies, i don't try to make the changes manually.  i'll delete what i've got...rules, nat policies, objects/groups...and run the wizard.  i've been working with the sonicwall for over 6 years and have sonicwall certification and i still use the public server wizard.
_Tyrant commented:

Hi digitap,

I certainly understand and respect your position, however, I too have my CSSA and have a rather deep understanding of the SonicWALL. I'm on the other side of the fence on this one, and respectfully disagree, as I know first and second hand that using the Wizard can get you into trouble - and quickly. I never trust it when I know that I can create any access rule, policy or object by hand, and the result will be just what I'm looking for.

The NAT policy I listed above is the proper LoopBack policy used by SonicWALL Engineers on any SonicOS enhanced unit. I highly recommend that this be added by hand rather than using the Wizard, as the Wizard does not give an option for creating just a LoopBack policy. Rather, it will attempt to overwrite the existing inbound and outbound NAT policies, and then try to create the LoopBack. This is a recipe for disaster.

bhgewilson, if you're reading this comment, the choice is ultimately yours, though I am partial to my suggestion and recommend it. This does not invalidate digitap's suggestion... I just believe mine is safer.
digitap commented:
ok, seemed for a moment that you were trying to invalidate my suggestion.  of course, everyone's experience is different.  i like the wizard for doing the simple stuff of getting a web or exchange server on the internet.  i like that the wizard creates the objects, etc.  i know enough to go back and tweak if necessary.  however, when i have to nat over a vpn, i don't use the nat stuff within the vpn sa, i create those by hand.

also, to your suggestion, if you really want to understand what's going on, there's nothing like setting things up manually.
_Tyrant commented:
@digitap :: You're absolutely right; everyone's experience is different, and I do completely understand that you've had a better experience with this. I merely make the suggestion to do it by hand *if you know how to set a policy by hand* because it is safer.

To anyone who reads this thread, digitap's suggestion is completely valid. If you're uncomfortable setting a policy or rule by hand, use the Wizard. If you have the experience or detailed information that you'll need, do it by hand.

I hope this clears up my position on using the Wizard.

Kind Regards.
digitap commented:
indeed it does.  thanks and sorry i was cranky with you.
digitap commented:
@Tyrant :: if asked, would you look at a question for me?
bhgewilson (author) commented:
I was not able to test this until today. This solution worked.  Thanks so much for the help.
digitap commented:
no problem...thanks for the points!
_Tyrant commented:
@digitap :: Sorry for the delay! I've been quite preoccupied over the last few days. It would be my pleasure to look at a question for you. Just let me know what it is.

=]
digitap commented:
i figured it out in the mean time...no worries, >GRIN<!