Solved

Issues with communication between two WAN interfaces on Sonicwall 2040 Enhanced

Posted on 2011-02-22
Last Modified: 2012-05-11
X0 interface - on Sonicwall is our LAN
X1 interface - is connected to WAN
X2 interface - is connected to our secondary separate DSL line (which provides activesync traffic as well as guest wireless)

The problem that I am facing is that when connected to the X2 interface through the wireless router I am not able to access an externally accessible web server that exists on the X1 interface. The sonicwall keeps dropping the packets with an error of (IP spoof dropped). I am able to get to the internet, etc. but not the web server mentioned above. I should also mention that we have our activesync traffic pointed to the X2 interface, which in turn routes it to a server on the X1 interface. That works fine and has been in place for a while now.

I have tried quite a few things to get this to work (turned off IP spoofing for testing, which still did not work; added an access rule, interface trust, etc.).
Please help. Thanks!
Question by:Llacy80
25 Comments
LVL 33

Expert Comment

by:digitap
ID: 34954181
so, you have a publicly available server that sits on the LAN zone that you can't access using the public URL from the WLAN zone?
LVL 33

Expert Comment

by:digitap
ID: 34954195
sorry, forgot to include a link for troubleshooting.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8007
LVL 4

Author Comment

by:Llacy80
ID: 34954236
Yes, I have a publicly available server on the LAN zone that is not accessible from the X2 zone. The packets get dropped and labeled as a "spoofed ip address".

Thanks
LVL 4

Author Comment

by:Llacy80
ID: 34954248
I have read through that link before but did not find anything that helped me identify the issue and how to resolve it.
LVL 33

Expert Comment

by:digitap
ID: 34954310
so, your LAN users can access it using the public URL?  sounds like you're missing a loopback NAT policy.  did you use the public server wizard when you added the server to the sonicwall?  it creates the necessary firewall rules and NAT policies (ingress, egress, loopback).  go to NAT policies and review custom policies.  if you highlight the comment bubble on the right, it should indicate the loopback policies.  confirm this corresponds with your other NAT policies for this server.
LVL 33

Expert Comment

by:digitap
ID: 34954327
to explain further...if it is a loopback issue, when your local host tries to access the server using the public URL, the URL is pointing to the WAN interface IP.  the sonicwall sees the internal host trying to access the internal host using the public IP and drops the connection.  the loopback allows the sonicwall to redirect that traffic to the internal ip when it's trying to access the public IP.
LVL 4

Author Comment

by:Llacy80
ID: 34954634
Hi. Externally all users can access the remoteapp ts that is published but when I am connected to the wireless network on the DSL interface X2 I am not able to access it because it keeps dropping the packets. It just sits there and clocks and eventually times out (& I see the packets being dropped on the sonicwall). I will check the things you mentioned above.
LVL 4

Author Comment

by:Llacy80
ID: 34954667
Oh yes, and none of the users on the X0 interface (LAN) have ever been able to access the externally accessible URL, and there was never a need for it because only remote off-site users needed access to the terminal remoteapps. I just left it alone because I did not need it to work for internal users. Now it is a problem because when we have off-site employees come in for meetings, etc. and they need to connect to the terminal server URL remote app from the X2 interface, it is dropping the connections. I hope this makes sense; if not, let me know.
LVL 33

Expert Comment

by:digitap
ID: 34954833
sure, makes sense.  it sounds like you didn't run the public server wizard and manually setup the NAT policies and firewall access rules.  below, you can see what the settings of a loopback would look like.

also, you say DSL, X2 and WLAN interchangeably.  can you explain the relationship there?  i can see where x2 and WLAN come in, but don't understand DSL.

loopback NAT policy:

original source: Firewalled Subnets
translated source: address object representing the public IP address used by the URL
original destination: address object representing the public IP address used by the URL
translated destination: address object representing the private IP of your terminal server
original service: service object representing the services allowed through the firewall
translated service: Original
inbound/outbound interface: Any
enable NAT policy: enable it
LVL 4

Author Comment

by:Llacy80
ID: 34955159
Hi. You are correct. I did manually add this access rule along with the NAT policy a while back, and everything worked and still does, with the exception of accessing the external URL of the server hosted on interface X0.

Ok, so we have a DSL line coming in that connects from the DSL modem to the Sonicwall on port X2. This was originally set up to separate the activesync traffic from the X1 network (not sure of the real reason for that, since we don't have a lot of activesync traffic). We have 5 usable static IPs with the DSL line. I needed to add guest wireless, so I connected a wireless router to another port on that DSL modem. So we have one cable going from the DSL modem to the Sonicwall and one cable going from the DSL modem to the wireless router, with a second public IP address assigned to it. My hope in setting this up was to allow visiting employees to use their laptops (which are not part of the domain) to connect to the RemoteApp external URL while using the wireless router. All users can access the internet when connected to that wireless router, but they cannot access the remoteapp URL. I think I mentioned all of this already, but hopefully that explains better what I am trying to accomplish here and how everything is set up.

I will try to delete that particular access rule that points to the remoteapp server and add it using the wizard. Hopefully that will fix the issue. I will report back when I have some time after hours to do this. Thanks for your help.
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34955359
yes, i'm understanding a little better.  i think you definitely have a firewall issue between the wireless access point and the remote app.  i assume the access point is handing out private IPs so it's NAT'ing.  then, it has a public IP address that falls into the range of the WAN interface.  the loopback MAY resolve the wireless connectivity issue, but it's certainly going to resolve the LAN issue.

what i'd do with the wireless users is still make that AP a guest one, but put them on their own interface.  you have the 2040 so you should have one more interface.  leave the DSL on X2.  configure the X3 interface as guest wireless.  either use the existing WLAN zone or create a new one with its own IP subnet.  the sonicwall will create a DHCP scope for the WLAN (or, whatever zone you use).  put the AP in bridge mode so it hands out the IP addresses for wireless hosts.

now, you won't have WLAN <> LAN access initially.  this is denied by default.  the loopback MAY work for the URL, but you may need to open the firewall WLAN <> LAN for the terminal server.
LVL 4

Author Comment

by:Llacy80
ID: 34962848
Hi there. I know you already answered my question and I awarded points but I would greatly appreciate any more input you have.

I tried adding the rule through the public server wizard, and it did indeed create a few extra NAT policies that I did not have before, but it is still not working when trying to access anything on the X0 interface from the X2 interface. In the log I see the following. I really just don't understand why this does not work. It's driving me crazy. Any extra help would be greatly appreciated!

02/23/2011 11:33:45.800 Alert Intrusion Prevention IP spoof dropped 99.xx.xx.x, 1419, X1 63.xxx.xx.xx, 443, X1
LVL 33

Expert Comment

by:digitap
ID: 34964045
no worries...if it's not working, then we need to keep going.

from the ip spoof log entry, there appear to be two public IP addresses and both are assigned to X1.  i assume you've continued with the existing physical config with the WAP on the DSL internet @ X2, right?  what's puzzling me is the fact that both public IP addresses are different but appear on the same interface, X1.  i think that's where the spoof is coming from.  i understand where you'd have different public IPs, as you'd get a different one with the DSL.

the spoof is indicating that two different IPs are on the same interface.  the thing to figure out is WHY do they appear on the same interface.
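A small Python model of the two mechanisms this thread turns on: the loopback NAT policy described in digitap's earlier comment (the inbound, outbound and loopback policies the public server wizard creates) and the anti-spoof check behind the "IP spoof dropped" log line. This is an added example, not code from the thread or from SonicOS; the addresses, subnets and the sample log line are constructed, and the anti-spoof logic is a simplified reverse-path check, not SonicOS's actual implementation.

```python
import ipaddress
import re

# Constructed sample topology (the thread masks its real addresses).
INTERFACE_SUBNETS = {                                   # subnet the SonicWall owns per interface
    "X0": ipaddress.ip_network("192.168.1.0/24"),       # LAN
    "X1": ipaddress.ip_network("203.0.113.0/29"),       # primary WAN
    "X2": ipaddress.ip_network("198.51.100.0/29"),      # DSL WAN (guest WAP sits in this range)
}
PUBLIC_VIP = ipaddress.ip_address("203.0.113.10")       # public IP in the RemoteApp URL (on X1)
SERVER_PRIVATE = ipaddress.ip_address("192.168.1.20")   # terminal server on X0
SERVICE_PORT = 443

def source_is_spoofed(src_ip, ingress_iface):
    """Simplified reverse-path check: on a WAN interface any source is fine except one
    the firewall knows lives on another interface; on the LAN it must be in the LAN subnet."""
    src = ipaddress.ip_address(src_ip)
    if ingress_iface in ("X1", "X2"):
        return any(src in net for iface, net in INTERFACE_SUBNETS.items()
                   if iface != ingress_iface)
    return src not in INTERFACE_SUBNETS[ingress_iface]

def apply_nat(src_ip, dst_ip, dst_port):
    """Return (translated_src, translated_dst, policy_name) or None. Models the
    inbound, outbound and loopback policies the public server wizard creates."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src == SERVER_PRIVATE and not any(dst in n for n in INTERFACE_SUBNETS.values()):
        return (PUBLIC_VIP, dst, "outbound")             # server egress leaves as the public IP
    if dst != PUBLIC_VIP or dst_port != SERVICE_PORT:
        return None
    if any(src in n for n in INTERFACE_SUBNETS.values()):
        # Loopback: the source is also rewritten to the public IP so the server's
        # reply returns through the firewall rather than straight to the client.
        return (PUBLIC_VIP, SERVER_PRIVATE, "loopback")
    return (src, SERVER_PRIVATE, "inbound")               # from the internet: source left Original

LOG_RE = re.compile(r"IP spoof dropped (\S+), (\d+), (\S+) (\S+), (\d+), (\S+)$")

def parse_spoof_log(line):
    """Split a SonicOS 'IP spoof dropped' line into its six fields (or None)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return dict(zip(("src", "sport", "src_iface", "dst", "dport", "dst_iface"), m.groups()))

# Constructed log line in the same shape as the one quoted in the thread.
SAMPLE_LOG = ("02/23/2011 11:33:45.800 Alert Intrusion Prevention IP spoof dropped "
              "198.51.100.3, 1419, X1 203.0.113.10, 443, X1")
```

Feeding `SAMPLE_LOG` through `parse_spoof_log` and then `source_is_spoofed` reproduces the thread's diagnosis: a DSL-range source showing up on X1 fails the check, while the same source arriving on X2 passes.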
LVL 4

Author Comment

by:Llacy80
ID: 34964122
Thank you for replying. Yes, I am still trying to get it to work with the WAP on the DSL on X2 because in my mind it should. I thought it was strange too that the log is showing both of those on the same interface. Do you think it has to do with the fact that they are running firmware version SonicOS Enhanced 3.2.3.0-6e?? :-) I don't see why that would be a problem, but I do know that is older firmware.
LVL 33

Expert Comment

by:digitap
ID: 34964149
it's possible there was a fix for something like this.  tell me, do you have failover enabled?
LVL 4

Author Comment

by:Llacy80
ID: 34964214
Hi. No, Hardware Failover is disabled.
LVL 33

Expert Comment

by:digitap
ID: 34964349
OK...just running through some possibilities.  i'm going to stick to my initial recommendation.  putting the WAP on an additional interface and setting up a WLAN zone allowing the sonicwall to route as needed.

i know it SHOULD work as it is, but i'm wondering if the time spent troubleshooting is worth it.  flattening out the network is always a good idea.

however, perhaps there's a route goofed up somewhere.  without having access to the sonicwall, i can't say for certain.

have you updated the firmware yet?

if the update doesn't work, then i'm not sure what the next step is except moving the WAP to its own interface.
LVL 4

Author Comment

by:Llacy80
ID: 34964426
Alrighty. I will do that. I am stubborn, so I was determined to get it to work as is, but I think you are right and I will try to update the firmware, and if it is a no go then I will try the other solution you mentioned. Thanks again!
LVL 33

Expert Comment

by:digitap
ID: 34964563
also, i'm not out yet.  if you get somewhere, post back here.  you've got 500 points to get out of me!!
LVL 4

Author Comment

by:Llacy80
ID: 34964690
I figured you were out :) Is there any way I can send P's from here, and then once I have it fixed I will post the final solution?
LVL 4

Author Comment

by:Llacy80
ID: 34964693
I meant to say private message. Sorry.
LVL 33

Expert Comment

by:digitap
ID: 34964709
no, but i have particulars for that in my profile.
LVL 33

Expert Comment

by:digitap
ID: 34964713
EE profile that is.
LVL 4

Author Comment

by:Llacy80
ID: 34983168
Do you happen to have any articles handy that you could post for me that show how to set up WLAN guest services on an interface?

I need to set up wireless access for off-site employees who are in town to use that is separate from the LAN, but they are able to access an RDWeb session that is hosted on a server on the X0 interface.

Thanks again for your help. It's appreciated. I'm going to be upgrading the firmware this evening to see if it fixes the IP spoof issue, and if that does not correct it I'll be setting up the WLAN interface like you suggested.
LVL 33

Expert Comment

by:digitap
ID: 34983783