SonicWALL WAN FailOver Outbound NATs

We have a SonicWALL NSA240 firewall with enhanced firmware and are attempting to set up FailOver on two internet WAN connections. Currently we already have the FailOver working to the point of automatically switching over the internet connections when the primary internet connection goes down. We have also already set up all of the inbound NAT rules, the firewall rules, and DNSMadeEasy.com for FailOver to switch over the DNS records, as we have a mail server and a couple of websites internally.

The part that we are stuck at is how to make the outbound NAT rules fail over as well. Currently what happens if the internet goes down is that everything works properly except that when, for example, the mail server responds, it uses the original primary connection's static internet address to send traffic outbound, as the original NAT rule tells it to, which I assume will drop the traffic as the primary internet static IP would not be active. We could potentially just use the primary WAN IP, which would change dynamically when the WAN changes, but we also have about 3 web sites internally. We could use different ports, but it seems the SonicWALL would support this.

How do we make the outbound NAT failover as well?
Asked by maxtexgr
maxtexgr (Author) commented (accepted solution):
After looking at the NAT rules more all we really needed to do was specify the interface on the original NAT outbound rules as X1 for the interface destination and vice versa on the fail over NAT outbound rules to X2.  So if the primary connection is down the other rule is used which accomplishes what we are looking to do.  Can't believe I didn't see this sooner.
 
digitap commented:
that sounds more of an issue with your route.  when the connection is down, there should be a route that indicates which default gateway to send traffic out of.  of course, you should have a NAT policy for egress Exchange traffic and i'm guessing you have one.  when your primary internet is down, there should be a route that will send traffic out the secondary gateway.

did you set up a secondary gateway?  which option under failover did you select?

configure secondary gateway:


https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781
 
maxtexgr (Author) commented:
Thanks for your reply.

The secondary gateway has already been set up. The setup was similar to the link you posted, which automatically set up the routes needed for the basic traffic going outbound during the process. The failover method we chose was Basic Active/Passive FailOver. The internet works when the primary internet connection goes down, but our mail servers and web servers do not, due to the outbound NAT issue, which is what the problem is.

The current NAT rule for the primary server says anything coming out from our internal Exchange address on port 25, 80, 443 goes out on our static 205.xxx.xxx.xxx, which belongs to our primary address. When the primary goes down and our statics switch over to 204.xxx.xxx.xxx, this NAT rule causes the Exchange server to respond on a different IP than it was sent the traffic on (the MX record is updated through DNSMadeEasy), and that causes the packet to be dropped.
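The failure the author describes in the comment above, and the interface-bound policies from the accepted answer, can be worked through with a small model of how an outbound NAT policy table is evaluated. This is an added example for this thread, not SonicWALL code and not the author's configuration: it models only the policy fields the thread discusses (original source, service, translated source, outbound interface), assumes first-match evaluation, and uses constructed placeholder addresses in place of the masked 205.xxx.xxx.xxx / 204.xxx.xxx.xxx blocks. The "before" table has a single policy with the outbound interface left at Any, so the Exchange reply is always stamped with the primary static even after routing has moved to X2; the "after" table has one policy per WAN interface, so the translated source always belongs to the interface the packet actually leaves on.

```python
"""Model of outbound NAT policy selection during WAN failover.

Constructed example for the thread above; not SonicWALL code. Only the policy
fields discussed in the thread are modelled, and all addresses are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed placeholder addresses (the thread masks the real ones).
EXCHANGE_LAN = "192.168.1.25"      # internal mail server
PRIMARY_STATIC = "203.0.113.10"    # static public IP in the X1 (primary WAN) block
FAILOVER_STATIC = "198.51.100.10"  # static public IP in the X2 (secondary WAN) block

# Which public addresses the upstream provider will actually carry on each WAN interface.
ROUTABLE_ON: Dict[str, Set[str]] = {
    "X1": {PRIMARY_STATIC},
    "X2": {FAILOVER_STATIC},
}

MAIL_AND_WEB: FrozenSet[int] = frozenset({25, 80, 443})


@dataclass(frozen=True)
class NatPolicy:
    original_source: str                # LAN host the policy matches
    services: FrozenSet[int]            # destination ports the policy matches
    translated_source: str              # public IP stamped on the outgoing packet
    outbound_interface: Optional[str]   # "X1", "X2", or None meaning "Any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    egress_interface: str   # picked by the route table: X1 while primary is up, X2 after failover


def apply_outbound_nat(policies: List[NatPolicy], pkt: Packet) -> str:
    """Return the source address the packet leaves with; first matching policy wins."""
    for pol in policies:
        if pkt.src != pol.original_source:
            continue
        if pkt.dst_port not in pol.services:
            continue
        # An interface-bound policy only matches traffic that is really leaving that interface.
        if pol.outbound_interface is not None and pol.outbound_interface != pkt.egress_interface:
            continue
        return pol.translated_source
    return pkt.src   # nothing matched: the packet leaves untranslated


def simulate_reply(policies: List[NatPolicy], egress_interface: str,
                   dst_port: int = 25) -> Tuple[str, bool]:
    """Simulate the Exchange server answering a remote MTA after routing chose egress_interface.

    Returns (translated source IP, whether that IP belongs to the active interface's block).
    A False second value is the dropped reply the thread describes.
    """
    pkt = Packet(src=EXCHANGE_LAN, dst_port=dst_port, egress_interface=egress_interface)
    translated = apply_outbound_nat(policies, pkt)
    return translated, translated in ROUTABLE_ON[egress_interface]


# "Before": one policy with Outbound Interface = Any, as the thread describes.
BEFORE: List[NatPolicy] = [
    NatPolicy(EXCHANGE_LAN, MAIL_AND_WEB, PRIMARY_STATIC, None),
]

# "After": the accepted fix, one policy per WAN interface.
AFTER: List[NatPolicy] = [
    NatPolicy(EXCHANGE_LAN, MAIL_AND_WEB, PRIMARY_STATIC, "X1"),
    NatPolicy(EXCHANGE_LAN, MAIL_AND_WEB, FAILOVER_STATIC, "X2"),
]


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for iface in ("X1", "X2"):
            ip, ok = simulate_reply(table, iface)
            print(f"{label:6s} egress={iface}: translated source={ip} routable={ok}")
```

Running the block prints the four combinations; the only one that comes back non-routable is the "before" table after failover to X2, which is exactly the case where the reply leaves with the primary static while the primary link is down. The same first-match rule is why ordering still matters on a real policy table: a broad Any-interface policy placed above the interface-bound pair would shadow them.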
 
digitap commented:
do you have the secondary public IP configured in your mx record?
 
maxtexgr (Author) commented:
Yes
 
digitap commented:
i can understand how it would fail initially after the failover.  when the sender's mail server realizes that the primary IP of the MX record is not responding, it should pick up on the second, right?  at this point, it would succeed.  sorry if i'm being dense in understanding.
 
maxtexgr (Author) commented:
The sending mail server would try to connect on the secondary MX, the traffic would get to the receiving server, and when the server tried to respond it would respond on a different IP than what it was sent the traffic on. That IP would be the non-failover outbound NAT IP, and since the SonicWALL doesn't have the primary internet connection up, it would not allow the traffic out. Let's say even if it was smart enough to realize the primary internet was down and it responded on the failover internet connection, it could still respond with the wrong IP (we might want to use a different IP in the block than what the WAN interface is using), and the original sending server would drop the traffic once it received it, as it's the incorrect address and doesn't match that which it sent to.
 
digitap commented:
yes, that is frustrating. i've done that before. without seeing the rules myself, this is one of those small details that's easy to overlook. glad you got it!
 
maxtexgr (Author) commented:
We answered our own question.