SonicWALL WAN FailOver Outbound NATs

Posted on 2011-02-23
Last Modified: 2012-06-21
We have a SonicWALL NSA240 firewall with enhanced firmware and are attempting to set up failover on two internet WAN connections. Currently we already have the failover working to the point of automatically switching over the internet connections when the primary internet connection goes down; we have also already set up all of the inbound NAT rules, the firewall rules, and DNSMadeEasy.com for failover to switch over the DNS records, as we have a mail server and a couple of websites internally.

The part that we are stuck at is how to make the outbound NAT rules fail over as well. Currently, what happens if the internet goes down is that everything works properly except that when, for example, the mail server responds, it uses the original primary connection's static internet address to send traffic outbound, as the original NAT rule tells it to, which I assume will drop the traffic as the primary internet static IP would not be active. We could potentially just use the primary WAN IP, which would change dynamically when the WAN changes, but we also have about 3 web sites internally; we could use different ports, but it seems the SonicWALL would support this.

How do we make the outbound NAT failover as well?
Question by:maxtexgr

Expert Comment

by:digitap
ID: 34962259
That sounds more like an issue with your route. When the connection is down, there should be a route that indicates which default gateway to send traffic out of. Of course, you should have a NAT policy for egress Exchange traffic, and I'm guessing you have one. When your primary internet is down, there should be a route that will send traffic out the secondary gateway.

Did you set up a secondary gateway? Which option under failover did you select?

Configure secondary gateway:


https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781
 

Author Comment

by:maxtexgr
ID: 34965118
Thanks for your reply.

The secondary gateway has already been set up; the setup was similar to the link you posted, which automatically set up the routes needed for the basic traffic going outbound during the process. The failover method we chose was Basic Active/Passive Failover. The internet works when the primary internet connection goes down, but our mail servers and web servers do not, due to the outbound NAT issue, which is what the problem is.

The current NAT rule for the primary server says anything coming out from our internal Exchange address on ports 25, 80 and 443 goes out on our static 205.xxx.xxx.xxx, which belongs to our primary address. When the primary goes down and our statics switch over to 204.xxx.xxx.xxx, this NAT rule causes the Exchange server to respond on a different IP than the one it was sent the traffic on (the MX record is updated through DNSMadeEasy), and that causes the packet to be dropped.
 

Expert Comment

by:digitap
ID: 34965157
Do you have the secondary public IP configured in your MX record?
 

Author Comment

by:maxtexgr
ID: 34965200
Yes
 

Expert Comment

by:digitap
ID: 34966866
I can understand how it would fail initially after the failover. When the sender's mail server realizes that the primary IP of the MX record is not responding, it should pick up on the second, right? At this point, it would succeed. Sorry if I'm being dense in understanding.
 

Author Comment

by:maxtexgr
ID: 34967295
The sending mail server would try to connect on the secondary MX; the traffic would get to the receiving server, and when the server tried to respond it would respond on a different IP than the one it was sent the traffic on. That IP would be the non-failover outbound NAT IP, and since the SonicWALL doesn't have the primary internet connection up, it would not allow the traffic out. Let's say even if it was smart enough to realize the primary internet was down and it responded on the failover internet connection, it could still respond with the wrong IP (we might want to use a different IP in the block than what the WAN interface is using), and the original sending server would drop the traffic once it received it, as it is the incorrect address and doesn't match the one it sent to.
 

Accepted Solution

by:
maxtexgr earned 0 total points
ID: 34973040
After looking at the NAT rules more, all we really needed to do was specify the interface on the original outbound NAT rules as X1 for the destination interface, and vice versa on the failover outbound NAT rules as X2. So if the primary connection is down, the other rule is used, which accomplishes what we are looking to do. Can't believe I didn't see this sooner.
 

Expert Comment

by:digitap
ID: 34973205
Yes, that is frustrating. I've done that before. Without seeing the rules myself, this is one of those small details that's easy to overlook. Glad you got it!
 

Author Closing Comment

by:maxtexgr
ID: 35005291
We answered our own question.