Solved

SonicWALL WAN FailOver Outbound NATs

Posted on 2011-02-23
Last Modified: 2012-06-21
We have a SonicWALL NSA240 firewall with enhanced firmware and are attempting to set up FailOver on two internet WAN connections.  Currently we already have the FailOver working to the point of automatically switching over the internet connections when the primary internet connection goes down, we also have already set up all of the NAT inbound rules, the firewall rules, and DNSMadeEasy.com for FailOver to switch over the DNS records as we have a mail server and a couple of websites internal.

The part that we are stuck at is how to make the outbound NAT rules fail over as well.  Currently what happens if the internet goes down is that everything works properly except when for example the mail server responds it uses the original primary connection's static internet address to send traffic outbound as the original NAT rule tells it to which I assume will drop the traffic as the primary internet static IP would not be active.  We could potentially just use the primary WAN IP which would change dynamically when the WAN changes, but we also have about 3 web sites internally, we could use different ports, but it seems the SonicWALL would support this.

How do we make the outbound NAT failover as well?
0
Question by:maxtexgr
9 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34962259
that sounds more of an issue with your route.  when the connection is down, there should be a route that indicates which default gateway to send traffic out of.  of course, you should have a NAT policy for egress Exchange traffic and i'm guessing you have one.  when your primary internet is down, there should be a route that will send traffic out the secondary gateway.

did you set up a secondary gateway?  which option under failover did you select?

configure secondary gateway:


https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781
0
 

Author Comment

by:maxtexgr
ID: 34965118
Thanks for your reply.

The secondary gateway has already been set up, the setup was similar to the link you posted which automatically during the process set up the routes needed for the basic traffic going outbound.  The failover method we chose was Basic Active/Passive FailOver.  The internet works when the primary internet connection goes down, but our mail servers and web servers do not due to the outbound NAT issue, which is what the problem is.

The current NAT rule for the primary server says anything coming out from our internal Exchange address on port 25, 80, 443 go out on our static 205.xxx.xxx.xxx which belongs to our primary address.  When the primary goes down and our statics switch over to 204.xxx.xxx.xxx this NAT rule causes the Exchange server to respond on a different IP than it was sent the traffic on, the MX record is updated through DNSMadeEasy, and that causes the packet to be dropped.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34965157
do you have the secondary public IP configured in your mx record?
0

 

Author Comment

by:maxtexgr
ID: 34965200
Yes
0
 
LVL 33

Expert Comment

by:digitap
ID: 34966866
i can understand how it would fail initially after the failover.  when the sender's mail server realizes that the primary IP of the MX record is not responding, it should pick up on the second, right?  at this point, it would succeed.  sorry if i'm being dense in understanding.
0
 

Author Comment

by:maxtexgr
ID: 34967295
The sending mail server would try to connect on the secondary mx, the traffic would get to the receiving server and when the server tried to respond it would respond on a different ip than what it was sent the traffic on, that ip would be the non failover outbound nat ip and since the sonicwall doesn't have the primary internet connection up it would not allow the traffic out.  Let's say even if it was smart enough to realize the primary internet was down and it responded on the fail over inet connection it could still respond with the wrong ip, we might want to use a different ip in the block than what the wan int is using, and the original sending server would drop the traffic once it received it as it's the incorrect address and doesn't match that which it sent to.
0
 

Accepted Solution

by:
maxtexgr earned 0 total points
ID: 34973040
After looking at the NAT rules more, all we really needed to do was specify the interface on the original NAT outbound rules as X1 for the interface destination and vice versa on the fail over NAT outbound rules to X2.  So if the primary connection is down the other rule is used which accomplishes what we are looking to do.  Can't believe I didn't see this sooner.
0
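
The interface-bound outbound NAT rules described in the accepted solution, modelled as an added example (not part of the original thread and not SonicOS syntax). The internal address, the public IPs (documentation ranges), the policy names and the first-match selection are assumptions made for illustration; `audit` flags any policy that could emit a public IP on a WAN link that does not own it.

```python
from dataclasses import dataclass

# Constructed sample addressing (documentation ranges), not the poster's IPs.
EXCHANGE = "192.168.1.10"
WAN_OF_PUBLIC_IP = {"203.0.113.10": "X1",    # static IP on the primary ISP
                    "198.51.100.10": "X2"}   # static IP on the failover ISP

@dataclass(frozen=True)
class NatPolicy:
    name: str
    original_src: str
    ports: frozenset         # service ports named in the policy
    outbound_iface: str      # "Any", "X1" or "X2"
    translated_src: str

def translate(policies, src, port, egress_iface):
    """Return the public source IP chosen for a flow leaving egress_iface."""
    for p in policies:
        if (p.original_src == src and port in p.ports
                and p.outbound_iface in ("Any", egress_iface)):
            return p.translated_src
    return None  # no policy matched

def audit(policies):
    """Names of policies that can emit a public IP on a WAN that does not own it."""
    return [p.name for p in policies
            if WAN_OF_PUBLIC_IP.get(p.translated_src) != p.outbound_iface]

PORTS = frozenset({25, 80, 443})
# Before: one rule with no interface binding, so it also matches on X2.
before = [NatPolicy("exchange-out", EXCHANGE, PORTS, "Any", "203.0.113.10")]
# After: one rule per WAN, each bound to the interface that owns its IP.
after = [NatPolicy("exchange-out-x1", EXCHANGE, PORTS, "X1", "203.0.113.10"),
         NatPolicy("exchange-out-x2", EXCHANGE, PORTS, "X2", "198.51.100.10")]

if __name__ == "__main__":
    for label, rules in (("before", before), ("after", after)):
        for wan in ("X1", "X2"):
            print(label, wan, translate(rules, EXCHANGE, 25, wan))
        print(label, "audit:", audit(rules))
```
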
 
LVL 33

Expert Comment

by:digitap
ID: 34973205
yes, that is frustrating. i've done that before. without seeing the rules myself, this is one of those small details that's easy to overlook. glad you got it!
0
 

Author Closing Comment

by:maxtexgr
ID: 35005291
We answered our own question.
0

Question has a verified solution.
