SonicWALL WAN FailOver Outbound NATs

Posted on 2011-02-23
Last Modified: 2012-06-21
We have a SonicWALL NSA240 firewall enhanced firmware and are attempting to setup FailOver on two internet WAN connections.  Currently we already have the FailOver working to the point of automatically switching over the internet connections when the primary internet connection goes down, we also have already setup all of the NAT inbound rules, the firewall rules, and for FailOver to switch over the DNS records as we have a mail server and a couple of websites internal.

The part that we are stuck at is how to make the outbound NAT rules fail over as well.  Currently what happens if the internet goes down is that everything works properly except when for example the mail server responds it uses the original primary connections static internet address to send traffic outbound as the original NAT rule tells it to which I assume will drop the traffic as the primary internet static IP would not be active.  We could potentially just use the primary WAN IP which would change dynamically when the WAN changes, but we also have about 3 web sites internally, we could use different ports, but it seems the SonicWALL would support this.

How do we make the outbound NAT failover as well?
Question by:maxtexgr
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 33

Expert Comment

ID: 34962259
that sounds more of an issue with your route.  when the connection is down, there should be a route that indicates which default gateway to send traffic out of.  of course, you should have a NAT policy for egress Exchange traffic and i'm guessing you have one.  when your primary internet is down, there should be a route that will send traffic out the secondary gateway.

did you setup a secondary gateway?  which option under failover did you select?

configure secondary gateway:

Author Comment

ID: 34965118
Thanks for your reply.

The secondary gateway has already been setup, the setup was similar to the link you posted which automatically during the process setup the routes needed for the basic traffic going outbound.  The failover method we choose was Basic Active/Passive FailOver.  The internet works when the primary internet connection goes down, but our mail servers and web servers do not due to the outbound NAT issue, which is what the problem is.

The current NAT rule for the primary server says anything coming out from our internal Exchange address on port 25, 80, 443 go out on our static which belongs to our primary address.  When the primary goes down and and our statics switch over to this NAT rule causes the Exchange server to respond on a different IP then it was sent the traffic on, the MX record is updated through DNSMadeEasy, and that causes the packet to be dropped.
LVL 33

Expert Comment

ID: 34965157
do you have the secondary public IP configured in your mx record?
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 34965200
LVL 33

Expert Comment

ID: 34966866
i can understand how it would fail initially after the failover.  when the sender's mail server realizes that the primary IP of the MX record is not responding, it should pickup on the second, right?  at this point, it would succeed.  sorry if i'm being dense in understanding.

Author Comment

ID: 34967295
The sending mail server would try to connect on the secondary mx, the traffic would get to the receiving server and when the server tried to respond it would respond on a different ip than what it was sent the traffic on, that ip would be the non failover outbound nat ip and since the sonicwall doesn't have the primary internet connection up it would not allow the traffic out.  Let's say even if it was smart enough to realize the primary internet was down and it responded on the fail over inet connection it could still respond with the wrong ip, we might want to use a different ip in the block then what the wan int is using, and the original sending server would drop the traffic once it received it as its the incorrect address and doesn't match that which it sent to.

Accepted Solution

maxtexgr earned 0 total points
ID: 34973040
After looking at the NAT rules more all we really needed to do was specify the interface on the original NAT outbound rules as X1 for the interface destination and vice versa on the fail over NAT outbound rules to X2.  So if the primary connection is down the other rule is used which accomplishes what we are looking to do.  Can't believe I didn't see this sooner.
LVL 33

Expert Comment

ID: 34973205
yes, that is frustrating. i've done that before. without seeing the rules myself, this is one of those small details that's easy to overlook. glad you got it!

Author Closing Comment

ID: 35005291
We answered our own question.

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASE reports it as spam 2 1,061
ipsec tunnel comme not up 10 126
How to set DHCPv6 options on a Sonicwall? 13 198
Use of vpn-filter value  in S2S VPN 2 57
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
In an interesting question ( here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question