• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 532
  • Last Modified:

Need a little direction with Sonicwall NAT/Routing

Here is how my Sonicwall was just reconfigured to be:
X0: 10.0.0.x LAN
X1: Primary WAN
X2: 10.0.1.x LAN
X3: Backup WAN

The computers on the X0 subnet can ping and see all the computers in the X2 subnet.  However, when someone on the X2 subnet tries to ping someone on the X0 subnet, it always resolves to the X2 gateway.

What do I have to configure in order to get this to work properly?
Asked by: rvdsabu4life
2 Solutions
 
Michael OrtegaSales & Systems EngineerCommented:
You need to set up static NAT from the X0 subnet to the X2 subnet. Basically, X0 has permission to send any traffic out and X2 is essentially an outside interface to X0. When X2 initiates an echo request to X0 it is trying to pass through an external interface to get to X0.

MO
0
 
digitapCommented:
both are in the same LAN zone so they should trust each other.  make sure your firewall access rule LAN X2 > LAN X0 is set to allow.
0
 
rvdsabu4lifeAuthor Commented:
Here is what I have.  Does this look right?
0
 
Michael OrtegaSales & Systems EngineerCommented:
So that's basically the combination of a NAT rule and Access list. It should work.

MO
0
 
digitapCommented:
no, it's NAT only.  did you check the access rule per http:#a34979351, as i suggested? also, your address object says VLAN, you're using vlans on the sonicwall?
0
 
digitapCommented:
in your question description, does LAN imply the zone or just merely a private subnet?  from your screen shot, it looks like you created a new zone?  need some clarification here as assigning an interface the LAN zone means they trust each other and the access rules would reflect this.  this has nothing to do with NAT.
0
 
Michael OrtegaSales & Systems EngineerCommented:
I must admit that I'm not as familiar with Sonicwalls. I took the Interface status of inbound/outbound equaling "any" & "any" as a form of access rule.

MO
0
 
digitapCommented:
i can see that.  the sonicwall appliance has the 'any' option for several areas of configuration.  firewall rules are done separately from NAT policies.  in this case, i think a new zone was created and trust was not established through a firewall access rule.
0
 
rvdsabu4lifeAuthor Commented:
in your question description, does LAN imply the zone or just merely a private subnet?  from your screen shot, it looks like you created a new zone?  need some clarification here as assigning an interface the LAN zone means they trust each other and the access rules would reflect this.  this has nothing to do with NAT.

The VLAN2 zone was a test I was running with vlans a while ago.  I just kept the name on the new zone.  Yes I also checked the firewall rule.  It was already added.
0
 
rvdsabu4lifeAuthor Commented:
Here are my access rules and NAT.
0
 
digitapCommented:
would you provide me a screen shot of your zone settings?

i might suggest at some point here to change the interface for X2 to LAN from VLAN or create a new zone.  i'm thinking that if you were testing with this zone in the past, there may be something causing issues with traffic flow.
0
 
rvdsabu4lifeAuthor Commented:
See here.
0
 
digitapCommented:
i don't see anything wrong with your firewall rules or your zone settings.  you may have a static route that's throwing things off.  check out network > routing and click the custom radio buttons.  this will show routes created by you or the public server wizard.  see anything suspect?
0
 
Michael OrtegaSales & Systems EngineerCommented:
Reverse your Originated and Translated subnets on your NAT rule and see if that works.

MO
0
 
digitapCommented:
NAT is not needed for comm between the X2 and X0 ports.  i didn't think about it before, but you should disable any NAT rules between those two interfaces/zones.
0
 
Michael OrtegaSales & Systems EngineerCommented:
That's interesting, digitap. I guess there is a distinction between "zone" and "vlan"? The configuration sort of indicates that there are 2 vlans (subnet X0 and X2) that are trying to pass traffic through to each other. In order to do this you typically have to configure "router on a stick" for intervlan communication to work. I take it SonicWall uses the term "zone" for something other than a "vlan"?

MO
0
 
digitapCommented:
X0 and X2 are the physical interfaces.  there is a zone called VLAN2 and VLAN, and they do not directly imply they are vlans.  they are merely a way of tagging an interface for the type of traffic.  also, sonicwall applies security services based on zones.  it is via the zone that content filter, gateway anti-virus can be disabled for all the traffic going across that interface as defined by the zone.

so, yes, it does mean something different.  to create a vlan, you first create a zone.  then, go to the interface and create a new interface on an existing interface.  doing so implies you want to create a vlan.  you apply the zone you created and give it a vlan tag.

i do this for creating wireless guest and wireless corporate networks using the sonicpoint hardware.
0
 
rvdsabu4lifeAuthor Commented:
X0: 10.0.0.x LAN
X2: 10.0.1.x LAN

As it stands with my current configuration, X2 people can connect to everyone on X0.
X0 people, when they ping any IP on X2, it responds with the WAN IP.

It's like I am close but need a reverse rule as well?
0
 
digitapCommented:
i think you've got a route there.  when you ping to X2, it's routing traffic out the WAN.  did you disable the NAT policies?  i agree, i think it's close.
0
 
rvdsabu4lifeAuthor Commented:
I did not disable the NAT policies.  Also there were no custom routes
0
 
Michael OrtegaSales & Systems EngineerCommented:
Well it still sounds like a NAT issue to me. Again, I'm not familiar with SonicWalls, but in most other firewalls where I take a switch port and carve it out (or creating a separate VLAN as is what would be needed to even do this) as a separate routable network you have to configure an access rule and NAT in order for the two subnets to communicate with each other.

In your guest and corporate wireless networks are you actually passing traffic between the two networks like what the author is trying to do?

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
What about placing both X0 & X2 interfaces in the same LAN zone?

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
If you can do that, following digitap's explanation of zones, then you won't need routes or any NAT statements. Simply place both interfaces in the same LAN zone and test.

MO
0
 
digitapCommented:
since the zones are trusted and the traffic is not traversing the internet, you don't need the NAT.  the NAT policy is NAT'ing your traffic from the private to the 3COM address object.  i assume that's your WAN gateway.  disable the NAT.  i think you'll be fine.
0
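To make the diagnosis above concrete, here is an added example (not from the original thread or from SonicWall) that models the two configurations discussed: a minimal, constructed policy engine with zone-based trust, explicit inter-zone access rules and first-match source NAT. The WAN address, the subnet objects and the simplified matching semantics are assumptions for illustration; it shows why a source-NAT policy bound to "any" outbound interface makes X0's pings toward X2 arrive from the WAN address, and why scoping that policy to X1 (or disabling it) and putting X0 and X2 in the same zone restores the original source.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Everything below is constructed for this example: it models the thread's
# layout (X0 and X2 private subnets, X1 WAN) with a much-simplified engine.
WAN_IP = "203.0.113.10"  # placeholder public address on X1 (documentation range)


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    subnet: Optional[str] = None  # None marks the WAN interface (default route)


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class NatPolicy:
    original_src: str    # CIDR the packet's source must fall in
    translated_src: str  # address the source is rewritten to
    outbound_iface: str  # interface name, or "any"


@dataclass
class Firewall:
    interfaces: List[Interface]
    rules: List[AccessRule]
    nat: List[NatPolicy]

    def egress(self, ip: str) -> Interface:
        """Directly connected subnet wins; anything else goes out the default route (WAN)."""
        addr = ipaddress.ip_address(ip)
        for i in self.interfaces:
            if i.subnet and addr in ipaddress.ip_network(i.subnet):
                return i
        return next(i for i in self.interfaces if i.subnet is None)

    def forward(self, src: str, dst: str):
        """Return (verdict, egress interface, source address the destination will see)."""
        ingress = self.egress(src)  # the interface whose subnet holds the source
        out = self.egress(dst)
        # Interfaces in the same zone trust each other implicitly (assumed);
        # crossing zones requires an explicit allow rule.
        if ingress.zone != out.zone:
            allowed = any(r.src_zone == ingress.zone and r.dst_zone == out.zone
                          and r.action == "allow" for r in self.rules)
            if not allowed:
                return ("deny", out.name, None)
        # Source NAT: the first matching policy rewrites the source address.
        seen_src = src
        for p in self.nat:
            if (ipaddress.ip_address(src) in ipaddress.ip_network(p.original_src)
                    and p.outbound_iface in ("any", out.name)):
                seen_src = p.translated_src
                break
        return ("allow", out.name, seen_src)


X0 = Interface("X0", "LAN", "10.0.0.0/24")
X1 = Interface("X1", "WAN")
X2_own_zone = Interface("X2", "VLAN2", "10.0.1.0/24")
X2_lan_zone = Interface("X2", "LAN", "10.0.1.0/24")

# As posted (constructed reading of the thread): X2 in its own VLAN2 zone, allow
# rules both ways, and a NAT policy that rewrites the X0 subnet to the WAN
# address on *any* outbound interface, so it also fires for X0 -> X2 traffic.
as_posted = Firewall(
    interfaces=[X0, X1, X2_own_zone],
    rules=[AccessRule("LAN", "VLAN2", "allow"), AccessRule("VLAN2", "LAN", "allow"),
           AccessRule("LAN", "WAN", "allow"), AccessRule("VLAN2", "WAN", "allow")],
    nat=[NatPolicy("10.0.0.0/24", WAN_IP, "any")],
)

# The fix discussed: both interfaces in the LAN zone (no inter-zone rule needed)
# and the source NAT scoped to the WAN interface only, i.e. off for X0 <-> X2.
fixed = Firewall(
    interfaces=[X0, X1, X2_lan_zone],
    rules=[AccessRule("LAN", "WAN", "allow")],
    nat=[NatPolicy("10.0.0.0/24", WAN_IP, "X1")],
)


def ping_path(fw: Firewall, src: str, dst: str) -> str:
    verdict, out, seen = fw.forward(src, dst)
    return f"{src} -> {dst}: {verdict} via {out}, destination sees source {seen}"


if __name__ == "__main__":
    for label, fw in (("as posted", as_posted), ("fixed", fixed)):
        print(f"[{label}]")
        print(" ", ping_path(fw, "10.0.0.5", "10.0.1.5"))   # X0 -> X2
        print(" ", ping_path(fw, "10.0.1.5", "10.0.0.5"))   # X2 -> X0
        print(" ", ping_path(fw, "10.0.0.5", "198.51.100.1"))  # X0 -> Internet
```

In the "as posted" model the X0 to X2 path is allowed but the destination sees the WAN address as the source, matching the symptom reported in the thread, while the X2 to X0 path is untouched because the NAT object only covers the X0 subnet. In the "fixed" model the internal paths keep their real source addresses and only traffic leaving X1 is translated.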
 
Michael OrtegaSales & Systems EngineerCommented:
I agree with digitap. If the zones are configured to speak to each other then I guess you don't need the NAT statement. I read up a little more on the SonicWalls. It's definitely different with SonicWall than Cisco firewalls.

MO
0
 
rvdsabu4lifeAuthor Commented:
I followed the advice of everyone above and put them all on the same zone.  I will post my results
0
 
digitapCommented:
your final response indicates you followed the advice of everyone, but your point disposition does not. recommend split between http:#a34982931 and http:#a34982962.
0
 
Michael OrtegaSales & Systems EngineerCommented:
If your solution was to remove the NAT statement and put both interfaces in the same zone then I would move all points to digitap. He arrived at that solution and I only agreed with it after doing some research.

MO
0
 
modus_operandiCommented:
Starting auto-close process to implement the recommendations of the participating Expert(s).
 
modus_operandi
EE Admin
0
