Solved

Need a little direction with Sonicwall NAT/Routing

Posted on 2011-02-25
30
522 Views
Last Modified: 2012-06-21
Here is how my Sonicwall was just reconfigured to be:
X0: 10.0.0.x LAN
X1: Primary WAN
X2: 10.0.1.x LAN
X3: Backup WAN

The computers on the X0 subnet can ping and see all the computers in the X2 subnet.  However, when someone on the X2 subnet tries to ping someone on the X0 subnet, it always resolves to the X2 gateway.

What do I have to configure in order to get this to work properly?
Question by:rvdsabu4life
30 Comments
 
LVL 16
ID: 34979295
You need to set up static NAT from the X0 subnet to the X2 subnet. Basically, X0 has permission to send any traffic out and X2 is essentially an outside interface to X0. When X2 initiates an echo request to X0 it is trying to pass through an external interface to get to X0.

MO
0
 
LVL 33

Expert Comment

by:digitap
ID: 34979351
both are in the same LAN zone so they should trust each other.  make sure your firewall access rule LAN X2 > LAN X0 is set to allow.
0
 

Author Comment

by:rvdsabu4life
ID: 34979611
Here is what I have.  Does this look right?
0
 
LVL 16
ID: 34979764
So that's basically the combination of a NAT rule and Access list. It should work.

MO
0
 
LVL 33

Expert Comment

by:digitap
ID: 34980252
no, it's NAT only.  did you check the access rule per http:#a34979351, as i suggested? also, your address object says VLAN, you're using vlans on the sonicwall?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34980276
in your question description, does LAN imply the zone or just merely a private subnet?  from your screen shot, it looks like you created a new zone?  need some clarification here as assigning an interface the LAN zone means they trust each other and the access rules would reflect this.  this has nothing to do with NAT.
0
 
LVL 16
ID: 34980350
I must admit that I'm not as familiar with Sonicwalls. I took the Interface status of inbound/outbound equaling "any" & "any" as a form of access rule.

MO
0
 
LVL 33

Expert Comment

by:digitap
ID: 34980493
i can see that.  the sonicwall appliance has the 'any' option for several areas of configuration.  firewall rules are done separately from NAT policies.  in this case, i think a new zone was created and trust was not established through a firewall access rule.
0
 

Author Comment

by:rvdsabu4life
ID: 34980810
in your question description, does LAN imply the zone or just merely a private subnet?  from your screen shot, it looks like you created a new zone?  need some clarification here as assigning an interface the LAN zone means they trust each other and the access rules would reflect this.  this has nothing to do with NAT.

The VLAN2 zone was a test I was running with vlans a while ago.  I just kept the name on the new zone.  Yes I also checked the firewall rule.  It was already added.
0
 

Author Comment

by:rvdsabu4life
ID: 34980936
Here are my access rules and NAT.

0
 
LVL 33

Accepted Solution

by:
digitap earned 250 total points
ID: 34981854
would you provide me a screen shot of your zone settings?

i might suggest at some point here to change the interface for X2 to LAN from VLAN or create a new zone.  i'm thinking that if you were testing with this zone in the past, there may be something causing issues with traffic flow.
0
 

Author Comment

by:rvdsabu4life
ID: 34982180
See Here
0
 
LVL 33

Expert Comment

by:digitap
ID: 34982254
i don't see anything wrong with your firewall rules or your zone settings.  you may have a static route that is throwing things off.  check out network > routing and click the custom radio buttons.  this will show routes created by you or the public server wizard.  see anything suspect?
0
 
LVL 16
ID: 34982292
Reverse your Originated and Translated subnets on your NAT rule and see if that works.

MO
0
 
LVL 33

Expert Comment

by:digitap
ID: 34982309
NAT is not needed for comm between the X2 and X0 ports.  i didn't think about it before, but you should disable any NAT rules between those two interfaces/zones.
0
 
LVL 16
ID: 34982389
That's interesting, digitap. I guess there is a distinction between "zone" and "vlan"? The configuration sort of indicates that there are 2 vlans (subnet X0 and X2) that are trying to pass traffic through to each other. In order to do this you typically have to configure "router on a stick" for intervlan communication to work. I take it SonicWall uses the term "zone" for something other than a "vlan"?

MO
0
 
LVL 33

Expert Comment

by:digitap
ID: 34982478
X0 and X2 are the physical interfaces.  there are zones called VLAN2 and VLAN, and they do not directly imply they are vlans.  they are merely a way of tagging an interface for the type of traffic.  also, sonicwall applies security services based on zones.  it is via the zone that content filter, gateway anti-virus can be disabled for all the traffic going across that interface as defined by the zone.

so, yes, it does mean something different.  to create a vlan, you first create a zone.  then, go to the interface and create a new interface on an existing interface.  doing so implies you want to create a vlan.  you apply the zone you created and give it a vlan tag.

i do this for creating wireless guest and wireless corporate networks using the sonicpoint hardware.
0
 

Author Comment

by:rvdsabu4life
ID: 34982497
X0: 10.0.0.x LAN
X2: 10.0.1.x LAN

As it stands with my current configuration, X2 people can connect to everyone on X0.
When X0 people ping any IP on X2, it responds with the WAN IP.

It's like I am close but need a reverse rule as well?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34982602
i think you've got a route there.  when you ping to X2, it's routing traffic out the WAN.  did you disable the NAT policies?  i agree, i think it's close.
0
 

Author Comment

by:rvdsabu4life
ID: 34982628
I did not disable the NAT policies.  Also there were no custom routes.
0
 
LVL 16
ID: 34982660
Well it still sounds like a NAT issue to me. Again, I'm not familiar with SonicWalls, but in most other firewalls where I take a switch port and carve it out (or create a separate VLAN, which is what would be needed to even do this) as a separate routable network you have to configure an access rule and NAT in order for the two subnets to communicate with each other.

In your guest and corporate wireless networks are you actually passing traffic between the two networks like what the author is trying to do?

MO
0
 
LVL 16
ID: 34982707
What about placing both X0 & X2 interfaces in the same LAN zone?

MO
0
 
LVL 16
ID: 34982718
If you can do that, following digitap's explanation of zones, then you won't need routes or any NAT statements. Simply place both interfaces in the same LAN zone and test.

MO
0
 
LVL 33

Expert Comment

by:digitap
ID: 34982931
since the zones are trusted and the traffic is not traversing the internet, you don't need the NAT.  the NAT policy is NAT'ing your traffic from the private to the 3COM address object.  i assume that's your WAN gateway.  disable the NAT.  i think you'll be fine.
0
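As an added example (not from the thread, and not SonicWall's own tooling), here is a small Python audit of a constructed policy table written in the same original/translated vocabulary: it flags enabled NAT policies that rewrite the source of traffic between two internal zones, which is the situation digitap describes, and checks the zone-to-zone access rule asked about earlier. The zone names, address objects and the address behind the "3COM" object are constructed assumptions.

```python
import ipaddress

# Constructed to mirror the thread: two internal interfaces (X0 in LAN, X2 in a
# zone named VLAN2) and a WAN gateway address object named "3COM" (address made up).
INTERNAL_ZONES = {"LAN", "VLAN2"}
ADDRESS_OBJECTS = {
    "X0 Subnet": "10.0.0.0/24",
    "X2 Subnet": "10.0.1.0/24",
    "3COM": "198.51.100.1/32",  # placeholder for the real WAN gateway object
}
# SonicWall vocabulary: "Original" in a translated field means "leave unchanged".
NAT_POLICIES = [
    {"name": "X2 to X0", "src_zone": "VLAN2", "dst_zone": "LAN", "enabled": True,
     "orig_src": "X2 Subnet", "orig_dst": "X0 Subnet", "trans_src": "3COM"},
    {"name": "X0 to X2", "src_zone": "LAN", "dst_zone": "VLAN2", "enabled": True,
     "orig_src": "X0 Subnet", "orig_dst": "X2 Subnet", "trans_src": "Original"},
    {"name": "LAN to WAN", "src_zone": "LAN", "dst_zone": "WAN", "enabled": True,
     "orig_src": "X0 Subnet", "orig_dst": "Any", "trans_src": "X1 IP"},
]
ACCESS_RULES = [
    {"src_zone": "LAN", "dst_zone": "VLAN2", "action": "allow"},
    {"src_zone": "VLAN2", "dst_zone": "LAN", "action": "allow"},
]


def is_private_object(name):
    """True when the named address object is a private (e.g. RFC 1918) range."""
    net = ADDRESS_OBJECTS.get(name)
    return net is not None and ipaddress.ip_network(net, strict=False).is_private


def audit_nat(policies):
    """Return names of enabled NAT policies that rewrite the source of traffic between
    two internal zones. Such traffic never leaves the firewall, so NAT is unnecessary,
    and replies then appear to come from the translated (WAN) address, not the host."""
    findings = []
    for p in policies:
        rewrites = p["trans_src"] not in ("Original", p["orig_src"])
        internal = p["src_zone"] in INTERNAL_ZONES and p["dst_zone"] in INTERNAL_ZONES
        if (p["enabled"] and rewrites and internal
                and is_private_object(p["orig_src"]) and is_private_object(p["orig_dst"])):
            findings.append(p["name"])
    return findings


def access_allowed(rules, src_zone, dst_zone):
    """Check the zone-to-zone access rule the thread asks about (e.g. VLAN2 -> LAN)."""
    return any(r["src_zone"] == src_zone and r["dst_zone"] == dst_zone
               and r["action"] == "allow" for r in rules)
```

Running `audit_nat(NAT_POLICIES)` returns only the "X2 to X0" policy: the untranslated X0 to X2 policy and the outbound LAN to WAN policy are left alone.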
 
LVL 16

Assisted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 250 total points
ID: 34982962
I agree with digitap. If the zones are configured to speak to each other then I guess you don't need the NAT statement. I read up a little more on the SonicWalls. It's definitely different with SonicWall than Cisco firewalls.

MO
0
 

Author Comment

by:rvdsabu4life
ID: 34987099
I followed the advice of everyone above and put them all on the same zone.  I will post my results.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34992081
your final response indicates you followed the advice of everyone, but your point disposition does not. recommend split between http:#a34982931 and http:#a34982962.
0
 
LVL 16
ID: 34994032
If your solution was to remove the NAT statement and put both interfaces in the same zone then I would move all points to digitap. He arrived at that solution and I only agreed with it after doing some research.

MO
0
 
LVL 1

Expert Comment

by:modus_operandi
ID: 35042780
Starting auto-close process to implement the recommendations of the participating Expert(s).
 
modus_operandi
EE Admin
0
