Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to give DMZ WiFi WAP access to LAN web server

Posted on 2011-02-25
7
Medium Priority
?
1,900 Views
Last Modified: 2012-05-11
Goal: corporate visitors using WiFi should have full access to the Internet, zero access to the LAN.

I have a SonicWall PRO 2040 Standard and a set of HP ProCurve switches. I have created a VLAN on the switches so that a WiFi WAP connected to a specific port can hit the SonicWall DMZ port but nothing else. The SonicWall has DHCP configured on the DMZ's IP range (192.168.20.0:24). There is a reservation for the WAP's MAC address, and a nice wide range for DHCP leases. DNS is hard coded to the ISP's name servers. The WAP is configured to use DHCP. The LAN's subnet is 192.168.1.0:24.

Works perfectly. You get a WiFi connection that lets you out to the Internet, but you can't see anything on the LAN. But it works a little TOO perfectly. We have an exchange server on the LAN, and have opened up the necessary firewall ports to allow our employees to use OWA when traveling. There is an external DNS A record for mail.FooCorp.com that points to our SonicWall's external IP address (say, 76.101.5.68). The SW has a firewall rule that sends port 80 traffic to the IIS server on our Exchange box. This has worked well for ages.

The problem is this. When an *employee* uses the WiFi connection, the employee can surf the net just like anyone else. But when the employee tries to hit mail.FooCorp.com, they get a DNS error: server not found. I need to tell the SonicWall that when it hears a request for 76.101.5.68, it should send the traffic to our internal web server. Can I do that with a firewall rule, or do I need to define a static route of some kind?
0
Comment
Question by:lwebber
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 2000 total points
ID: 34985983
create a loopback nat policy.  this will tell the sonicwall that when internal hosts hit the WAN interface, they will get redirected to the private IP.  you may need to make sure the exchange server private IP is available from the DMZ via a firewall access rule.

Original Source: Firewalled subnet
Translated Source: WAN Primary IP
Original Destination: WAN Primary IP
Translated Destination: Exchange server private IP
Original Service: 80/443
Translated Service: Original
Any
Any
Enable NAT Policy

this policy is created automatically by the public server wizard.  if you don't have it then you must have created the nat policies and firewall access rules manually.  if so, then make sure the firewall access rule dmz <> lan is allowing access to the exchange server.
1
 
LVL 9

Author Comment

by:lwebber
ID: 34988708
Unfortunately, I don't have the SonicWall Enhanced OS -- just the standard. Can I do this just with a firewall rule? If I specify a source of DMZ, address range *, with a destination LAN, I would have to specify the exchange server's specific IP address -- otherwise any guest on the WiFi WAP would have access to any device on the LAN (defeating the purpose of the VLAN). But if I specify the Exch server's IP address, then clients in the DMZ would have to know the LAN IP address of the Exch server (e.g. 192.168.1.101). I guess I could teach them that, but it would sure be nice if they could use the same URL no matter where they are (mail.foocorp.com). But the URL is going to translate to the SonicWall's WAN (public) IP address: 76.101.5.68.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34988756
either way, you'd still have to create a firewall rule because the loopback is NAT'ing back to the private IP of the exchange server in the same manner that specifying the private IP rather than mail.foocorp.com. before we get too far, review this PDF. it discusses loopbacks in standard OS. don't forget to create the firewall rule.
SonicOS-Standard-2.0-Configuring.pdf
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 9

Author Comment

by:lwebber
ID: 34993573
I'll give this a try tomorrow from the office. I don't think I can test it any other way than to connect to my guest WiFi on the DMZ and try to hit mail.foocorp.com. I'll let you know what happens.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34993866
that's true...got my fingers crossed, good luck!
0
 
LVL 9

Author Comment

by:lwebber
ID: 35024071
Thanks for your help, Digitap. I now have a guest WiFi network that does exactly what I want. In fact, today I just added another WAP to the same VLAN. Just modded the ProCurve VLAN setup to UNTAG the port where the new WAP is plugged in, gave it a static IP in the 192.168.20.0 subnet, and it worked instantly. So now I have a WAP on the 4th floor and a WAP on the 5th floor. And some very happy clients.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35024178
that's awesome! i'm so glad i was able to help and thanks for the points! what's that saying by the A-Team guy..."I love it when a plan comes together."?
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question