Solved

Public Server NAT Config over two routers

Posted on 2011-05-09
Last Modified: 2012-05-11
Hi,

We have been agonising over this configuration for some time now; hoping someone can point out where we're going wrong.

We need to make our Exchange Server public.  I have attached a basic diagram of what we're doing.

[Attachment: Diagram]
In words: on the outside we have a Netgear router.  Between the Netgear router and the LAN we have a SonicWall firewall/router.  

Therefore, the initial packet (port 443) that hits the Netgear router gets forwarded, with destination IP address translated to an address on the ("public") subnet on which the Netgear router, and the SonicWall interface (X1) it attaches to, sit.  We've also created a static route to forward the packet to the SonicWall (X1 interface).

[Attachments: Netgear Inbound Rule; NetGear Static Route]
This packet then hits the SonicWall, where the destination IP address is again translated from this "public" subnet to the "private" subnet of the LAN (X0 interface), on which the Exchange Server sits.

[Attachments: SonicWall NAT Policy; SonicWall Firewall Rule]
We have been staring at these for days now, and cannot see how they are incorrect.

The test for success is browsing OWA.  We have a dyndns account setup for the public IP address of the Netgear router.  I can confirm the following:
-> Browsing OWA works within LAN
-> Browsing OWA works when plugged directly into the Netgear router (i.e. on the other side of the SonicWall)
-> Browsing OWA does not work when plugged into a different router, not part of that network, i.e. going over the internet proper.

We placed a support request with SonicWall, and they reckoned our SonicWall config is correct, and also that what we're doing with the Netgear is conceptually correct.

If anyone can see the problem, that would be fantastic - otherwise if you have any specific troubleshooting recommendations, they will be gratefully received.

Cheers,

Tim.
Question by:nulliusinverba
20 Comments
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725582
Ok here we go.

Change your Netgear to make incoming 443 send to 192.168.1.2.

Add a static route so that anything to 192.168.0.0 goes to 192.168.1.2.

On the SonicWall, change the translation from 192.168.1.2 to go to 192.168.0.21, service 25, original interface X1 to X0.

Change the firewall rule to 192.168.1.2.
 
LVL 1

Author Comment

by:nulliusinverba
ID: 35725613
Hi Shareef,

The only question I have about your instructions is where you say, for the SonicWall NAT policy, "service 25". I could not understand what you meant there. If left on 443, it is still not working, unfortunately, with these changes.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725652
Oops. That was a mistake. I meant 443. :)

Shareef
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725658
Change all service areas to any and then try to ping 192.168.1.1 from exchange.
 
LVL 1

Author Comment

by:nulliusinverba
ID: 35725674
Thanks, mate :)  But I've had a good play around with these settings and a few variations thereof, with no success.

If you believe these are the correct settings, are you able to think of any other possible cause of the problem when the settings are correctly configured?
 
LVL 1

Author Comment

by:nulliusinverba
ID: 35725694
Can successfully ping 192.168.1.1 from SVREXCH.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725697
It has been a while since I have been on a SonicWall, but on an ASA you have to create a stateful bypass policy for any routing, with or without NAT. Is there any setting that resembles this type of setting? The first time I ran into it on an ASA I spent days also :)
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725719
How about 4.2.2.3?
 
LVL 1

Author Comment

by:nulliusinverba
ID: 35725743
Unable to see anything like stateful bypass routing.

Can ping 4.2.2.3 from SVREXCH.

Cheers.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725745
So how ping exch from netgear
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725746
I meant: can you ping exch from the Netgear?
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725755
Oops, never mind, I just read that you can get there from that network. My bad.

Turn the logging on on your Netgear. Is there anything that stands out?
 
LVL 1

Author Comment

by:nulliusinverba
ID: 35725759
Thanks, mate - I will have a play around with that and get back to you.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725763
Can you put something on the 192.168.1.x network that has a website, to test your Netgear NAT/ACL?
 
LVL 1

Author Comment

by:nulliusinverba
ID: 35726094
I've created the exact same policies for a web server, same result - presumably ruling out an issue with SVREXCH.

The log is not registering anything when I attempt to access it from outside - both Netgear and SonicWall.
 
LVL 33

Expert Comment

by:digitap
ID: 35747540
You're double NAT'ing your traffic which may be causing an issue, but uncertain. The X1 interface of the sonicwall is meant to sit on the Internet and act as a firewall. The sonicwall may be seeing this traffic and not routing and/or NAT'ing it properly because of that. Is there a reason you are using the sonicwall in this configuration? Why not put the sonicwall in place of the Netgear?

Besides that, did you manually create the NAT policies and firewall rules on the sonicwall or did you use the public server wizard? When you run the wizard, you'll get a WAN > LAN firewall rule and egress, ingress and loopback NAT policies.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35748124
Did you put some kind of web server in between the Netgear and SonicWall and see if your Netgear is passing the traffic correctly?
 
LVL 1

Accepted Solution

by:nulliusinverba (earned 0 total points)
ID: 35750939
Hi guys,

Thanks again for your comments.  I've recently solved it.  I did try putting the server on the other side of the SonicWall - then used communication between that server and my DC to see what was going on.  When I saw traffic was only going one way, I played around with the firewall rules until I found the answer.  The NAT was set up correctly - I just needed to add another firewall rule covering the translated and untranslated addresses.  I am conceptually unclear as to why this worked (maybe because of DNS, my best guess), but I'm happy it has.

Thanks again.

Tim.
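The path described in the question and the fix in the accepted solution, as an added model that is not part of the thread or of any SonicWall or Netgear software: a client packet is destination-NATed twice (Netgear public IP to the SonicWall X1 address 192.168.1.2, then to SVREXCH at 192.168.0.21), and the SonicWall access rule is matched against either the pre-NAT or the post-NAT destination. The Netgear public IP 203.0.113.10 and the client 198.51.100.7 are constructed; the thread does not say which address its SonicOS matched rules against, which is why a rule covering both addresses is the robust choice.

```python
"""Model of the thread's double-NAT path (added example, not the thread's code).
Topology from the question and ShareefHuddle's first reply:
Internet -> Netgear -> 192.168.1.2 (SonicWall X1) -> NAT -> 192.168.0.21 (SVREXCH, X0).
"""
from dataclasses import dataclass, replace

NETGEAR_PUBLIC = "203.0.113.10"   # constructed (RFC 5737 documentation range)
SONICWALL_X1 = "192.168.1.2"      # from the thread
EXCHANGE = "192.168.0.21"         # from the thread
HTTPS = 443

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """A WAN > LAN access rule: the destination addresses it covers and the service."""
    dsts: frozenset
    dport: int

def dnat(pkt, orig_dst, trans_dst, dport):
    """Destination NAT: rewrite dst when the original address and port match."""
    if pkt.dst == orig_dst and pkt.dport == dport:
        return replace(pkt, dst=trans_dst)
    return pkt

def permitted(pkt, rules):
    return any(pkt.dst in r.dsts and pkt.dport == r.dport for r in rules)

def reaches_exchange(rules, match_after_nat):
    """Walk one client SYN through both routers. match_after_nat selects whether
    the SonicWall compares access rules with the post-NAT (True) or pre-NAT (False)
    destination; the thread does not settle which its SonicOS did, so try both."""
    pkt = Packet("198.51.100.7", NETGEAR_PUBLIC, HTTPS)        # constructed client
    pkt = dnat(pkt, NETGEAR_PUBLIC, SONICWALL_X1, HTTPS)      # Netgear inbound rule
    # Netgear static route for 192.168.0.0 points at 192.168.1.2, so it hits X1.
    translated = dnat(pkt, SONICWALL_X1, EXCHANGE, HTTPS)     # SonicWall NAT policy
    checked = translated if match_after_nat else pkt
    return permitted(checked, rules) and translated.dst == EXCHANGE

def robust(rules):
    """True only if the rule set works whichever address the firewall matches on."""
    return reaches_exchange(rules, True) and reaches_exchange(rules, False)

ONLY_X1 = [Rule(frozenset({SONICWALL_X1}), HTTPS)]            # untranslated only
ONLY_LAN = [Rule(frozenset({EXCHANGE}), HTTPS)]               # translated only
BOTH = [Rule(frozenset({SONICWALL_X1, EXCHANGE}), HTTPS)]     # the fix in the thread
```

Running `robust()` over the three rule sets shows that only `BOTH` passes under both matching orders, which is the behaviour the accepted solution observed without an explanation.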
 
LVL 33

Expert Comment

by:digitap
ID: 35751594
Just remember for the future, use the public server. I believe if you had, then you would have gotten the proper firewall rules created. This was part of the solution I provided above, but I didn't see a response from you that you used the wizard.
 
LVL 1

Author Closing Comment

by:nulliusinverba
ID: 35775537
Managed to solve it