Public Server NAT Config over two routers

Hi,

We have been agonising over this configuration for some time now; hoping someone can point out where we're going wrong.

We need to make our Exchange Server public.  I have attached a basic diagram of what we're doing.

[Image: Diagram]
In words: on the outside we have a Netgear router.  Between the Netgear router and the LAN we have a SonicWall firewall/router.  

Therefore, the initial packet (port 443) that hits the Netgear router gets forwarded, with destination IP address translated to an address on the ("public") subnet on which the Netgear router, and the SonicWall interface (X1) it attaches to, sit.  We've also created a static route to forward the packet to the SonicWall (X1 interface).

[Images: Netgear Inbound Rule; NetGear Static Route]
This packet then hits the SonicWall, where the destination IP address is again translated from this "public" subnet to the "private" subnet of the LAN (X0 interface), on which the Exchange Server sits.

[Images: SonicWall NAT Policy; SonicWall Firewall Rule]
We have been staring at these for days now, and cannot see how they are incorrect.

The test for success is browsing OWA.  We have a dyndns account set up for the public IP address of the Netgear router.  I can confirm the following:
-> Browsing OWA works within LAN
-> Browsing OWA works when plugged directly into the Netgear router (i.e. on the other side of the SonicWall)
-> Browsing OWA does not work when plugged in to a different router, not part of that network, i.e. going over the internet proper.

We placed a support request with SonicWall, and they reckoned our SonicWall config is correct, and also that what we're doing with the Netgear is conceptually correct.

If anyone can see the problem, that would be fantastic - otherwise if you have any specific troubleshooting recommendations, they will be gratefully received.

Cheers,

Tim.
nulliusinverba (Author) commented:
Hi guys,

Thanks again for your comments.  I've recently solved it.  I did try putting the server on the other side of the SonicWall - then used communication between that server and my DC to see what was going on.  When I saw traffic was only going one way, I played around with the firewall rules until I found the answer.  The NAT was setup correctly - just needed to add another firewall rule covering the translated and untranslated addresses.  I am conceptually unclear as to why this worked (maybe because of DNS, my best guess), but I'm happy it has.

Thanks again.

Tim.
0
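As an added illustration that is not part of the thread, the following Python model walks one inbound HTTPS packet through the two-hop destination NAT described above, using the 192.168.1.2 (X1 segment) and 192.168.0.21 (Exchange) addresses that appear later in the thread; the public IP and client IP are constructed placeholders. Whether a firewall evaluates its access rules on the pre-NAT or the post-NAT destination is modelled as a parameter, which is enough to show why a rule covering both the translated and the untranslated address works regardless of which one the device actually checks.

```python
from dataclasses import dataclass, replace

# Addresses from the thread: 192.168.1.2 on the Netgear/SonicWall X1 segment and
# 192.168.0.21 for the Exchange server. PUBLIC_IP and the client address are
# constructed placeholders from the documentation ranges, not the poster's values.
PUBLIC_IP = "203.0.113.10"
X1_SIDE_IP = "192.168.1.2"
EXCHANGE_IP = "192.168.0.21"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatPolicy:
    """Destination NAT: rewrite dst when original dst and port match."""
    orig_dst: str
    trans_dst: str
    dport: int

    def apply(self, pkt):
        if pkt.dst == self.orig_dst and pkt.dport == self.dport:
            return replace(pkt, dst=self.trans_dst)
        return pkt

NETGEAR_FORWARD = NatPolicy(PUBLIC_IP, X1_SIDE_IP, 443)   # Netgear inbound rule
SONICWALL_NAT = NatPolicy(X1_SIDE_IP, EXCHANGE_IP, 443)   # SonicWall NAT policy X1->X0

def walk_path(pkt, access_rules, match_post_nat):
    """Hop 1: Netgear port forward. Hop 2: SonicWall NAT policy, then its access
    rules (list of (dst, port)) checked on the post-NAT or pre-NAT destination."""
    pkt = NETGEAR_FORWARD.apply(pkt)
    translated = SONICWALL_NAT.apply(pkt)
    checked = translated if match_post_nat else pkt
    permitted = any(d == checked.dst and p == checked.dport for d, p in access_rules)
    return permitted and translated.dst == EXCHANGE_IP

CLIENT = Packet("198.51.100.7", PUBLIC_IP, 443)  # constructed Internet client

def private_rule_only():
    # Only the translated LAN address is allowed: passes under one matching order only.
    return [walk_path(CLIENT, [(EXCHANGE_IP, 443)], m) for m in (True, False)]

def both_addresses():
    # Translated and untranslated address both allowed: passes under either order.
    rules = [(EXCHANGE_IP, 443), (X1_SIDE_IP, 443)]
    return [walk_path(CLIENT, rules, m) for m in (True, False)]
```

Real devices also need the reply path (source NAT on the way back and the Netgear's static route to 192.168.0.0/24) to be correct, which this forward-only model does not cover.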
 
ShareefHuddle commented:
Ok here we go.

Change your netgear to make incoming 443 to send to 192.168.1.2

Add a static route so that anything to 192.168.0.0 goes to 192.168.1.2

On sonicwall change translation from 192.168.1.2 to go to 192.168.0.21, service 25, original interface x1 to x0

Firewall rule change to 192.168.1.2
0
 
nulliusinverba (Author) commented:
Hi Shareef,

The only question I have in your instructions is where you say, for the SonicWall NAT policy, "service 25"?  I could not understand what you meant there?  If left on 443, it is still not working, unfortunately, with these changes.
0
 
ShareefHuddle commented:
Oops. That was a mistake. I meant 443. :)

Shareef
0
 
ShareefHuddle commented:
Change all service areas to any and then try to ping 192.168.1.1 from exchange.
0
 
nulliusinverba (Author) commented:
Thanks, mate :)  But I've had a good play around with these settings and a few variations thereof, with no success.

If you believe these are the correct settings, are you able to think of any other possible cause of the problem when the settings are correctly configured?
0
 
nulliusinverba (Author) commented:
Can successfully ping 192.168.1.1 from SVREXCH.
0
 
ShareefHuddle commented:
It has been a while since I have been on a sonicwall, but on an ASA you have to create a stateful bypass policy for any routing with or without NAT. Is there any setting that resembles this type of setting? The first time I ran into it on an ASA I spent days also :)
0
 
ShareefHuddle commented:
How about 4.2.2.3?
0
 
nulliusinverba (Author) commented:
Unable to see anything like stateful bypass routing.

Can ping 4.2.2.3 from SVREXCH.

Cheers.
0
 
ShareefHuddle commented:
So how ping exch from netgear
0
 
ShareefHuddle commented:
I meant can you ping exch from netgear
0
 
ShareefHuddle commented:
Oops, never mind, I just read that you can get there from that network. My bad.

Turn the logging on on your Netgear. Is there anything that stands out?
0
 
nulliusinverba (Author) commented:
Thanks, mate - I will have a play around with that and get back to you.
0
 
ShareefHuddle commented:
Can you put something on the 192.168.1.x network that has a website to test your netgear nat/acl ?
0
 
nulliusinverba (Author) commented:
I've created the exact same policies for a web server, same result - presumably ruling out an issue with SVREXCH.

The log is not registering anything when I attempt to access it from outside - both Netgear and SonicWall.
0
 
digitap commented:
You're double NAT'ing your traffic which may be causing an issue, but uncertain. The X1 interface of the sonicwall is meant to sit on the Internet and act as a firewall. The sonicwall may be seeing this traffic and not routing and/or NAT'ing it properly because of that. Is there a reason you are using the sonicwall in this configuration? Why not put the sonicwall in place of the Netgear?

Besides that, did you manually create the NAT policies and firewall rules on the sonicwall or did you use the public server wizard? When you run the wizard, you'll get a WAN > LAN firewall rule and egress, ingress and loopback NAT policies.
0
 
ShareefHuddle commented:
Did you put some kind of web server in between the netgear and sonicwall and see if your Netgear is passing the traffic correctly?
0
 
digitap commented:
Just remember for the future, use the public server. I believe if you had, then you would have gotten the proper firewall rules created. This was part of the solution I provided above, but I didn't see a response from you that you used the wizard.
0
 
nulliusinverba (Author) commented:
Managed to solve it
0