  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 616

Multiple WAN IPs for Webtraffic and Email

I am setting up a new install of Exchange Server with a new MailFoundry (like a barracuda) spam appliance.

I am wondering if I should put the email box on a different IP address than my web traffic. I am given 5 static IPs from our ISP and I'm wondering, if I only have 1 incoming connection, how can I use more than one WAN IP, and can ports be configured to use a different WAN from behind the firewall?

1)  Should I use 2 different IPs for mail vs web traffic?  
2)  Is it possible to set up different WANs from one router/firewall appliance?  
3)  If I can only have one WAN IP with my router will my spam box be able to differentiate between mail traffic and webtraffic (routing web to the DC/DNS server and mail traffic to the Exchange box)?

Thanks,
JOe K.

P.S.  I have a Sonicwall TZ-100 router which is soon to be upgraded to a Cisco ASA 5510.  I can upgrade to the ASA if it will "solve" this problem.  
Asked by ClaudeWalker

2 Solutions

Ernie Beek commented:
1: that would be neater.
2: no problem, you can forward multiple publics (or ports on a public) to multiple inside addresses.
3: the spamfilter checks email, port 25. Not webtraffic, port 80 (simply put).

Both firewalls should be able to handle that. But to prevent doing it double, just get with the ASA.

Aaron Tomosky (Technology Consultant) commented:
Basically you get one of each port per ip. So if you have two webservers on port 80 then they each need their own ip. A mailserver, FTP server, and webserver could coexist on one ip unless the mail server has a web interface that would also require port 80.

By separating the traffic on separate ips it does help to identify traffic, setup rules, and generally keep things organized. I agree that you really should wait until you get the cisco as you don't want to set this up twice.

Personally I use SonicWall gear and I've gotten pretty good with it, and it can do all you need, but if you know you are getting Cisco gear, it will just confuse you as well as be a waste of time.

ClaudeWalker (Author) commented:
I don't mind setting it up twice as it will be educational.  I have the Cisco Box in my office however, I won't set it up until things are running smoothly.

For the Sonicwall would the proper way to go about it be setting be going into the network settings and creating a new interface?

I keep getting an overlapping subnet error. My X1 port (WAN port) goes to 1.1.1.2 and I want my X3 port to go to 1.1.1.3 (the next IP address we own).

I am trying to set up something called WAN2 instead of creating a virtual interface through WAN, but neither the separate interface nor the bridge seems to be working. I've attached a screenshot of my config.

Any thoughts?

Thanks,
JOe K.
 
(screenshot attached: WAN Settings)

ClaudeWalker (Author) commented:
This is the error I receive: Error: Index of the interface.: Subnet on this interface overlaps with another interface

shahravish commented:
You cannot set up 2 interfaces on the same ISP. When you are provided 5 public IPs, you are provided with a subnet that supports those 5 IPs. Hence, if you use the second IP on the second interface it will not work.

Your current WAN interface will be listening on all public IP addresses. That's what your subnet is allowing you to do.
In order to achieve what you want, you are looking to do NAT or PAT (Network Address Translation or Port Address Translation).
From within Sonicwall, you can define one to one or one to many NAT's and do port forwarding.

For example, you have five public IP addresses, 1.1.1.1 to 1.1.1.5, and your X1 (WAN) interface will be receiving all communication for those IP addresses. In order to set up dual WAN links, you need 2 WAN connections coming in.

To separate traffic, let's say you want to use 1.1.1.1 as your primary WAN interface IP and 1.1.1.2 for your SMTP traffic. All outgoing traffic will automatically use 1.1.1.1 as your translated web IP. That is set up via your outbound policies.

In order to setup your inbound policy/rule for email, you will create an address object with IP 1.1.1.2 under WAN interface, and 192.168.1.2 (example lan IP) for your exchange internal IP.
You will then have network address translation (if you are only going to use 1.1.1.2 to translate to the Exchange server, you can have multiple ports: 25 - SMTP, 443 - SSL (OWA), 80 (HTTP)).
You will set up a translation rule to translate all incoming traffic for public IP 1.1.1.2 to 192.168.1.2 on ports 25, 443 and 80.
In SonicWall it's easier as you can define it within your firewall policy:
Source - Any, Translated Source - Original, Destination - 1.1.1.2 (Public IP), Translated Destination - 192.168.1.2 (Internal IP), Service - 25, Translated Service - Original.

You could also set up a service group and call it "exchange" (for example), and include service ports 443, 80 and 25. In this case, your service will be "exchange" (or the named group that you created).

When you are provided a pool of IP's from your ISP, you are provided with a subnet that supports it. Hence you do not need to create a second interface with that IP. a single interface will be listening for all IP's.

Similarly, you can allocate other IP addresses for your FTP , WEB server etc.
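To make the two points above concrete (the overlapping-subnet error when a second interface is placed in the ISP's block, and the inbound NAT policy that maps one public IP and service to an internal host), here is an added Python model; it is not code from the thread or from SonicWall. The /29 block, the service groups and the internal addresses are constructed assumptions; the firewall evaluates rules first-match, as in the policy table shahravish describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumption: the ISP hands out 1.1.1.0/29, which covers the
# five usable addresses 1.1.1.1 to 1.1.1.5 mentioned in the thread.
ISP_BLOCK = ipaddress.ip_network("1.1.1.0/29")

def interfaces_overlap(a: str, b: str) -> bool:
    """Why X3 = 1.1.1.3 fails next to X1 = 1.1.1.2: both addresses sit in the
    same provider subnet, so the firewall would have two interfaces on one network."""
    return ipaddress.ip_interface(a).network.overlaps(ipaddress.ip_interface(b).network)

# Service objects and the service group from the answer (names constructed).
SERVICE_GROUPS = {
    "SMTP": {25},
    "exchange": {25, 80, 443},
}

@dataclass
class NatRule:
    dest_public: str                        # original destination (public IP on X1)
    service: str                            # service/group name, or "Any"
    translated_dest: str                    # internal host
    translated_port: Optional[int] = None   # None means "Original" (keep the port)

def _matches_service(service: str, port: int) -> bool:
    return service == "Any" or port in SERVICE_GROUPS[service]

def translate_inbound(rules: List[NatRule], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (internal_ip, internal_port) for an inbound packet with Source = Any,
    or None when no policy matches (the firewall drops it). First match wins."""
    if ipaddress.ip_address(dst_ip) not in ISP_BLOCK:
        return None   # not one of our public IPs; the single WAN interface listens for all five
    for r in rules:
        if r.dest_public == dst_ip and _matches_service(r.service, dst_port):
            return (r.translated_dest, r.translated_port or dst_port)
    return None

# Inbound policy as the thread ends up with: port 25 on 1.1.1.2 goes to the spam
# appliance (constructed IP 192.168.1.10), OWA/HTTP on 1.1.1.2 go to Exchange.
# The SMTP rule comes first so the "exchange" group never sees port 25.
RULES = [
    NatRule("1.1.1.2", "SMTP", "192.168.1.10"),
    NatRule("1.1.1.2", "exchange", "192.168.1.2"),
]
```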
 
Aaron Tomosky (Technology Consultant) commented:
The one wan port gets all the wan ips. Use the public server wizard to setup each server you want with the services it hosts.

ClaudeWalker (Author) commented:
That probably means I should also put the IP of my Spam Appliance in the same IP as the Mail Server?


shahravish commented:
Yes. This would mean you would not have port 25 forwarding directly to the Exchange server. You may be using OWA, for which you will need 443 forwarded to Exchange; otherwise, you may not need any inbound policies configured for Exchange.

Your inbound policy will translate to the internal IP address of your spam device.

Ernie Beek commented:
Mmmmmmmmmmmmmokay, too much Sonicwall (I'm more into Cisco ;).

So when you get to the Cisco part, I'll gladly help :)

ClaudeWalker (Author) commented:
It's bizarre. I CAN connect to the (MailFoundry) spam appliance and the Exchange server using telnet on port 25. However, I CANNOT connect to the domain controller, my workstation and the router using telnet on port 25. I'm not sure if those last 3 matter.

What I'm sure matters is I can't connect to port 25 using telnet remotely from my machine at home nor from canyouseeme.org to my router. Meaning my SonicWall TZ100 is blocking it.

Does my domain controller and my machine blocking port 25 matter?  Both ports 25 are available via telnet on the (mailfoundry) spam appliance and the exchange server.

I think my sonicwall is configured correctly (but apparently not) to open port 25 and forward it to the (mailfoundry) spam appliance which in turn forwards it to the exchange server.

Does all of this sound correct?  Here is a screen shot of the sonicwall port forwarding.  WAN to SpamAppliance on Port 25 should be seen as open to the outside world.

(screenshot attached: SonicWall_PortForwarding_Settings)
Thanks,
JOe K.

Aaron Tomosky (Technology Consultant) commented:
The access rule and the route are two different things. Did you use the add a server wizard?

ClaudeWalker (Author) commented:
I tried the add server again and it worked!

Looks like I needed to put Any for the Source, My WAN for the Destination and the SMTP Port.

Now I'll try forwarding the MX Record and giving it a shot.

ClaudeWalker (Author) commented:
Actually, before I do that how do I port forward in the sonicwall.  I'm assuming it's set up but where would I check that?

ClaudeWalker (Author) commented:
On http://openportchecker.com/ it says it's closed

On http://canyouseeme.org/ it says it's open

On TelNet from my house it says it's closed.

I'm not sure what to believe.  I want to be sure it's open before I bring down email.

shahravish commented:
That's right! Any for the source would mean it will accept any target, and destination should be your WAN address. Your translated WAN address should be your internal IP.
You can check the below link, which shows an example of creating a Port Address Translation.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5611

If you just want to forward any traffic on port 25 (essentially NAT), you can set the original port as Any and translated port as 25. This would mean all traffic coming in for your WAN IP will be translated to your internal IP on port 25.

The above link should show you steps on creating PAT.

ClaudeWalker (Author) commented:
It looks like the Wizard set those up correctly.  

I'll try to set it up again.

ClaudeWalker (Author) commented:
The port is definitely open.

Now I get an error from TestExchangeConnectivity.com

The server returned status code 451 - Error in processing. The server response was: The server is too busy, please try again later
Exception details:
Message: Error in processing. The server response was: The server is too busy, please try again later
Type: System.Net.Mail.SmtpException


Any ideas what this means.  I googled it but could not find anything conclusive.
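The three checkers above disagreed about port 25, and the next symptom was a 451 reply rather than a closed port. An added Python check (not code from the thread or from any of the tools named) does what "telnet host 25" does: it opens the port, reads the SMTP greeting and reports whether the port is closed, open and greeting normally, or open but deferring/rejecting, so the two failure modes are told apart. The sample replies at the bottom are constructed.

```python
import socket
from typing import Optional, Tuple

def parse_smtp_reply(text: str) -> Optional[Tuple[int, str]]:
    """Parse an SMTP reply (possibly multi-line, final line '250 ...') into (code, message).
    Returns None when what came back is not an SMTP reply at all (e.g. an HTTP error)."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return None
    last = lines[-1]
    if len(last) < 3 or not last[:3].isdigit():
        return None
    return int(last[:3]), last[4:].strip()

def classify(reply: Optional[Tuple[int, str]]) -> str:
    """Turn a greeting into the three states the thread was trying to distinguish."""
    if reply is None:
        return "no SMTP banner: port closed/filtered, or a non-SMTP service answered"
    code, msg = reply
    if code == 220:
        return "open: SMTP service is greeting normally"
    if 400 <= code < 500:
        # Temporary failure: in the thread the 451 came from the Receive Connector
        # not yet accepting mail from the spam appliance.
        return f"open but deferring ({code}): {msg}"
    if 500 <= code < 600:
        return f"open but rejecting ({code}): {msg}"
    return f"open, unexpected reply ({code}): {msg}"

def check_smtp(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect like 'telnet host 25', read the banner, send QUIT, and classify the result.
    Run it from outside the firewall to test the WAN-side NAT policy."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(512).decode("ascii", "replace")
            s.sendall(b"QUIT\r\n")
    except (socket.timeout, OSError) as exc:
        return f"closed/filtered: {exc}"
    return classify(parse_smtp_reply(banner))

# Constructed sample replies, as a telnet session might show them.
SAMPLE_OK = "220-mail.example.com ESMTP\r\n220 ready\r\n"
SAMPLE_BUSY = "451 4.7.0 The server is too busy, please try again later\r\n"
SAMPLE_HTTP = "HTTP/1.1 400 Bad Request\r\n"
```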
 
ClaudeWalker (Author) commented:
Thanks guys for sticking with me on this.  I needed to configure the Receive Connector to accept mail from my Spam appliance.

Thanks,
JOe K.