Solved

How to temporarily disable a WAN IP on my Sonicwall NSA220?

Posted on 2012-09-09
Last Modified: 2012-09-10
I have a 1-to-1 NAT to a server named WEBSERVER-A on the LAN, consisting of:
1) a public address object for WEBSERVER-A
2) a private address object for WEBSERVER-A
3) a nat policy connecting the 2 objects
4) an access rule allowing http through the public address

Currently the NSA220 wan port is not attached to the internet.  And currently, WEBSERVER-A is published on another firewall.

I need to connect the NSA220 wan port long enough to run the "update your registration" link on the status page but at this time I'm not ready to turn the other firewall off.

So how do I temporarily turn off the IP address for WEBSERVER-A on my Sonicwall so that when I plug the WAN port in to the internet I won't be causing an IP conflict?

Do I disable the access rule?
Do I disable the nat policy?
Do I disable both?

I don't see a way to disable the public address object.  Do I have to delete the public address object?

Thanks.
Question by:gateguard

Accepted Solution

by: Syed_M_Usman earned 2000 total points
ID: 38381966
Dear,

"I need to connect the NSA220 wan port long enough to run the "update your registration" link on the status page but at this time I'm not ready to turn the other firewall off"

Registration does not take a long time. You have two options...

Minimum risk:
1) Connect your NSA to your router (from a router/switch LAN port, connect to the NSA-220 WAN), configure one static IP on the NSA WAN and do the registration...

Medium risk:
2) Configure your LAN and WAN without connecting to your network, and make sure all policies are in place. After office hours, connect your WAN to the NSA, do the registration and make sure all network services are running.

-----------

"So how to I temporarily turn off the IP address for WEBSERVER-A on my Sonicwall so that when I plug the wan port in to the internet I won't be causing an ip conflict?"

Currently the web server is published on the other firewall... The ideal way is to configure the NSA box's LAN, WAN and other policies, and then connect your network (you just need to swap cables). In this case the downtime will be minimal and no IP conflict can occur.
------------------

Address objects (AO) are only identities, so you don't need to disable them.
 

Author Comment

by:gateguard
ID: 38382520
I don't really understand your answer.

I'm going to restate my question.

In fact, my new firewall is fully pre-configured, with 9 webservers, 3 ftp servers, and a mail server with 3 different services.

All of those services are live on another firewall.  I don't want to unplug the other firewall.

I just want to plug the new firewall in to the internet long enough to do the registration update.  I have a reason why I want to do that that I don't feel like going in to.

I just want to know how to make the 16 different addresses on my new firewall "invisible" while I plug it in.

I know how I would do it if it were an ISA server.  I would disable all the access rules, delete all the ip addresses (except one) with a netsh script command, plug it into the internet with a single non-conflict ip address, do what I had to do and unplug again.  Then I would run a netsh script command adding back in all the addresses and I would quickly re-enable (with two mouse-clicks) all the access rules I had previously disabled.

I'm not looking for something that will work in 2 mouse-clicks.  I'm just looking for something that will work.

Again, let me ask this:

Do I disable the access rule?
Do I disable the nat policy?
Do I disable both?
Do I do neither?
Is there no way to do what I want to do without deleting all the objects?

Alternatively, let me ask this:
I exported an empty configuration before I built all these objects.  If I import the empty configuration, update the registration, then get off the internet and re-import the full configuration will I be wiping out the registration update or will it still be good?

Bottom line:
It's already configured with many objects but not registration-updated.  I want to run the registration update without making it live.  That's what I'm trying to do here.

Thanks.

Expert Comment

by:Syed_M_Usman
ID: 38382729
Dear,

Really sorry if I understood wrong... but

I would suggest you REGISTER YOUR FIREWALL and then do the configuration, or do the full configuration and let the firewall go LIVE with your WAN...

Below are the most likely scenarios.

if you have ADSL connection or Leased line connection and your connection is similar to below:

ISP---------------------ROUTER------------------------OLD FIREWALL WAN

you can do this way

ISP----------------------ROUTER----------------------OLD FIREWALL WAN
                                    |
                                NSA WAN

or

if your connection is like below

ISP---------------------MODEM------------------------OLD FIREWALL WAN
you can do this way

ISP---------------------MODEM-----------SWITCH------------------OLD FIREWALL WAN
                                                                |
                                                             NSA WAN

Below I try to clarify some other points.

"In fact, my new firewall is fully pre-configured, with 9 webservers, 3 ftp servers, and a mail server with 3 different services" ---------> I believe this is the NSA? If yes, then how are the services running without a WAN connection? And if the services are not running and you only want to register the firewall, as I wrote in my previous post, simply connect one of your "PRODUCTION ROUTER/FIREWALL" LAN cables to the NSA WAN and register your NSA...

"All of those services are live on another firewall.  I don't want to unplug the other firewall" --------------> connect one of your "PRODUCTION ROUTER/FIREWALL" LAN cables to the NSA WAN and register your NSA...

"Do I disable the access rule?
Do I disable the nat policy?
Do I disable both?
Do I do neither?"

If the firewall services are configured but "NOT IN PRODUCTION" (meaning they are running on the other firewall), you can still register, but you need to disable all the custom rules you have made, including...

NAT
ROUTES
LAN>WAN
WAN>LAN
VPN

Log on to Network > NAT Policies, click on custom policies and uncheck all.
Network > Routing > click on custom policies and uncheck all.

You can do the same for VPN...
 

Author Closing Comment

by:gateguard
ID: 38384369
I used your suggestion to put the wan port on the lan.

But first I had to create a dmz port address so I could keep talking to the device from my laptop.

All worked well.

I also signed up for a year of support at sonicwall.  Doesn't cost that much, actually.

Thanks for all the effort you put in to this.

Expert Comment

by:Syed_M_Usman
ID: 38385553
Thanks for your comments :):):)