rbunn asked:
SonicWall /Cisco WAN configuration problem

I am having a small problem after adding a second WAN link to our Sonicwall firewalls.

We have a T1 from AT&T and we recently added a Cable line from WOW.
I also have dual SonicWalls for HA redundancy. For the HA to work, there must be a switch in between the firewalls and the routers. I am trying to avoid buying 2 switches for the different internet feeds, so I set up VLANs on a Cisco 2960 switch.

The T1 is connected to port 1, which is set to switchport access VLAN 50. Ports 2-6 are also set to switchport access VLAN 50. The SonicWalls' X1 interfaces are connected to ports 2 & 3.

The cable modem is connected to port 13, which is set to switchport access VLAN 60. Ports 12-18 are also set to switchport access VLAN 60. The SonicWalls' X3 interfaces are connected to ports 12 & 13.

Traffic seems to flow just fine in and out.
The catch is with a couple of routers we have set up in our conference rooms for guests to access the internet without connecting to our network behind the firewalls.
To connect these wireless routers, I added a Cisco 12-port 2950 switch.
The modem and the conference room routers connect to this switch. Each router has its own static IP. Then there is a cable going back to the rack where the 2960 that the firewalls plug into lives.
These routers can access the internet, but they can NOT reach our internal mail server and web servers.
When an attempt is made to reach the internal servers, the connection is dropped by the firewall as an IP spoof.

Intrusion Prevention      IP spoof dropped      yyy.yyy.yyy.40, 51747, X1, yyy-yyy-yyy-40.static.try.wideopenwest.com      xxx.xxx.xxx.254, 143, X3, mail.domain.com      MAC address: 00:21:a0:9b:1b:e0

I have attached a diagram of my setup.

Are there any suggestions as to what I need to do to get the conference room wireless routers to be able to access the internal servers through their NATed external addresses?

I am assuming it is due to the Cisco 2960 having the WOW line and the T1 line connected and the SonicWall is seeing the MAC address of the switch coming from both the X1 and X3 interfaces. Is there a NAT policy or route I need to set to allow the traffic through?
Any help is greatly appreciated.
Visio-Internet2.pdf
rbunn (ASKER)

As a test, I removed the cable internet from the Cisco 2960 and plugged it into its own separate switch. I still get the same errors in the log, and the sites/services will not load.

Now I am really stuck.
Is the .40 IP address part of a network you have inside the firewalls?
rbunn (ASKER)

No, it is on a separate network.
Can you update your diagram and include also subnet masks?
rbunn (ASKER)

I added the subnets.
SonicWall told me to add a route to the EnGenius router. These routers are not very customizable, so I am having trouble getting any kind of route to work on them outside of the basic NATing that is on by default.
Visio-Internet2.pdf
I do not think you have any routing or switching problem.

Are the servers NATed to external IP addresses, and you are attempting to reach the outside IP?

You may have a problem with security policy, or NAT.

Possibly there is a problem with doing NAT from a connected IP, and/or something going wrong with proxy ARP on the X3 interfaces.

Generally, there is no reason to have those routers, or to have them outside the firewalls. Instead you should put the conference rooms on their own VLAN and security zone inside the firewalls, and then write policies that allow those networks only to go out, and to the servers they need to reach.
rbunn (ASKER)

I don't believe it is routing or switching anymore either.

The servers are NATed to external IP addresses, and yes, I am trying to reach the external addresses from the extra routers.

I have always had these conference rooms connected this way, and they have always worked fine. It wasn't until I added the cable line to the mix that it became a problem.
After I added the cable line, I moved the routers to that network because it's faster.

I realize I could just have a VLAN for those rooms, but it is much easier to have them outside the firewall. There are several reasons that we like this setup.
SOLUTION
pergr
ASKER CERTIFIED SOLUTION
rbunn (ASKER)

My solution provided the easiest solution, as no other solution was provided.