Solved

Using Sonicwall TZ210 for non optimal configuration

Posted on 2013-01-23
Last Modified: 2013-01-24
OK, this may be non optimal, and I am open to suggestions. My ISP has an occam 6150 fiber optic blade to our business. I have a sonicwall TZ205 appliance connected through one of their ports which has a static IP. I have a VPN set up as well. I called and reserved 6 more static IP addresses (one of went to as a gateway address) and asked that service not be interrupted, so they assigned the addresses to a different port on the blade . The reserved IP addresses are for email which I am bringing in house, as well as multiple webservers that I have on a hyper-v server. The question is, can I use another sonicwall port as a WAN port to the new static ip address bank, and use another port(install switch) for the machines that will use those IP addresses? If it is even possible, how would I go about this in the sonicwall config?
Question by: ITmanage
8 Comments
Expert Comment by: carlmd (LVL 20)
ID: 38814311


Author Comment by: ITmanage
ID: 38814522
Well no, I have that part, but was wanting the WAN connections to stay separate as far as traffic. So, X0 is LAN, X1 is default WAN, I was hoping to use X2 as a secondary WAN, and X3 as a DMZ. I have the TZ205 and SonicWall Enhanced, but it is not looking like this is possible. I mean I can achieve separation by network address, but for security reasons I was hoping to physically separate once traffic left the SonicWall.

Expert Comment by: carlmd (LVL 20)
ID: 38814571
I guess I am not understanding. If you define the additional WAN X interfaces to those ip addresses you need, then what am I missing? If you want additional control you can assign zones for each, and set rules for that.

Not sure what you mean by "hoping to physically separate once traffic left the sonicwall."

Author Comment by: ITmanage
ID: 38814897
Sorry for the bad terminology and wording. I am not exactly versed in firewall speak. Let me change the wording and simplify my setup for now. So I have a webserver behind 216.229.xxx.182 that is static and assigned to the primary WAN port. I have a secondary WAN port with a /29 subnet on network 216.229.xxx.160 (giving me 6 IP addresses, while 161 is the gateway, and I assigned 162 to the SonicWall as the secondary WAN address). At this point I am just trying to get this to work. I have an internal webserver (which I was originally going to put in a DMZ, but I am not worried about that at this point). I assigned it an IP of 192.168.20.13 (Postfix server with ISPConfig, etc.). I just want to be able to communicate with the email server at this point (using SquirrelMail). I created address objects and created a firewall policy, etc., but cannot communicate with the server. I am wondering what I am doing wrong? Apologies again for sliding on the answer; as I said before, I am just trying to get this to work first, and am going to change it as time goes on.

Author Comment by: ITmanage
ID: 38814899
I am trying to use both WAN ports to communicate with the local class C network.

Expert Comment by: carlmd (LVL 20)
ID: 38815044
Ok, you can use both WAN ports as you want. By default, your X1 is the way out for all LAN traffic unless you specifically write rules to direct traffic to the secondary WAN (X2) port. For example, you might want to send all LAN originated http and https (browsing) traffic out the secondary X2. As for incoming traffic, you must also write separate rules for each WAN interface.

So, with regards to your email (SMTP) and web server (HTTP) traffic on the X2 interface, I suggest you get rid of what you have and use the Wizard to create both public server instances. If you have never used the Wizard, it will ask you questions and use your answers to create all required objects, NATs, and rules for the service. You will need to run it twice, once for the email and once for the web server.

In the outside world you will have to redirect your incoming mail to the X2 ip address as well as your http(s) resolution. However to test before you do this you could use the ip address as http://xxx.xxx.xxx.xxx, and for email you could telnet xxx.xxx.xxx.xxx 25 and see the mail server prompt.

Author Comment by: ITmanage
ID: 38815113
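The checks carlmd describes above (browse to the new address, telnet to port 25 and look for the mail server greeting), as an added example that is not from the thread or from SonicWall: a Python script that lays out the /29 the way the poster assigned it (first host the ISP gateway, second host the firewall's secondary WAN address, the remaining four free for 1:1 NAT), then probes a NAT'd address to confirm the intended services answer and that nothing else does. A 1:1 NAT maps every port of the public address to the private host; only the access rules keep the extra ports closed, so the probe checks the unwanted ports too. The 216.229.0.160/29 block, the fake SMTP listener and the port lists are constructed for the example, and the function names are the example's own.

```python
"""Post-change checks for a secondary WAN with 1:1 NAT (added example).

Assumptions, not facts from the thread: the /29's first usable host is the ISP
gateway and the second is the firewall's secondary WAN address; each NAT'd
address should answer only on the services intended for it.  Addresses and
ports below are constructed placeholders.
"""
import ipaddress
import socket
import threading
from typing import Dict, List, Optional, Tuple


def plan_static_block(cidr: str, gateway_offset: int = 1,
                      firewall_offset: int = 2) -> Dict[str, object]:
    """Split the ISP's block into gateway, firewall WAN address and NAT candidates."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    gateway = hosts[gateway_offset - 1]
    firewall = hosts[firewall_offset - 1]
    candidates = [str(h) for h in hosts if h not in (gateway, firewall)]
    return {"network": str(net), "gateway": str(gateway),
            "firewall_wan": str(firewall), "nat_candidates": candidates}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Connect to host:port and return (reachable, unsolicited banner).

    SMTP sends a '220 ...' greeting on connect; HTTP sends nothing until asked,
    so the banner is '' for a healthy web server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            return True, data.decode("ascii", "replace").strip()
    except OSError:          # refused, unreachable, or filtered (timeout)
        return False, ""


def check_exposure(host: str, expected: Dict[int, Optional[str]],
                   must_be_closed: List[int], timeout: float = 3.0) -> Dict[str, object]:
    """Verify a 1:1 NAT exposes only the intended services.

    expected maps port -> required banner prefix (None = no banner expected).
    Result is ok only if every expected port answers as required and every
    must_be_closed port is unreachable."""
    ports: Dict[int, Dict[str, object]] = {}
    ok = True
    for port, prefix in expected.items():
        reachable, banner = probe_tcp(host, port, timeout)
        ports[port] = {"reachable": reachable, "banner": banner, "expected": True}
        if not reachable or (prefix and not banner.startswith(prefix)):
            ok = False   # not answering, or NAT landed on the wrong host/service
    for port in must_be_closed:
        reachable, banner = probe_tcp(host, port, timeout)
        ports[port] = {"reachable": reachable, "banner": banner, "expected": False}
        if reachable:
            ok = False   # 1:1 NAT plus a too-wide access rule exposed this port
    return {"host": host, "ok": ok, "ports": ports}


def start_fake_smtp_listener(greeting: bytes = b"220 mail.example.test ESMTP\r\n") -> Tuple[str, int]:
    """Constructed stand-in for the mail server, for an offline self-test only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def reserve_closed_port() -> int:
    """Pick a loopback port that is not listening (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_against_local_listener() -> Dict[str, object]:
    """Run check_exposure against the constructed listener instead of a real WAN IP."""
    host, smtp_port = start_fake_smtp_listener()
    return check_exposure(host, expected={smtp_port: "220"},
                          must_be_closed=[reserve_closed_port()], timeout=2.0)


if __name__ == "__main__":
    plan = plan_static_block("216.229.0.160/29")   # constructed block
    print("plan:", plan)
    # Real use: check_exposure(plan["nat_candidates"][0],
    #                          expected={25: "220", 80: None, 443: None},
    #                          must_be_closed=[22, 3389, 8080])
    print("offline self-test:", demo_against_local_listener())
```

Run the real check from a host on the Internet side of the ISP link, not from the LAN: from inside, the probe goes through the firewall's NAT loopback (if one exists) rather than through the X2 rules being tested, and a pass there says nothing about what the outside world sees.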
Thank you. I am thrown by all of this. I was hoping to use 1:1 NAT for my static IPs to just send all traffic from the external static IP I designated (coming from the secondary WAN port) to my private email IP, and have it send all traffic back out of the secondary WAN port.

Accepted Solution by: carlmd (LVL 20, earned 500 total points)
ID: 38815153
Although it may sound like a lot, using the Wizard really makes this easy. If you are concerned at removing what you already created, just run the Wizard, and implement one of the services. It will not interfere with your current setup.

If you decide to proceed, then know that the Wizard does NOT change anything until the last step, and asks you to confirm before it does. The last page it shows is a complete list of what it is going to do, so I suggest that you print that page for a record. This way, if for any reason you want to remove that particular setup, you have a list of what to do.