Solved

adding new external IP to sonicwall interface AND defining specific host

Posted on 2013-05-16
778 Views
Last Modified: 2013-06-04
I have a network I inherited with an EOL Sonicwall tz190. The external IP has been RBLd due to some infected nodes on the LAN.

The ISP has informed me the client has 4 public IPs to use. What I want to do is add one of the unused IPs to the Sonicwall interface and create a rule/policy that will force all outbound traffic from the mail server to use the NEW CLEAN IP, and leave the rest of the LAN as is.

So it would be like this:

LAN IP 192.168.0.9 (mail server) outbound traffic via public IP = new.clean.ip
All other LAN outbound traffic via public IP = original.tainted.ip


I also am seeking this solution because there are already hundreds of rules, objects, policies, etc. in place that I would not care to redo.

Question by: jjspicoli

14 Comments

Expert Comment by: carlmd (LVL 20)
Follow the instructions in the following using SMTP. Be sure to look at and do the steps in the document referenced by "ALERT" first.

https://www.fuzeqna.com/sonicwallsandbox/ext/kbsearch.aspx?kbid=4535&keyword=force smtp
Expert Comment by: Aaron Tomosky (LVL 38)
Yep, just a NAT policy where you set the translated source as the WAN IP you want. All you need is an address object (which you already have since the mail server is accessible). I've done this with many things and it works great. Just use whatismyip.com from the mail server to test.

Side note: the old IP may be listed in any spam services or other things your mail server works with; try to identify and change those at the same time.

Author Comment by: jjspicoli
Once I create the new NAT policy for the mail server to send from the NEW IP, do I need to update my MX records to point to the new IP, or is the new NAT policy for outgoing traffic only?

Expert Comment by: carlmd (LVL 20)
You need to have your MX records point to the new IP if you want to use it for incoming mail as well.

Note that if you use SPF records you will need to change those to include the new IP as well.

Also, make sure reverse DNS is set up for the new IP, since many sites use that to verify that mail from the domain is really sent by the domain.
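The SPF point above is easy to get wrong when a second outbound address is added: a record that only lists the old WAN address will fail the new one. The following is an added example (not from the thread or from SonicWall) that evaluates the address-literal mechanisms of an SPF TXT record against a candidate sending IP and produces the corrected record; the record text and the 208.1.2.x addresses are constructed sample values.

```python
import ipaddress
from typing import Optional

# Constructed SPF record for the scenario: only the old WAN address is authorized.
OLD_RECORD = "v=spf1 ip4:208.1.2.2 mx -all"
NEW_MAIL_IP = "208.1.2.4"  # constructed: the unused address given to the mail server


def spf_authorizes(record: str, ip: str) -> Optional[bool]:
    """Evaluate ip4/ip6 and all mechanisms of an SPF record for one sender IP.

    Returns True only when a pass (+) mechanism matches, False when a fail/soft
    fail/neutral qualified mechanism matches, None when nothing matched. mx, a
    and include mechanisms need DNS lookups and are skipped here, which is
    enough to check whether a freshly assigned address has been listed.
    """
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifier == "+"
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)  # bare IP becomes /32
            if addr.version == net.version and addr in net:
                return qualifier == "+"
    return None


def add_ip4(record: str, ip: str) -> str:
    """Return the record with ip4:<ip> inserted ahead of the trailing all term."""
    terms = record.split()
    new = f"ip4:{ip}"
    if new in terms:
        return record
    idx = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    return " ".join(terms[:idx] + [new] + terms[idx:])
```

Run `spf_authorizes(OLD_RECORD, NEW_MAIL_IP)` before the cutover and `spf_authorizes(add_ip4(OLD_RECORD, NEW_MAIL_IP), NEW_MAIL_IP)` after to confirm the record change is the only thing standing between the new address and a pass.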
Expert Comment by: Aaron Tomosky (LVL 38)
That policy is outgoing only. To change the incoming you should just edit the address object, probably called servername-public, to the new IP.

Author Comment by: jjspicoli
Also, this is not enhanced OS.

Expert Comment by: Aaron Tomosky (LVL 38)
Oh, I only use enhanced OS so I have no idea what the regular looks like. Sorry.

Accepted Solution by: carlmd (LVL 20, earned 500 total points)
One-to-One NAT instructions, from the SonicOS Standard Administrator Guide:

This example assumes that you have a SonicWALL security appliance running in the NAT-enabled mode, with IP addresses on the LAN in the range 192.168.1.1 - 192.168.1.254, and a WAN IP address of 208.1.2.2. Also, you own the IP addresses in the range 208.1.2.1 - 208.1.2.6.

Alert: If you have only one IP address from your ISP, you cannot use One-to-One NAT.

You have three web servers on the LAN with the IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.12. Each of the servers must have a default gateway pointing to 192.168.1.1, the SonicWALL security appliance LAN IP address.

You also have three additional IP addresses from your ISP, 208.1.2.4, 208.1.2.5, and 208.1.2.6, that you want to use for three additional web servers. Use the following steps to configure One-to-One NAT:

1. Select Enable One-to-One NAT.
2. Click Add. The Add NAT Entry window is displayed.
3. Enter the IP address, 192.168.1.10, in the Private Range Begin field.
4. Enter the IP address, 208.1.2.4, in the Public Range Begin field.
5. Enter 3 in the Range Length field.

Tip: You can configure the IP addresses individually, but it is easier to configure them in a range. However, the IP addresses on both the private and public sides must be consecutive to configure a range of addresses.

6. Click OK.
7. Click Apply.
8. Click Firewall, then Access Rules.
9. Click Add.
10. Configure the following settings:

• Allow
• Service - HTTP
• Source - WAN
• Destination - LAN 192.168.1.10 - 192.168.1.12

In the Options tab, select Always from the Apply this Rule menu.

11. Click OK.

Requests for <http://208.1.2.4> are answered by the server at 192.168.1.10. Requests for <http://208.1.2.5> are answered by the server at 192.168.1.11, and requests for <http://208.1.2.6> are answered by the server at 192.168.1.12. From the LAN, the servers can only be accessed using the private IP addresses (192.168.1.x), not the public IP addresses or domain names. For example, from the LAN, you must use URLs like <http://192.168.1.10> to reach the web servers. An IP address, such as 192.168.1.10, on the LAN cannot be used in both public LAN server configurations and in public LAN server One-to-One NAT configurations.
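To make the guide's three fields (Private Range Begin, Public Range Begin, Range Length) and its two caveats concrete, here is an added example (not from the thread, the guide or SonicWall) that models a One-to-One NAT entry: it enforces the consecutive-range and ISP-owned checks, shows the source address the Internet sees for a mapped and an unmapped LAN host, and returns no answer for a LAN client that tries the public address, as the guide's last paragraph describes. The addresses are the guide's own scenario values; the class and method names are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple


class OneToOneNat:
    """Model of one SonicOS Standard One-to-One NAT entry (constructed example).

    private_begin, public_begin and length mirror the Add NAT Entry form;
    wan_ip and owned_public (first, last) describe the ISP assignment.
    """

    def __init__(self, wan_ip: str, owned_public: Tuple[str, str], lan_net: str,
                 private_begin: str, public_begin: str, length: int):
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.lan_net = ipaddress.ip_network(lan_net)
        first, last = (ipaddress.ip_address(a) for a in owned_public)
        if first == last:
            raise ValueError("One-to-One NAT needs more than one public IP")  # guide Alert
        priv = ipaddress.ip_address(private_begin)
        pub = ipaddress.ip_address(public_begin)
        # A range entry maps consecutive private hosts to consecutive public hosts (guide Tip).
        self.table: Dict = {priv + i: pub + i for i in range(length)}
        for p in self.table.values():
            if not first <= p <= last:
                raise ValueError(f"{p} is outside the ISP-assigned range")
        if any(h not in self.lan_net for h in self.table):
            raise ValueError("private range must lie inside the LAN subnet")

    def outbound_source(self, lan_ip: str) -> str:
        """Public source address the Internet sees for traffic from lan_ip.
        Hosts without an entry still leave through the interface WAN address."""
        return str(self.table.get(ipaddress.ip_address(lan_ip), self.wan_ip))

    def inbound_destination(self, public_ip: str, client_ip: str) -> Optional[str]:
        """Private host answering a request to public_ip, or None when unreachable.
        Clients on the LAN must use the private address, not the public one."""
        if ipaddress.ip_address(client_ip) in self.lan_net:
            return None
        pub = ipaddress.ip_address(public_ip)
        hits = [str(priv) for priv, p in self.table.items() if p == pub]
        return hits[0] if hits else None


# Constructed from the guide's scenario: WAN 208.1.2.2, owned block 208.1.2.1-6,
# three servers 192.168.1.10-12 mapped to 208.1.2.4-6.
GUIDE = OneToOneNat("208.1.2.2", ("208.1.2.1", "208.1.2.6"), "192.168.1.0/24",
                    "192.168.1.10", "208.1.2.4", 3)
```

The same object models the thread's actual goal (one mail server mapped to one clean address) by using a Range Length of 1; the outbound-only NAT policy Aaron describes differs only in not creating the inbound mapping.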
Author Comment by: jjspicoli
I have just found out that they have a second ISP connected to their OPT1 port on the Sonicwall.

I think, and correct me if I'm wrong, that it would be easiest and quickest to just "tell the Sonicwall to send outgoing traffic (SMTP port 25) from Exchange (192.168.0.9) via OPT1". This way I would not have to change MX records, only SPF and rDNS.

So how do I go about making that change, without "breaking" anything?

Please excuse my lack of knowledge, but this is the first Sonicwall I have ever dealt with, and having no technical support is no picnic.

Rest assured that this device will be retired ASAP, but in the interim I'm stuck.

Author Comment by: jjspicoli
Happy to report that my work-around worked. I was able to set the outbound SMTP traffic from the email server to use the second ISP IP address that was connected via the OPT port. I did this using the route policies in the Sonicwall.

Expert Comment by: carlmd (LVL 20)
What to do depends upon how the Sonicwall is configured.

I don't have a Sonicwall with the standard OS, so you may have to search a bit.

Under Network -> Routing look for anything that has a service of SMTP. Please report the Source, Destination, Service, Gateway and Interface for any that you find. Hopefully there will only be one.
Expert Comment by: carlmd (LVL 20)
Looks like you did it before I got to type the instructions. Nice work!

Author Comment by: jjspicoli
I still want to be able to add the second IP to the original interface, as I never actually resolved the issue the way I wanted to. I feel like I just got "lucky" that they happened to have a second ISP on the OPT port.

At the same time I don't want to "test / experiment" with someone's production environment.
Expert Comment by: carlmd (LVL 20)
Before you attempt to do that, I would consider the following.

1. Since the device is EOL, are you planning to replace it?
2. Is the RBL block on the IP or the domain? Either is possible.
3. With 4 IP addresses, are you sure the others aren't being used for something you might not be aware of? Sounds like you might be getting the info a piece at a time.

IMHO you should consider leaving the setup as is, unless there is some reason you do not want to use the second ISP for email.

If you really want to attempt to add a second address on the original ISP, you have all the info above to do it.

If you have more questions, please post back.