  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 872
  • Last Modified:

Adding a new external IP to a Sonicwall interface AND defining a specific host

I have a network I inherited with an EOL Sonicwall tz190, and the external IP has been RBL'd due to some infected nodes on the LAN.

The ISP has informed me the client has 4 public IPs to use. What I want to do is add one of the unused IPs to the Sonicwall interface and create a rule/policy that will force all outbound traffic from the mail server to use the NEW CLEAN IP, and leave the rest of the LAN as is.

So it would be like this:

LAN IP 192.168.0.9 (mail server) outbound traffic via public IP = new.clean.ip
All other LAN outbound traffic via public IP = original.tainted.ip

I am also seeking this solution because there are already hundreds of rules, objects, policies, etc. in place that I would not care to redo.
jjspicoli
Asked:
1 Solution
 
carlmdCommented:
Follow the instructions in the following, using SMTP. Be sure to look at and do the steps in the document referenced by "ALERT" first.

https://www.fuzeqna.com/sonicwallsandbox/ext/kbsearch.aspx?kbid=4535&keyword=force smtp
0
 
Aaron TomoskyTechnology ConsultantCommented:
Yep, just a NAT policy where you set the translated source as the WAN IP you want. All you need is an address object (which you already have, since the mail server is accessible). I've done this with many things and it works great. Just use whatismyip.com from the mail server to test.

Side note: the old IP may be listed in any spam services or other things your mail server works with; try to identify and change those at the same time.
0
 
jjspicoliAuthor Commented:
Once I create the new NAT policy for the mail server to send from the NEW IP, do I need to update my MX records to point to the new IP, or is the new NAT policy for outgoing traffic only?
0
 
carlmdCommented:
You need to have your MX records point to the new IP if you want to use it for incoming mail as well.

Note that if you use SPF records, you will need to change those to the new IP as well.

Also, make sure reverse DNS is set up for the new IP, since many sites use that to verify that mail from the domain is really sent by the domain.
0
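The two checks above (is the new sending IP authorized by the domain's SPF record, and does its reverse DNS forward-confirm) can be scripted so they are verified before mail is cut over. The following is an added example, not code from the thread or from SonicWall; the SPF record, PTR answers and forward-DNS answers are constructed stand-ins using documentation address ranges, and real checks would replace the two lookup tables with live DNS queries. Only direct `ip4:` mechanisms are evaluated; `include:` terms are not resolved.

```python
import ipaddress

# Constructed example data (not from the thread): an SPF TXT record as a mail
# domain might publish it, plus fake reverse- and forward-DNS answer tables.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/29 include:_spf.example.net -all"
PTR_TABLE = {  # constructed reverse-DNS answers: sending IP -> PTR hostname
    "203.0.113.10": "mail.example.com",
    "198.51.100.5": "mail.example.com",
    "203.0.113.99": "static-99.isp.example",  # generic ISP PTR, not forward-confirmed
}
FORWARD_TABLE = {  # constructed forward-DNS answers: hostname -> set of A records
    "mail.example.com": {"203.0.113.10", "198.51.100.5"},
}


def spf_ip4_networks(record):
    """Return the networks named by ip4: mechanisms in an SPF record.

    include:, a, mx and other mechanisms are deliberately ignored here, so a
    False result means 'not directly listed', not 'SPF fails'.
    """
    nets = []
    for term in record.split():
        mech = term.lstrip("+-~?")  # drop an optional qualifier before the mechanism
        if mech.startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[len("ip4:"):], strict=False))
    return nets


def spf_authorizes(record, ip):
    """True if the IP falls inside any ip4: network of the record."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_ip4_networks(record))


def ptr_is_consistent(ip, ptr_table, forward_table):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP."""
    name = ptr_table.get(ip)
    if name is None:
        return False
    return ip in forward_table.get(name, set())


def sending_ip_checklist(record, ip, ptr_table, forward_table):
    """Both pre-cutover checks for one candidate sending IP."""
    return {
        "spf_ip4": spf_authorizes(record, ip),
        "fcrdns": ptr_is_consistent(ip, ptr_table, forward_table),
    }


if __name__ == "__main__":
    for candidate in ("203.0.113.10", "198.51.100.5", "203.0.113.99"):
        print(candidate, sending_ip_checklist(SPF_RECORD, candidate, PTR_TABLE, FORWARD_TABLE))
```

A new clean IP should pass both checks before the NAT policy is switched; the third constructed address shows the typical failure when an ISP's generic PTR is left in place.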
 
Aaron TomoskyTechnology ConsultantCommented:
That policy is outgoing only. To change the incoming, you should just edit the address object, probably called servername-public, to the new IP.
0
 
jjspicoliAuthor Commented:
Also, this is not enhanced OS.
0
 
Aaron TomoskyTechnology ConsultantCommented:
Oh, I only use enhanced OS, so I have no idea what the regular one looks like. Sorry.
0
 
carlmdCommented:
One-to-One NAT instructions, from the SonicOS Standard Administrator Guide:

This example assumes that you have a SonicWALL security appliance running in the NAT-enabled mode, with IP addresses on the LAN in the range 192.168.1.1 - 192.168.1.254, and a WAN IP address of 208.1.2.2. Also, you own the IP addresses in the range 208.1.2.1 - 208.1.2.6.

Alert: If you have only one IP address from your ISP, you cannot use One-to-One NAT.

You have three web servers on the LAN with the IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.12. Each of the servers must have a default gateway pointing to 192.168.1.1, the SonicWALL security appliance LAN IP address.

You also have three additional IP addresses from your ISP, 208.1.2.4, 208.1.2.5, and 208.1.2.6, that you want to use for three additional web servers. Use the following steps to configure One-to-One NAT:

1. Select Enable One-to-One NAT.
2. Click Add. The Add NAT Entry window is displayed.
3. Enter the IP address 192.168.1.10 in the Private Range Begin field.
4. Enter the IP address 208.1.2.4 in the Public Range Begin field.
5. Enter 3 in the Range Length field.

Tip: You can configure the IP addresses individually, but it is easier to configure them in a range. However, the IP addresses on both the private and public sides must be consecutive to configure a range of addresses.

6. Click OK.
7. Click Apply.
8. Click Firewall, then Access Rules.
9. Click Add.
10. Configure the following settings:

• Allow
• Service - HTTP
• Source - WAN
• Destination - LAN 192.168.1.10 - 192.168.1.12

In the Options tab, select Always from the Apply this Rule menu.

11. Click OK.

Requests for <http://208.1.2.4> are answered by the server at 192.168.1.10. Requests for <http://208.1.2.5> are answered by the server at 192.168.1.11, and requests for <http://208.1.2.6> are answered by the server at 192.168.1.12. From the LAN, the servers can only be accessed using the private IP addresses (192.168.1.x), not the public IP addresses or domain names. For example, from the LAN, you must use URLs like <http://192.168.1.10> to reach the web servers. An IP address, such as 192.168.1.10, on the LAN cannot be used in both public LAN server configurations and in public LAN server One-to-One NAT configurations.
0
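The two NAT shapes discussed in this thread are easy to confuse: the per-host outbound source NAT Aaron describes (one LAN host translated to a different WAN IP, everything else left on the default) and the One-to-One NAT range from the guide above (consecutive private addresses paired with consecutive public addresses). The following is an added example, not code from the thread, from SonicWall or from the guide; it models both translations so the intended result can be checked on paper before touching the appliance. The public addresses 203.0.113.1 and 203.0.113.2 are constructed stand-ins for the thread's original.tainted.ip and new.clean.ip; the One-to-One values are the guide's own.

```python
import ipaddress


def one_to_one_map(private_begin, public_begin, length):
    """Expand a One-to-One NAT entry (Private Range Begin, Public Range Begin,
    Range Length) into the explicit private -> public pairs it produces.

    Both sides advance one address per entry, which is why the guide requires
    the private and public addresses to be consecutive.
    """
    priv = ipaddress.ip_address(private_begin)
    pub = ipaddress.ip_address(public_begin)
    return {str(priv + i): str(pub + i) for i in range(length)}


class OutboundSourceNat:
    """Ordered outbound source-NAT policies: first match wins, otherwise the
    interface's default public IP is used. Mirrors 'translated source' logic."""

    def __init__(self, default_public_ip):
        self.default_public_ip = default_public_ip
        self.policies = []  # (source network, service or None for any, translated source)

    def add_policy(self, source, translated_source, service=None):
        net = ipaddress.ip_network(source, strict=False)
        self.policies.append((net, service, translated_source))

    def translated_source(self, src_ip, service):
        """Public IP a packet from src_ip using the given service will leave with."""
        addr = ipaddress.ip_address(src_ip)
        for net, svc, translated in self.policies:
            if addr in net and (svc is None or svc == service):
                return translated
        return self.default_public_ip


def build_thread_scenario():
    """The asker's goal: mail server (192.168.0.9) out via the new clean IP,
    all other LAN hosts stay on the original IP. Public IPs are constructed."""
    nat = OutboundSourceNat(default_public_ip="203.0.113.1")  # stands in for original.tainted.ip
    nat.add_policy("192.168.0.9/32", "203.0.113.2")            # stands in for new.clean.ip
    return nat


if __name__ == "__main__":
    nat = build_thread_scenario()
    for host in ("192.168.0.9", "192.168.0.50"):
        print(host, "SMTP ->", nat.translated_source(host, "SMTP"))
    for private, public in one_to_one_map("192.168.1.10", "208.1.2.4", 3).items():
        print(private, "<->", public)
```

Restricting the added policy to `service="SMTP"` instead of `None` would reproduce the asker's later OPT1 variant, where only port 25 from the mail server takes the alternate path.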
 
jjspicoliAuthor Commented:
I have just found out that they have a second ISP connected to their OPT1 port on the Sonicwall.

I think, and correct me if I'm wrong, that it would be easiest and quickest to just "tell the Sonicwall to send outgoing traffic (SMTP port 25) from Exchange (192.168.0.9) via OPT1". This way I would not have to change MX records, only SPF and rDNS.

So how do I go about making that change, without "breaking" anything?

Please excuse my lack of knowledge, but this is the first Sonicwall I have ever dealt with, and having no technical support is no picnic.

Rest assured that this device will be retired ASAP, but in the interim I'm stuck.
0
 
jjspicoliAuthor Commented:
Happy to report that my workaround worked. I was able to set the outbound SMTP traffic from the email server to use the second ISP IP address that was connected via the OPT port. I did this using the route policies in the Sonicwall.
0
 
carlmdCommented:
What to do depends upon how the Sonicwall is configured.

I don't have a Sonicwall with the standard OS, so you may have to search a bit.

Under Network -> Routing look for anything that has a service of SMTP. Please report the Source, Destination, Service, Gateway and Interface for any that you find. Hopefully there will only be one.
0
 
carlmdCommented:
Looks like you did it before I got to type the instructions. Nice work!
0
 
jjspicoliAuthor Commented:
I still want to be able to add the second IP to the original interface, as I never actually resolved the issue the way I wanted to. I feel like I just got "lucky" that they happened to have a second ISP on the OPT port.

At the same time I don't want to "test / experiment" with someone's production environment.
0
 
carlmdCommented:
Before you attempt to do that, I would consider the following.

1. Since the device is EOL, are you planning to replace it?
2. Is the RBL block on the IP or the domain? Either is possible.
3. With 4 IP addresses, are you sure the others aren't being used for something you might not be aware of? Sounds like you might be getting the info a piece at a time.

IMHO you should consider leaving the setup as is, unless there is some reason you do not want to use the second ISP for email.

If you really want to attempt to add a second address on the original ISP, you have all the info above to do it.

If you have more questions, please post back.
0