Shab asked:

How can I access a web server with dynamic IP on sonicwall NSA

How can I access a web server with dynamic IP on sonicwall NSA?

Scenario:

Web server: 10.10.10.1 (LAN)

Sonicwall: No-Ip configured on WAN - it's getting updated with WAN IP

No-IP site: I have created a HOST with CNAME on No-IP called webserver.mydomain.com

What next? Please help!
Hardware Firewalls, Routers, Microsoft SharePoint, Networking, Network Management

Last comment: Blue Street Tech, 8/22/2022 - Mon

S Z

You will need some NAT and firewall rules.
But to make it easier, SonicWall added a wizard on the web interface (top right).
Within the wizard you can choose the "public server wizard".
This should do it.
ASKER
Shab

I have done this with static IP but for the dynamic there is no option!

Does anyone have an idea how to bring a Dynamic IP masked domain as a public IP?
S Z

As I understood, you already did what you asked for:
you configured No-IP on the SonicWall and created a CNAME on No-IP.

That means that you already made your SonicWall available to the public under webserver.mydomain.com

Now you only need to forward all traffic (is it HTTP or HTTPS?) to your server on the LAN.

You need to create a new firewall rule from WAN to LAN, allowing HTTP and HTTPS traffic to your server (source any; destination your server - you might need to create a new address object to do that; service HTTP; create a second rule for HTTPS).
ASKER
Shab

Yes, here comes the issue!!!

I have done the rule on the firewall - all good! But I am not able to do the NAT on the SonicWall!

I can create an address object with FQDN: webserver.mydomain.com
but in the NAT section drop-down the FQDN address object is not showing?

Is this possible with SonicWall? Using a dynamic IP as a public IP for the web server?
N-W

Attached are the required NAT and firewall rules you'll need. They assume the traffic is going from the WAN zone (X1 interface) to DMZ zone (X2 interface), you'll need to modify them as required.

If you use the address object "X1 IP" or "WAN INTERFACE IP" for the rules, it should automatically populate when your WAN interface receives the IP address.
SonicWALL-Dynamic-IP.txt
S Z

Yes, it is definitely possible.

Your address object needs to reflect the internal IP of your server, not the public FQDN. Forget about the public FQDN on the SonicWall; you do not need it there except in the dynamic DNS settings.
Blue Street Tech

wshty is right.

If you want to have your company domain be the main point to access the server all you have to do is add a CNAME in your External DNS server such as host: @ or www entry: webserver.mydomain.com. This will route all web traffic @ your root or www.domain.com to your web server.
ASKER
Shab

Guys, you may be confused by my question!

I have two WAN IPs

X1 - static IP and working well, no issues, I can reach web server via X0!

X2 - Dynamic IP from the ISP so installed No-IP and trying to reach web server but no luck!
Here is where I need your help
Blue Street Tech

Gotcha!

Provided you have already set up the following, proceed to the next paragraph below.

Set up DDNS.
Set up PortShield Groups to allow for 2nd WAN & assign it its own Zone.
Set up an Address Object for the DDNS FQDN.

Create a NAT policy to direct any traffic going to the WAN2 IP(s) to go to the Web Server. Here's how: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=4535
P.S. The Public Server Wizard will do all of this for you.

Let me know how it goes.
N-W

I've updated my original attachment. These firewall/NAT rules should work for exactly what you need (i.e. static WAN IP on X1 and dynamic WAN IP on X2).

I highly recommend not using the Public Server Wizard in this case, it will only mess things up for you.
ASKER
Shab

@N-W, thanks for your assistance!

Could you please make sure your NAT rules are correct! Inbound x2 Outbound x1 ?
N-W

Apologies, it seems I didn't upload the updated attachment in my past post.

Here it is now.
SonicWALL-Dynamic-IP-Updated.txt
Blue Street Tech

@N-W - The Public Server Wizard is a SonicWALL recommended Best Practice...how do you figure that he shouldn't run it? If anything it's a complete approach to getting this up & running quickly. Multiple web servers, multiple WANs...doesn't affect the Wizard either!
Blue Street Tech

Any update on this?
Blue Street Tech

Hi petertwliu,

How's it going? Let me know how I can help. Thanks.
ASKER
Shab

@Diverseit

Sorry for the delay! I tried but was not successful!
Blue Street Tech

Some questions:
What's the model # of the NSA (e.g. NSA 220, NSA 3600)?
What SonicOS firmware version are you running?
How do you have the dual WANs configured (e.g. Load balanced, independent, etc)?
When you say,
"X2 - Dynamic IP from the ISP so installed No-IP and trying to reach web server but no luck!
Here comes I need your help"
1. When you say above "...installed No-IP...", what do you mean by that? You shouldn't install anything from them...no agent - nothing. You need to configure it within the SonicWALL under Network > DDNS. Have you done that?

2. When you say above "...trying to reach web server but no luck!", are you trying to access the Web Server from its Public IP or Private IP? Which can you gain access to? If you can access from the Private IP but can't on the Public IP you need a Loopback policy in order to do so. After clicking on Add... under Network > NAT Policies configure the policy as follows:
Original Source: Firewalled Subnets
Translated Source: WAN Secondary IP or X2
Original Destination: WAN Secondary IP or X2
Translated Destination: Web Server Private IP
Original Service: HTTP
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: Loopback policy
Enable NAT Policy: Checked
Create a reflexive policy: unchecked

Please answer these so I can get this up & running for you!
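
The NAT matching discussed in this thread, as an added example that is not part of any post and is not SonicOS code: a simplified Python model in which the Original Destination is an interface-bound object, so the policy keeps matching after the ISP changes the X2 address, while a host object with the address typed in does not. The object name "X2 IP" (patterned on the "X1 IP" object mentioned above), the 203.0.113.x and 198.51.100.x addresses, and the 10.10.10.0/24 LAN are assumptions.

```python
from dataclasses import dataclass

# Constructed values: documentation-range addresses stand in for the ISP lease.
interfaces = {"X2": "203.0.113.10"}  # current DHCP address on the dynamic WAN
WEB_SERVER = "10.10.10.1"            # LAN web server from the question

@dataclass
class NatPolicy:
    name: str
    orig_src: str   # "Any" or "Firewalled Subnets"
    orig_dst: str   # literal IP, or an interface-bound object such as "X2 IP"
    port: int       # original service (TCP destination port)
    xlat_src: str   # "Original" or an interface-bound object
    xlat_dst: str   # translated destination

def resolve(obj):
    """Interface-bound objects are looked up when the packet is matched."""
    return interfaces[obj[:-3]] if obj.endswith(" IP") else obj

def is_firewalled(ip):
    return ip.startswith("10.10.10.")  # assumption: the LAN is 10.10.10.0/24

def translate(policies, src, dst, port):
    """Return (policy name, new source, new destination) or None."""
    for p in policies:
        if p.orig_src == "Firewalled Subnets" and not is_firewalled(src):
            continue
        if resolve(p.orig_dst) != dst or p.port != port:
            continue
        new_src = src if p.xlat_src == "Original" else resolve(p.xlat_src)
        return p.name, new_src, p.xlat_dst
    return None

def renew_lease(iface, new_ip):
    interfaces[iface] = new_ip  # the ISP hands the WAN interface a new address

# Loopback policy with the fields listed in the post, then the inbound policy.
POLICIES = [
    NatPolicy("loopback", "Firewalled Subnets", "X2 IP", 80, "X2 IP", WEB_SERVER),
    NatPolicy("inbound", "Any", "X2 IP", 80, "Original", WEB_SERVER),
]
# Contrast case: a host object with the lease address typed in by hand.
PINNED = [NatPolicy("pinned", "Any", "203.0.113.10", 80, "Original", WEB_SERVER)]

if __name__ == "__main__":
    print(translate(POLICIES, "198.51.100.7", "203.0.113.10", 80))  # outside client
    print(translate(POLICIES, "10.10.10.50", "203.0.113.10", 80))   # LAN client
    renew_lease("X2", "203.0.113.77")
    print(translate(POLICIES, "198.51.100.7", "203.0.113.77", 80))
    print(translate(PINNED, "198.51.100.7", "203.0.113.77", 80))
```

The model only covers address translation; a WAN-to-LAN access rule for the same service is still needed, as the earlier replies state.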
Blue Street Tech

Did you try my last post?
ASKER
Shab

I have two WAN IPs

X1 - static IP and working well, no issues, I can reach web server!

X2 - Dynamic IP from the ISP so configured DDNS (No-IP) and trying to reach web server but no luck!

On the second scenario, which is via X2 - I am trying to access it from the DDNS domain name, not from the public IP, since I don't have a static IP!!!
Blue Street Tech

For a web server you should really buy another Static IP.

Can you access the web server via the DDNS current IP address?

Have you assigned the DDNS to the correct Interface?
ASKER
Shab

Sorry mate, I don't get you now?

I clearly said on my question that I am looking to access web server with DDNS domain name as I don't have static IP on the second scenario which is X2!

My question now is what is the use of DDNS then?


Can you access the web server via the DDNS current IP address?
NO

Have you assigned the DDNS to the correct Interface?
YES
Blue Street Tech

When I say,
"For a web server you should really buy another Static IP."
I am giving you the best advice possible as a side note - not to defer from your issue - but rather to provide advice. You should purchase a static IP for a number of reasons including security, SEO and reliability.

I understand your rhetorical question of what is the point of DDNS, but you must understand it has drawbacks and is not the same as having a static IP. Here are some drawbacks using DDNS vs Static IP:
Degraded Performance - ISP blocks in dynamic pools are typically blacklisted due to the high probability that the previous users could have abused or misused the IPs through SPAM or other illegal means and then you get issued that IP and have to mitigate the repercussions (blacklists, etc.) of others.
Not Reliable - you must rely on a third-party service (No-IP), which increases liability. You must rely on the firewall's manufacturer to create bug-free releases too. Some examples of this are when No-IP suffered a major downage 14 months ago for two days. Another was the SonicWALL SonicOS DDNS SSL bug three versions ago - it plain didn't work until they created a new release!
Security Risks - DDNS is susceptible to DNS Attacks.
Degraded SEO - one of the fundamental rules in good SEO is to have the same IP address for better search results.
But back to the issue at hand.

Are you trying to gain access to the web server from inside or outside the network?
Blue Street Tech

Make sense?
Blue Street Tech

Are you trying to gain access to the web server from inside or outside the network?
ASKER
Shab

I've requested that this question be deleted for the following reason:

I will reopen this case so some other expert can answer my question!
I am not getting what I want from the attending experts! We are just wasting both of our time!
Blue Street Tech

I'm not sure if you are aware of this but we can make a call for more experts if you like so that you can continue the thread with new experts? Just respond either way and let me know. Thanks.
ASKER CERTIFIED SOLUTION
Blue Street Tech
