How can I access a web server with dynamic IP on sonicwall NSA

How can I access a web server with dynamic IP on sonicwall NSA?

Scenario:

Web server: 10.10.10.1 (LAN)

Sonicwall: No-Ip configured on WAN - it's getting updated with WAN IP

No-IP site: I have created a HOST with CNAME on No-IP called webserver.mydomain.com

What next? Please help!
ShabAsked:

wshtyCommented:
you will need some nat and firewall rules.
but to make it easier, sonicwall added a wizard on the web interface (top right)
within the wizard you can choose the "public server wizard".
this should do it.
0
ShabAuthor Commented:
I have done this with static IP but for the dynamic there is no option!

Does anyone have an idea how to bring a Dynamic IP masked domain as a public IP?
0
wshtyCommented:
as i understood, you already did what you asked for:
you configured no-ip on sonicwall and created a cname on no-ip.

that means that you already made your sonicwall available to the public under webserver.mydomain.com

now you only need to forward all traffic (is it http or https?) to your server on LAN.

you need to create a new firewall rule from wan to lan, allowing http and https traffic to your server (source any; destination your server - you might need to create a new address object to do that; service http; create a second rule for https)
0
ShabAuthor Commented:
Yes, here comes the issue!!!

I have done the rule on the firewall - all good! But I am not able to do the NAT on the SonicWALL!

I can create an address object with FQDN: webserver.mydomain.com
but in the NAT section drop-down the FQDN address object is not showing?

Is this possible with sonicwall? using dynamic ip as a public ip for the web server?
0
N-WCommented:
Attached are the required NAT and firewall rules you'll need. They assume the traffic is going from the WAN zone (X1 interface) to DMZ zone (X2 interface), you'll need to modify them as required.

If you use the address object "X1 IP" or "WAN INTERFACE IP" for the rules, it should automatically populate when your WAN interface receives the IP address.
SonicWALL-Dynamic-IP.txt
0
wshtyCommented:
yes it is definitely possible.

your address object needs to reflect the internal IP of your server, not the public fqdn. forget about the public fqdn on sonicwall you do not need it there except in the dynamic dns settings
0
Blue Street TechLast KnightCommented:
wshty is right.

If you want to have your company domain be the main point to access the server all you have to do is add a CNAME in your External DNS server such as host: @ or www entry: webserver.mydomain.com. This will route all web traffic @ your root or www.domain.com to your web server.
0
ShabAuthor Commented:
Guys, you may be confused by my question!

I have two WAN IP

X1 - static IP and working well no issues I can reach web server via X0!

X2 - Dynamic IP from the ISP so installed No-IP and trying to reach web server but no luck!
Here is where I need your help
0
Blue Street TechLast KnightCommented:
Gotcha!

Provided you have already set up the following, proceed to the next paragraph below.

Setup DDNS.
Setup PortShield Groups to allow for 2nd WAN & assign it its own Zone.
Setup an Address Object for the DDNS FQDN.

Create a NAT policy to direct any traffic going to the WAN2 IP(s) to go to the Web Server. Here's how: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=4535
P.S. The Public Server Wizard will do all of this for you.

Let me know how it goes.
0
N-WCommented:
I've updated my original attachment. These firewall/NAT rules should work for exactly what you need (i.e. static WAN IP on X1 and dynamic WAN IP on X2).

I highly recommend not using the Public Server Wizard in this case, it will only mess things up for you.
0
ShabAuthor Commented:
@N-W, thanks for your assistance!

Could you please make sure your NAT rules are correct! Inbound x2 Outbound x1 ?
0
N-WCommented:
Apologies, it seems I didn't upload the updated attachment in my past post.

Here it is now.
SonicWALL-Dynamic-IP-Updated.txt
0
Blue Street TechLast KnightCommented:
@N-W - The Public Server Wizard is a SonicWALL recommended Best Practice...how do you figure that he shouldn't run it? If anything it's a complete approach to getting this up & running quickly. Multiple web servers, multiple WANs...doesn't affect the Wizard either!
0
Blue Street TechLast KnightCommented:
Any update on this?
0
Blue Street TechLast KnightCommented:
Hi petertwliu,

How's it going? Let me know how I can help. Thanks.
0
ShabAuthor Commented:
@Diverseit

Sorry for the delay! I tried but not successful!
0
Blue Street TechLast KnightCommented:
Some questions:
What's the model # of the NSA (e.g. NSA 220, NSA 3600)?
What SonicOS firmware version are you running?
How do you have the dual WANs configured (e.g. Load balanced, independent, etc)?
When you say,
X2 - Dynamic IP from the ISP so installed No-IP and trying to reach web server but no luck!
Here comes I need your help
1. When you say above "...installed No-IP..." what do you mean by that. You shouldn't install anything from them...no agent - nothing. You need to configure it within the SonicWALL under Network > DDNS. Have you done that?

2. When you say above "...trying to reach web server but no luck!" Are you trying to access the Web Server from its Public IP or Private IP? Which can you gain access to? If you can access from the Private IP but can't on the Public IP you need a Loopback policy in order to do so. After clicking on Add... under Network > NAT Policies configure the policy as follows:
Original Source: Firewalled Subnets
Translated Source: WAN Secondary IP or X2
Original Destination: WAN Secondary IP or X2
Translated Destination: Web Server Private IP
Original Service: HTTP
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: Loopback policy
Enable NAT Policy: Checked
Create a reflexive policy: unchecked

Please answer these so I can get this up & running for you!
0
Blue Street TechLast KnightCommented:
Did you try my last post?
0
ShabAuthor Commented:
I have two WAN IP

X1 - static IP and working well no issues I can reach web server!

X2 - Dynamic IP from the ISP so configured DDNS (No-IP) and trying to reach web server but no luck!

on the second scenario which is via X2 - I am trying to access it from the DDNS domain name not from the public IP since I don't have a static IP!!!
0
Blue Street TechLast KnightCommented:
For a web server you should really buy another Static IP.

Can you access the web server via the DDNS current IP address?

Have you assigned the DDNS to the correct Interface?
0
ShabAuthor Commented:
Sorry mate, I don't get you now?

I clearly said on my question that I am looking to access web server with DDNS domain name as I don't have static IP on the second scenario which is X2!

My question now is what is the use of DDNS then?


Can you access the web server via the DDNS current IP address?
NO

Have you assigned the DDNS to the correct Interface?
YES
0
Blue Street TechLast KnightCommented:
When I say,
For a web server you should really buy another Static IP.
I am giving you the best advice possible as a side note - not to defer from your issue - but rather to provide advice. You should purchase a static IP for a number of reasons including security, SEO and reliability.

I understand your rhetorical question of what is the point of DDNS, but you must understand it has drawbacks and is not the same as having a static IP. Here are some drawbacks using DDNS vs Static IP:
Degraded Performance - ISP blocks in dynamic pools are typically blacklisted due to the high probability that the previous users could have abused or misused the IPs through SPAM or other illegal means and then you get issued that IP and have to mitigate the repercussions (blacklists, etc.) of others.
Not Reliable - you must rely on a third-party service (No-IP), which increases liability. You must rely on the firewall's manufacturer to create bug-free releases too. Some examples of this are when No-IP suffered a major downage 14 months ago for two days. Another was the SonicWALL SonicOS DDNS SSL bug three versions ago - it plain didn't work until they created a new release!
Security Risks - DDNS is susceptible to DNS Attacks.
Degraded SEO - one of the fundamental rules in good SEO is to have the same IP address for better search results.
But back to the issue at hand.

Are you trying to gain access to the web server from inside or outside the network?
0
Blue Street TechLast KnightCommented:
Make sense?
0
Blue Street TechLast KnightCommented:
Are you trying to gain access to the web server from inside or outside the network?
0
ShabAuthor Commented:
I've requested that this question be deleted for the following reason:

I will re open this case so some other expert can answer my question!
I am not getting what I want from the attending experts! We are just wasting both of our time!
0
Blue Street TechLast KnightCommented:
I'm not sure if you are aware of this but we can make a call for more experts if you like so that you can continue the thread with new experts? Just respond either way and let me know. Thanks.
0
Blue Street TechLast KnightCommented:
I have verified this setup on my end - it works perfectly. It has also been verified by SonicWALL L2 support as a fully supported functionality. If you still can't access it then either a) you are not setting it up correctly (or following the steps we have provided) or b) it is an issue with the web server.

Here is the recommended way to do this:

1. Make sure your SonicOS firmware is up-to-date (at least 5.8.1.13 as the previous version had a DDNS bug).
2. Make sure you have setup the Secondary WAN Interface correctly - can you pass any traffic on it?
3. Set up DDNS and bind it to X2. Make sure the status is displaying "online".
4. Use the Public Wizard to setup access to the Web Server and select Web Server from the drop down.
The Public Wizard will setup the following items automatically:
      Server Address Objects
      1. Create "SharePoint Server (private)" assigned to LAN Zone for Host 10.10.10.1.
      2. Reuse "WAN Primary IP" address object assigned to WAN Zone for 1.1.1.1.

      Server Service Group Object
      1. Create "SharePoint Server (private) Services" with HTTP and HTTPS Services.

      Server NAT Policies
      1. Create Inbound Server NAT Policy to rewrite packets to original destination "WAN Primary IP" to translated destination "SharePoint Server (private)".
      2. Create Outbound Server NAT Policy to rewrite packets from "SharePoint Server (private)" to translated source "WAN Primary IP".
      3. Create Loopback NAT Policy to allow access from all internal zones to the server at public IP address 1.1.1.1.

      Server Access Rules
      1. WAN > LAN - Allow "Any" to "WAN Primary IP" for Service Group "SharePoint Server (private) Services".
      Similar rules will be created from all lower security zones to the LAN zone.

5. Now all you need to do is go into the NAT Policies and Access Rules to change WAN Primary IP to WAN Secondary IP or X2.

Therefore your Access Rule should read as follows:

From: WAN
To: LAN
Priority: <auto-generated>
Source: Any
Destination: WAN Secondary IP or X2
Service: SharePoint Server (private) Services
Action: Allow
Users Incl.: All
Users Excl.: None

Your NAT Policies should read like this:

INBOUND
Original Source: Any
Translated Source: Original
Original Destination: WAN Secondary IP or X2
Translated Destination: SharePoint Server (private)
Original Service: SharePoint Server (private) Services
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: <whatever you want for documentation purposes>

OUTBOUND
Original Source: SharePoint Server (private)
Translated Source: WAN Secondary IP or X2
Original Destination: Any
Translated Destination: Original
Original Service: SharePoint Server (private) Services
Translated Service: Original
Inbound Interface: Any
Outbound Interface: X2
Comment: <whatever you want for documentation purposes>

LOOPBACK
Original Source: Firewalled Subnets
Translated Source: WAN Secondary IP or X2
Original Destination: WAN Secondary IP or X2
Translated Destination: SharePoint Server (private)
Original Service: SharePoint Server (private) Services
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: <whatever you want for documentation purposes>

Try this one last time...as I said it works perfectly on my end...if it still doesn't something is either not being followed or there is an issue with your SharePoint server. Do a Packet Capture to see what is happening to the packets.
0
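
A checker for step 5 of the answer above, as an added example that is not part of the original post or any SonicWALL tooling: it parses a NAT policy listing typed in the post's "Field: Value" layout and reports every field still left on the wizard's "WAN Primary IP" default. The function names, the sample listing and the use of "WAN Secondary IP" as the X2 object name are assumptions made for illustration.

```python
# Constructed sample in the post's "Field: Value" layout. LOOPBACK is left on
# the wizard default on purpose, to show what step 5 still has to change.
SAMPLE = """\
INBOUND
Original Destination: WAN Secondary IP
Translated Destination: SharePoint Server (private)

OUTBOUND
Translated Source: WAN Secondary IP
Outbound Interface: X2

LOOPBACK
Translated Source: WAN Primary IP
Original Destination: WAN Primary IP
Translated Destination: SharePoint Server (private)
"""

def parse_policies(text):
    """Return {policy heading: {field: value}} from a pasted listing."""
    policies, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")
        if line and not sep:                 # bare heading such as INBOUND
            current = policies.setdefault(line, {})
        elif sep and current is not None:    # "Field: Value" under a heading
            current[key.strip()] = value.strip()
    return policies

def audit(policies, wan="WAN Secondary IP", stale="WAN Primary IP",
          server="SharePoint Server (private)", iface="X2"):
    """Return sorted (policy, field, problem) tuples; empty means consistent."""
    expected = {("INBOUND", "Original Destination"): wan,
                ("INBOUND", "Translated Destination"): server,
                ("OUTBOUND", "Translated Source"): wan,
                ("OUTBOUND", "Outbound Interface"): iface,
                ("LOOPBACK", "Original Destination"): wan}
    found = {}
    for (name, field), want in expected.items():
        got = policies.get(name, {}).get(field)
        if got != want:
            found[name, field] = f"expected {want!r}, found {got!r}"
    for name, fields in policies.items():    # leftovers from the wizard default
        for field, value in fields.items():
            if value == stale:
                found[name, field] = f"still {stale!r}, should be {wan!r}"
    return sorted((n, f, msg) for (n, f), msg in found.items())

if __name__ == "__main__":
    print(*audit(parse_policies(SAMPLE)), sep="\n")
```

An empty result means the inbound, outbound and loopback policies all reference the second WAN object and the private server consistently; it says nothing about whether the Access Rule was changed as well.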

Question has a verified solution.