Solved

Sonicwall TZ 210 setting up a block of IPs from ISP

Posted on 2013-11-04
Last Modified: 2014-01-24
I am running a Sonicwall TZ 210 with SonicOS Enhanced

We have a block of IP addresses from our ISP.

One of the IP addresses is being utilized on our Sonicwall; let's call it 99.88.77.146.
The other is configured on a D-Link router; let's call it 99.88.77.150.

We currently have clients accessing two servers via the D-Link router. However, randomly during the day our clients will lose connection even though we are still able to access the internet using the connection from the Sonicwall. The only way to resolve the problem is to power cycle the ISP's modem, but the frequency with which we are having to do this has increased dramatically, leading me to believe we may have some possible hardware failure involved.

As part of the troubleshooting process I have tried to get rid of the D-Link and configure the Sonicwall to handle all of the traffic for both IP addresses, which I believe is the way it should have been set up originally. However, all of my attempts to make this work have failed.

I've created the services to the ports that both of the servers need, created the service groups. And have gone through the public server wizard to configure the address objects, NAT policies, and access rules but it is not working.

According to the posts I have read, once you have one WAN port configured with an IP from the assigned block of IP addresses, what I have done is all that you have to do. Do I need to get my ISP involved and have them replace the modem?
Question by:mednet

Accepted Solution

by: mcsween
ID: 39622576
You will need a NAT rule in addition to the firewall rule to translate the traffic.

Original Source - Any
Translated Source - Original
Original Destination - (Public IP this service is accessed on) Address Object
Translated Destination - (Private IP this service is hosted from) address Object
Original Service - Service object used to access (if you have more than one port to translate you need a rule for each port, or you can use Any in a single rule.  Do not use a Service Group here)
Translated Service - Most likely Original unless the internal port is different from the external port.  If so, use the internal port here and the external port on Original Service
Both interfaces to Any

Also make sure you have the subnet mask defined correctly on your WAN interface and, of course, remove the D-Link router or power it down so you don't cause an address conflict.  When you create the NAT rule the SonicWALL will start listening on that IP/Port.
Author Comment

by:mednet
ID: 39622688
Thanks for the swift reply. Unfortunately the connection is active right now and our clients are currently accessing the servers. I will have to try this out in the morning.
Author Comment

by:mednet
ID: 39624223
Unfortunately the changes did not resolve the problem. I am still unable to access the server via the 99.88.77.150 outside IP address when using the SonicWall.

The WAN port is configured properly, at least to my knowledge. I am unable to access the configuration of the modem so I am unsure how it is configured.
Assisted Solution

by: mcsween
ID: 39624442
You aren't trying to test from a computer that's behind the firewall, are you?  That will not work as loopback connections are prohibited on a SonicWALL.  You have to do your test using a machine that is outside your network.

To allow access from the inside using a public IP you will need a loopback NAT policy.

Original Source - Firewalled Subnets
Trans Source - Original
Original Dest - Public IP
Trans Dest - Private IP
Orig service - Any
Trans Service - Original
Author Comment

by:mednet
ID: 39624872
I was testing access from outside of our network.
Assisted Solution

by: mcsween
ID: 39627133
Please provide the following information (use 99.88.77.x for external addresses and 192.168.0.x for internal)

1. IP and subnet assigned to X1
2. IP and subnet assigned to X0
3. Public IP the server will be accessed on
4. Private IP of the server we are trying to publish
5. Which service ports it is accessed on

Also is the SonicWALL plugged directly into the ISP's router?  What type of router has the ISP provided (cable/dsl modem/router or enterprise class equipment).
Author Comment

by:mednet
ID: 39627281
Part of the problem could be because the servers we are routing to are on a separate network IP scheme (which I do not understand why it was done that way), but I should at least be able to ping 99.88.77.150.

1) X1
    IP: 99.88.77.146
    Subnet: 255.255.255.248

2) X0
    IP: 192.168.0.253
    Subnet: 255.255.255.0

3) Public IP
    99.88.77.150

4) Private IP
    172.17.2.5 and
    172.17.2.3

5) Ports
    7014 TCP&UDP
    7013 TCP&UDP

The Sonicwall is connected directly to a cable modem (SMC8014W-G). The modem does not appear to be in bridged mode. If you connect to it, you get an IP address assigned by the DHCP server on the SMC.
Assisted Solution

by: mcsween
ID: 39628461
I see two potential issues here.  The first is you need to get that cable modem in bridged mode so the public IPs are assigned directly to the SonicWALL; otherwise you will have to forward traffic from the public IP to the X1 IP of the SonicWALL, then forward again to the internal server.  That can get complicated really quick.  Is the actual public IP assigned to the SonicWALL or is that using one of the SMC's IPs?

The second is you cannot forward traffic from the same IP/port to multiple servers.  You either have to use multiple public IPs and NAT each one to the server or you have to use PAT (Port Address Translation) and use different public ports.

I was planning on providing the exact NAT/Firewall rules you need using your addresses but it doesn't appear it would work anyway as you have that extra device in the mix.  I would call the ISP and get that SMC into bridged mode.  Once that is done reply again here and let me know if it is working.  If not I will write out the firewall and NAT rules you need.
Author Comment

by:mednet
ID: 39629242
172.17.2.3 is using port 7014
172.17.2.5 is using port 7013

With that configuration it should work. That is of course after I get the ISP involved and get them to change the modem to bridged mode.

I will reply as soon as that is done.
Author Comment

by:mednet
ID: 39633309
I'm still waiting for my ISP to get back in touch with me. Since we have more than one static IP address is there any problem with placing the modem in bridged mode?
Assisted Solution

by: mcsween
ID: 39634253
It won't be a problem; just assign the first IP in the group to the interface with the correct subnet.  When you set up additional NAT rules the SonicWALL will start listening on the extra addresses.
Author Comment

by:mednet
ID: 39634886
Okay the modem has been placed in bridged mode, but I am still unable to access anything utilizing 99.88.77.150.
Assisted Solution

by: mcsween
ID: 39635802
The following rules use these assumptions:
Public IP - 99.88.77.150
Access Server 172.17.2.3 using port 7014 TCP & UDP
Access Server 172.17.2.5 using port 7013 TCP & UDP
X1 IP is 99.88.77.146, 255.255.255.248

Create the following address objects (Name, Type, Address):
WAN-150-IP: Host, 99.88.77.150
LAN-Server1: Host, 172.17.2.3
LAN-Server2: Host, 172.17.2.5

Create the following Service Objects (Name, Protocol, Port):
TCP 7014, TCP, 7014
UDP 7014, UDP, 7014
TCP 7013, TCP, 7013
UDP 7013, UDP, 7013

Create the following Service Group and add all 4 services from the last step to it:
IP 7013&7014

Create the following NAT Rules (There will be 4 of them):
Original Source: Any
Translated Source: Original
Original Destination: WAN-150-IP
Translated Destination: LAN-Server1
Original Service: TCP 7014
Translated Service: Original
Create Reflexive Policy: Checked

Original Source: Any
Translated Source: Original
Original Destination: WAN-150-IP
Translated Destination: LAN-Server1
Original Service: UDP 7014
Translated Service: Original
Create Reflexive Policy: Checked

Original Source: Any
Translated Source: Original
Original Destination: WAN-150-IP
Translated Destination: LAN-Server2
Original Service: TCP 7013
Translated Service: Original
Create Reflexive Policy: Checked

Original Source: Any
Translated Source: Original
Original Destination: WAN-150-IP
Translated Destination: LAN-Server2
Original Service: UDP 7013
Translated Service: Original
Create Reflexive Policy: Checked

Create the following Firewall Rule:
Allow
From Zone: WAN
To Zone: LAN
Service: IP 7013&7014
Source: Any
Destination: WAN-150-IP
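The rule set above, the loopback policy mcsween described earlier in the thread, and his note that one public IP/port cannot be forwarded to two different servers can all be checked against a model of the policy table before anyone tests from outside. The Python below is an added example written for this page; it is not SonicOS code and not something either participant posted. It uses the thread's placeholder addresses and ports, tracks destination translation only (first matching policy wins, as SonicOS evaluates policies top down), and adds two checks a practitioner would want: that the public IP actually lies inside the X1 subnet, and that every translated destination sits on a directly connected LAN subnet or is otherwise flagged as needing a route. The `SERVER_LAN` network and the `inbound_and_loopback` helper are assumptions made for the example, not a diagnosis of the poster's setup.

```python
"""Model of SonicOS-style destination NAT policies (added example, not SonicOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interfaces as given in the thread (99.88.77.x public, 192.168.0.x LAN).
X1 = ipaddress.ip_interface("99.88.77.146/29")      # 255.255.255.248
X0 = ipaddress.ip_interface("192.168.0.253/24")
CONNECTED_LAN = [X0.network]                         # what "Firewalled Subnets" resolves to
# Assumption for the example: the two servers live on a separate 172.17.2.0/24 network.
SERVER_LAN = ipaddress.ip_network("172.17.2.0/24")


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: str              # "Any", "Firewalled Subnets", or a CIDR
    orig_dst: str              # public (original destination) address
    proto: str                 # "tcp", "udp" or "any"
    orig_port: Optional[int]   # None means any port
    trans_dst: str             # private (translated destination) address
    trans_port: Optional[int] = None   # None means "Original"


def _src_matches(policy: NatPolicy, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if policy.orig_src == "Any":
        return True
    if policy.orig_src == "Firewalled Subnets":
        return any(ip in net for net in CONNECTED_LAN)
    return ip in ipaddress.ip_network(policy.orig_src, strict=False)


def _service_matches(policy: NatPolicy, proto: str, dport: int) -> bool:
    if policy.proto != "any" and policy.proto != proto:
        return False
    return policy.orig_port is None or policy.orig_port == dport


def translate(policies: List[NatPolicy], src_ip: str, dst_ip: str,
              proto: str, dport: int) -> Optional[Tuple[str, int]]:
    """Return (translated destination, translated port) of the first matching policy."""
    for p in policies:
        if _src_matches(p, src_ip) and p.orig_dst == dst_ip and _service_matches(p, proto, dport):
            return p.trans_dst, (dport if p.trans_port is None else p.trans_port)
    return None


def find_conflicts(policies: List[NatPolicy]) -> List[Tuple[str, str]]:
    """Pairs of policies that map the same public IP/proto/port to different servers."""
    seen = {}
    conflicts = []
    for p in policies:
        other = seen.setdefault((p.orig_dst, p.proto, p.orig_port), p)
        if other is not p and other.trans_dst != p.trans_dst:
            conflicts.append((other.name, p.name))
    return conflicts


def check_policies(policies: List[NatPolicy], wan=X1, lan_nets=CONNECTED_LAN) -> List[str]:
    """Public IP must be inside the WAN subnet; translated destination must be reachable."""
    findings = []
    for p in policies:
        if ipaddress.ip_address(p.orig_dst) not in wan.network:
            findings.append(f"{p.name}: {p.orig_dst} is outside {wan.network}; check the X1 subnet mask")
        if not any(ipaddress.ip_address(p.trans_dst) in n for n in lan_nets):
            findings.append(f"{p.name}: {p.trans_dst} is not on a connected LAN subnet; a route to it is required")
    return findings


def inbound_and_loopback(name: str, public_ip: str, proto: str, port: int, server: str) -> List[NatPolicy]:
    """Inbound WAN policy plus a loopback policy so LAN hosts can reach the public IP (example helper)."""
    return [
        NatPolicy(f"{name}-in", "Any", public_ip, proto, port, server),
        NatPolicy(f"{name}-loopback", "Firewalled Subnets", public_ip, proto, port, server),
    ]


# The four rules from the thread: 7014 -> 172.17.2.3, 7013 -> 172.17.2.5, TCP and UDP each.
POLICIES = (
    inbound_and_loopback("tcp7014", "99.88.77.150", "tcp", 7014, "172.17.2.3")
    + inbound_and_loopback("udp7014", "99.88.77.150", "udp", 7014, "172.17.2.3")
    + inbound_and_loopback("tcp7013", "99.88.77.150", "tcp", 7013, "172.17.2.5")
    + inbound_and_loopback("udp7013", "99.88.77.150", "udp", 7013, "172.17.2.5")
)

if __name__ == "__main__":
    print("outside -> .150 tcp/7014:", translate(POLICIES, "203.0.113.9", "99.88.77.150", "tcp", 7014))
    print("LAN host -> .150 udp/7013:", translate(POLICIES, "192.168.0.10", "99.88.77.150", "udp", 7013))
    print("conflicts:", find_conflicts(POLICIES))
    for line in check_policies(POLICIES):
        print("finding:", line)
```

Running it with the thread's addresses reports no policy conflicts but flags every translated destination, because 172.17.2.x is not inside the X0 network the firewall knows about; passing `lan_nets=CONNECTED_LAN + [SERVER_LAN]` clears those findings, which is the state the firewall has to be in (a connected interface or a static route toward the servers) for any of the NAT rules to deliver traffic.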
Author Comment

by:mednet
ID: 39638671
I've created everything you asked but it is still not working. I can't communicate to anything on 99.88.77.150 from outside.
Assisted Solution

by: mcsween
ID: 39649109
Can you watch the log in the firewall to see if it is even seeing the packets?  Set the logging level to debug and watch for any firewall dropped packet events or anything.  Set a filter on the log so you only see packets coming from your test machine's public IP.

You can connect to the servers from the LAN using their LAN address and ports 7013 and 7014, correct?

Are there any devices between the SonicWALL and the public internet like a DSL/Cable modem?