Solved

SonicWall 2600 multiple wan->lan configuration

Posted on 2014-12-19
20
344 Views
Last Modified: 2014-12-27
Ok,
I am completely baffled here. We are replacing a Forefront TMG firewall with a SonicWall NSA 2600.
We have a block of fixed IPs (5) from our provider, 50.xx.xx.2 - 50.xx.xx.5, connected to X1; our primary internal LAN 192.168.xx.xx is on X0. We can access the internet, and I have configured for our Exchange server so email is functioning too.
NOW, there is one server on site that has multiple NICs (11.xx.xx.2, 12.xx.xx.2, 13.xx.xx.2). Each NIC has a different website bound to it in IIS. For the life of me I cannot configure the SonicWall to route traffic from, say, 50.xx.xx.3 to 11.xx.xx.2. I need to do this for each of the connections on this server. I am pretty well versed on the Forefront firewall, but I am absolutely lost on getting this SonicWall set up.
Any help and detailed examples would be greatly appreciated.
Andy

RECAP:
WAN: 50.xx.xx.2 -> 50.xx.xx.5 on one physical connection
LAN X0: 192.168.xx.xx -> this is the gateway for the internal domain, works OK
DMZ 1 on X2: 11.xx.xx.2 -> NOT WORKING, NEEDS ACCESS FROM 50.xx.xx.3
DMZ 2 on X3: 12.xx.xx.2 -> NOT WORKING, NEEDS ACCESS FROM 50.xx.xx.4
DMZ 3 on X4: 13.xx.xx.2 -> NOT WORKING, NEEDS ACCESS FROM 50.xx.xx.5
0
Question by:steamngn
20 Comments
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40510931
Use the public server wizard, it's really really easy.
0
 

Author Comment

by:steamngn
ID: 40511563
Aaron,
I tried that, several times. After much head-banging I went to the log monitor and tried to ping each fixed IP in our subnet. To my surprise only the first IP (50.xx.xx.2) reaches the firewall; the others never make it. According to Time Warner DHCP is off on their router and it is configured to act as a bridge, but something is wrong....
I have a service call for them Monday morning, will update here after we get that checked out.
Andy
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40511678
Does the server on 50.x.x.2 work then and it's only the others with problems?
0
 

Author Comment

by:steamngn
ID: 40511978
That is correct. If I initiate a ping from outside to 50.xx.xx.2 I see the packet dropped in the firewall log (ICMP is blocked); if I ping any other IP nothing reaches the firewall.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40512003
You can add ICMP to the services group created by the public server wizard if you want to be able to ping the host. As for the other IPs, definitely an ISP issue like you said.
0
 

Author Comment

by:steamngn
ID: 40512143
I don't really need the service, just using it to help narrow down the issue. Will update tomorrow after Time Warner comes in...
0
 

Author Comment

by:steamngn
ID: 40515079
Well...
The new router is in place, and according to Time Warner is in bridge mode. I have changed each internal web server to be an address on our internal LAN, i.e. DMZ 1 is now 192.168.xx.05, and updated our internal domain DNS records. I then ran the SonicWall wizard for each site. So now from the internal LAN all of the sites are accessible. However, I still cannot reach any of these sites from external! We have DNS (A) records in place at our web provider, and these worked fine before. I am just completely stumped as to why we cannot get something downstream from the WAN subnet...
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40515407
Before we worry about DNS, can you ping the WAN IP and get a response from the server for each of the 5 WAN IPs? Make sure you remove the old address objects and routes/NAT from when you were going with the DMZ setup. While the public server wizard creates things easily, there is no such easy delete button.
0
 

Author Comment

by:steamngn
ID: 40515418
Aaron,
Was just about to post an update... I downloaded the newest firmware for the firewall and rebooted into a fresh install. I have re-run the wizard for each internal web server and confirmed that webmail and the internet are working as before....
NOW I can see packets being forwarded to the internal servers on each IP, but I am still not able to browse pages. I loaded Wireshark on the web server and did some tracing; I notice when I try to view a website that the request DOES get to the server now, but then I get 'TCP Retransmission' errors. So it looks like we are getting closer...
Does this help?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40515446
I think the SonicWall may be passing the external IP through to the server, so you might have to add that IP binding to IIS. Personally I use a single IP on my servers with host headers, so it's only the domain name that matters. I run tons of sites on servers with a single NIC and IP address.
0

Author Comment

by:steamngn
ID: 40515488
Aaron,
Ok, we may be zeroing in on a solution here, but I will need a little guidance (Did I mention I'm a DBA, and not a Netguru? :-) )...
So to drop all of this nonsense and get things working, I would need to:
a) change the bindings on the 4 websites to all be on the same NIC
b) change the DNS records at our Internet host to all point to the same fixed IP (the same as our currently working exchange server)
c) change our internal DNS records to all point to the same IP for the web server
d) delete the SonicWall web server policies/rules/routes etc and rerun the wizard for each site? or just rerun it once and create a single forwarding rule?

Am I close? Is this a better practice than all the extra stuff?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 40515498
Not to hijack the answers already provided by Aaron but the simplest way to do this is to take X2/3/4 out of the loop...

When you have a public IP block it comes through X1(I assume this is your WAN yes?) by design anyways...

So you simply run the Public IP wizard and assign each public IP to map to the private IP...and things work...this is the way we do it in our office...I don't use separate physical interfaces to do the public assignments...
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40515517
Well, there are other considerations:
If you have an older IIS you can only do one SSL site per IP. With 4 NICs you are getting 4x the bandwidth.

For now, to keep it easy, I'd leave the 4 NICs all on the LAN and just run the public server wizard 4 times. Add ICMP to the service groups. Make sure you can ping all 4 WAN IPs through to the LAN IPs. If you can but can't view websites, it's just IIS bindings settings.
0
 

Author Comment

by:steamngn
ID: 40515521
Nope,
Already took X2/3/4 out of the loop; see previous posts. It is quickly becoming apparent that the current installation is far more complicated than it needs to be; at this point it is time to regroup and fix this fiasco! So, still following Aaron's lead and looking to remap the whole thing...
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 40515527
Ah apologies...must have missed that post...cool see how you get on with the new config...
0
 
LVL 38

Accepted Solution

by:Aaron Tomosky (earned 500 total points)
ID: 40515540
Don't get me wrong, I'm all for removing your 4 IPs if they don't serve a purpose. I just don't know enough about why it's that way to confidently suggest blowing it away, as there may be a good reason.
0
 

Author Comment

by:steamngn
ID: 40515562
Ok,
So these are 4 sites with no SSL at all; pretty basic, and all together they don't get much bandwidth.
Looking at the Wireshark trace some more, I see that when I try to browse one of the sites from my phone externally the SOURCE address is 174.236.0.1, which is a Verizon IP; shouldn't the source be the LAN gateway inside the SonicWall?
Whatever this problem is it is common to all the sites...
0
 

Author Closing Comment

by:steamngn
ID: 40515596
Got IT!
While looking into your suggestions, and looking at the odd SOURCE addresses, I changed the NAT policies for inbound traffic. Changing the translated source to 'LAN Interface IP' from 'original' allows the server to respond to the request properly.
0
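The fix in the closing comment (translated source set to the firewall's interface IP instead of 'original') is easiest to understand by tracing the reply path. The following Python model is an added illustration, not SonicWall code and not anything posted in this thread: the addresses, interface names, the server's NIC layout and the default-gateway placement are constructed to mirror the layout described above, and the firewall is modelled as a generic stateful NAT device that only accepts a reply on the interface where it created the connection state. The model shows one mechanism consistent with the symptoms (SYN arrives, SYN/ACK never returns, client sees TCP retransmissions) and why source translation makes the server's reply come back the right way regardless of the server's default gateway.

```python
"""Reply-path model for an inbound NAT policy when the published server sits on
its own subnet behind a dedicated firewall interface.

Added example; all addresses and interface names below are constructed."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


# Constructed addresses mirroring the thread's layout (not the poster's real ones).
PUBLIC_IP = ip_address("50.0.0.3")      # published WAN address on X1
CLIENT_IP = ip_address("174.236.0.1")   # external client, the "odd" source in the trace
SERVER_IP = ip_address("11.0.0.2")      # web server NIC on its own subnet

# Firewall interfaces: (subnet, interface IP). LAN on X0, server subnet on X2.
FW_IFACES = {
    "X0": (ip_network("192.168.1.0/24"), ip_address("192.168.1.1")),
    "X2": (ip_network("11.0.0.0/24"), ip_address("11.0.0.1")),
}

# Server NICs: (subnet, firewall interface each NIC is wired to).
SERVER_NICS = {
    "lan": (ip_network("192.168.1.0/24"), "X0"),
    "dmz1": (ip_network("11.0.0.0/24"), "X2"),
}


def fw_egress_for(dst: IPv4Address) -> str:
    """Firewall interface whose subnet contains dst."""
    return next(name for name, (net, _) in FW_IFACES.items() if dst in net)


def inbound_nat(pkt: Packet, translated_source: str):
    """Inbound policy: destination becomes the server. The source is either kept
    ('original') or rewritten to the IP of the firewall interface facing the
    server (the 'LAN Interface IP' choice in the wizard's terms)."""
    egress = fw_egress_for(SERVER_IP)
    src = pkt.src if translated_source == "original" else FW_IFACES[egress][1]
    return replace(pkt, src=src, dst=SERVER_IP), egress


def server_route(dst: IPv4Address, default_gw: IPv4Address) -> str:
    """Server-side routing: an on-link destination leaves through the matching
    NIC; anything else goes to the default gateway via the NIC that reaches it."""
    for nic, (net, _) in SERVER_NICS.items():
        if dst in net:
            return nic
    return next(nic for nic, (net, _) in SERVER_NICS.items() if default_gw in net)


def simulate(translated_source: str, server_default_gw: str) -> dict:
    """Trace one SYN in and the SYN/ACK back; report whether the reply lands on
    the firewall interface holding the NAT state (i.e. whether the client ever
    sees a SYN/ACK instead of retransmitting)."""
    syn = Packet(CLIENT_IP, PUBLIC_IP, 51515, 80)
    fwd, egress = inbound_nat(syn, translated_source)
    # Connection state is keyed on the interface the translated packet left through.
    state = (egress, fwd.src, fwd.dst, fwd.sport, fwd.dport)

    synack = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)
    nic = server_route(synack.dst, ip_address(server_default_gw))
    ingress = SERVER_NICS[nic][1]
    # A stateful firewall matches the reply against state created on the interface
    # it now arrives on; a reply on another interface is asymmetric and is dropped.
    accepted = (ingress, synack.dst, synack.src, synack.dport, synack.sport) == state
    return {
        "reply_dst": str(synack.dst),
        "reply_via_nic": nic,
        "fw_ingress": ingress,
        "delivered": accepted,
    }


if __name__ == "__main__":
    # Server's default gateway on the LAN NIC, as when one NIC carries the default route.
    for mode in ("original", "interface"):
        print(mode, simulate(mode, "192.168.1.1"))
```

With the server's default route on the LAN NIC, 'original' sends the SYN/ACK toward 174.236.0.1 via the LAN NIC, so it reaches the firewall on X0 while the NAT state lives on X2 and the handshake never completes; with the interface IP as the translated source, the reply is on-link for the X2 NIC and returns where the state is. The third case in the test shows that 'original' also works when the server's default gateway is the firewall's X2 address, which is why the wizard's defaults are fine for a server on the primary LAN subnet but not for one on a separate interface.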
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40515652
check out host headers, it's really really easy.
http://www.dotnetscraps.com/dotnetscraps/post/Did-you-know-Add-host-header-to-a-Web-Site-in-IIS-7-IIS-75.aspx

You set up one A record for your machine, then make CNAMEs for the sites. For developers on local machines, you can add the entry to the Windows hosts file.
0
 

Author Comment

by:steamngn
ID: 40519649
Aaron,
We actually had host headers set up for each website, and each website bound to a NIC with an independent IP subnet... After doing some homework I found that it was set up this way to allow advanced firewall configurations on the now-defunct Forefront firewall. At first I was going to tear this all down and reconfigure the web server to use just the host headers, but after re-reading the old firewall rules (and looking at the physical config for the umpteenth time) it occurred to me that I could remove ALL of the external web bandwidth from the internal network if I put them on individual ports on the new firewall. The real solution here was actually seeing the traffic with Wireshark; that led to the understanding that the firewall actually WAS working, but that the configuration settings from the wizard aren't correct unless you are using a subnet of your primary LAN. This is in the SonicOS documentation, but it isn't very clear at all. Hope this post helps someone else get their SonicWall configured!
0