steamngn asked:

SonicWall 2600 multiple wan->lan configuration

I am completely baffled here. We are replacing a Forefront TMG firewall with a SonicWall NSA 2600.
We have a block of fixed IPs (5) from our provider, 50.xx.xx.2 - 50.xx.xx.5, connected to X1; our primary internal LAN 192.168.xx.xx is on X0. We can access the internet, and I have configured it for our Exchange server so email is functioning too.
NOW, there is one server on site that has multiple NICs (11.xx.xx.2, 12.xx.xx.2, 13.xx.xx.2). Each NIC has a different website bound to it in IIS. For the life of me I cannot configure the SonicWall to route traffic from, say, 50.xx.xx.3 to 11.xx.xx.2. I need to do this for each of the connections on this server. I am pretty well versed on the Forefront firewall, but I am absolutely lost on getting this SonicWall set up.
Any help and detailed examples would be greatly appreciated.

WAN: 50.xx.xx.2 -> 50.xx.xx.5 on one physical connection
LAN X0: 192.168.xx.xx -> this is the gateway for the internal domain; works OK
DMZ 1 on X2: 11.xx.xx.2 -> NOT WORKING, NEEDS ACCESS FROM 50.xx.xx.3
DMZ 2 on X3: 12.xx.xx.2 -> NOT WORKING, NEEDS ACCESS FROM 50.xx.xx.4
DMZ 3 on X4: 13.xx.xx.2 -> NOT WORKING, NEEDS ACCESS FROM 50.xx.xx.5
Aaron Tomosky:

Use the public server wizard, it's really really easy.
steamngn:

I tried that, several times. After much head-banging I went to the log monitor and tried to ping each fixed IP in our subnet. To my surprise, only the first IP (50.xx.xx.2) reaches the firewall; the others never make it. According to Time Warner, DHCP is off on their router and it is configured to act as a bridge, but something is wrong...
I have a service call for them Monday morning, will update here after we get that checked out.
Does the server on 50.x.x.2 work then and it's only the others with problems?
That is correct. If I initiate a ping from outside to 50.xx.xx.2 I see the packet dropped in the firewall log (ICMP is blocked); if I ping any other IP nothing reaches the firewall.
You can add ICMP to the services group created by the public server wizard if you want to be able to ping the host. As for the other IPs, definitely an ISP issue like you said.
I don't really need the service, just using it to help narrow down the issue. Will update tomorrow after Time Warner comes in...
The new router is in place, and according to Time Warner is in bridge mode. I have changed each internal web server to be an address on our internal LAN, i.e. DMZ 1 is now 192.168.xx.05, and updated our internal domain DNS records. I then ran the SonicWall wizard for each site. So now from the internal LAN all of the sites are accessible. However, I still cannot reach any of these sites from external! We have DNS (A) records in place at our web provider, and these worked fine before. I am just completely stumped as to why we cannot get something downstream from the WAN subnet...
Before we worry about DNS, can you ping the WAN IP and get a response from the server for each of the 5 WAN IPs? Make sure you remove the old address objects and routes/NAT from when you were going with the DMZ setup. While the public server wizard creates things easily, there is no such easy delete button.
Was just about to post an update... I downloaded the newest firmware for the firewall and rebooted into a fresh install. I have re-run the wizard for each internal web server and confirmed that webmail and the internet are working as before....
NOW I can see packets being forwarded to the internal servers on each IP, but I am still not able to browse pages. I loaded wireshark on the web server and did some tracing; I notice when I try to view a website that the request DOES get to the server now, but then I get 'TCP Retransmission' errors. So it looks like we are getting closer...
Does this help?
I think the SonicWall may be passing the external IP through to the server, so you might have to add that IP binding to IIS. Personally I use a single IP on my servers with host headers so it's only the domain name that matters. I run tons of sites on servers with a single NIC and IP address.
Ok, we may be zeroing in on a solution here, but I will need a little guidance (Did I mention I'm a DBA, and not a Netguru? :-) )...
So to drop all of this nonsense and get things working, I would need to:
a) change the bindings on the 4 websites to all be on the same NIC
b) change the DNS records at our Internet host to all point to the same fixed IP (the same as our currently working exchange server)
c) change our internal DNS records to all point to the same IP for the web server
d) delete the SonicWall web server policies/rules/routes etc and rerun the wizard for each site? or just rerun it once and create a single forwarding rule?

Am I close? Is this a better practice than all the extra stuff?
Not to hijack the answers already provided by Aaron but the simplest way to do this is to take X2/3/4 out of the loop...

When you have a public IP block it comes through X1 (I assume this is your WAN, yes?) by design anyway...

So you simply run the Public IP wizard and assign each public IP to map to the private IP...and things work...this is the way we do it in our office...I don't use separate physical interfaces to do the public assignments...
Well, there are other considerations:
If you have an older IIS you can only do one SSL site per IP. With 4 NICs you are getting 4x the bandwidth.

For now, to keep it easy, I'd leave the 4 NICs all on the LAN and just run the public server wizard 4 times. Add ICMP to the service groups. Make sure you can ping all 4 WAN IPs through to the LAN IPs. If you can but can't view websites, it's just IIS bindings settings.
Already took X2/3/4 out of the loop; see previous posts. It is quickly becoming apparent that the current installation is far more complicated than it needs to be; at this point it is time to regroup and fix this fiasco! So, still following Aaron's lead and looking to remap the whole thing...
Ah, apologies... must have missed that. See how you get on with the new config...
So these are 4 sites with no SSL at all; pretty basic, and all together they don't get much bandwidth.
Looking at the Wireshark trace some more, I see that when I try to browse one of the sites from my phone externally the SOURCE address is a Verizon IP; shouldn't the source be the LAN gateway inside the SonicWall?
Whatever this problem is it is common to all the sites...
Got IT!
While looking into your suggestions, and looking at the odd SOURCE addresses, I changed the NAT policies for inbound traffic. Changing the translated source to 'LAN Interface IP' from 'original' allows the server to respond to the request properly.
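The mechanism behind the fix in the post above can be modelled in a few lines. This is an added example for this thread, not code from the thread, from SonicWall or from the poster: it models the web server's routing table and the firewall's inbound NAT policy. Assumptions, since the thread masks its octets and never says where the server's default route pointed: X1 WAN 50.0.0.2, X0 LAN 192.168.0.1, web server LAN NIC 192.168.0.5, a second server NIC 11.0.0.2, and a default gateway 11.0.0.254 that is some router other than the SonicWall (for example the old TMG box). With the translated source left as "Original" the server answers the client's real address and the reply follows the default route out the other NIC, so the firewall, which forwarded the SYN, never sees the SYN/ACK and the client retransmits. With the translated source set to the X0 interface IP the reply is addressed to a directly connected host and comes back through the firewall.

```python
"""
Why an inbound DNAT to a multi-homed server can deliver the request but lose
the reply ("request arrives, then TCP retransmissions"), and why translating
the inbound *source* to the firewall's interface IP changes that.

Added illustration; a routing model, not SonicWall code. All addresses are
assumed placeholders (the thread masks its octets).
"""
import ipaddress
from dataclasses import dataclass

FW_WAN_IP = "50.0.0.2"        # X1 public address the public-server policy listens on
FW_LAN_IP = "192.168.0.1"     # X0 interface IP
SERVER_LAN_IP = "192.168.0.5" # web server's NIC on the X0 subnet
CLIENT_IP = "198.51.100.7"    # external client (RFC 5737 documentation range)

# Server routing table: (prefix, next hop or None when directly connected, NIC).
# Assumption for the model: the default route points at a router that is NOT
# the SonicWall (e.g. the old TMG), reachable through the server's other NIC.
SERVER_ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), None, "LAN NIC"),
    (ipaddress.ip_network("11.0.0.0/24"), None, "NIC 11"),
    (ipaddress.ip_network("0.0.0.0/0"), "11.0.0.254", "NIC 11"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def lookup(dst: str):
    """Longest-prefix match over SERVER_ROUTES; returns (next_hop, nic)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in SERVER_ROUTES if addr in r[0]),
               key=lambda r: r[0].prefixlen)
    next_hop = best[1] if best[1] is not None else dst  # on-link: send directly
    return next_hop, best[2]


def inbound_nat(pkt: Packet, translate_source: bool) -> Packet:
    """The firewall's inbound policy: always rewrite the destination (DNAT) to
    the server; optionally also rewrite the source to the X0 interface IP,
    which is what the poster's 'LAN Interface IP' setting does."""
    src = FW_LAN_IP if translate_source else pkt.src
    return Packet(src=src, dst=SERVER_LAN_IP)


def server_reply(request: Packet):
    """The server answers whatever source it saw; its routing table picks the NIC."""
    reply = Packet(src=request.dst, dst=request.src)
    next_hop, nic = lookup(reply.dst)
    return reply, next_hop, nic


def simulate(translate_source: bool) -> dict:
    """Run one client -> firewall -> server -> reply exchange and report
    whether the reply comes back through the firewall's X0 interface."""
    inbound = inbound_nat(Packet(src=CLIENT_IP, dst=FW_WAN_IP), translate_source)
    reply, next_hop, nic = server_reply(inbound)
    # The firewall's connection entry was created on X0; it only sees the reply
    # if the server sends it out the NIC facing X0 and to/through the X0 address.
    reaches_firewall = nic == "LAN NIC" and next_hop == FW_LAN_IP
    return {
        "server_sees_src": inbound.src,
        "reply_to": reply.dst,
        "egress_nic": nic,
        "next_hop": next_hop,
        "reaches_firewall": reaches_firewall,
    }


if __name__ == "__main__":
    for mode in (False, True):
        label = "X0 interface IP" if mode else "Original"
        print("translated source = %s: %s" % (label, simulate(mode)))
```

Changing the default route entry to point at 192.168.0.1 makes both modes succeed; that is the other fix, giving the server a default gateway on the SonicWall. The trade-off of source translation is that IIS logs and any IP-based restrictions then see the firewall's address rather than the real client's, which the poster also noticed in the Wireshark trace.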
Check out host headers, it's really really easy.

You set up one A record for your machine, then make CNAMEs for the sites. For developers on local machines, you can add the entry to the Windows hosts file.
We actually had host headers set up for each website, and each website bound to a NIC with an independent IP subnet... After doing some homework I found that it was set up this way to allow advanced firewall configurations on the now-defunct Forefront firewall. At first I was going to tear this all down and reconfigure the web server to use just the host headers, but after re-reading the old firewall rules (and looking at the physical config for the umpteenth time) it occurred to me that I could remove ALL of the external web bandwidth from the internal network if I put them on individual ports on the new firewall. The real solution here was actually seeing the traffic with Wireshark; that led to the understanding that the firewall actually WAS working, but that the configuration settings from the wizard aren't correct unless you are using a subnet of your primary LAN. This is in the SonicOS documentation, but it isn't very clear at all. Hope this post helps someone else get their SonicWall configured!