Sonic wall and spectrum issues

Has anyone seen this issue? We have two circuits coming into an NSA2600, one from Level 3 and one from Spectrum. I can get traffic from outside to our email server on the Level 3 side, but I cannot on the Spectrum side. Please see the attached document for an idea of our layout.

If I set up a computer directly connected to the Spectrum modem with a public IP address, I can ping it from the internet. How do I get traffic to flow from the Spectrum modem to my firewall with one connection, like I have on the Level 3 side?

Thanks
Simple-NAT-Drawing.pdf
mwatson536 Asked:
 
Blue Street Tech (Last Knight) Commented:
Hi mwatson536,

I have some questions for you. Please answer them so I can solve your problem!
• Do you have load balancing set up? Is your goal to use both connections simultaneously?
• So the mail server will not send outbound on X2 but X1 works perfectly?
• What kind of mail server is it, e.g. Exchange 2007?
• Are you using SmartHosts and are you directly sending mail outbound from your mail server?
• Do you have multiple MX records (privately & publicly) with the same priorities? One MX Record should point to the WAN1 and the other MX Record should point to WAN2.
• Do you have the Access Rules & NAT policies (including Loopback) in place for both WANs?
• Why haven't you set up two NAT policies for both WANs on different private networks? Why not NAT both to one private network?
• Do you have the A Records created for both WANs?

Also keep in mind, Exchange can only announce one PTR (even though you can configure both). So, either you need to make traffic always go out of one WAN, or, if you are looking to leverage both connections simultaneously, you need to implement an external relay host and send to it.

Let me know!
0
 
mwatson536 (Author) Commented:
Blue, here you go.

Do you have load balancing set up? Is your goal to use both connections simultaneously?
The ultimate goal is to set up a Mushroom with fail-over abilities. The L3 network is our primary.

I used our email server as an example here; I am just trying to get to our webmail interface, not send and receive yet. So I have DNS for our webmail set to webmail.ourdomain.com pointing to 4.x.x.109 and webmail2.ourdomain.com pointing to 98.x.x.12 on our external DNS servers. I can get to webmail but not to webmail2. Now if I pointed webmail2 to the X2 address it would work, because it is directly connected to the Spectrum modem. See the issue?

So the mail server will not send outbound on X2 but X1 works perfectly?
Email is flowing just fine through X1.

What kind of mail server is it, e.g. Exchange 2007?
We use Exchange 2013.

Do you have multiple MX records (privately & publicly) with different weights on them? One MX Record should point to the WAN1 and the other MX Record should point to WAN2.
I have not set up records except for webmail and webmail2.

Do you have the Access Rules & NAT policies (including Loopback) in place for both WANs?
I have access and NAT rules for webmail and webmail2.

I should say that this is not new to me; I have been doing this for years, but I have never run into the issue where the public IPs only flow to connected devices. The X1 interface, though static IP'ed to 4.x.x.106, will accept traffic for 4.x.x.109 and allow the firewall to NAT it to the inside, but the Spectrum modem will not; it wants 98.x.x.12 to be directly connected. I was just wondering if anyone had seen this before. If I could get 98.x.x.12 to flow through the 98.x.x.10 interface, then the firewall would NAT it to the internal address.

Make sense?

Thank you
0
 
Blue Street Tech (Last Knight) Commented:
What do you mean by "Mushroom with fail-over abilities"?
SonicWALL can LB (Load Balancing) a number of different ways and also can incorporate PEPBR (Probe-Enabled Policy Based Routing), so that if/when WAN1 (Primary WAN) fails, all traffic is routed to WAN2, and then once WAN1 is back online it receives all or some of the traffic depending on how the LB is configured.

Is the Spectrum modem in Bridge aka Transparent Mode? If it is NOT in Bridge Mode this will cause double NAT issues to occur.

"The X1 interface, though static IP'ed to 4.x.x.106, will accept traffic for 4.x.x.109 and allow the firewall to NAT it to the inside, but the Spectrum modem will not; it wants 98.x.x.12 to be directly connected."
That just sounds like you have a 5-pack of Public Static IPs through L3 but with Spectrum you only have 1 Static IP.
0
 
Blue Street Tech (Last Knight) Commented:
I forgot to mention...
"DNS for our webmail set to webmail.ourdomain.com pointing to 4.x.x.109 and webmail2.ourdomain.com pointing to 98.x.x.12 on our external DNS servers."
Also, I'd recommend setting up Load Balanced A Records on the Public DNS side for this, so that your users only see webmail.ourdomain.com (which in the back-end points to both WANs). That way, when a failure occurs, your users will be none the wiser and you won't have to answer support calls about why the webmail is down and now they have to switch to webmail2...

DNSMadeEasy provides a very reasonable way to do this. Also, DYN does as well but it costs a lot more.
0
 
mwatson536 (Author) Commented:
I have a 5 pack on both sides. Like I said, if I hook up a PC to the modem and IP it to 98.x.x.12, it works and I can ping it from the internet; the modem just won't route the traffic through the 98.x.x.10 like a router would.

I know the Sonic would load balance, but we are having issues with the Level 3 and our VoIP, so the Mushroom was brought in for the VoIP armor. The load balance is just extra, along with the fail-over.



Thanks
0
 
mwatson536 (Author) Commented:
I think you're focusing too much on the DNS issue. The fact is the IPs 98.x.x.10-14 will not flow through the modem to the firewall; the modem wants them to be directly connected to it, not behind the firewall. Yes, the modem is in bridge mode per Spectrum.

Thanks
0
 
Blue Street Tech (Last Knight) Commented:
Oh, so you have a load balancer (hardware) added in. OK. Yeah, in most cases you could have done it all on the SonicWALL and lowered the management complexity.

I did see that you have a 5 pack on both sides anywhere in this question I just saw it in your diagram (sorry).

"just won't route the traffic through the 98.x.x.10 like a router would."
Correct, it can't route anything...its only job is to translate...

Do you have a Many to One NAT policy set up for all 5 IPs on the Spectrum side?

Some modems will allow multiple IPs to pass through, others will not, but I'd like to think that when the ISP built your order they realized that and gave you the correct modem.

The DNS recommendation was a side-note tip...not a recommendation as a solution!
0
 
mwatson536 (Author) Commented:
Blue,

No issue, I understand; it was not easy to explain the issue.

"Do you have a Many to One NAT policy set up for all 5 IPs on the Spectrum side?"
I will check; I do not have access to the modem.

Thank you
0
 
Blue Street Tech (Last Knight) Commented:
Any update on this?
0
 
mwatson536 (Author) Commented:
No, sorry, still waiting for Spectrum to get back to me, but it is not looking favorable.
0
 
Blue Street Tech (Last Knight) Commented:
OK, let me know how I can help!

Also, some modems will allow multiple IPs to pass through, others will not (it's very dependent on the make/model), but I'd like to think that when the ISP built your order they realized that and gave you the correct modem...but ISPs are the very worst in terms of technical ability, customer support, and basically everything! :)
0

 
mwatson536 (Author) Commented:
As it turns out I am getting a true business circuit in place of this cable circuit.

Thank you
0
 
Blue Street Tech (Last Knight) Commented:
Nice! I'm glad you got it sorted out and thanks for the points!
0
Question has a verified solution.
