
SonicWALL TZ 215 - Configuring second public IP address from different subnet

The data center where my TZ 215 firewall and physical server are colocated is issuing me a new public IP address scheme. The data center will temporarily configure their equipment to route both the old, existing IP address scheme and the new IP address scheme to my firewall to ensure uninterrupted, simultaneous access to services during the transition effort. Windstream owned the old IP address scheme and has requested that the data center return the IP addresses. Consequently, the data center is issuing new IP addresses to me that the data center owns.

Both the old and new IP address schemes provide me with three (3) client usable IP addresses. The IP address schemes are completely different such that the old, client usable IP addresses are (for example) 1.1.150.226 - .228 and the new client usable IP addresses are 2.2.9.220 - .222. Subnet / CIDR masks are: OLD 1.1.150.224/29, NEW 2.2.9.216/29. Netmasks for both schemes are 255.255.255.248. I can provide further details on network, default gateway, routers and broadcast IP addresses if needed. In the examples above, the first two octets are fictitious (i.e. OLD 1.1.x.x and NEW 2.2.x.x) but the second two octets are the actual values (i.e. OLD x.x.150.226, NEW x.x.9.220).

The TZ 215 is currently configured for the old IP address scheme (i.e. 1.1.150.x) and is working fine. I can manage the firewall and users can access services behind the firewall through various NAT policies and Access rules that someone else configured years ago.

My conundrum is that I need to be able to manage the firewall and access all services behind the firewall using both IP address schemes simultaneously. However, I'm somewhat stumped as firewall configuration is a bit out of my wheelhouse.

Does the TZ 215 even support this simultaneous access? I've scoured the Internet and found all kinds of instructions related to newer SonicWALL firewall appliances but nothing seems to apply to the TZ 215.

My first effort, which failed, was to see if I could manage the firewall from both IP address schemes. I created a static ARP entry for the new IP linked to the X1 interface. However, I see lots of notes online that indicate that the SonicWALL firewall will not respond to HTTPS Management traffic over static ARP. I've tried various combinations of static ARP entries, NAT rules, Access rules but nothing works. Clearly, I am over my head and need guidance ... or it's true that the TZ 215 will not respond to HTTPS Management traffic over static ARP.

From what I've gleaned thus far, I need to create an Address Object for the new IP address, a NAT policy, and an Access rule. However, I still cannot get a response from the TZ 215 for HTTPS Management traffic using the new IP address of 2.2.9.220. Is it true that the TZ 215 will not respond to HTTPS Management traffic over static ARP?

My second effort (not yet pursued due to my newbie status on firewall configuration) would be to gain access to a web application hosted on a virtual server behind the firewall with one of the new public IP addresses (i.e. 2.2.9.221). What kinds of records do I need to create on the TZ 215 to get this to work?

As a first step, I have already modified the DNS entry at my domain name provider to map the web application of interest to public IP 2.2.9.221 setting the lowest TTL possible. After a few minutes, the ping of that web application confirmed that my local DNS cache contains the new IP address (2.2.9.221) for the web application of interest even though the ping request times out. So, the second effort would look something like this from a request standpoint:

NOTE: The web application of interest was accessible from the old public IP address prior to changing its DNS entry.

  • DNS entry for web application changed to 2.2.9.221 (DONE)
  • Incoming request for https resource on 2.2.9.221 (e.g. https://mywebapp.yadda.com)
  • The virtual NIC on the Virtual server hosting the web application is only configured with a static private IP address of 192.168.2.21 and probably should stay that way. Consequently (and here's where my knowledge is sketchy), I assume I need a NAT policy record, among other things, to get from public 2.2.9.221 to private 192.168.2.21 where the only allowed services on that NAT policy record are http and https?

So for the second effort described above, what exactly are all the records/objects/things I need to configure on the TZ 215 to get this to work?

Any guidance would be greatly appreciated.

Category: Mid Range Firewalls
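Added example, not from the post or from SonicWall: a small Python model of the inbound side of the second effort (the new /29, the address object for 2.2.9.221, the NAT policy to 192.168.2.21 and the access rule limited to http/https). It checks the subnet arithmetic first and then evaluates sample inbound packets; the table layout and the NAT-then-access-rule order are assumptions for illustration, not SonicOS's own engine, and 2.2.9.220 is left without a policy to mirror the point that management on the secondary IP is not answered.

```python
import ipaddress

# Values constructed from the post: the new /29 and the planned inbound NAT.
NEW_WAN = ipaddress.ip_network("2.2.9.216/29")
NEW_NETMASK = "255.255.255.248"

# Inbound NAT policies (assumed table): (public IP, port) -> (private IP, port).
# Only http and https are published for the web application.
NAT_POLICIES = {
    ("2.2.9.221", 80): ("192.168.2.21", 80),
    ("2.2.9.221", 443): ("192.168.2.21", 443),
}
# Access rule (assumed table): translated destinations WAN traffic may reach; default deny.
ACCESS_RULES = {("192.168.2.21", 80), ("192.168.2.21", 443)}


def plan_checks():
    """Sanity-check the address plan before touching the firewall; returns a list of problems."""
    problems = []
    if NEW_WAN.netmask != ipaddress.ip_address(NEW_NETMASK):
        problems.append("netmask does not match the /29 prefix")
    usable = list(NEW_WAN.hosts())  # excludes the network and broadcast addresses
    for public_ip, _port in NAT_POLICIES:
        ip = ipaddress.ip_address(public_ip)
        if ip not in NEW_WAN:
            problems.append(f"{ip} is outside {NEW_WAN}")
        elif ip not in usable:
            problems.append(f"{ip} is the network or broadcast address")
    return problems


def inbound(dst_ip, dst_port):
    """Evaluate one inbound WAN packet: NAT policy lookup first, then the access rule."""
    translated = NAT_POLICIES.get((dst_ip, dst_port))
    if translated is None:
        return ("drop", "no NAT policy")
    if translated not in ACCESS_RULES:
        return ("drop", "access rule denies")
    return ("allow", f"{translated[0]}:{translated[1]}")


if __name__ == "__main__":
    print("plan problems:", plan_checks() or "none")
    for pkt in [("2.2.9.221", 443), ("2.2.9.221", 22), ("2.2.9.220", 443)]:
        print(pkt, "->", inbound(*pkt))
```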

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    "Is it true that the TZ 215 will not respond to HTTPS Management traffic over static ARP?"

    True, Sonicwalls will not do that no matter what the model or firmware.

    As Arkwright suggested, getting another WAN interface connected would be the most solid and, considering your experience, least stressful for you. Otherwise you will be risking losing access completely.

    But you are on the right track. Not only will you have to address your NAT policies, but also, eventually, your WAN interface IP.

    That said, asking a forum to do your work for you is a bit much. Come back with more steps to your plan and we can guide you.
