Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

NAT Issues?

Hello guys.

I hope that someone can help me with this one.

We've Drayteks and we're in the process of changing to SONICWALLs TZ 670.

So, we've a fixed IP that should be configured on the WAN port and a block of IPs that should be routing to this fixed IP, at least I think they're being routed.

The Drayteks, have this option that lets us add "Alias" to the WAN port, so I can configure all of the IPs on the WAN port.

We've internal servers that use those ALIAS IPs.

I've read that for this the SONICWALLs only need NAT. So I've configured all the NATs and Access Rules for those IP ALIASEs, but it didn't work, not even a hit on the NAT nor the ACL. Funny thing, if i change the NAT rule and the Access rule to match the fixed IP configured on the WAN port, it works, I can access the servers from the outside...it just doesn't work with the other IP ALIASEs...

Any suggestions on this one?

Category: Mid Range Firewalls
Reply
Tagged:

Best Answer

  • CORRECT ANSWER
    AjishlalAjishlal Community Legend ✭✭✭✭✭
    Answer ✓

    Hi @César_S

    Ping enable on the WAN port is high risk and it's not recommended for the production environment. If you are failing with static ARP configuration in Firewall, follow the below suggestion;

    If your company have hosted their website, point the public IP in the DNS zone where the company website hosted.

    For example your company website is example.com, Navigate to the example.com cpanel and edit the DNS entry and add the public IP pool which you received from the ISP and point to each your internal server service name.

    for example, if you have sap server need to publish and assign a public IP, create the DNS (A record) entry in your website cpanel with your public IP like; sap1.example.com point to your public IP 1.1.1.1 so on.

    in this above scenario no need to do any static ARP configuration in firewall other than the NAT and ACL.

Answers

  • Hello,

    Along with the NAT and access rules, could you please add a static ARP and route for those additional IP addresses as per this KB below and then test it out?

    https://www.sonicwall.com/support/knowledge-base/configuring-multiple-wan-subnets-using-static-arp-with-sonicos-enhanced/170503911164326/

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_SCésar_S Newbie ✭


    I saw that KB before, but It says that I should add an IP that belongs to the other IPs subnets and not the IP that I want to NAT to the internal server.

    It will be hard for me to test this out, as this will cause some services to stop.

  • The IP address that needs to be added as alias, are they on the same subnet of your existing WAN IP or belong to a totally different subnet?

    If they are from the same subnet, then you can do a packet capture and see if the traffic is even reaching the SonicWall. The KB is useful when a different subnet is used.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_SCésar_S Newbie ✭

    Yes, they are in a different subnet from my WAN IP.

    But should I add to the ARP the IPs or should I add an IP that belongs to the same subnet as those ALIASES IPs?

  • For example if WAN IP is 1.1.1.1 and the secondary subnet is 2.2.2.1-2.2.2.6, you can use one of the IPs e.g. 2.2.2.1 from the secondary subnet for static ARP and use that entire secondary subnet in the route.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_SCésar_S Newbie ✭

    Ok, so I need to configure the ARP with one of the IPs that the ISP gave me and create the route, after that the NATs that I have should work fine?

    Does the subnet mask matters? Because the ISP didn't gave me any, they only sent me the IPs.

  • No, it does not. You can add it as a type range too. It should work with that.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_SCésar_S Newbie ✭

    Hello, today I tried it, didn't work.


    As example:

    I have a range of IPs from (IPs are not the real ones)

    10.0.0.5 to 10.0.0.10

    So what I did was, create a range with those IPs and add the route as explained in the KB.

    Created both Access rule and NAT police as the KB.

    And added the IP 10.0.0.5 to the Static arp and published it, like the KB said.


    But didn't work...

  • César_SCésar_S Newbie ✭

    Shiprasahu93, do you have any other idea on how I can do it?


    Thank you! :)

  • @César_S, it would help if you posted screenshots of your address objects, static arp entries and NAT/Access rules. You can blur out the actual IP addresses but keep everything else. This config is not uncommon and I have seen it many times.

  • César_SCésar_S Newbie ✭

    Hello Master, I hope that you're doing well.

    Ok so here is the static arp, the IP address is the IP from the range of IPs that the ISP gave me.

    Grabbing the example that I gave, I have a range from 10.0.0.5 to 10.0.0.10, and lets say that this IP is 10.0.0.8


    This is the access rule:

    The IP is 10.0.0.8 and I added the port that I need people to access it.



    This is the NAT rule

    Also the same IP 10.0.0.8 and the ports



    The route

    The "X1_ALIASES" is the IP range 10.0.0.5-10.0.0.10


    Thank you for your help.

  • Try removing the route and test again.

  • César_SCésar_S Newbie ✭

    Hello MasterRoshi,


    Just did it, no luck. :(

  • @César_S, can you confirm you used the configuration wizard to create the NAT/Access rule? If not, please delete your access rule and NAT and use the public server guide wizard to do it.

  • César_SCésar_S Newbie ✭

    I did it manually. Ok, I'll try it.

  • César_SCésar_S Newbie ✭

    No luck, but the rules were working, if I change the rules to match the IP that I've configured on the x1 interface it works.

  • César_SCésar_S Newbie ✭

    Is it possible for the ISP to be forwarding those IPs to the MAC of my old firwalls? And that's why this one isn't working? 🤔

  • It is definitely possible, you can see in a packet capture if the traffic destined for those additional addresses is arriving at the firewall or not.

  • César_SCésar_S Newbie ✭

    I started a packet capture, but I'm not seeing any IP from the secondary subnet that the ISP provided.

  • César_SCésar_S Newbie ✭

    We can close this topic.

    For the routing to be made I had to enable ping on the WAN port.

    After that, I don't even need anything from this KB, just the NATs and the ACLs

  • For the routing to be made I had to enable ping on the WAN port.

    Hello @César_S,

    I hope you are well.

    It sounds like this issue is resolved based on the above comment by you. Please, can you mark "Yes" to the appropriate comment so that others can benefit from this discussion in the future?

    Kind Regards,

    @micah - SonicWall's Self-Service Sr. Manager

  • César_SCésar_S Newbie ✭

    Hello Ajishlal,

    Hope that you're well.


    I had to talk with the ISP, they were the ones that told me that for the second subnet to be routed for my first subnet I had to enable ping.

    Also we're using CLOUDFLARE, to help with the DDOS attacks and other issues that might arise.

  • César_SCésar_S Newbie ✭

    I know that this is a different topic, but is there a way to restart on a TZ670 the SSL VPN services?

    I had a issue with the SSL VPN, users couldn't log to it, they were getting an error about the "Server can't be reached", I had to restart the SONICWALL.

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @César_S ,

    If you are using cloudflare or any other WAF service for preventing attack, Please make sure the SSL VPN service should not block. If you are using default SSL VPN, the port should be 4433 and it will block by WAF if there is no custom rule.

  • César_SCésar_S Newbie ✭

    I changed the port to other port, but it was working before, just today stopped working, i had to restart the Sonicwalls for it to start working again.

Sign In or Register to comment.