DMZ setup 2

Trekk

Programmer
Aug 16, 2001
66
US
I have a SonicWALL PRO 4060. I would like to set up a DMZ.

When I try to assign a static external (internet) IP address I get an error that says Subnet on this interface overlaps with another interface.

When creating a DMZ do you give it an external or private IP address?

Thanks
 
Generally each zone needs its own private IP subnet. You will have to allocate a private IP / subnet to the DMZ port you want to use.

Given that the 4060 has Enhanced OS, there should be a rules wizard for this.

I suggest you contact SonicWALL support; the 4060 should be licensed for 12 months of support from new. Go to your MySonicWALL account and create a new support request.

Sonicwall CSSA
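The "overlaps with another interface" error in the question is the firewall refusing a DMZ address whose subnet collides with one already bound to X0 or X1, which is exactly the point of the answer above. The script below is an added illustration, not code from this thread or from SonicWALL: it reproduces that check offline with the standard-library ipaddress module. The interface names, the LAN/WAN addresses and the three DMZ candidates are constructed documentation-range values, not the poster's real configuration.

```python
"""Reproduce the firewall's subnet-overlap check for a new DMZ interface."""
from ipaddress import ip_interface  # stdlib only

# Constructed sample: a LAN (X0) and a WAN (X1) holding one address from
# the ISP's public /29.  Documentation ranges, not the poster's addresses.
INTERFACES = {
    "X0 (LAN)": "192.168.1.1/24",
    "X1 (WAN)": "203.0.113.10/29",
}

DMZ_NAME = "X2 (DMZ)"


def overlaps(interfaces):
    """Return every pair of interface names whose connected subnets overlap."""
    nets = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    names = list(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def check_dmz_candidate(interfaces, candidate):
    """Simulate binding `candidate` (address/prefix) to the DMZ port.

    Returns None when the assignment is clean, otherwise the name of the
    existing interface it collides with, i.e. the condition behind the
    firewall's "overlaps with another interface" error.
    """
    trial = dict(interfaces)
    trial[DMZ_NAME] = candidate
    for a, b in overlaps(trial):
        if DMZ_NAME in (a, b):
            return b if a == DMZ_NAME else a
    return None


if __name__ == "__main__":
    # A second public address from the WAN block on the DMZ port: rejected,
    # because both interfaces would sit in 203.0.113.8/29.
    print(check_dmz_candidate(INTERFACES, "203.0.113.11/29"))   # X1 (WAN)
    # A private subnet distinct from the LAN: accepted.
    print(check_dmz_candidate(INTERFACES, "192.168.50.1/24"))   # None
    # Reusing the LAN subnet is rejected for the same reason.
    print(check_dmz_candidate(INTERFACES, "192.168.1.200/24"))  # X0 (LAN)
```

The first candidate is the configuration both posters tried: a spare address out of the ISP block, which is the same subnet the WAN port already lives in. To put a public address on the DMZ host without a routed second block you need a different mechanism (transparent mode or a NAT policy), not a routed DMZ subnet.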
 
Thank you for the info, that clears it up some. If I understand you right, I need to NAT an Internet IP to a private IP zone different from my normal internal IP schema.



Thank you
 
Hi, you're on the right lines. If you want to use a DMZ on the WAN side, allocate a different private IP range to one of your ports.

What is it you're setting up on the DMZ? A web server / mail server?



Sonicwall CSSA
 
I'm trying to do this too: set up a DMZ on the WAN side, but it still needs to be accessed from the LAN.

It's for an IP Phone system. I'd like to have it available from 2 IP addresses, one internal and one external and it has to be on a DMZ - it won't work via NAT according to the phone system company (Inter-Tel) as well as my trying anyway.

Right now it's set up in transparent mode - is this correct? I tried setting it to one of my 6 public addresses and it gave me the same error of overlap. I want to make sure it's set up correctly as I haven't tried the switch over yet, and when I do it's going to have to be at night (because it'll boot everyone off the system). So when I stay one night to do it I want to make sure it works by the time I leave.

Thanks,
Andy
 
Hi Andy,

That puts a different light on it,

First, you need to map out the services / ports used by the IP-PBX to initiate a call, during the call and at the end of the call. This info should be available from the PBX manufacturer.

You need to consider the various VoIP options that are built in to the SonicWALL OS Enhanced platform.

It may be necessary to look at QoS / ToS to prioritise VoIP packets over your network; you need to look not only at the SonicWALL but also at your LAN switches.

Assuming you have all the above sorted, you will be able to plan your 4060 firewall rule set.

I would suggest this is one for SonicWALL Support. It is relatively easy to set up a web server in the DMZ or another single service, but deploying an IP-PBX needs careful planning to get right.

NAT isn't really an issue; SonicWALL has a setting for Consistent NAT, by the way.

Your Pro4060 must be registered with SonicWALL for support. I would suggest you draw up a network diagram and post it with your query to SonicWALL; Technical at SonicWALL will be the best source of help for you.

Kind regards,

Owen

Sonicwall CSSA
 
Good advice Owen, seems like you are very experienced in this issue.

Roger L White CISSP, CISA, CISM, GSEC
Certified SonicWALL Instructor
Security Team
Invenio Technology
(212)244-4994 ext. 715
(917)326-0386
Need Help call anytime.
 
Thanks for the reply. Every time I've tried to call SonicWALL support I've been on hold for 30 - 45 minutes and get busy with other things and have to hang up. Quite frustrating seeing the amount I've paid them for past SonicWALLs, support, and this new 2040 with Enhanced.

I'm trying to test this DMZ setup with a WinXP box (with a "successful" test being able to get to it via Terminal Services while it sits on the DMZ); then I'd hope to somehow convert that setup to the phone system.

I do have the port numbers from Inter-Tel
IP Terminal TCP Call Control Port: 5566
IP Terminal General Purpose UDP Port: 5567
Audio Stream Transmit Port: 5008
Audio Stream Receive Port: 5006

The reason I bought this 2040 was because when I tried the Public Server wizard of my TZ-170 and spoke with SonicWALL support (when I got through) I couldn't get anything more than 1-way audio on an IP phone (that was outside of our LAN connecting through the public address NATed to the private address).

The phone system manufacturer said that i'd have to set the system up on a DMZ and not with NAT to get it to work properly.

Could you just tell me how I'd go about setting up a regular server - say my test XP box for now - to work on the DMZ? Does it have to be on a separate subnet? I want to use one of the public IPs provided by my T1 carrier (when I try to configure it, it errors saying it overlaps with my X1 settings). I put it on transparent, then created an address object of the public IP I want for the DMZ; is that correct?

I'm a DMZ newb... thanks for your pity and help.

- Andy
 
Hi Andy,

There are wizards in the OS Enhanced software to set up public servers; I would suggest you use them. The Enhanced OS is a bit tricky if you are not used to it; it is very easy to miss a setting or service / rule. The wizards do most of the work for you.

The test you are trying to do isn't very effective in terms of VOIP set-up.

My advice is not to try calling SonicWALL by phone. I would buy the 24 by 7 support pack from your SonicWALL dealer, then upgrade the service on MySonicWALL. Submit the technical assistance request via the online service at Mysonicwall.com (24by7 gives you priority access to SonicWALL). SonicWALL part no: 01-ssc-5706

If you provide a full network diagram and as much info as you can, the SonicWALL techs will do their very best to help.

The issue will remain live on the SonicWALL helpdesk until closed off. If there are any bugs in the software OS, they will be discovered.

Andy, the local SonicWALL agent / dealer that you purchased it from should be able to help?

If you are deploying this in a commercial arena, either get yourself trained by SonicWALL on the OS Enhanced, or seek the assistance of your local SonicWALL dealer / technical resource to help with the implementation.

Kind regards,

Owen



Sonicwall CSSA
 
Roger,

Thanks for the message. Yes, I have a wee bit of experience with VoIP/SonicWALL integration. Got about four years' experience on SonicWALL as a reseller, based in the UK.

Kind regards,

Owen

Sonicwall CSSA
 
Thanks for the reply. I actually was able to get through to SW Support and got my test XP box set up on the DMZ. They showed me how to set it up with both Transparent and Static modes. One of these days I'm going to stay late and try getting the phone system hooked into the DMZ and see how that goes.
The one problem I'm facing now is if I can't use NAT as the phone provider says (but will try again just in case this NAT DMZ might work) I'll have to change the IP address on my VoIP server to be a public IP, which is OK, but I don't want the 12 IP phones that are on the LAN to have to connect via the public IP. Is there a way some sort of access rule could fix this? The only other option is to get another IP Resource Card for the phone system (they are like 600 bucks though) and have it set up on 2 IPs, one public and one private.

FYI - I've used the wizards to set up all of my other servers with NAT policies; however, the wizards don't seem to apply to DMZ stuff.

Thanks for all info and help,
Andy
 
I tried just NATing my desired public IP to the private one of the phone system and as before I am only getting one-way audio.
I went into the VOIP menu and enabled Consistent NAT but still no dice. Do i have to do something to the NAT policy itself to get Consistent NAT to work, or does checking this box make all NAT Policies Consistent?
 
I ended up getting a 2nd IP Card for my phone system and put that directly on the DMZ with a transparent setup. It works great now!
 
I know this is not related, but I need help with a SonicWALL SOHO3. I am trying to set up an RDC to the server and I keep getting the error
TCP connection dropped x.x.x.x,2113 WAN [source] (my IP) z.z.z.z,3389 WAN [destination] (the company I am working with) Terminal Services rule 0
I have set up access rules to route port 3389 to the proper location but it is not working. Can anyone help me please?


Nick
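Nick's dropped-connection message above is the kind of log line worth parsing rather than eyeballing when an inbound port forward is not taking effect. The Python below is an added example, not code from this thread or from SonicWALL. The sample lines are constructed in the shape of the message Nick quoted; the exact field layout of a real SonicWALL log export is an assumption, and the addresses are documentation ranges standing in for the x.x.x.x and z.z.z.z he redacted.

```python
"""Parse SonicWALL-style 'TCP connection dropped' lines and pick out the
drops that explain a failing inbound RDP (3389) forward."""
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the message quoted in the thread.
# Two drops from one remote client to 3389, one unrelated SMTP drop, and
# one LAN-originated drop that should not count as an inbound failure.
SAMPLE_LOG = """\
TCP connection dropped 198.51.100.23, 2113, WAN [source] 203.0.113.5, 3389, WAN [destination] Terminal Services rule 0
TCP connection dropped 198.51.100.23, 2114, WAN [source] 203.0.113.5, 3389, WAN [destination] Terminal Services rule 0
TCP connection dropped 198.51.100.77, 40001, WAN [source] 203.0.113.5, 25, WAN [destination] SMTP rule 2
TCP connection dropped 192.168.1.15, 51234, LAN [source] 203.0.113.5, 3389, WAN [destination] Terminal Services rule 0
"""

# Assumed layout: "<src ip>, <src port>, <zone> [source] <dst ip>, <dst port>,
# <zone> [destination] <service name> rule <n>".
LINE_RE = re.compile(
    r"^TCP connection dropped "
    r"(?P<src_ip>[\d.]+),\s*(?P<src_port>\d+),\s*(?P<src_zone>\w+)\s*\[source\]\s*"
    r"(?P<dst_ip>[\d.]+),\s*(?P<dst_port>\d+),\s*(?P<dst_zone>\w+)\s*\[destination\]\s*"
    r"(?P<service>.+?)\s+rule\s+(?P<rule>\d+)$"
)


@dataclass(frozen=True)
class Drop:
    src_ip: str
    src_port: int
    src_zone: str
    dst_ip: str
    dst_port: int
    dst_zone: str
    service: str
    rule: int


def parse_drops(text):
    """Turn matching log lines into Drop records; other lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        drops.append(Drop(d["src_ip"], int(d["src_port"]), d["src_zone"],
                          d["dst_ip"], int(d["dst_port"]), d["dst_zone"],
                          d["service"], int(d["rule"])))
    return drops


def inbound_drops(drops, port):
    """Drops arriving from the WAN zone whose destination port is `port`.

    These are the entries to look at when a port forward for `port` is not
    working: the destination is still the firewall's own public address
    and zone, so the packet was matched against the WAN-side rule set
    rather than reaching the internal host.
    """
    return [d for d in drops
            if d.src_zone == "WAN" and d.dst_port == port]


def drops_per_rule(drops):
    """Count drops per (rule number, destination port) so the rule doing
    the dropping stands out."""
    counts = {}
    for d in drops:
        key = (d.rule, d.dst_port)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for d in inbound_drops(drops, 3389):
        print(f"{d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port} dropped by rule {d.rule}")
    print(drops_per_rule(drops))
```

Seeing the same source address rejected on consecutive source ports (2113, 2114) by the same rule is the signature of a client retrying against a forward that is never applied; the rule number in the line tells you which access rule to inspect first.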
 
I have RDC setup on a few computers. I'm not entirely sure if this will help but here are my NAT policy entries:

Entry 1
Source: Private IP
Translated: Any
Destination original: Original
Service Original: Terminal Services (port 3389)
Translated: Original
Inbound: Any
Outbound: X1

Entry 2
Source Original: Private IP
Translated: Public IP
Destination Original: Any
Translated: Original
Service Original: Terminal Services (Port 3389)
Translated: Original
Interface Inbound: Any
Outbound: X1

Entry 3:
Source Original: Any
Translated: Original
Destination Original: Public IP
Translated: Private IP
Service Original: Terminal Services
Translated: Original
Interface Inbound:Any
Outbound: Any


Entry 4:
Source Original: Private IP
Translated: Public IP
Destination Original: Any
Translated: Original
Service Original: Terminal Services
Translated: Original
Interface Inbound: Any
Outbound: X1


That's how I get mine to work.
Give it a try and see if that does it for you.

-Andy
 
I do not have NAT enabled. Every time I enable the one-to-one NAT I cannot get online. Any reason why?
 
How do you have your WAN set up? I have it on NAT enabled. Not sure if the 2040 is that different, but when you have NAT enabled you need to have rules for all WAN traffic to go to its original source.

You may need to contact SonicWALL if you haven't got it configured properly, as I'm not sure on your specific model.


I'll help if I can though!

Andy
 
It is a SOHO3; it does have NAT enabled selected,
and it is currently acting as a DHCP server. I know nothing about SOHO so I am totally confused by the rules you gave me.


-nick
 
The rules I gave you are for the NAT Policies line (under the Network tab on my SonicWALL).
Since you have a completely different model this may not even be the same configuration.

I know as much as there is to know about RDC, and the problem you are most likely having is routing port 3389 from your ISP-provided public IP to the internal private IP of your desired RDC server.

I have this set up at my house on a D-Link router that's about 5 years old; all I did was go into the port forwarding options and forward port 3389 to the internal IP of the computer I want to be able to connect to.

I'm not sure if it's that simple on the SOHO, but I'd look for a port forwarding option - maybe that's all you need.
