Sonicwall 3060 - NAT woes

[Ping7000]

I have a customer with a Sonicwall 3060 firewall and am having trouble getting some new NATing to work. I need to allow ICMP(temporarily), SSH, IKE, and ESP through to an inside host. When I initiate traffic from the internet to the public NAT, I believe the Sonicwall is allowing the traffic and NATing it correctly as when I packet sniff the inside host, I see the traffic reach it and it responds with either ICMP echo-reply's or return TCP sessions for SSH or return IKE packets for VPN. The problem is that the traffic never makes it back to the host on the internet that initiated the connections indicating there is a problem with the reverse path. My setup is as follows:

The Sonicwall is using 3 interfaces...

X0 = LAN
X1 = ISP #1 (24.x.x.x)
X2 = ISP #2 (66.x.x.x)

The unit is setup to do percentage based load balancing with the "Use source and destination IP address binding" selected.

I have the NATs setup as follows (I am showing real IPs, not the objects):

Inside to Outside NAT

Source Original: 10.128.0.250
Translated: 24.x.x.19
Destination Original: Any
Translated: Original
Service Original: Any
Translated: Original
Interface Inbound: X0
Interface Outbound: X1

Outside to Inside NAT

Source Original: Any
Translated: Original
Destination Original: 24.x.x.19
Translated: 10.128.0.250
Service Original: Any
Translated: Original
Interface Inbound: X1
Interface Outbound: Any

The access rules are setup as follows:

WAN -> LAN

Source: Any
Destination: 24.x.x.19
Service: IKE+ESP, SSH, ICMP
Action: Allow
Users: All


I have a sneaking suspicion that the load balancing is causing an issue. I only want to do NATing for this host on ISP#1, not ISP #2.

Any ideas?????????

Thanks!

 

[pulsar1]

Heres a thought.... If the traffic is coming in on ISP#1 then the return via ISP#1 is not being permitted. Can you guarantee that only ISP#2 is being used for the incoming query? If not, you will have to handle both cases.

 

[cajuntank]

I had a simular scenario with friend using a TZ170 with cable and dsl ISP(s) and having issue going to https sites and I quickly determined that since the firewall was set to load balance, that the secure connection had the potential to break, the site securing the connection would initiate the connection with IP(1) and after a few seconds break because IP(2), from the other WAN interface was trying that same connection. Same would go for anything connection oriented like the VPN scenario. Access rules have to be defined for specific traffic to use so that they use a particular interface always (preferably the more reliable ISP connection).

 

[SonicWALLInstructor]

Hi Ping7000 welcome to our forum, there are many experienced and knowledgable techs on SonicWALL products, so don't be afraid to post your sonicWALL related problems here. Also there is another good forum exclusive for SonicWALL products only at

http://www.sonicusers.com.

Post your problems at both places. The more the better.

Now onto your problem, I think the best way to help you is if you tell us what you are trying to do (or what solution you are trying to implement) so we can have a better picture of what is going on. Then I can give you maybe a simple solution.

Roger White CISSP, CISA, CISM, GSEC
Certified SonicWALL Instructor
Certified Security Architect and Auditor
SonicWALL Curiculum Developer and Senior Trainer
SonicWALL Academy
(718)450-8127