On Wed, 2002-06-05 at 16:36, Brian wrote:
> I admin a server on a network that is for the most part out of my
> control.  An IT "consultant" came in and decided that my linux box should
> reside in the NAT rather than the DMZ.  I would have much rather been in
> the DMZ, but at least inside the NAT I have access to printers and
> such.  Anyway, he then proceeded to install a Sonicwall
> firewall/router.  As I understand it, these are possibly the worst choice
> as a firewall as I've been told by others who've used them.

Any idea why they are such a bad choice? I've never worked with one, and
(perhaps unfortunately) my company just sold one (SonicWALL 200) to a
customer, which I will be configuring when it arrives.

> I have an issue with routing.  The workstations on the LAN are on the same
> masq'd IP subnet as my linux box.  If I try to hit my server on its
> registered IP (NAT'd by the Sonicwall), it times out.  I asked the
> "consultant" about this, he tells me that it's a problem with the
> Sonicwall and there's no configuration that can fix it.  He proceeds to
> remind me that the Sonicwall is the greatest thing since sliced bread.

Is the Apache server in the DMZ, with the SonicWALL protecting both the
LAN and DMZ and doing NAT for both (probably different subnets, but
still in non-routable networks like 192.168.1.x and 192.168.2.x)?

> The reason I need its outside IP is that Apache is virtual hosting off of
> one IP for a handful of domains and without the DNS headers, I can't get
> to any site other than the default.  Last I checked, this can't be spoofed
> with a hosts file, it NEEDS the DNS header.  Any ideas if the Sonicwall
> can actually do this?

Were you told that the SonicWALL is unable to route your NAT'd packets
back through to the DMZ and/or the local network?

Could you (or someone else) set up a DNS server inside the firewall, that
would resolve your domains to local (and DMZ) IP addresses?

-- 
Dave Sherman               Do not meddle in the affairs of dragons, 
MCSE, MCSA, CCNA             for you are crunchy,
                             and good with ketchup.
"lynx -source http://sildara.dyndns.org/davepub.asc | gpg --import"
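To illustrate the point behind the internal-DNS suggestion, here is a small constructed example (not from this thread or from Apache): a toy name-based virtual host server that selects the site purely from the HTTP Host header, and a client that connects straight to the server's address but still sends the site name in Host. The host names and page contents are made-up placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed virtual-host table (stand-in for Apache <VirtualHost>/ServerName).
VHOSTS = {
    "www.example.org": "site for www.example.org",
    "shop.example.org": "site for shop.example.org",
}
DEFAULT_VHOST = "www.example.org"  # served when the Host header matches nothing

class VHostHandler(BaseHTTPRequestHandler):
    """Dispatch on the HTTP Host header exactly as name-based vhosting does."""
    def do_GET(self):
        name = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(name, VHOSTS[DEFAULT_VHOST]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    """Bind the toy vhost server to a loopback port chosen by the OS."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(ip, port, host_header):
    """Connect to ip:port directly (what a browser does once internal DNS maps
    the name to the LAN address) but send Host: with the site name."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    body = conn.getresponse().read().decode()
    conn.close()
    return body

def demo():
    srv = start_server()
    ip, port = srv.server_address
    results = {
        "by_ip": fetch(ip, port, ip),                 # Host is a bare IP: default site
        "shop": fetch(ip, port, "shop.example.org"),  # right name: right site
    }
    srv.shutdown()
    srv.server_close()
    return results
```

The bare-IP request lands on the default site, which is the behaviour described in the thread; once the name resolves to the inside address, the browser's own Host header selects the right site with no change to the firewall.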