One to One NAT
This is another common NAT policy on a SonicWall, and allows you to translate an internal IP address into a unique IP address. This is useful when you want specific systems, such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time, a NAT policy such as this is used to map a server’s private IP address to a public IP address, and it’s paired with a mirror policy that allows any system from the public Internet to access the server, along with a matching firewall access rule that permits this.
In this example we have chosen to demonstrate a webserver using HTTP service, however the following steps apply to any service you wish to use (like HTTPS, SMTP, FTP, Terminal Services, SSH, etc).
Creating the necessary Address Objects
1. Click Manage in the top navigation menu.
2. Navigate to Objects | Address Objects.
3. Click the Add button and create two address objects: one for the private IP of the device in question and one for its public IP.
4. Click the OK button to complete creation of the new address objects.
Address Object for Server on LAN
Name: Webserver Private
Zone Assignment: LAN
Type: Host
IP Address: 192.168.1.100
Address Object for Server's Public IP
Name: Webserver Public
Zone Assignment: WAN
Type: Host
IP Address: 1.1.1.1
Creating an Inbound NAT Policy
This policy allows you to translate an external public IP address into an internal private IP address. This NAT policy, when paired with an Allow access rule, allows any source to connect to the internal server using the public IP address; the SonicWall handles the translation between the private and public address. Below, we will be creating the NAT Policy as well as the rule to allow HTTP access to the server.
1. From the SonicWall’s management GUI, Click Manage in the top navigation menu.
2. Navigate to the Rules | NAT Policies page.
3. Click the Add button and choose the following settings from the drop-down menus:
Inbound NAT Policy
- Original Source: Any
- Translated Source: Original
- Original Destination: Webserver Public
- Translated Destination: Webserver Private
- Original Service: HTTP
- Translated Service: Original
- Inbound Interface: Any
- Outbound Interface: Any
- Enable NAT Policy: Checked
- Create a reflexive policy: When you check this box, a mirror (outbound or inbound) NAT policy is automatically created as per the settings configured in the Add NAT Policy window. In the example NAT Policy, when the box Create a reflexive policy is checked, it will create an outbound NAT Policy as shown in the screenshot below.
[Screenshot: Example Outbound/Reflexive Policy]
DNS Loopback NAT Policy
The purpose of a DNS Loopback NAT Policy is for a host on the LAN or DMZ to be able to access the Webserver on the LAN (192.168.1.100) using the server's public IP address (1.1.1.1) or by its Fully Qualified Domain Name (FQDN).
1. Log in to the SonicWall Management Interface.
2. Click Manage in the top navigation menu.
3. Navigate to Rules | NAT Policies.
4. Click Add and create a NAT Policy with the following settings from the drop-down menus:
- Original Source: Firewalled Subnets
- Translated Source: Webserver Public
- Original Destination: Webserver Public
- Translated Destination: Webserver Private
- Original Service: HTTP
- Translated Service: Original
- Inbound Interface: Any
- Outbound Interface: Any
- Enable NAT Policy: Checked
- Create a reflexive policy: unchecked
Creating a Firewall Access Rule
- Go to Firewall | Access Rules page.
- Select the type of view in the View Style section and go to From WAN To LAN.
- Click Add and create the following rule:
Action: Allow
From Zone: WAN
To Zone: LAN
Service: HTTP
Source: Any
Destination: Webserver Public
Users Allowed: All
Schedule: Always on
Enable Logging: checked
Allow Fragmented Packets: checked
Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.
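To make the roles of the three NAT policies and the access rule above concrete, here is an added example (not SonicWall code, and not part of the original article) that models how the firewall translates packets and then evaluates the access rule. It uses the page's address objects, and assumes that "Firewalled Subnets" resolves to 192.168.1.0/24, that the LAN zone is that same subnet, and that the factory LAN to WAN and intra-LAN allow rules are present; the Internet client address 203.0.113.10 is constructed. The `hairpin_reply_returns_via_firewall` function shows why the DNS loopback policy translates the source as well as the destination: without it, a LAN host reaching the server via 1.1.1.1 would receive the server's reply directly from 192.168.1.100 and drop it.

```python
"""Model of the one-to-one NAT setup on this page (added example, not SonicWall code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address objects from the page plus constructed ones: "Firewalled Subnets" is
# assumed to be 192.168.1.0/24 and "Any" matches every address.
ADDRESS_OBJECTS = {
    "Webserver Private": ip_network("192.168.1.100/32"),
    "Webserver Public": ip_network("1.1.1.1/32"),
    "Firewalled Subnets": ip_network("192.168.1.0/24"),  # assumption
    "Any": ip_network("0.0.0.0/0"),
}
LAN_SUBNET = ip_network("192.168.1.0/24")  # assumed LAN zone boundary for this model


def matches(obj_name, ip):
    return ip_address(ip) in ADDRESS_OBJECTS[obj_name]


def host_of(obj_name):
    net = ADDRESS_OBJECTS[obj_name]
    if net.num_addresses != 1:
        raise ValueError(f"{obj_name} is not a Host object, cannot translate to it")
    return str(net.network_address)


def zone_of(ip):
    return "LAN" if ip_address(ip) in LAN_SUBNET else "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    svc: str


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: str
    trans_src: str   # address object name, or "Original" to leave it unchanged
    orig_dst: str
    trans_dst: str
    orig_svc: str    # service name or "Any"
    trans_svc: str


@dataclass(frozen=True)
class AccessRule:
    action: str
    from_zone: str
    to_zone: str
    service: str
    source: str
    destination: str


def apply_nat(policies, pkt):
    """First matching policy wins; the real firewall prefers the most specific
    match, and listing the loopback policy first gives the same result here."""
    for p in policies:
        if (matches(p.orig_src, pkt.src) and matches(p.orig_dst, pkt.dst)
                and p.orig_svc in ("Any", pkt.svc)):
            return Packet(
                pkt.src if p.trans_src == "Original" else host_of(p.trans_src),
                pkt.dst if p.trans_dst == "Original" else host_of(p.trans_dst),
                pkt.svc if p.trans_svc == "Original" else p.trans_svc,
            ), p.name
    return pkt, None


def access_allowed(rules, original, translated):
    """Rules match on the pre-NAT addresses (the page's rule names Webserver
    Public as destination) and on the zones of the original source and the
    translated destination. No matching rule means deny."""
    from_zone, to_zone = zone_of(original.src), zone_of(translated.dst)
    for r in rules:
        if (r.from_zone == from_zone and r.to_zone == to_zone
                and r.service in ("Any", original.svc)
                and matches(r.source, original.src)
                and matches(r.destination, original.dst)):
            return r.action == "Allow"
    return False


def hairpin_reply_returns_via_firewall(policies, pkt):
    """The server answers the source it sees. If that is an untranslated LAN
    host, the reply bypasses the firewall and the host, which connected to
    1.1.1.1, drops a SYN/ACK that arrives from 192.168.1.100."""
    translated, _ = apply_nat(policies, pkt)
    return ip_address(translated.src) not in LAN_SUBNET


# The three policies and the access rule configured on the page, plus the
# assumed factory LAN>WAN and LAN>LAN allow rules.
INBOUND = NatPolicy("Inbound", "Any", "Original", "Webserver Public", "Webserver Private", "HTTP", "Original")
REFLEXIVE = NatPolicy("Reflexive", "Webserver Private", "Webserver Public", "Any", "Original", "Any", "Original")
LOOPBACK = NatPolicy("DNS loopback", "Firewalled Subnets", "Webserver Public", "Webserver Public", "Webserver Private", "HTTP", "Original")
POLICIES = [LOOPBACK, INBOUND, REFLEXIVE]
RULES = [
    AccessRule("Allow", "WAN", "LAN", "HTTP", "Any", "Webserver Public"),
    AccessRule("Allow", "LAN", "WAN", "Any", "Any", "Any"),  # assumed default
    AccessRule("Allow", "LAN", "LAN", "Any", "Any", "Any"),  # assumed default
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.10", "1.1.1.1", "HTTP"),       # Internet client (constructed)
                Packet("203.0.113.10", "1.1.1.1", "HTTPS"),      # no policy or rule for HTTPS
                Packet("192.168.1.100", "203.0.113.10", "HTTP"), # server initiating outbound
                Packet("192.168.1.50", "1.1.1.1", "HTTP")):      # LAN host using the public IP
        translated, name = apply_nat(POLICIES, pkt)
        print(pkt, "->", translated, "via", name, "allowed:", access_allowed(RULES, pkt, translated))
```

Running the script prints one line per constructed packet. The HTTPS packet matches no NAT policy and is denied by the access rule, which is the behaviour the page's HTTP-only configuration produces; adding another service means adding both a NAT policy and an access rule for it.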