• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1283
  • Last Modified:

SonicWall SOHO3 one-to-one NAT configuration

My company's LAN has a SonicWall SOHO3 that serves as a NAT/Firewall/VPN appliance. There is a web server behind it running Windows 2000 Server / IIS 5 for a custom ASP application (live site). The previous IT person had a Redhat 9 server running as webserver, FTP server, and mail server outside the firewall. I would like that LINUX box to be inside the firewall for obvious reasons. This LINUX box HAS TO RUN the apache web server ! There are perl scripts written exclusively for linux and they will not run on Windows. This is also a live server and can not be taken down for too long. It has been relying on the Linux firewall for protection until now.

We have a T1 line with multiple IP addresses and I wanted to implement One-to-One NAT so that if the request was for IP 206.111.111.5 (example) then SonicWall would do port forwarding to multiple LAN PCs including the port 80 request for HTTP to the Windows 2000 server, FTP requests to come to my workstation etc..., if the request was for IP 206.111.111.8 (example) it would forward all requests, HTTP, FTP, SMTP, POP to the LINUX server.

Is this a working solution? Has anyone implemented it? Any other solutions?
0
Brainstormer
Asked:
Brainstormer
  • 5
  • 2
2 Solutions
 
idyllicsysCommented:
Very easy. Create a ruile the appropriate rules on the SOHO3 to forward the traffic to private IP of the Linux after you move it. Then turn on one to one NAT and set the Public IP to 206.111.111.8 and the private IP to whatever you set the new inside IP too (same as in the rules, ex. 10.0.0.2) and set the range to one.

That's it
0
 
BrainstormerAuthor Commented:
I was hoping someone had implemented this sucessfully using One-To-One NAT. I know the procedure to put the server behind the firewall. I guess I will bring a spare PC and test that first with a different public IP address, if that works great I will move the live server.

A question I came up is: Is One-To-One NAT a DMZ form (for many PCs) or does the SonicWall provide any protection????? Logic suggests this is a DMZ :-(

Are there any alternatives?
0
 
idyllicsysCommented:
I have used One to One NAT many times. In the SonicWall configuration, it only maps the Public IP to the Private IP. You still need to setup the specific rules to access the services you want to expose.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
BrainstormerAuthor Commented:
My company is changing ISP. The whole IP block will change with it. I will report of my sucess/failure once I perform the transition. This is a great opportynity/risk to try this.
0
 
BrainstormerAuthor Commented:
I still have not figured out how to split the webserver issue.

Server A - Windows 2000, IIS running a ASP app in port 80- public IP #1 using port forwarding from Sonicwall. This IP is used for all NAT PCs behind the firewall.
Server B - Linux, Apache running HTML/Perl scripts in port 80 - Public IP #2 using 1-to-1 NAT.

I can access Server 2 from the internet if HTTP is served in any port other than 80. Port forwarding 80 only works for the 1st entry, which is Server A.

I want:

if IP #1 or domain_aaa_.com -> Server A
if IP #2 or domain_bbb_.com -> Server B

when both servers are behind SonicWall SOHO3.

I am thinking about deploying a Reverse Proxy server (apache or squid) in the linux box (Server B) at port 80 which will forward all HTTP requests to:

Server A, port 80 if for domain example_aaa_.com
Server B, port 8080 if domain is example_bb_.com

Any suggestions are welcome at this point. The reverse proxy is a last resort as ASP and Perl do not cache well and I don't think they work properly with a reverse proxy server.
0
 
BrainstormerAuthor Commented:
well, this is my solution to this. It's not perfect, but it works.

Move the linux server behind the firewall.
Modify internet DNS to point both websites to same IP
Forward all HTTP traffic from that external IP port 80 to the LINUX server
Run SQUID as a reverse proxy on port 80. Modify the internal DNS or /etc/hosts file so squid redirects information based on domain header in HTTP request.

If domain_aaa_.com -> Server A:8000 (Windows 2000, IIS)
If domain_bbb_.com -> Server B:8000 (linux, apache)

implement port forwarding for other services based on requirements.

Reverse Proxy Servers considered for the job:

SQUID - it works, but it can not be customized. All HTTP servers need to listen on same port
APACHE - does not support domain forwarding
POUND - it was very customizable, but I had problems with the process PID and killing the process.


Problems do far: 1

I am no longer able to access my email via SquirrelMail webmail. Squirrelmail sits in the linux server and acceses email via IMAP. This is a problem when the webmail is accessed from remote PCs that have no direct access to port 8000. All traffic is routed thru squid reverse proxy in port 80.

 All works and I can access the webmail if I login locally and access the webmail via a browser in the linux server. This is true for both port 80 and 8000.

I suspect this is a SQUID ACL problem. Does anyone have experience configuring squid as reverse proxy to allow Safe_Ports? I can post the squid.conf file if necessary.


PS: so far no one has offered a good alternative solution, the points are still available for grabs.

0
 
BrainstormerAuthor Commented:
Seems like even my temp solution did not work. SonicWall does not have the capabilities I am looking for. I finally settled on thi setup:

All PCs with ServerA behind SonicWall using 1 external static IP and port forwarding
Linux Server running Iptables behind a simple Linksys router using 1 external static IP and port forwarding

I will close this question. Thank you all for participating.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now