Solved

SonicWall SOHO3 one-to-one NAT configuration

Posted on 2004-09-28
1,226 Views
Last Modified: 2010-05-18
My company's LAN has a SonicWall SOHO3 that serves as a NAT/Firewall/VPN appliance. There is a web server behind it running Windows 2000 Server / IIS 5 for a custom ASP application (live site). The previous IT person had a Redhat 9 server running as webserver, FTP server, and mail server outside the firewall. I would like that LINUX box to be inside the firewall for obvious reasons. This LINUX box HAS TO RUN the apache web server ! There are perl scripts written exclusively for linux and they will not run on Windows. This is also a live server and can not be taken down for too long. It has been relying on the Linux firewall for protection until now.

We have a T1 line with multiple IP addresses and I wanted to implement One-to-One NAT so that if the request was for IP 206.111.111.5 (example) then SonicWall would do port forwarding to multiple LAN PCs including the port 80 request for HTTP to the Windows 2000 server, FTP requests to come to my workstation etc..., if the request was for IP 206.111.111.8 (example) it would forward all requests, HTTP, FTP, SMTP, POP to the LINUX server.

Is this a working solution? Has anyone implemented it? Any other solutions?
0
Question by:Brainstormer
7 Comments
 
LVL 5

Accepted Solution

by:
idyllicsys earned 500 total points
ID: 12204825
Very easy. Create the appropriate rules on the SOHO3 to forward the traffic to the private IP of the Linux box after you move it. Then turn on one-to-one NAT and set the Public IP to 206.111.111.8 and the private IP to whatever you set the new inside IP to (same as in the rules, ex. 10.0.0.2) and set the range to one.

That's it
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 12220629
I was hoping someone had implemented this successfully using One-To-One NAT. I know the procedure to put the server behind the firewall. I guess I will bring a spare PC and test that first with a different public IP address; if that works, great, I will move the live server.

A question I came up with is: Is One-To-One NAT a DMZ form (for many PCs) or does the SonicWall provide any protection? Logic suggests this is a DMZ :-(

Are there any alternatives?
0
 
LVL 5

Assisted Solution

by:idyllicsys
idyllicsys earned 500 total points
ID: 12307748
I have used One to One NAT many times. In the SonicWall configuration, it only maps the Public IP to the Private IP. You still need to setup the specific rules to access the services you want to expose.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 12346694
My company is changing ISP. The whole IP block will change with it. I will report my success/failure once I perform the transition. This is a great opportunity/risk to try this.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 12474649
I still have not figured out how to split the webserver issue.

Server A - Windows 2000, IIS running an ASP app on port 80 - public IP #1 using port forwarding from SonicWall. This IP is used for all NAT PCs behind the firewall.
Server B - Linux, Apache running HTML/Perl scripts on port 80 - public IP #2 using 1-to-1 NAT.

I can access Server 2 from the internet if HTTP is served on any port other than 80. Port forwarding for port 80 only works for the first entry, which is Server A.

I want:

if IP #1 or domain_aaa_.com -> Server A
if IP #2 or domain_bbb_.com -> Server B

when both servers are behind SonicWall SOHO3.

I am thinking about deploying a Reverse Proxy server (apache or squid) in the linux box (Server B) at port 80 which will forward all HTTP requests to:

Server A, port 80 if for domain example_aaa_.com
Server B, port 8080 if domain is example_bbb_.com

Any suggestions are welcome at this point. The reverse proxy is a last resort as ASP and Perl do not cache well and I don't think they work properly with a reverse proxy server.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 12618021
Well, this is my solution to this. It's not perfect, but it works.

Move the linux server behind the firewall.
Modify internet DNS to point both websites to same IP
Forward all HTTP traffic from that external IP port 80 to the LINUX server
Run SQUID as a reverse proxy on port 80. Modify the internal DNS or /etc/hosts file so squid redirects information based on domain header in HTTP request.

If domain_aaa_.com -> Server A:8000 (Windows 2000, IIS)
If domain_bbb_.com -> Server B:8000 (linux, apache)

Implement port forwarding for other services based on requirements.

Reverse Proxy Servers considered for the job:

SQUID - it works, but it cannot be customized. All HTTP servers need to listen on the same port.
APACHE - does not support domain forwarding.
POUND - it was very customizable, but I had problems with the process PID and killing the process.


Problems so far: 1

I am no longer able to access my email via SquirrelMail webmail. SquirrelMail sits in the Linux server and accesses email via IMAP. This is a problem when the webmail is accessed from remote PCs that have no direct access to port 8000. All traffic is routed through the squid reverse proxy on port 80.

All works and I can access the webmail if I log in locally and access the webmail via a browser on the Linux server. This is true for both port 80 and 8000.

I suspect this is a SQUID ACL problem. Does anyone have experience configuring squid as reverse proxy to allow Safe_Ports? I can post the squid.conf file if necessary.


PS: so far no one has offered a good alternative solution, the points are still available for grabs.

0
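As an added example (not the author's configuration, which was never posted to the thread), here is a Squid accelerator configuration for the Host-header routing described above, with the Safe_ports question from the same post handled as well. It uses the Squid 2.6/3.x `accel` / `cache_peer ... originserver` syntax, which is newer than the Squid 2.5 `httpd_accel_*` directives current when this thread was written. The private addresses 10.0.0.10 and 127.0.0.1, the ACL names, and the `domain_aaa_.com` / `domain_bbb_.com` placeholders carried over from the post are assumptions.

```conf
# Added example: Squid (2.6/3.x syntax) as a reverse proxy on port 80,
# choosing the origin server from the Host header of each request.
# Assumed addresses: Server A (Windows 2000/IIS) at 10.0.0.10:8000 on the LAN,
# Server B (Apache) on this same Linux box at 127.0.0.1:8000.

# Listen on 80 in accelerator mode. 'vhost' makes Squid build the request URL
# from the Host header; 'defaultsite' covers clients that send no Host header.
http_port 80 accel vhost defaultsite=domain_aaa_.com

# Origin servers. 'originserver' marks them as web servers, not peer caches.
cache_peer 10.0.0.10 parent 8000 0 no-query originserver name=serverA
cache_peer 127.0.0.1 parent 8000 0 no-query originserver name=serverB

# Map host names to origin servers (dstdomain matches the Host header).
acl site_aaa dstdomain domain_aaa_.com www.domain_aaa_.com
acl site_bbb dstdomain domain_bbb_.com www.domain_bbb_.com
cache_peer_access serverA allow site_aaa
cache_peer_access serverA deny all
cache_peer_access serverB allow site_bbb
cache_peer_access serverB deny all

# Always hand requests to a cache_peer; never fetch from the URL directly.
never_direct allow all

# Safe_ports: the stock squid.conf denies any URL whose port is not listed.
# Port 8000 is added so a request whose Host header carries the backend port
# (for example after a backend-generated redirect) is not refused by Squid.
# Squid 2.6 needs 'acl all src 0.0.0.0/0.0.0.0' above this; 3.x defines 'all'.
acl Safe_ports port 80 8000
http_access deny !Safe_ports

# Only the two published sites are reachable through this listener; any other
# Host (including attempts to use the box as an open forward proxy) is refused.
http_access allow site_aaa
http_access allow site_bbb
http_access deny all

# Both backends serve dynamic ASP/Perl pages: do not cache responses.
cache deny all
```

Because Apache on Server B listens on 8000, redirects it generates (a webmail login redirect, for instance) can carry `:8000` in the Location header unless Apache's `ServerName` and `UseCanonicalName` are set to the public name on port 80; that is worth checking before the Squid ACLs, since a remote browser that follows such a redirect bypasses the proxy and hits a port the firewall does not forward. Note that the author reports later in the thread that this interim setup ultimately did not work out in their environment.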
 
LVL 6

Author Comment

by:Brainstormer
ID: 12952112
Seems like even my temp solution did not work. SonicWall does not have the capabilities I am looking for. I finally settled on this setup:

All PCs with ServerA behind SonicWall using 1 external static IP and port forwarding
Linux Server running Iptables behind a simple Linksys router using 1 external static IP and port forwarding

I will close this question. Thank you all for participating.
0
