Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1276
  • Last Modified:

Sonicwall 1-to-1 Nat question

Have three public IPs.  For example:
xxx.xxx.xxx.183 is used solely for the internal network.
xxx.xxx.xxx.184 is assigned to DVR1.
xxx.xxx.xxx.185 is assigned to DVR2.
The 2 DVRs are routing traffic TCP/UDP EXCLUSIVELY on port 7700.
Currently this setup is being done by using a switch after the cable modem.

We need to route all 3 through one firewall:
 
Routing would be 1-to-1 Nat:
Assign DVR1 staticIP xxx.xxx.xxx.184 to internal private address 10.10.10.101 for TCP/UDP 7700.
Assign DVR2 staticIP xxx.xxx.xxx.185 to internal private address 10.10.10.102 for TCP/UDP 7700.
 
What would the routing table look like for outgoing?
Is this the correct setup?
THanks
0
PCLANTECHS
Asked:
PCLANTECHS
1 Solution
 
olyrickCommented:
Which Sonicwall router are you using? Also, what is the subnet of these IPs?

I believe you must have SonicOS Enhanced to be able to do 1-to-1 NAT with multiple IP addresses. The funny thing with the Sonicwall is that you cannot tell it explicitly to listen to the 2 IP addresses, but you can tell it to apply NAT to the different IPs.

First, create 2 services (with the same name), one for TCP 7700 and one for UDP 7700.
Create a NAT rule (possibly using the Public Server Wizard) for the new service to point to your internal IPs. In the public server wizard, if you are using SonicOS Enhanced, it will ask you for "Server Public IP Address". Enter x.x.x.184 or .185 here.
Click on Apply, and you're done.
0
 
PCLANTECHSAuthor Commented:
thanks for the response. We are going to use a TZ 170. We actually contacted Sonicwall about this issues and they never mentioned using SonicOS Enhanced?
They stated it would work just as you have. Why would we c reate a service with the same name?
I was just going to setup the one-to-one and create the inbound and outbound rules which looks to be what you suggest.
Also, When you publish the publish the public server does this automatically create the outbound rule?
Thanks
0
 
budchawlaCommented:
PCLANTECHS, in response to your questions:
We actually contacted Sonicwall about this issues and they never mentioned using SonicOS Enhanced? You don't need Enhanced to have the 1-1 nat that you need. In fact, all you need to do is specify a single 1-1 nat range with a length of 2. i.e., add a new range, private range start: 10.10.10.101 public range start xx.xx.xx.184, range length = 2.

I think what olyrick was suggesting was to create a custom service since the sonicwall does not have a default service for tcp 7700 and udp 7700. The same-name thing is just to keep it simple to manage, technically you could name them whatever you wanted.

By default on most sonicwalls (look towards the bottom of the access rules page), there is a rule that says

Priority      Source      Destination      Service          Action      
13              LAN        *                    Any         Allow

This would allow ANY outgoing traffic unless it's specifically blocked by another (higher & more specific) rule. So no, you don't need to create outdound rules.

So the process is quite simple:
1. Create Services for TCP 7700 & UDP 7700 named say custom1 & custom2
2. Create a 1-1 NAT as I mentioned above
3. Create firewall access rules as:

Action: Allow
Service: custom1
Source: WAN *
Destination: LAN 10.10.10.101 - 10.10.10.102

Action: Allow
Service: custom2
Source: WAN *
Destination: LAN 10.10.10.101 - 10.10.10.102

And make sure the rules are enabled!
0

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now