Cannot access servers on our network by public IP address that are behind firewall with NAT

Posted on 2007-10-05
Last Modified: 2010-04-17
I searched and searched, so I'm starting to wonder if I'm just using poor criteria or describing my issue poorly.  I've narrowed it down to something having to do with NAT or routes...

So here's the scoop.

We have two networks on our LAN that are trusted. For purposes of this question, we'll call them X0 and X2: X0 PRIMARY LAN and X2 OFFICE LAN.

We have servers sitting behind the router for WEB, FTP, etc. Users from X0 can access our public sites that are behind this router just fine without any issues. The sites are all behind the router/firewall with public IPs but have one-to-one NAT in use that forwards to a local address on the X0 interface from the public side.

Now... when users from the X2 interface try to access public sites that have servers on the X0 interface,  they cannot.  

Sounds like either a route issue or a NAT policy. This is a SonicWall product, but either way, this issue may be too specific for a general answer?
Question by: jgantes

    Expert Comment

    Sounds like a route issue. Are you using VLANs? Can they ping the servers or access them by IP address?

    Author Comment

    Can't ping or access them by IP.  Various servers, FTP, Web, etc.

    X0 Network ---  Web, FTP Servers, IT

    X2 Network --- All other users

    Both have their own GW and go out on another interface that we've specified as WAN.  However, X2 can't come back in...

    Accepted Solution

    Sounds like basically what's happening is that you've got policies on the X0 that allow traffic in from the WAN, so it works for the rest of the world, but the traffic from X2 isn't coming from an address object that belongs in the WAN zone, hence it can't pass.

    If you have available public IPs, I would create NAT policies that restrict users of the X2 interface to a different public IP to the one that can be used by the X0 interface... this may sort it.

    Alternatively, adjust your NAT policies & firewall rules for the X0 servers so that you're allowing traffic in from not just the WAN, but ANY... or you may want to create separate rules, depending on your setup & specific requirements.
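
A simplified model of the behaviour the accepted answer describes, added here as an illustration; it is not part of the thread and is not SonicWall configuration syntax. Policy matching is keyed on the zone a packet arrives from, so X2 traffic to a public IP misses a WAN-only entry. The subnets, addresses and starting policy are constructed assumptions.

```python
import ipaddress

# Constructed addressing (not from the thread): private and documentation ranges.
ZONES = {"X0": ipaddress.ip_network("192.168.0.0/24"),
         "X2": ipaddress.ip_network("192.168.2.0/24")}
ONE_TO_ONE_NAT = {"203.0.113.10": "192.168.0.10"}  # public IP -> server on X0

# Assumed starting policy: the world (WAN) and X0 itself can reach the servers.
BASE_NAT_SOURCES = {"WAN", "X0"}
BASE_RULES = {("WAN", "X0"), ("X0", "X0")}

def source_zone(src_ip):
    """Map a source address to the zone it arrives from; unknown means WAN."""
    addr = ipaddress.ip_address(src_ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "WAN"

def evaluate(src_ip, dst_ip, rules, nat_sources):
    """Return (verdict, translated_dst) for a connection to a public IP.

    rules: allowed (source_zone, dest_zone) pairs; "ANY" matches every source.
    nat_sources: source zones the one-to-one NAT policy applies to.
    """
    zone = source_zone(src_ip)
    if dst_ip not in ONE_TO_ONE_NAT:
        return ("drop: no NAT entry for destination", None)
    if not {zone, "ANY"} & nat_sources:
        return ("drop: NAT policy does not match source " + zone, None)
    if not {(zone, "X0"), ("ANY", "X0")} & rules:
        return ("drop: no access rule " + zone + " -> X0", None)
    return ("allow", ONE_TO_ONE_NAT[dst_ip])

if __name__ == "__main__":
    public, x2_user, outsider = "203.0.113.10", "192.168.2.50", "198.51.100.7"
    print(evaluate(outsider, public, BASE_RULES, BASE_NAT_SOURCES))
    print(evaluate(x2_user, public, BASE_RULES, BASE_NAT_SOURCES))
    # Separate, scoped X2 entries instead of opening the servers to ANY.
    print(evaluate(x2_user, public, BASE_RULES | {("X2", "X0")},
                   BASE_NAT_SOURCES | {"X2"}))
```

Adding scoped X2 entries fixes the X2 case without changing what any other source zone is allowed to reach, which is the trade-off between the "ANY" and "separate rules" options in the answer.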




    Author Comment

    Thanks Bud, that's what we did actually just before I read your post (or something very close to it).  It appears to be working, but I only created one rule and we're actually contemplating leaving their access off now that we went through all of this.

    Thanks for the solution, very helpful.

    Expert Comment

    Glad to help...
