Solved

Can't PING SonicWall NSA 2400 from WAN

Posted on 2009-04-07
Last Modified: 2013-11-29
I've read several articles, but still can't get my Sonicwall NSA 2400 to answer pings from the WAN. I understand that I should be able to do this in one of two ways:

1.) Forward PING traffic on to LAN server
2.) Forward to internal interface of Sonicwall

Due to the nature of the tests I need to run (for the ISP, who would REALLY like me to be able to ping the Sonicwall directly in order to remove any LAN device problems from equation), I need to make option 2 work.

I've tried to add firewall and NAT policies, and have pretty much stuck with using the 'Add Public Server Wizard' to create them. Here is what the wizard confirms it's going to do at the end:

---------------------------------------------------------

Public Server Configuration Summary

Please review the settings below and click "Apply" to create the new objects listed below.

Server Address Objects
  1. Create 'SW NSA LAN Interface Private' assigned to LAN Zone for Host 192.168.40.254.
  2. Reuse 'X1 IP' address object assigned to WAN Zone for 'INTERNET IP ADDRESS HERE'.

Server Service Group Object
  1. Create 'SW NSA LAN Interface Services' with Ping Service.

Server NAT Policies
  1. Create Inbound Server NAT Policy to rewrite packets to original destination 'X1 IP' to translated destination 'SW NSA LAN Interface Private'.
  2. Create Outbound Server NAT Policy to rewrite packets from 'SW NSA LAN Interface Private' to translated source 'X1 IP'.
  3. Create Loopback NAT Policy to allow access from all internal zones to the server at public IP address 'INTERNET IP ADDRESS HERE'.

Server Access Rules
  1. WAN > LAN - Allow 'Any' to 'X1 IP' for Service Group 'SW NSA LAN Interface Services'.
  Similar rules will be created from all lower security zones to the LAN zone.

To apply these settings, click Apply. To continue, click Next

----------------------------------------------------------------------------

At this point I click 'Apply' and the OS confirms the process was successful. I can then confirm that all the entries mentioned above seem to be in place, however pings to the WAN address still fail, and the log on the NSA continues to display the following:

------------------------------------------------------------------------------
      04/08/2009 00:34:01.304      Notice      Network Access      ICMP packet dropped due to policy      'MY SOURCE INTERNET IP ADDRESS HERE', 52803, X1      192.168.40.254, 8, X0      ICMP Echo, Code: 0
-------------------------------------------------------------------------------

Any ideas?

Question by:ajahnke

Accepted Solution

by:
ccomley earned 500 total points
ID: 24095256
Simpler still.

Go into Networks, Interfaces, click on the icon to configure the WAN interface.

At the bottom of the main dialog there's a row of check boxes next to the word "Management". These will all be off by default. Turn on the one marked "ping" and save - the Sonicwall will now respond normally to Ping and Traceroute requests from the WAN side.

If you have a dual-wan setup, do the same on the port being used for the second WAN connection.


Author Closing Comment

by:ajahnke
ID: 31567900
OMG - how dumb! They're being a little too clever for my own good. Thank you for the solution - worked perfectly. Not to mention that I removed all the rest of the configuration I had tried to add - apparently this management rule sets up its own Access Rules, etc.
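
The "dropped due to policy" entry quoted in the question can be triaged mechanically. The following is an added example, not part of the thread: it parses lines in that layout and separates drops whose translated destination is one of the firewall's own interface addresses (as in the question, where the NAT policy pointed at the X0 address) from drops addressed to an ordinary LAN host. The column layout is inferred from the single line in the post; the source address 203.0.113.10, the second log line and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: line 1 is the log entry from the question with the
# redacted source replaced by a documentation address; line 2 is constructed.
SAMPLE_LOG = """\
04/08/2009 00:34:01.304      Notice      Network Access      ICMP packet dropped due to policy      203.0.113.10, 52803, X1      192.168.40.254, 8, X0      ICMP Echo, Code: 0
04/08/2009 00:35:12.112      Notice      Network Access      ICMP packet dropped due to policy      203.0.113.10, 52804, X1      192.168.40.10, 8, X0      ICMP Echo, Code: 0
"""

# The firewall's own interface addresses; 192.168.40.254 is X0 in the question.
FIREWALL_IPS = {"192.168.40.254"}

def parse_endpoint(field):
    """Split 'address, number, interface' into a dict, or None if malformed."""
    parts = [p.strip() for p in field.split(",")]
    if len(parts) != 3:
        return None
    return {"ip": parts[0].strip("'"), "id": parts[1], "iface": parts[2]}

def parse_line(line):
    """Parse one log line; columns are assumed to be separated by 2+ spaces."""
    cols = re.split(r"\s{2,}", line.strip())
    if len(cols) != 7:
        return None
    when, priority, category, message, src, dst, notes = cols
    src, dst = parse_endpoint(src), parse_endpoint(dst)
    if src is None or dst is None:
        return None
    try:
        ts = datetime.strptime(when, "%m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        return None
    return {"time": ts, "priority": priority, "category": category,
            "message": message, "src": src, "dst": dst, "notes": notes}

def triage_icmp_drops(log_text, firewall_ips=FIREWALL_IPS):
    """Return (time, source ip, ingress iface, target kind) per ICMP policy drop."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["message"] != "ICMP packet dropped due to policy":
            continue
        kind = "firewall-interface" if rec["dst"]["ip"] in firewall_ips else "lan-host"
        results.append((rec["time"].isoformat(), rec["src"]["ip"], rec["src"]["iface"], kind))
    return results

if __name__ == "__main__":
    for row in triage_icmp_drops(SAMPLE_LOG):
        print(row)
```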