
Sonicwall Enhanced - setup route and nat for PBX

Periodically I get stuck on a config change on my SonicWall. I need help with this one from an experienced SonicWall user. I am using SonicWall Enhanced with X0-LAN, X1-WAN in a typical setup. I am now adding X2-SIP, which is a dedicated WAN channel talking to my SIP provider.

I need to set up NAT and routing so that (1) the provider sees all traffic as coming from x.x.x.38 (X2), and (2) all return traffic goes to y.y.y.23 (X0). So basic NAT so far. But I also need to ensure that any incoming traffic on X2 destined for x.x.x.38 goes to y.y.y.23 (X0). Inbound and outbound must be fully NATted so that SIP will work. I'm not keeping the order of routing vs. NATting clear in my head.

I am able to set up a route so that a ping on the LAN-side server will route out X2 to the provider and respond back to me. I guess since it responds this validates that the "built-in" NAT is working. What I can't do is get an inbound ping to make it through the FW; all packets get dropped (drop rule 36). Do I need an incoming route? Or will NAT alone suffice for incoming? I have tried a typical two-rule NAT, which I have done many times, but the different interface is what's throwing me. Anybody done this specifically on SonicWall Enhanced and can help?
Asked by dvanaken
 
feptias commented:
You don't need an inbound route, but you do need to add a firewall rule to allow inbound connections - it is not sufficient to just add NAT rules. Which SonicWall model are you using?
 
dvanaken (Author) commented:
Thank you.

I did add firewall rules; my NAT alone would not route from my LAN to X2 (it NATted, but to X1). I had to add a route. I will post details later. This is a PRO 2040.
 
feptias commented:
You would need an outbound route, but not an inbound route. You also need 2 NAT rules - one for inbound and one for outbound. Then you need the firewall rules for inbound (one is not needed for outbound because the default rules allow outbound connections).

When you create the firewall rule for inbound connections to your PBX, use the external (the NAT'd address) not the internal address of the PBX as the destination. However, it is a WAN -> LAN rule. This is somewhat counter-intuitive!

The SonicWall applies static routes first, then checks the firewall rules before it applies the NAT translations. You have to add the static route for outbound connections because otherwise it sends the packets out through the default WAN port X1. Once it knows to send those packets out on X2, it then applies the correct outbound NAT policy - the NAT policies specify an Inbound and Outbound interface and these are used to match packets that are passing through, not to control which interface to use. i.e. the NAT policy will be applied only if the packet is traversing the specified interfaces. The selection of the interface is determined by the static routes.
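As an added illustration of the configuration feptias describes above (this is an example written for this page, not something posted in the original thread), here are the objects laid out as SonicOS Enhanced policy fields: the outbound static route, the two NAT policies and the single inbound access rule. The addresses x.x.x.38 and y.y.y.23 are the placeholders from the question; the provider address p.p.p.p, the assumption that X2 sits in the WAN zone, the service group SIP_SERVICES and all object names are assumptions made for the example.

```text
# Address objects (names assumed for this example)
PBX_LAN        Host  y.y.y.23   zone LAN
X2_SIP_IP      Host  x.x.x.38   zone WAN   (X2's own address; SonicOS Enhanced also auto-creates "X2 IP")
SIP_PROVIDER   Host  p.p.p.p    zone WAN   (provider's SIP/RTP endpoint, assumed)

# Service group (assumed): SIP_SERVICES = UDP 5060 plus the RTP port range the PBX uses

# 1. Static route: send PBX traffic for the provider out X2 instead of the default WAN (X1).
#    Without this the packet egresses X1 and the X0->X2 NAT policy below never matches.
Route   Source: PBX_LAN            Destination: SIP_PROVIDER    Service: Any
        Gateway: <X2 next-hop>     Interface: X2                Metric: 1

# 2. NAT policy, outbound: the provider sees x.x.x.38 as the source.
NAT     Original Source: PBX_LAN          Translated Source: X2_SIP_IP
        Original Destination: Any         Translated Destination: Original
        Original Service: Any             Translated Service: Original
        Inbound Interface: X0             Outbound Interface: X2

# 3. NAT policy, inbound: traffic arriving on X2 for x.x.x.38 is delivered to the PBX.
NAT     Original Source: Any              Translated Source: Original
        Original Destination: X2_SIP_IP   Translated Destination: PBX_LAN
        Original Service: SIP_SERVICES    Translated Service: Original
        Inbound Interface: X2             Outbound Interface: X0

# 4. Access rule, WAN -> LAN: destination is the public (pre-NAT) address, not the PBX's LAN address.
Rule    From: WAN   To: LAN   Service: SIP_SERVICES
        Source: SIP_PROVIDER   Destination: X2_SIP_IP   Action: Allow
```

For the inbound ping test described in the question, the inbound NAT policy and access rule would need Service set to Any (or ICMP) for the duration of the test. Once SIP registration works, narrowing Service to the SIP/RTP ports and Source to the provider's addresses is the change worth keeping: an Any/Any WAN-to-LAN rule in front of a PBX exposes its SIP stack to the whole Internet.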
 
dvanaken (Author) commented:
This sounds like what I need to get this wrapped up. I have been confused by the order of routes, NATs and rules in the past. I do have a basic pair of NAT rules (in/out) like I have used many times; I think the variable here was the need to send it out X2, not X1. The NAT rule looks like it handles that, but it appears it does not.

I will work on this more tomorrow and let you know how it turns out.  Thanks
 
feptias commented:
Yes, it is confusing and I only found solutions in the end through trial and error.

Something that I found useful for diagnosing which rules were being used and which were pointless, was to do the following after adding a new rule:
Zero the stats;
Try calling or registering an IP phone (or whatever PBX operation you are trying to get to work);
Now look at the stats for traffic on each rule and see if any packets/bytes passed through.

The stats are shown when you hover the mouse over the little graph icon on the right in firewall rules, but you must first refresh the page each time to see the latest stats. I think there is a similar stats icon for the NAT rules too. Unfortunately, the stats only show packets/bytes passed through and there is nothing to show the number of blocked packets for rules that block.
 
dvanaken (Author) commented:
Turns out I had too much clutter in the box to see what I was doing.  Wiped the config, added two NATs and the outbound rule and all is well.  Thanks
 
dvanaken (Author) commented:
Thanks and all the best to you!
