dvanaken asked:

Sonicwall Enhanced - setup route and nat for PBX

Periodically I get stuck on a config change on my SonicWall. I need help with this one from an experienced SonicWall user. I am using SonicWall Enhanced with X0-LAN, X1-WAN in a typical setup. I am now adding X2-SIP, which is a dedicated WAN channel talking to my SIP provider. I need to set up NAT and routing so that (1) the provider sees all traffic as coming from x.x.x.38 (X2), (2) all return traffic goes to y.y.y.23 (X0). So basic NAT so far. But I also need to ensure that any incoming traffic on X2 destined for x.x.x.38 goes to y.y.y.23 (X0). Inbound and outbound must be fully NAT so that SIP will work.

I'm not keeping the order of routing vs NATting clear in my head. I am able to set up a route so that a ping on the LAN-side server will route out X2 to the provider and respond back to me. I guess since it responds this validates that the "built-in" NAT is working. What I can't do is get an inbound ping to make it through the FW - all packets get dropped (drop rule 36). Do I need an incoming route? Or will NAT alone suffice for incoming? I have tried a typical two-rule NAT, which I have done many times, but the different interface is what's throwing me. Anybody done this specifically on SonicWall Enhanced and can help?

Member_2_1968385

You don't need an inbound route, but you do need to add a firewall rule to allow inbound connections - it is not sufficient to just add NAT rules. Which SonicWall model are you using?

dvanaken (ASKER)

Thank you.

I did add firewall rules; my NAT alone would not route from my LAN to X2 (it NATted, but to X1). I had to add a route. I will post details later. This is a PRO 2040.

ASKER CERTIFIED SOLUTION
Member_2_1968385

This solution is only available to members.

This sounds like what I need to get this wrapped up. I have been confused by the order of routes-NATs-rules in the past. I do have a basic pair of NAT rules (in/out) like I have used many times - I think the variable here was the need to send it out X2 not X1. The NAT rule looks like it handles that but it appears it does not.

I will work on this more tomorrow and let you know how it turns out.  Thanks

Yes, it is confusing and I only found solutions in the end through trial and error.

Something that I found useful for diagnosing which rules were being used and which were pointless was to do the following after adding a new rule:

1. Zero the stats.
2. Try calling or registering an IP phone (or whatever PBX operation you are trying to get to work).
3. Now look at the stats for traffic on each rule and see if any packets/bytes passed through.

The stats are shown when you hover the mouse over the little graph icon on the right in firewall rules, but you must first refresh the page each time to see the latest stats. I think there is a similar stats icon for the NAT rules too. Unfortunately, the stats only show packets/bytes passed through and there is nothing to show the number of blocked packets for rules that block.

Turns out I had too much clutter in the box to see what I was doing. Wiped the config, added two NATs and the outbound rule and all is well. Thanks.

Thanks and all the best to you!