SonicWall TZ 180 Wireless, port forwarding: only allow a single public static IP access to FTP, Telnet & 3003

OK, I have a customer who was convinced to buy a SonicWall TZ 180 (not by me); it has sat for almost 2 years till they got a tech they like (me). The reason they got it was that hackers were trying to hit the FTP and it kept filling up the log file; they were not actually getting in.

I have never configured one of these before from scratch. They HAD a Linksys wireless router; it is now just acting as a switch (I disabled the DHCP & wireless altogether) for a laptop/desktop on a KVM.

What I'm trying to do is forward FTP, Telnet & 3003 to the server with an internal IP of 192.168.1.10.

They have a static IP address (my customer in MO).
The company on the other end has a static IP (the software company in KS).

The goal is to forward the ports BUT only allow the KS static IP to be able to access them.
I know this is possible, but it seems that I am only going in circles with this.
 
Also, they have a fancy large-scale copier/scanner that can scan directly to each of their computers, and since I put this in, the scanning part stopped working; I figure that needs some rules also. I don't have the IP for that at the moment.
I have the wireless on the 172 address locked out from the LAN; it only has internet access, which is fine. It's using WPA2.
Here is the info on the SonicWall:

Model: TZ 180 Wireless Enhanced
Firmware version: SonicOS Enhanced 4.2.1.0-20e (I updated it to this latest stable version)
ROM version: SonicRom 4.0.1.1
Total memory: 128 MB RAM, 16 MB Flash



mikebesurfing Asked:
coalnine Commented:
Ok, this is how to specify access control to firewall rules in the SonicWall:

Log into the web interface of the sonicWall.
Go to the Firewall Tab on the left.
Locate one of the 3 rules that you've created for the listed ports.
Click the edit button.
On the source line, make the Address Range Begin and Address Range End the same external IP that you want to access it. (software co. in KS)
Click OK and the configuration will be updated.

As for the MFP scanning SMB packets to the workstations:
You won't need to set up any access rules in the router because it's internal traffic.
Did you change the IP scope when you installed the new router?
Or are the clients setup with static IP's that need to be updated due to the changes in the network?

coalnine Commented:
Keep in mind that you will have to modify ALL of the firewall rules (that you've created/defined) to match the public IP that you want to have access to those ports.

mikebesurfing (Author) Commented:
Ok, I think that makes sense. Is that in the Network section or the Firewall section?

Thanks
Mike

mikebesurfing (Author) Commented:
I will try to get over there tomorrow and look at it.

So are all those settings in the Firewall or the Network section, or both? If so, which?

A step by step would be wonderful.


Thanks
Mike

coalnine Commented:
They are located in the Firewall tab on the left side of the page. On the left you see all the navigation buttons; just click Firewall (this is where you need to go to create port forwards etc.) and you will see all of your access rules on the right. You will need to find the rules you've created for the ports to be forwarded. You just need to edit them one at a time and specify the remote IP in the rule itself. I will grab some screenshots and post them so you know exactly where to look.

Kenny

mikebesurfing (Author) Commented:
Sweet, thanks.

coalnine Commented:
Ok, here are some screenshot examples from the SonicWall at my house.


Firewall-Access-Rules.JPG

coalnine Commented:
Just as an example (and since you need FTP as well), I highlighted the FTP access rule in the SonicWall.
Click the Edit button to the right of the rule. It will look something like this:

Rule-Edit.JPG

mikebesurfing (Author) Commented:
Ok, that one makes sense, but what about narrowing it down to a single IP?

Thanks
Mike

mikebesurfing (Author) Commented:
Ok, I reply too quick, lol.

So this is all done in the Firewall section; is that also where I create the service for port 3003?

So I need to also disable all the other rules I created. I had also run the wizard for a public FTP just to make sure that he could connect; he did, then I just disabled the rule that it created. Do I need to disable anything else to be sure that it's closed to the public? Right now he can't access it, of course.

Thanks
Mike

coalnine Commented:
So, in the source line, specify the traffic to be coming from the WAN and put the internal IP of the desired machine.
In your case it should be 192.168.1.10 in the Address Range Begin and Address Range End.
Also make sure that the destination is set to LAN. They are set to * by default.
Then all you have to do is edit the Telnet and port 3003 rules (so long as they have been created previously) to make the changes to the source IP.

If you need screenshots on how to create custom services (i.e. for the port 3003) and forward them, please let me know.

Kenny

coalnine Commented:
Sorry, reading through that last post I think I made an error. In the SOURCE line, you want the ethernet to be set to WAN, and then in the Address Range Begin AND Address Range End put the external IP of the customer in MO.

Then, in the DESTINATION line, set the ethernet to LAN, and in the Address Range Begin AND Address Range End you would put 192.168.1.10

Think that I was thinking faster than I was typing.

Kenny

coalnine Commented:
Also, just re-enable the FTP access rule, then edit it to only allow the MO public IP to access it. Then only that IP will have access to port 21. Same with the Telnet port 23 and the 3003 (CGMS?).

mikebesurfing (Author) Commented:
I have not gotten over there yet; I will try to get over there tomorrow when there are fewer people.

Thanks
Mike

mikebesurfing (Author) Commented:
Shooting for tomorrow.

mikebesurfing (Author) Commented:
I GOT IT.... Woohoo. I also had to set the NAT for each one. The 3003 is for remote sites to connect, but actually I don't need that part.

Thanks
Mike
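As an added illustration that is not part of the thread and is not SonicWall firmware or configuration syntax, the Python below models what the TZ 180 ends up doing once both pieces the posts above describe are in place: an inbound NAT policy per service (the "NAT for each one" in the last post) and a WAN-to-LAN access rule whose Address Range Begin and End are the same single public address, with 192.168.1.10 as the destination. The question's stated goal is that only the KS software company's static IP reaches the forwarded ports, so that address is used as the allowed source here. The public addresses, the LAN subnet and the scanner/workstation addresses are assumed placeholders from documentation ranges; only 192.168.1.10 is from the thread. It also answers the "do I need to disable anything else" question: an any-source FTP rule left over from the public-server wizard reopens port 21 to everyone regardless of the restricted rule.

```python
"""Model of a SonicOS Enhanced inbound port-forward: NAT policy per service,
then a WAN->LAN access rule restricted to one public source address.
Added example code, not SonicWall firmware or configuration syntax."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

SERVER = ip_address("192.168.1.10")        # internal FTP/Telnet/3003 server (from the thread)
MO_WAN_IP = ip_address("198.51.100.10")    # assumed: the customer's static WAN address in MO
KS_IP = ip_address("203.0.113.5")          # assumed: the software company's static address in KS
ATTACKER = ip_address("192.0.2.77")        # constructed: a random scanner on the Internet
LAN = ip_network("192.168.1.0/24")         # assumed LAN subnet behind the TZ 180
SCANNER = ip_address("192.168.1.40")       # assumed: the copier/scanner
WORKSTATION = ip_address("192.168.1.20")   # assumed: a PC it scans to

SERVICES = {"FTP": 21, "Telnet": 23, "TCP 3003": 3003}  # 3003 needs a custom service object


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    in_zone: str            # zone the packet arrived on: "WAN" or "LAN"


@dataclass(frozen=True)
class NatPolicy:
    """Inbound NAT: rewrite the public destination to the private server."""
    original_dst: IPv4Address
    translated_dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class AccessRule:
    """One access rule; the source range is begin..end inclusive."""
    src_zone: str
    dst_zone: str
    src_begin: IPv4Address
    src_end: IPv4Address
    dst: IPv4Address
    dport: int
    action: str             # "allow" or "deny"
    enabled: bool = True


def zone_of(addr: IPv4Address) -> str:
    return "LAN" if addr in LAN else "WAN"


def apply_nat(pkt: Packet, policies) -> Packet:
    for p in policies:
        if pkt.dst == p.original_dst and pkt.dport == p.dport:
            return replace(pkt, dst=p.translated_dst)
    return pkt


def evaluate(pkt: Packet, policies, rules) -> str:
    """NAT runs first; the access rule is matched on the translated destination,
    which is why the rule's destination is 192.168.1.10 rather than the WAN IP."""
    pkt = apply_nat(pkt, policies)
    dst_zone = zone_of(pkt.dst)
    if pkt.in_zone == "LAN" and dst_zone == "LAN":
        return "allow"      # intra-LAN traffic (scanner -> workstation) needs no rule
    for r in rules:         # first matching rule wins, as with rule priority
        if (r.enabled and r.src_zone == pkt.in_zone and r.dst_zone == dst_zone
                and r.src_begin <= pkt.src <= r.src_end
                and r.dst == pkt.dst and r.dport == pkt.dport):
            return r.action
    return "deny"           # implicit WAN->LAN deny


def restricted_config():
    """One NAT policy and one access rule per service, source locked to KS_IP."""
    policies = [NatPolicy(MO_WAN_IP, SERVER, port) for port in SERVICES.values()]
    rules = [AccessRule("WAN", "LAN", KS_IP, KS_IP, SERVER, port, "allow")
             for port in SERVICES.values()]
    return policies, rules


def wizard_ftp_rule(enabled: bool) -> AccessRule:
    """What a public-server wizard leaves behind: any WAN source allowed to FTP."""
    return AccessRule("WAN", "LAN", ip_address("0.0.0.0"), ip_address("255.255.255.255"),
                      SERVER, 21, "allow", enabled)


if __name__ == "__main__":
    policies, rules = restricted_config()
    for who, src in (("KS", KS_IP), ("attacker", ATTACKER)):
        for name, port in SERVICES.items():
            verdict = evaluate(Packet(src, MO_WAN_IP, port, "WAN"), policies, rules)
            print(f"{who:8} -> {name:9} {verdict}")
    leaky = rules + [wizard_ftp_rule(enabled=True)]
    print("attacker -> FTP with wizard rule still enabled:",
          evaluate(Packet(ATTACKER, MO_WAN_IP, 21, "WAN"), policies, leaky))
```

The restriction is only as strong as the remote address staying fixed: if the KS side's static IP changes, the rules deny them until the source range is updated. Denied hits from other addresses are still logged by the firewall, so the log noise that prompted the purchase does not disappear; only the access does.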

coalnine Commented:
Glad to hear it.

Kenny