WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!
Solved
Sonicwall TZ 210 - Need to configure several public IP's for use - How is this possible?
Posted on 2010-09-10
Were moving from ISA 2006 to a Sonicwall TZ 210. I'm starting to work through the configurations but I'm stuck. We have about 30 static IP's that we need to setup, but I don't know how with this new device?
Thanks!
Thanks!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
13-
9
-
6
- +1
32 Comments
THe most simple way to achieve this is to use the public server wizard. If you really don't like wizard you have to do it with 'NAT policies' (found under 'network').
What the public server does, it creates three NAT policies for you and it also creates a firewall rule.
(The three NAT policies are for 1) inbound traffic, 2) outbound traffic and 3) loopback policy.)
Just run the public server wizard and see what it does.
What the public server does, it creates three NAT policies for you and it also creates a firewall rule.
(The three NAT policies are for 1) inbound traffic, 2) outbound traffic and 3) loopback policy.)
Just run the public server wizard and see what it does.
An example of the three policies:
1 = loopback policy (what the sonicwall has to do when an internal client wants to access the local server with it's public ip)
2 = outbound policy (makes sure that the public server uses the correct public ip)
3 = inbound policy which translates the public ip to the private ip
3NAT-policies.png
1 = loopback policy (what the sonicwall has to do when an internal client wants to access the local server with it's public ip)
2 = outbound policy (makes sure that the public server uses the correct public ip)
3 = inbound policy which translates the public ip to the private ip
3NAT-policies.png
Caskrist - sorry - but the Public Server Wizard will create 1:Many nat rules using the WAN ip address only.
To set up full 1:1 mappings you need to do it by hand.
Steps are:-
1) Give each device on the LAN that you need to have a public address a Network Object "Host" name. e.g. "MailServerLAN = 192.169.1.44"
2) Give each public address that you want to map a Network Object "Host" name. e.g. "MailServerPublic = 212.123.12.82". These of course must be chosen from the range of public IP addresses avaiable on your WAN network as supplied by your ISP.
3) Now create an "IN" and an "OUT" NAT mapping to connect these two. BY and large you should map "any" protocol to "orignal" i.e. unless you WANT to re-map port addresses, just map IP and leave services unaffected.
e.g.
Source - Original = MailSvrLAN
Source - Translated = MailSvrPub
Dest - Original = Any
Dest - Translated = Original
for the outboound mapping and
Source - Orignal = Any
Source -Translated = Original
Dest - Original = MailSvrPub
Dest - Translated = MailSvrLAN
for the inbound.
To set up full 1:1 mappings you need to do it by hand.
Steps are:-
1) Give each device on the LAN that you need to have a public address a Network Object "Host" name. e.g. "MailServerLAN = 192.169.1.44"
2) Give each public address that you want to map a Network Object "Host" name. e.g. "MailServerPublic = 212.123.12.82". These of course must be chosen from the range of public IP addresses avaiable on your WAN network as supplied by your ISP.
3) Now create an "IN" and an "OUT" NAT mapping to connect these two. BY and large you should map "any" protocol to "orignal" i.e. unless you WANT to re-map port addresses, just map IP and leave services unaffected.
e.g.
Source - Original = MailSvrLAN
Source - Translated = MailSvrPub
Dest - Original = Any
Dest - Translated = Original
for the outboound mapping and
Source - Orignal = Any
Source -Translated = Original
Dest - Original = MailSvrPub
Dest - Translated = MailSvrLAN
for the inbound.
No, with the wizard you can give an alternate public ip address, see the screenshot of the wizard.
server-wizard.png
server-wizard.png
@ccomley :: caskrist is accurate. Runing the Public Wizard server can be done for each public IP that needs to "map" to an internal server. A address object for each public IP address would be needed and referenced during the wizard.
Thanks, but as you can see you can enter an ip address in the wizard. The wizard creates the address object.
but either way, even when the wizard doesn't ask for the external ip (with older firware), it is easier to change the policies creates by the wizard, then to create them yourself (for new Sonicwall admins).
In my example of the policies you can change 'X1 IP' to an address object which has the external IP. (don't forget the firewall rule).
but either way, even when the wizard doesn't ask for the external ip (with older firware), it is easier to change the policies creates by the wizard, then to create them yourself (for new Sonicwall admins).
In my example of the policies you can change 'X1 IP' to an address object which has the external IP. (don't forget the firewall rule).
Thanks all for the input.
I have been working this weekend on setting up all of our rules. I ran into a few other snags. For example -
(We host about 15 Mail Domains all of which have there own IP)
1 - Using the wizard, when I change the IP address to the domain I'm setting up. The wizard makes the changes, but the subnet is not correct. It is setting up the subnet to be 255.255.255.255 and it should be 255.255.255.192. Short of changing each rule, what could I do? The Network Settings on the WAN is correct.
2 - Working on getting the SSL certs in for each domain. Is there a best practice or wizard?
Thanks again!
I have been working this weekend on setting up all of our rules. I ran into a few other snags. For example -
(We host about 15 Mail Domains all of which have there own IP)
1 - Using the wizard, when I change the IP address to the domain I'm setting up. The wizard makes the changes, but the subnet is not correct. It is setting up the subnet to be 255.255.255.255 and it should be 255.255.255.192. Short of changing each rule, what could I do? The Network Settings on the WAN is correct.
2 - Working on getting the SSL certs in for each domain. Is there a best practice or wizard?
Thanks again!
If you have that many I would *deffo* skip the wizard and get the hang of doing it by hand!!
Start with the Object Names. Create two HOST type objects for each server, one for it's LAN address and one for the public IP you wish it to map to.
Create a Service Group containing all the services you expect to use with them (SMTP, POP, IMAP, possibly HTTP and HTTPS)
Create In and Out rules as per my earlier description.
DON@T FORGET you ASLO need to create a PERMIT rule on the Fierwall WAN-to-LAN grid - just setting up the NAT mapping does NOT do this!!!
NOTE THAT The wizard is setting the subnet to 255.255.255.255 coz you are dealing with a SINGLE ip address not a range of addresses when you set up a mapping light that. It's not wrong!
Start with the Object Names. Create two HOST type objects for each server, one for it's LAN address and one for the public IP you wish it to map to.
Create a Service Group containing all the services you expect to use with them (SMTP, POP, IMAP, possibly HTTP and HTTPS)
Create In and Out rules as per my earlier description.
DON@T FORGET you ASLO need to create a PERMIT rule on the Fierwall WAN-to-LAN grid - just setting up the NAT mapping does NOT do this!!!
NOTE THAT The wizard is setting the subnet to 255.255.255.255 coz you are dealing with a SINGLE ip address not a range of addresses when you set up a mapping light that. It's not wrong!
When you've already got the rules setup, the rules will reference an address object. You'll want to give each address object a unique name so you'll know which one is associated to the proper rule. Then, simply modify the address object. This will update each firewall access rule and NAT rule.
I think, but I'm not sure, that the certs should be created on the servers on and for the servers, not the sonicwall.
SSL - Currently we use ISA 2006 Enterprise. On this setup, we have our the SSL cert on the Mail Server, then we have to export it to the ISA box as a PFX file. ISA accepts it into the rule, then it starts accepting traffic. Without the 2nd piece (ISA/PFX), the rule doesn't allow SSL. I see in the settings there are SSL Control and other SSL settings, but I wanted to get a census on the 'best practices'.
ccomley: With regards to setting up NAT 1:1 - I noticed I can only have 512? or 514 entries. Is there a way to just set up a rule allowing all IP's to accept SMTP, POP and IMAP? This would cut quite a few rules. And this is how I had it setup on ISA (right or wrong, I'm not sure)..
ccomley: With regards to setting up NAT 1:1 - I noticed I can only have 512? or 514 entries. Is there a way to just set up a rule allowing all IP's to accept SMTP, POP and IMAP? This would cut quite a few rules. And this is how I had it setup on ISA (right or wrong, I'm not sure)..
caskrist is right - the SSL certs for HTTPS use should be installed on the web server(s). The only reason to put an SSL cert on the Sonicwall would be to use SSL based VPN type stuff...
WRT rules, yes of course. You can create a Network Object which is a *range* of IP address(es), you can create Group Objects which contain multiple individual objects, and you can create a single rule for the group. So for example, if
MailServer1 = 192.168.1.10
MailServer2 = 192.168.1.20
MailServer3 = 192.168.1.21
MailServer4 = 192.168.1.22
You would already have for your NAT mappings, a "host" object for each. Now you can add
ServerRange1 = 192.168.1.20 through 192.168.1.22 (Range)
And then
ServerGroup = MailServer1Lan, ServerRange1, (plus any others)
And if you have the SERVICE group I suggested above, say
MailServices = POP+IMAP+SMTP+HTTP+HTTPS
And create a single WAN to LAN rule which says
Source = any
Dest = ServerGroup
Service = MailServices
Permit
WRT rules, yes of course. You can create a Network Object which is a *range* of IP address(es), you can create Group Objects which contain multiple individual objects, and you can create a single rule for the group. So for example, if
MailServer1 = 192.168.1.10
MailServer2 = 192.168.1.20
MailServer3 = 192.168.1.21
MailServer4 = 192.168.1.22
You would already have for your NAT mappings, a "host" object for each. Now you can add
ServerRange1 = 192.168.1.20 through 192.168.1.22 (Range)
And then
ServerGroup = MailServer1Lan, ServerRange1, (plus any others)
And if you have the SERVICE group I suggested above, say
MailServices = POP+IMAP+SMTP+HTTP+HTTPS
And create a single WAN to LAN rule which says
Source = any
Dest = ServerGroup
Service = MailServices
Permit
Do you guys know of a resource book available? For example, with ISA I had Tom Schneider's books.
Thanks
Thanks
Another question - (sorry for so many questions!)
Since we have several different mail domains, all of them share port 443 on the Internet, but coming into the Mail Server (IIS 6) I had to change the ports. Domain A uses 443, Domain B uses 444, Domain C uses 445, etc.
On ISA I set it up so the requests come in on 443 then forward to port 445,446, etc. How do I do this on Sonicwall?
Thanks again!
Since we have several different mail domains, all of them share port 443 on the Internet, but coming into the Mail Server (IIS 6) I had to change the ports. Domain A uses 443, Domain B uses 444, Domain C uses 445, etc.
On ISA I set it up so the requests come in on 443 then forward to port 445,446, etc. How do I do this on Sonicwall?
Thanks again!
If each server has it's own private IP address then you don't need to worry about maapping ports. Just include all the ports that MIGHT be used by a session in the Service Group You may first need to create an actual Service for non-standard port numbers.
So 443 is already set up. Create services this
445 = SecureMail5
446 = SecureMail6
(etc)
Now just add the new services to the existing MailServices service group, and traffic on those ports will automatically be permitted by the existing rule. (Assuming you already created the Permit rule to allow MailService traffic in.)
So 443 is already set up. Create services this
445 = SecureMail5
446 = SecureMail6
(etc)
Now just add the new services to the existing MailServices service group, and traffic on those ports will automatically be permitted by the existing rule. (Assuming you already created the Permit rule to allow MailService traffic in.)
Sorry, I wasn't clear.
We have one primary Mail Server. However, each client accesses Web Mail via HTTPs.
So currently ISA takes the different public Static IP's and turns them into the private LAN IP and also converts each domain to the SSL Port that the Mail Server is looking for - 443/444/445/etc.
I'm poling around in the NAT and am unsure how to change the ports on the inside still. i set this up using the wizards for simplicity sake, but also plan to do it manually now that I am starting to understand what the unit is looking for, however I still don't know how to turn those HTTPs's into different ports.
Thanks all!
We have one primary Mail Server. However, each client accesses Web Mail via HTTPs.
So currently ISA takes the different public Static IP's and turns them into the private LAN IP and also converts each domain to the SSL Port that the Mail Server is looking for - 443/444/445/etc.
I'm poling around in the NAT and am unsure how to change the ports on the inside still. i set this up using the wizards for simplicity sake, but also plan to do it manually now that I am starting to understand what the unit is looking for, however I still don't know how to turn those HTTPs's into different ports.
Thanks all!
In the NAT policies you have an 'original service' and a 'translated service' thats what you are looking for.
Or even better:
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5611&SearchType=advanced&referrer=&gpn=&CustID=&bUseEditor=&keyword=port+translation&rfield=&sortmethod=rel&usertype=&gpv=&catID2=&formaction=search&catID1=143&IncludeHTML=&catID3=&TotalResults=4629&submitbutton=Go&match=and
Look for your questions in the sonicwall knowledgebase.
(www.sonicwall.com, support, documentation, knowledgebase)
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5611&SearchType=advanced&referrer=&gpn=&CustID=&bUseEditor=&keyword=port+translation&rfield=&sortmethod=rel&usertype=&gpv=&catID2=&formaction=search&catID1=143&IncludeHTML=&catID3=&TotalResults=4629&submitbutton=Go&match=and
Look for your questions in the sonicwall knowledgebase.
(www.sonicwall.com, support, documentation, knowledgebase)
If I'm thinking through this correctly, if I make a new service that uses port 448 for example - and then go into NAT Policies and change the Translated into the new rule 448, that should translate it from 443 to 448 correct?
Thanks
Thanks
Yes tha should be it, but keep in mind you have three policies. For the inbound policy traffic comes in at 443 at the sonicwall and you wat to redirect it to port 448 on your server. But for the outbound rule I think it should be the other way around. You server responds with traffic on port 448 outbound so the sonicwall should also translate that to 443.
Ah yes - if you have ONE server listening only on port 443 but you wish to present *different* ports to the outside world, then you also need to do PORT TRANSLATION in the NAT table.
To do this it's the same basic idea as doing IP translation. Create services thus:-
SecHTTP1 = 444
SecHTTP2 = 445
SecHTTP3 = 446
etc
(YOu don't need to create one for 443 - it's there by default, called "HTTPS")
Then on the INBOUND NAT map rule for each "server" where it says "Serviecs" instead of Original=Any put Original=(as above) and instead of "translated=original" put "translated=HTTPS". Similarly on the OUTBOUND NAT rule for each server, put Services, Original=HTTPS, Translated=(as above). Just make sure you match the correct SecHTTPx entry with the matching public IP entry, or you'll get very odd results!!
To do this it's the same basic idea as doing IP translation. Create services thus:-
SecHTTP1 = 444
SecHTTP2 = 445
SecHTTP3 = 446
etc
(YOu don't need to create one for 443 - it's there by default, called "HTTPS")
Then on the INBOUND NAT map rule for each "server" where it says "Serviecs" instead of Original=Any put Original=(as above) and instead of "translated=original" put "translated=HTTPS". Similarly on the OUTBOUND NAT rule for each server, put Services, Original=HTTPS, Translated=(as above). Just make sure you match the correct SecHTTPx entry with the matching public IP entry, or you'll get very odd results!!
I got pulled away from it. I worked on it again this weekend. I'm hoping to put it into test later this week. I'll post back with results/questions.
Thanks!
Thanks!
It is up and running. I was waiting to see if something broke to follow up to, but so far, so good. Thank you all for your help! Much appreciated!!
Jeff
Jeff
Featured Post
We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud (http://www.concertocloud.com/about/in-the-news/2017/02/0…
- Storage
- Concerto Cloud Services
- Cisco
- Analytics
- Cloud Computing
- Cloud Services, *CRM, *Virtual Private Cloud (VPC)
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty.
Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month9 days, 1 hour left to enroll
721 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.