  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4637

Port forwarding not working on Sonic Wall NSA 240

I am trying to port forward a custom port on my Sonic Wall NSA 240 to a system behind my firewall. I need to have HTTP and SSH forwarded to this system. SSH is working fine, but when I try to forward any other port to the same system it fails. If I disable SSH then I can port forward my custom port to the system. Is there something with SSH that blocks any other port from forwarding to the same system? I confirmed that it is not my custom port, as I could forward it to my Exchange server without any issue.

I used the Sonic Wall "How to open non-standard ports (custom service) to a server behind the sonic wall" guide.

Any guidance here would be appreciated.
0
Asked: Serge Martin
1 Solution
 
getzjdCommented:
Have you tried the "Wizard" button in the upper right?  This will step you right through it.
0
 
getzjdCommented:
Have you looked in the SonicWall logs to see when the attempt gets blocked? Do you have a firewall enabled on the other PC?
0
 
uescompCommented:
Try disabling the firewall on the PC, and disabling the antivirus (if any), to verify it is not the workstation, or you might have to add an exception to them, etc.
0
 
Serge MartinIT TechnicianAuthor Commented:
I tried the Wizard and it did not work. There is nothing in the logs that show why it is being blocked. The PC does not have a firewall enabled. I can SSH to the system.
0
 
getzjdCommented:
Change the log settings in the firewall to show all traffic and you will see the request.  Go to Log, Categories and make sure you have the right categories set to see network access traffic  
0
 
Serge MartinIT TechnicianAuthor Commented:
The log settings are set to show all traffic and I have changed from "all" to "Network Access" and nothing shows.
0
 
digitapCommented:
Go back to your SonicWall, then go to Firewall > Services. Click Add Group and create a custom service group for your server and add HTTP and SSH. Then, modify the firewall access rules and NAT policies to use the new service group. I assume you've got firewall access rules and NAT policies for both services needed for the server.

Also, make sure you don't have HTTP management enabled on the WAN interface. If you do, you might disable HTTP and enable HTTPS, then change the port for HTTPS under System > Administration.
0
 
Serge MartinIT TechnicianAuthor Commented:
It works okay for the SSH port 22, but the custom port that I created, 8181, is still closed.
0
 
digitapCommented:
Maybe we should start over. I'll do this if things just aren't working right. Here's what I do:

- Delete the NAT policies associated with the public server.
- Delete the firewall access rules associated with the public server.
- Delete the address objects and address groups associated with the public server.

Then, create the service group as indicated above and add SSH and the custom service, 8181, to the service group.

Then, run your public server wizard. When asked to choose the service, select your group.

When complete, you should be good to go.

If that doesn't work, then the only thing I can think of is that you've created the service incorrectly. Can you post a screenshot of the details of the 8181 service?

For your information, here is a KB for creating custom ports/services:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7133
0
 
digitapCommented:
What type of server are you trying to get to from the internet: Windows 2003, 2008, XP, etc.?
0
 
Greg HejlCommented:
Are you adding the non-standard HTTP port to your HTTP request?

http://domain.tld:8181/ ?

Also try telnet to 8181 and see what happens in your logs.
0
 
Serge MartinIT TechnicianAuthor Commented:
I did as digitap suggested and SSH works but not port 8181. Below is the custom service that I had created.

#  Name              Protocol  Port Start  Port End  Comments
1  Custom Port 8181  TCP       8181        8181
0
 
Serge MartinIT TechnicianAuthor Commented:
I am attempting to access a Linux authentication server for our Library system. I am adding the non-standard HTTP port to my request.
0
 
digitapCommented:
Are you forwarding port 8181 to any other server? Can you connect to your Linux box internally on that port?
0
 
Serge MartinIT TechnicianAuthor Commented:
No, I am not forwarding 8181 to any other server. No, I cannot connect to your Linux box internally on that port.
0
 
digitapCommented:
I think that's your problem. If you can't connect to the box internally, then you won't be able to connect to it externally. Is my thinking wrong?
0
 
Serge MartinIT TechnicianAuthor Commented:
No, it is not, but I can connect to the box using SSH...
0
 
digitapCommented:
That makes sense then. A server isn't going to respond on a port if it's not configured to do so. Your Linux box is configured to respond to SSH (port 22), so your external connections via this port work. However, your Linux box doesn't respond to port 8181, so it drops connection attempts externally and internally.

My summation is, you'll have to configure your Linux box to respond to port 8181.
0
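As an added example (not code from anyone in this thread), here is a small Python probe that applies the reasoning above: test the internal host:port first, and only look at the SonicWall NAT and access rules once that succeeds. The hosts and ports you pass in are whatever you want to check; the loopback demo opens its own ephemeral listener so it runs offline.

```python
"""Separate "server not listening" from "NAT or access rule wrong" (added
example, not code from the thread). If the service cannot be reached from
inside the LAN it will never work from outside, so probe internally first."""
import socket


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect to host:port; returns 'open', 'refused', 'timeout',
    'unreachable' or 'unresolved'. Nothing is sent after the handshake."""
    try:
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, addr = info
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"           # a daemon is listening and the path is open
        except socket.timeout:
            return "timeout"        # dropped: host firewall, wrong IP, or no NAT hit
        except ConnectionRefusedError:
            return "refused"        # host is up but nothing listens on that port
        except OSError:
            return "unreachable"    # no route / network unreachable


def classify(internal: str, external: str) -> str:
    """Map the two probe results onto the layer that needs fixing."""
    if internal == "refused":
        return "server_not_listening"        # fix the daemon, not the firewall
    if internal != "open":
        return "host_unreachable_or_host_firewall"
    if external != "open":
        return "nat_or_access_rule"          # answers inside, so the forward is wrong
    return "ok"


def demo_loopback() -> tuple:
    """Offline check of the 'open' vs 'refused' distinction: probe a live
    loopback listener, close it, and probe the same port again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    live = probe("127.0.0.1", port)
    srv.close()
    return live, probe("127.0.0.1", port)
```

Run `probe` from a LAN host against the server's private address and port, then from outside against the public address, and feed both results to `classify`.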
 
Serge MartinIT TechnicianAuthor Commented:
Okay, I am a Windows guy, not Linux. How can I open that port on the Linux box?
0
 
digitapCommented:
I don't know. Can you connect to the Linux box via the standard HTTP port? Why are you wanting the non-standard HTTP?
0
 
Serge MartinIT TechnicianAuthor Commented:
Because the standard HTTP port is being used by our Library catalogue server, and when I use that port the catalogue drops. The authentication provider requires access via SSH and HTTP, and since the HTTP port is already used, they accepted the use of any other port.
0
 
digitapCommented:
How many public IP addresses do you have? You could use an additional public IP address.

Or, crazy thought: you could NAT the port to the server. Externally, you would use 8181, but the SonicWall could NAT to port 80 and back again.
0
 
Serge MartinIT TechnicianAuthor Commented:
I need to forward port 8181 to port 80 on the Linux server.
0
 
Serge MartinIT TechnicianAuthor Commented:
My Linux server is 10.1.2.73, so would I just change the forwarding to be something like
8181-->10.1.2.73:80 or 10.1.2.73/80?
0
 
digitapCommented:
It might be easier if you have a secondary public IP address. You'd only need to change the address object representing the public IP for the Linux server's NAT policies and firewall access rules.

For the other option, you'd want to change the NAT rules. I don't think you'll need to change any of the firewall access rules WAN > LAN. What I'm not sure of here is if the SonicWall will NAT BEFORE the traffic hits the LAN or after. If BEFORE, then you may need to change the WAN > LAN rules to include a new service group for 22, 80 and 8181. Otherwise, leaving it as is may be fine.

Using the public server wizard, you'll have an ingress NAT policy, an egress NAT policy and a loopback NAT policy. When you go to Network > NAT Policies, you'll see that you can click a Custom Policies radio button. Click that to just see ones you've created. Then, locate the policies associated with your Linux server. Toward the end of each line you'll notice a comment bubble. If you mouse over that, it should indicate whether it's a loopback policy. I don't believe you need to change the loopback policy, so focus on the egress and ingress.

For the ingress (WAN > LAN), you want the original service to be 8181 and the translated to be 80. For the egress, you want the original service to be 80 and the translated to be 8181.
0
 
Serge MartinIT TechnicianAuthor Commented:
I get an error when attempting to change the translated service in NAT: "Unknown Service class".
0
 
digitapCommented:
Sorry, just got back from lunch. Review this KB; it explains what's going on with the error. Easy fix.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6638
0
 
Serge MartinIT TechnicianAuthor Commented:
Worked like a charm, thanks very much.
0
 
digitapCommented:
You're welcome... glad I could help, and thanks for the points!
0
