Solved

Port forwarding not working on Sonic Wall NSA 240

Posted on 2010-11-08
29
4,346 Views
Last Modified: 2012-05-10
I am trying to port forward a custom port on my Sonic Wall NSA 240 to a system behind my firewall. I need to have HTTP and SSH forwarded to this system. SSH is working fine, but when I try to forward any other port to the same system it fails. If I disable SSH then I can port forward my custom port to the system. Is there something with SSH that blocks any other port from forwarding to the same system? I confirmed that it is not my custom port, as I could forward it to my Exchange server without any issue.

I used the Sonic Wall guide "How to open non-standard ports (custom service) to a server behind the Sonic Wall".

Any guidance here would be appreciated.
0
Question by:tlu2929
29 Comments
 
LVL 15

Expert Comment

by:getzjd
ID: 34087046
Have you tried the "Wizard" button in the upper right?  This will step you right through it.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34087072
Have you looked in the SonicWall logs to see when the attempt gets blocked?  Do you have a firewall enabled on the other PC?
0
 
LVL 16

Expert Comment

by:uescomp
ID: 34087134
try disabling the firewall on the pc, and disabling the antivirus (if any) to verify it is not the workstation or you might have to add an exception to them etc.
0
 

Author Comment

by:tlu2929
ID: 34087170
I tried the Wizard and it did not work. There is nothing in the logs that show why it is being blocked. The PC does not have a firewall enabled. I can SSH to the system.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34087237
Change the log settings in the firewall to show all traffic and you will see the request.  Go to Log, Categories and make sure you have the right categories set to see network access traffic.
0
 

Author Comment

by:tlu2929
ID: 34087391
The log settings are set to show all traffic and I have changed from "all" to "Network Access" and nothing shows.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34087717
go back to your sonicwall then go to Firewall > Services.  Click Add Group and create a custom service group for your server and add HTTP and SSH.  Then, modify the firewall access rules and nat policies to use the new service group.  i assume you've got firewall access rules and nat policies for both services needed for the server.

also, make sure you don't have HTTP management enabled on the WAN interface.  if you do, you might disable HTTP and enable HTTPS then change the port for HTTPS under System > Administration.
0
 

Author Comment

by:tlu2929
ID: 34088006
It works okay for the SSH port 22, but the custom port that I created, 8181, is still closed.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34088046
maybe we should start over.  i'll do this if things just aren't working right.  here's what i do:

- Delete the NAT policies associated with the public server.
- Delete the firewall access rules associated with the public server.
- Delete the address objects and address groups associated with the public server.

Then, create the service group as indicated above and add SSH and the custom service, 8181 to the service group.

Then, run your public server wizard.  when asked to choose the service, select your group.

when complete, you should be good to go.

if that doesn't work, then only thing i can think of is that you've created the service incorrectly.  can you post a screen shot of the details of the 8181 service?

For your information, here is a KB for creating custom ports/services:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7133
0
 
LVL 33

Expert Comment

by:digitap
ID: 34088051
what type of server are you trying to get to from the internet, Windows 2003, 2008, XP, etc.?
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 34092396
are you adding the non-standard http port to your http request?

http://domain.tld:8181/ ?

also try telnet 8181 and see what happens in your logs
0
 

Author Comment

by:tlu2929
ID: 34094113
I did as digitap suggested and SSH works but not port 8181. Below is the custom Service that I had created.

#  Name              Protocol  Port Start  Port End  Comments
1  Custom Port 8181  TCP       8181        8181
0
 

Author Comment

by:tlu2929
ID: 34094138
I am attempting to access a Linux authentication server for our Library system. I am adding the non-standard HTTP port to my request.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34094332
are you forwarding port 8181 to any other server?  can you connect to your linux box internally on that port?
0

Author Comment

by:tlu2929
ID: 34094424
No I am not forwarding 8181 to any other Server. No I cannot connect to your linux box internally on that port.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34094448
i think that's your problem.  if you can't connect to the box internally, then you won't be able to connect to it externally.  is my thinking wrong?
0
 

Author Comment

by:tlu2929
ID: 34094462
No it is not, but I can connect to the box using SSH......
0
 
LVL 33

Expert Comment

by:digitap
ID: 34094497
that makes sense then.  a server isn't going to respond on a port if it's not configured to do so.  your linux box is configured to respond to SSH (port 22) so your external connections via this port work.  however, your Linux box doesn't respond to port 8181 so it drops connection attempts externally and internally.

my summation is, you'll have to configure your Linux box to respond to port 8181.
0
 

Author Comment

by:tlu2929
ID: 34094527
Okay, I am a Windows guy, not Linux; how can I open that port on the Linux box?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34094539
i don't know.  can you connect to the linux box via the standard HTTP port?  why are you wanting the non-standard HTTP?
0
 

Author Comment

by:tlu2929
ID: 34094564
Because the standard HTTP port is being used by our Library catalogue server, and when I use that port the catalogue drops. The authentication provider requires access via SSH and HTTP, and since the HTTP port is already used, they accepted the use of any other port.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34094590
how many public IP addresses do you have?  you could use an additional public IP address.

or, crazy thought.  you could NAT the port to the server.  externally, you would use 8181, but the sonicwall could NAT to port 80 and back again.
0
 

Author Comment

by:tlu2929
ID: 34095269
I need to forward port 8181 to port 80 on the linux server
0
 

Author Comment

by:tlu2929
ID: 34095291
My Linux server is 10.1.2.73, so would I just change the forwarding to be something like
8181-->10.1.2.73:80 or 10.1.2.73/80?
0
 
LVL 33

Accepted Solution

by: digitap (earned 500 total points)
ID: 34095382
it might be easier if you have a secondary public IP address.  you'd only need to change the address object representing the public IP for the linux server's NAT policies and firewall access rules.

for the other option, you'd want to change the NAT rules.  i don't think you'll need to change any of the firewall access rule WAN > LAN.  What I'm not sure of here is if the sonicwall will NAT BEFORE the traffic hits the LAN or after.  If BEFORE, then you may need to change the WAN > LAN rules to include a new service group for 22, 80 and 8181.  Otherwise, leaving it as is may be fine.

using the public server wizard, you'll have an ingress NAT policy, an egress NAT policy and a loopback NAT policy.  when you go to Network > NAT Policies, you'll see that you can click a Custom Policies radio button.  click that to just see ones you've created.  then, locate the policies associated with your linux server.  toward the end of each line you'll notice a comment bubble.  if you mouse over that, it should indicate whether it's a loopback policy.  i don't believe you need to change the loopback policy, so focus on the egress and ingress.

for the ingress (WAN > LAN), you want the original service to be 8181 and the translated to be 80.  for the egress, you want the original service to be 80 and the translated to be 8181.
0
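As an added illustration of the ingress/egress port translation digitap describes (this is example code, not from the thread or from SonicWall), the Python model below applies both policies to one connection and also checks the thread's root cause, a translated port the server is not listening on. The public IP 203.0.113.10, the client address and the `ss -ltn` sample are constructed placeholders; 10.1.2.73, 8181 and 80 come from the thread.

```python
from collections import namedtuple

PUBLIC_IP = "203.0.113.10"   # placeholder for the SonicWall's WAN address object
SERVER_IP = "10.1.2.73"      # the Linux server named in the thread

# One TCP packet header, reduced to the fields NAT rewrites.
Packet = namedtuple("Packet", "src sport dst dport")

def ingress_nat(pkt, translated_port):
    """Ingress policy (WAN > LAN): original service 8181 -> translated service."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 8181:
        return pkt._replace(dst=SERVER_IP, dport=translated_port)
    return pkt

def egress_nat(pkt, translated_port):
    """Egress policy (LAN > WAN): original service <translated_port> -> 8181,
    so the server's reply leaves with the port the client actually dialled."""
    if pkt.src == SERVER_IP and pkt.sport == translated_port:
        return pkt._replace(src=PUBLIC_IP, sport=8181)
    return pkt

def listening_ports(ss_output):
    """Local TCP ports in LISTEN state, parsed from `ss -ltn` output."""
    ports = set()
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def round_trip(client_ip, ss_output, translated_port):
    """Simulate a client SYN to public:8181 and the server's reply. ok is False
    when nothing listens on the translated port (the thread's root cause) or
    when the reply is not mapped back to the 5-tuple the client opened."""
    syn = Packet(client_ip, 50000, PUBLIC_IP, 8181)
    inside = ingress_nat(syn, translated_port)
    if inside.dport not in listening_ports(ss_output):
        return False, inside
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    outside = egress_nat(reply, translated_port)
    ok = (outside.dst, outside.dport, outside.src, outside.sport) == (syn.src, syn.sport, syn.dst, syn.dport)
    return ok, outside

# Constructed `ss -ltn` sample: sshd on 22 and the web app on 80, nothing on 8181.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
"""
```

Running `round_trip` with `translated_port=8181` reproduces the original failure (nothing listens on 8181), while `translated_port=80` reproduces the working ingress/egress pair.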
 

Author Comment

by:tlu2929
ID: 34095874
I get an error when attempting to change the translated service in NAT: Unknown Service class
0
 
LVL 33

Expert Comment

by:digitap
ID: 34096414
sorry, just got back from lunch.  review this KB.  it explains what's going on with the error.  easy fix.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6638
0
 

Author Closing Comment

by:tlu2929
ID: 34096993
Worked like a charm, thanks very much.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34097129
you're welcome...glad i could help and thanks for the points!
0
