Solved

Port 21 to Port 2121 NAT policy issue on Sonicwall Pro 3060, Sonic Enhanced OS

Posted on 2010-11-17
5
1,551 Views
Last Modified: 2012-05-10
Sonicwall 3060 Pro
SonicOS Enhanced 4.2.0.0-10e
Filezilla Server 0.9.34 beta

I have a Filezilla FTP server that is listening on port 2121.  I want to setup port forwarding as such that when someone hits this FTP server on port 21 it is translated to 2121, therefore the FTP server in question will service the request.  This way I don't need to tell our users to connect on port 2121 rather than 21.

Currently, if I hit the FTP server in question on port 2121 directly, it services the request just fine.  However, if I hit the FTP server on port 21 the firewall blocks the request.  In the firewall log I am able to see that the request gets translated to port 2121, but is blocked by the firewall "deny all" rule.  I have posted my NAT policies and Access Rules below.  I have also posted the log entry from the firewall that shows the blocked TCP traffic.

NAT policies:

NAT Policy #1
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: TCP port 21
Translated Service: TCP port 2121
Interface Inbound: Any
Interface Outbound: Any
Priority: 13

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: Any
Translated Service: Original
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

Firewall Access Rules:

Access Rule #1
WAN > LAN
Source: Any
Destination: <FTP site WAN IP>
Service: TCP Port 2121
Action: Allow
Users: All

Firewall Log Entry:
Priority: Notice
Category: Network Access
Message: TCP Connection dropped
Source: <WAN IP of person attempting to connect to ftp server>, 3555, X1
Destination: <FTP site LAN IP>, 2121, X0
Notes: TCP FTP 2121 (which is the name of the port 21 service on the firewall)


Any ideas would be much appreciated.  I'm stumped.  Thanks!
0
Comment
Question by:rotech_IT
  • 3
  • 2
5 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34159794
go to firewall > access rules.  then go to WAN > LAN.  change the priority of your firewall rule to be BEFORE the deny all.  you'll see a set of arrows up and down for each rule.  use those to move the rule up and down in the list.
0
 
LVL 5

Author Comment

by:rotech_IT
ID: 34159845
Thanks.  I checked the priority of the rule and it is before the deny all rule.  Any other ideas?
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34160072
Review the NAT policy below:

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: 2121
Translated Service: 21
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

You need to make sure that your policy NATs from port 2121 BACK to port 21.  also, you need to confirm that your firewall allows port 21 not port 21.
0
 
LVL 5

Author Comment

by:rotech_IT
ID: 34169899
To clarify, along with all the other steps above......

I had to allow port 21 and port 2121 in the WAN>LAN zone.
I added a NAT policy from port 2121 back to port 21.

Thanks much digitap
0
 
LVL 33

Expert Comment

by:digitap
ID: 34170374
you're welcome.  thanks for the added steps and for the points!
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Pfsense & Black list. 2 108
Sonicwall Wireless Subinterface not working 2 60
Cisco ASA 5506 4 50
ipsec tunnel comme not up 10 80
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now