Solved

Port 21 to Port 2121 NAT policy issue on Sonicwall Pro 3060, Sonic Enhanced OS

Posted on 2010-11-17
Last Modified: 2012-05-10
Sonicwall 3060 Pro
SonicOS Enhanced 4.2.0.0-10e
Filezilla Server 0.9.34 beta

I have a Filezilla FTP server that is listening on port 2121. I want to set up port forwarding such that when someone hits this FTP server on port 21 it is translated to 2121, so the FTP server in question will service the request. This way I don't need to tell our users to connect on port 2121 rather than 21.

Currently, if I hit the FTP server in question on port 2121 directly, it services the request just fine. However, if I hit the FTP server on port 21 the firewall blocks the request. In the firewall log I am able to see that the request gets translated to port 2121, but is blocked by the firewall "deny all" rule. I have posted my NAT policies and Access Rules below. I have also posted the log entry from the firewall that shows the blocked TCP traffic.

NAT policies:

NAT Policy #1
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: TCP port 21
Translated Service: TCP port 2121
Interface Inbound: Any
Interface Outbound: Any
Priority: 13

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: Any
Translated Service: Original
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

Firewall Access Rules:

Access Rule #1
WAN > LAN
Source: Any
Destination: <FTP site WAN IP>
Service: TCP Port 2121
Action: Allow
Users: All

Firewall Log Entry:
Priority: Notice
Category: Network Access
Message: TCP Connection dropped
Source: <WAN IP of person attempting to connect to ftp server>, 3555, X1
Destination: <FTP site LAN IP>, 2121, X0
Notes: TCP FTP 2121 (which is the name of the port 21 service on the firewall)


Any ideas would be much appreciated. I'm stumped. Thanks!
Question by:rotech_IT
5 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34159794
Go to Firewall > Access Rules, then go to WAN > LAN. Change the priority of your firewall rule to be BEFORE the deny all. You'll see a set of arrows up and down for each rule; use those to move the rule up and down in the list.
 
LVL 5

Author Comment

by:rotech_IT
ID: 34159845
Thanks. I checked the priority of the rule and it is before the deny all rule. Any other ideas?
 
LVL 33

Accepted Solution

by: digitap (earned 500 total points)
ID: 34160072
Review the NAT policy below:

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: 2121
Translated Service: 21
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

You need to make sure that your policy NATs from port 2121 BACK to port 21. Also, you need to confirm that your firewall allows port 21 not port 21.
 
LVL 5

Author Comment

by:rotech_IT
ID: 34169899
To clarify, along with all the other steps above...

I had to allow port 21 and port 2121 in the WAN>LAN zone.
I added a NAT policy from port 2121 back to port 21.

Thanks much digitap
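As an added illustration (not part of the thread or of SonicOS), here is a small Python model of the inbound packet path the question and accepted answer describe: the NAT table is searched by priority, then the WAN > LAN access rule is matched against the original, pre-translation destination and service. That evaluation order and the two IP addresses are assumptions made for the model, not taken from vendor documentation; it reproduces why a rule allowing only TCP 2121 drops port-21 connections while the translated destination still shows up as LAN IP:2121 in the log, and why allowing port 21 fixes it.

```python
# Simplified model of the inbound packet path discussed in this thread. Assumed
# order (an assumption for illustration, not vendor documentation): the NAT
# table is searched by priority, then the WAN > LAN access rule is matched
# against the ORIGINAL destination and service, i.e. before translation.
from dataclasses import dataclass

WAN_IP = "203.0.113.10"  # constructed placeholder for <FTP site WAN IP>
LAN_IP = "192.168.1.20"  # constructed placeholder for <FTP site LAN IP>
ANY = "any"

@dataclass
class NatPolicy:
    priority: int       # lower number wins, as in the thread (13 before 93)
    orig_dst: str
    trans_dst: str
    orig_port: object   # int or ANY
    trans_port: object  # int or "original"

@dataclass
class AccessRule:
    dst: str            # IP or ANY
    port: object        # int or ANY
    action: str         # "allow" or "deny"

def find_nat(policies, dst, port):
    """Return (dst, port) after the first matching NAT policy by priority."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.orig_dst == dst and p.orig_port in (ANY, port):
            return p.trans_dst, port if p.trans_port == "original" else p.trans_port
    return dst, port

def evaluate(policies, rules, dst, port):
    """Decide a WAN-side packet: (action, translated_dst, translated_port)."""
    t_dst, t_port = find_nat(policies, dst, port)
    for r in rules:  # first match wins; the trailing deny-all catches the rest
        if r.dst in (ANY, dst) and r.port in (ANY, port):
            return r.action, t_dst, t_port
    return "deny", t_dst, t_port

# NAT policies #1 and #2 from the question
NAT = [NatPolicy(13, WAN_IP, LAN_IP, 21, 2121),
       NatPolicy(93, WAN_IP, LAN_IP, ANY, "original")]
DENY_ALL = AccessRule(ANY, ANY, "deny")
# Access rule set from the question: only TCP 2121 allowed to the WAN IP
RULES_BEFORE = [AccessRule(WAN_IP, 2121, "allow"), DENY_ALL]
# Rule set after the fix in the thread: TCP 21 (the pre-NAT service) allowed too
RULES_AFTER = [AccessRule(WAN_IP, 21, "allow"),
               AccessRule(WAN_IP, 2121, "allow"), DENY_ALL]
if __name__ == "__main__":
    print(evaluate(NAT, RULES_BEFORE, WAN_IP, 21))  # ('deny', '192.168.1.20', 2121)
    print(evaluate(NAT, RULES_AFTER, WAN_IP, 21))   # ('allow', '192.168.1.20', 2121)
```

The first call mirrors the dropped log entry in the question (translated destination LAN IP, port 2121, yet denied); the second shows the same packet passing once the original service, port 21, is allowed.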
 
LVL 33

Expert Comment

by:digitap
ID: 34170374
You're welcome. Thanks for the added steps and for the points!
