Port 21 to Port 2121 NAT policy issue on Sonicwall Pro 3060, Sonic Enhanced OS

Posted on 2010-11-17
Last Modified: 2012-05-10
Sonicwall 3060 Pro
SonicOS Enhanced 4.2.0.0-10e
Filezilla Server 0.9.34 beta

I have a FileZilla FTP server that is listening on port 2121.  I want to set up port forwarding such that when someone hits this FTP server on port 21 it is translated to 2121, so the FTP server in question will service the request.  This way I don't need to tell our users to connect on port 2121 rather than 21.

Currently, if I hit the FTP server in question on port 2121 directly, it services the request just fine.  However, if I hit the FTP server on port 21 the firewall blocks the request.  In the firewall log I am able to see that the request gets translated to port 2121, but is blocked by the firewall "deny all" rule.  I have posted my NAT policies and Access Rules below.  I have also posted the log entry from the firewall that shows the blocked TCP traffic.

NAT policies:

NAT Policy #1
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: TCP port 21
Translated Service: TCP port 2121
Interface Inbound: Any
Interface Outbound: Any
Priority: 13

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: Any
Translated Service: Original
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

Firewall Access Rules:

Access Rule #1
WAN > LAN
Source: Any
Destination: <FTP site WAN IP>
Service: TCP Port 2121
Action: Allow
Users: All

Firewall Log Entry:
Priority: Notice
Category: Network Access
Message: TCP Connection dropped
Source: <WAN IP of person attempting to connect to ftp server>, 3555, X1
Destination: <FTP site LAN IP>, 2121, X0
Notes: TCP FTP 2121 (which is the name of the port 21 service on the firewall)


Any ideas would be much appreciated.  I'm stumped.  Thanks!
Question by: rotech_IT
Expert Comment by: digitap (ID: 34159794)
Go to Firewall > Access Rules, then go to WAN > LAN.  Change the priority of your firewall rule so that it is BEFORE the deny all.  You'll see a set of up and down arrows for each rule; use those to move the rule up and down in the list.
Author Comment by: rotech_IT (ID: 34159845)
Thanks.  I checked the priority of the rule and it is before the deny all rule.  Any other ideas?
Accepted Solution by: digitap (earned 500 total points, ID: 34160072)
Review the NAT policy below:

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: 2121
Translated Service: 21
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

You need to make sure that your policy NATs from port 2121 BACK to port 21.  Also, you need to confirm that your firewall allows port 21 not port 21.
Author Comment by: rotech_IT (ID: 34169899)
To clarify, along with all the other steps above:

I had to allow port 21 and port 2121 in the WAN>LAN zone.
I added a NAT policy from port 2121 back to port 21.

Thanks much digitap
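Once the NAT policies and access rules are in place, the quickest way to confirm the fix is to connect to the FTP site's WAN IP on both port 21 and port 2121 from outside and compare the FTP greetings: if the port-21-to-2121 translation and its access rule work, both ports return the same "220" banner, and a connection still caught by the deny-all rule shows up as a timeout (the "TCP Connection dropped" log entry above) rather than a greeting.  The script below is an added example written for this thread, not something posted by rotech_IT or digitap and not a SonicWall tool; it assumes the FTP server sends a standard "220 ..." greeting on connect (FileZilla Server does), and the stub server and its banner text are constructed here so the example runs offline.

```python
"""Check that an FTP port forward answers on both the public port and the
server's real port.  This does not touch the firewall; it talks FTP to the
host/port you give it and reports the 220 greeting or the failure.

Assumption: the FTP server greets with a "220 ..." line on connect.
The stub server below is a constructed stand-in for the offline demo.
"""
import socket
import socketserver
import threading


def ftp_banner(host, port, timeout=5.0):
    """Connect, read the greeting line, send QUIT, return the greeting.

    Returns the 220 line on success, or a string starting with "FAIL:"
    describing what went wrong.  A connection silently dropped by a
    firewall rule typically shows up here as a timeout; a closed port
    shows up as a refused connection.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            greeting = s.makefile("rb").readline().decode("ascii", "replace").strip()
            if not greeting.startswith("220"):
                return "FAIL: unexpected greeting %r" % greeting
            s.sendall(b"QUIT\r\n")  # be polite to the server's connection limit
            return greeting
    except socket.timeout:
        return "FAIL: timed out (typical of a firewall drop)"
    except OSError as e:
        return "FAIL: %s" % e


def check_forward(host, public_port=21, real_port=2121):
    """Return {port: greeting-or-failure} for the public and real ports.

    Both entries should carry the same 220 banner when the NAT policy and
    the matching access rule are correct.
    """
    return {p: ftp_banner(host, p) for p in (public_port, real_port)}


class _StubFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control channel: send a greeting, answer QUIT (constructed stub)."""

    def handle(self):
        self.wfile.write(b"220 stub FTP server ready\r\n")
        line = self.rfile.readline()
        if line.strip().upper() == b"QUIT":
            try:
                self.wfile.write(b"221 Goodbye\r\n")
            except OSError:
                pass  # client may already have closed the socket


def start_stub_ftp(port=0):
    """Start a throwaway FTP-greeting server on 127.0.0.1; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), _StubFtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Real check: python ftp_forward_check.py <FTP site WAN IP>
        for port, result in check_forward(sys.argv[1]).items():
            print("port %5d: %s" % (port, result))
    else:
        # No target given: demonstrate against the local stub instead.
        srv, port = start_stub_ftp()
        print("stub on port %d: %s" % (port, ftp_banner("127.0.0.1", port)))
        srv.shutdown()
        srv.server_close()
```

Run it from a host on the WAN side of the SonicWall with the FTP site's WAN IP as the argument; run it with no argument to exercise the stub.  Only the control channel is checked here, so a clean result on both ports says the port-21 forward and its access rule are right, nothing more.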
Expert Comment by: digitap (ID: 34170374)
You're welcome.  Thanks for the added steps and for the points!