[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Port 21 to Port 2121 NAT policy issue on Sonicwall Pro 3060, Sonic Enhanced OS

Posted on 2010-11-17
5
Medium Priority
?
1,588 Views
Last Modified: 2012-05-10
Sonicwall 3060 Pro
SonicOS Enhanced 4.2.0.0-10e
Filezilla Server 0.9.34 beta

I have a Filezilla FTP server that is listening on port 2121.  I want to setup port forwarding as such that when someone hits this FTP server on port 21 it is translated to 2121, therefore the FTP server in question will service the request.  This way I don't need to tell our users to connect on port 2121 rather than 21.

Currently, if I hit the FTP server in question on port 2121 directly, it services the request just fine.  However, if I hit the FTP server on port 21 the firewall blocks the request.  In the firewall log I am able to see that the request gets translated to port 2121, but is blocked by the firewall "deny all" rule.  I have posted my NAT policies and Access Rules below.  I have also posted the log entry from the firewall that shows the blocked TCP traffic.

NAT policies:

NAT Policy #1
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: TCP port 21
Translated Service: TCP port 2121
Interface Inbound: Any
Interface Outbound: Any
Priority: 13

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: Any
Translated Service: Original
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

Firewall Access Rules:

Access Rule #1
WAN > LAN
Source: Any
Destination: <FTP site WAN IP>
Service: TCP Port 2121
Action: Allow
Users: All

Firewall Log Entry:
Priority: Notice
Category: Network Access
Message: TCP Connection dropped
Source: <WAN IP of person attempting to connect to ftp server>, 3555, X1
Destination: <FTP site LAN IP>, 2121, X0
Notes: TCP FTP 2121 (which is the name of the port 21 service on the firewall)


Any ideas would be much appreciated.  I'm stumped.  Thanks!
0
Comment
Question by:rotech_IT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34159794
go to firewall > access rules.  then go to WAN > LAN.  change the priority of your firewall rule to be BEFORE the deny all.  you'll see a set of arrows up and down for each rule.  use those to move the rule up and down in the list.
0
 
LVL 5

Author Comment

by:rotech_IT
ID: 34159845
Thanks.  I checked the priority of the rule and it is before the deny all rule.  Any other ideas?
0
 
LVL 33

Accepted Solution

by:
digitap earned 2000 total points
ID: 34160072
Review the NAT policy below:

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: 2121
Translated Service: 21
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

You need to make sure that your policy NATs from port 2121 BACK to port 21.  also, you need to confirm that your firewall allows port 21 not port 21.
0
 
LVL 5

Author Comment

by:rotech_IT
ID: 34169899
To clarify, along with all the other steps above......

I had to allow port 21 and port 2121 in the WAN>LAN zone.
I added a NAT policy from port 2121 back to port 21.

Thanks much digitap
0
 
LVL 33

Expert Comment

by:digitap
ID: 34170374
you're welcome.  thanks for the added steps and for the points!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question