Solved

Port 21 to Port 2121 NAT policy issue on Sonicwall Pro 3060, Sonic Enhanced OS

Posted on 2010-11-17
1,540 Views
Last Modified: 2012-05-10
Sonicwall 3060 Pro
SonicOS Enhanced 4.2.0.0-10e
Filezilla Server 0.9.34 beta

I have a Filezilla FTP server that is listening on port 2121.  I want to set up port forwarding such that when someone hits this FTP server on port 21 it is translated to 2121, so the FTP server in question will service the request.  This way I don't need to tell our users to connect on port 2121 rather than 21.

Currently, if I hit the FTP server in question on port 2121 directly, it services the request just fine.  However, if I hit the FTP server on port 21 the firewall blocks the request.  In the firewall log I am able to see that the request gets translated to port 2121, but is blocked by the firewall "deny all" rule.  I have posted my NAT policies and Access Rules below.  I have also posted the log entry from the firewall that shows the blocked TCP traffic.

NAT policies:

NAT Policy #1
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: TCP port 21
Translated Service: TCP port 2121
Interface Inbound: Any
Interface Outbound: Any
Priority: 13

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: Any
Translated Service: Original
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

Firewall Access Rules:

Access Rule #1
WAN > LAN
Source: Any
Destination: <FTP site WAN IP>
Service: TCP Port 2121
Action: Allow
Users: All

Firewall Log Entry:
Priority: Notice
Category: Network Access
Message: TCP Connection dropped
Source: <WAN IP of person attempting to connect to ftp server>, 3555, X1
Destination: <FTP site LAN IP>, 2121, X0
Notes: TCP FTP 2121 (which is the name of the port 21 service on the firewall)


Any ideas would be much appreciated.  I'm stumped.  Thanks!
Question by: rotech_IT

5 Comments
Expert Comment by digitap (LVL 33), ID: 34159794
Go to Firewall > Access Rules.  Then go to WAN > LAN.  Change the priority of your firewall rule to be BEFORE the deny all.  You'll see a set of arrows up and down for each rule.  Use those to move the rule up and down in the list.

Author Comment by rotech_IT (LVL 5), ID: 34159845
Thanks.  I checked the priority of the rule and it is before the deny all rule.  Any other ideas?

Accepted Solution by digitap (LVL 33), earned 500 total points, ID: 34160072
Review the NAT policy below:

NAT policy #2
Source: Any
Translated Source: Original
Original Destination: <FTP site WAN IP>
Translated Destination: <FTP site LAN IP>
Original Service: 2121
Translated Service: 21
Interface Inbound: Any
Interface Outbound: Any
Priority: 93

You need to make sure that your policy NATs from port 2121 BACK to port 21.  Also, you need to confirm that your firewall allows port 21 not port 21.

Author Comment by rotech_IT (LVL 5), ID: 34169899
To clarify, along with all the other steps above...

I had to allow port 21 and port 2121 in the WAN>LAN zone.
I added a NAT policy from port 2121 back to port 21.

Thanks much digitap
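The thread ends with three configuration items for a port-translating inbound forward: the forward NAT policy (21 to 2121), a reverse NAT policy (2121 back to 21), and WAN > LAN allow rules for both ports. The following script is an added example, not from the thread or from SonicWall, that checks a configuration list against those three items so a missing piece is spotted before a connection is dropped. The dict field names, the `nat()` and `rule()` helpers, and the placeholder addresses are assumptions modelled on the thread's own wording, not SonicOS's configuration format.

```python
# Added example: consistency check for a port-translating inbound NAT forward,
# modelled on what this thread needed (WAN port 21 -> LAN port 2121).
# Field names and helpers are assumptions, not SonicOS's configuration format.

from typing import Dict, List

Policy = Dict[str, object]

# Placeholders standing in for the thread's redacted addresses (constructed).
WAN_IP = "<FTP site WAN IP>"
LAN_IP = "<FTP site LAN IP>"


def nat(orig_dst: str, trans_dst: str, orig_svc, trans_svc, priority: int) -> Policy:
    """Build a NAT policy dict in the shape the thread lists them."""
    return {"original_destination": orig_dst, "translated_destination": trans_dst,
            "original_service": orig_svc, "translated_service": trans_svc,
            "priority": priority}


def rule(zone: str, dst: str, svc, action: str = "Allow") -> Policy:
    """Build an access rule dict; zone is written like the thread, e.g. 'WAN > LAN'."""
    return {"zone": zone, "destination": dst, "service": svc, "action": action}


def _allows(rules: List[Policy], dst: str, port) -> bool:
    """True if some WAN > LAN rule explicitly allows this destination and port."""
    return any(r["zone"] == "WAN > LAN" and r["action"] == "Allow"
               and r["destination"] == dst and r["service"] == port
               for r in rules)


def missing_pieces(nat_policies: List[Policy], rules: List[Policy]) -> List[str]:
    """Return human-readable gaps for every NAT policy that changes the port.

    Encodes the three things the thread ended up needing:
      1. the forward policy itself (original port -> translated port),
      2. a reverse policy mapping the translated port back to the original,
      3. WAN > LAN allow rules for BOTH the original and translated service.
    """
    gaps: List[str] = []
    for p in nat_policies:
        o, t = p["original_service"], p["translated_service"]
        if t in ("Original", o):
            continue  # not a port-changing forward (e.g. the catch-all policy); nothing to check
        tag = f"{o}->{t}"
        # 2. a policy translating the new port back to the original one
        reverse = [q for q in nat_policies
                   if q["original_service"] == t and q["translated_service"] == o]
        if not reverse:
            gaps.append(f"{tag}: no reverse NAT policy translating port {t} back to {o}")
        # 3. explicit allow rules for both the original and the translated port
        for port in (o, t):
            if not _allows(rules, p["original_destination"], port):
                gaps.append(f"{tag}: no WAN > LAN allow rule for TCP port {port} "
                            f"to {p['original_destination']}")
    return gaps


# The original poster's configuration as listed in the question (constructed
# from the thread; the catch-all policy #2 is kept as-is).
ORIGINAL_NAT = [
    nat(WAN_IP, LAN_IP, 21, 2121, priority=13),
    nat(WAN_IP, LAN_IP, "Any", "Original", priority=93),
]
ORIGINAL_RULES = [rule("WAN > LAN", WAN_IP, 2121)]

# The configuration after the accepted answer and the author's follow-up:
# reverse NAT policy added, and port 21 allowed alongside 2121.
FIXED_NAT = ORIGINAL_NAT + [nat(WAN_IP, LAN_IP, 2121, 21, priority=93)]
FIXED_RULES = ORIGINAL_RULES + [rule("WAN > LAN", WAN_IP, 21)]

if __name__ == "__main__":
    for label, n, r in (("original", ORIGINAL_NAT, ORIGINAL_RULES),
                        ("fixed", FIXED_NAT, FIXED_RULES)):
        print(label, missing_pieces(n, r) or ["OK"])
```

Run against the question's configuration it reports the two gaps the accepted answer identified (no reverse policy, no allow rule for port 21); run against the corrected configuration it reports nothing. The check deliberately treats the reverse policy as just another port-changing policy, so it is held to the same rule-coverage requirement.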
Expert Comment by digitap (LVL 33), ID: 34170374
You're welcome.  Thanks for the added steps and for the points!