Setup NAT on Sonicwall TZ170

We have set up a device internally (192.168.4.191:5001) and I need to set up access to it from outside the office.

We have a Sonicwall TZ 170 with the Enhanced OS v3.2.3.

I know I have to set up the following:
* address object for the device (done by IP, not MAC)
* service for the device for port 5001 on both UDP and TCP (done)
* NAT policy for routing (done, but I may have done it wrong)
* WAN>LAN firewall rule for the service (done, but I may have done it wrong)

We don't need a LAN>WAN rule for the firewall as we don't block anything outbound.

I am able to access it internally with no problems but I get Page Cannot Be Displayed when I try from outside.

How should the NAT policy and firewall rule be set up?

Thanks in advance!
fuzzysneekersAsked:

digitapCommented:
What I'd recommend is to use the Public Server Wizard. However, it seems you have most of it configured at this point. What I can see you need is a reciprocal NAT policy: you need two NAT policies, WAN > LAN and LAN > WAN. Additionally, you are correct regarding the firewall rule...you only need WAN > LAN.

The NAT should look like this.

WAN > LAN
Source Original: Any
Source Translated: Original
Destination Original: WAN Primary IP
Destination Translated: Address Object on LAN
Service Original: Original
Service Translated: Address object for port 5001

LAN > WAN
Source Original: Address Object on LAN
Source Translated: WAN Primary IP
Destination Original: Any
Destination Translated: Original
Service Original: Original
Service Translated: Address object for port 5001

The Public Server Wizard will create these NAT policies in addition to a loopback policy. In this case you don't need a loopback policy. If, after you've added the reciprocal NAT policy, it still doesn't work, then I'd recommend deleting the address object for the LAN host, the firewall rules and the NAT policies, and running the Public Server Wizard. When you run the wizard, select the address object you created for port 5001.

Question: regarding the service port, since you've specified TCP and UDP, you must have more than one service object, right? If so, did you create a service group representing both objects?

fuzzysneekersAuthor Commented:
Hi digitap,

Yes, we have a service group with both protocols in it.  That's what I used for the NAT policy.  We weren't sure if the DVR units (security cameras) used TCP or UDP so we wanted to cover both.

I looked at my NAT policies, I only have the first so I'll setup the second.  Mine looks a bit different though, for the Original Service I have the DVR service group and for the Translated Service I have Original.

I'll try setting up the second policy and post back.

Cheers

digitapCommented:
Yes, I have referenced the service incorrectly. You have it right.

Service Original: Service Group
Service Translated: Original.

Sorry about that.

fuzzysneekersAuthor Commented:
Hi digitap,

I figured out where I made the mistakes.

When I setup the WAN>LAN policy, I had the wrong original destination set.

Also, when I setup the firewall rule, I set the destination as the DVR device rather than the WAN Primary IP so the NAT policy never took over.

I made these two corrections without setting up the second NAT policy and it's working like a charm.

Thank you!!!!!!!
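The two mistakes described above (a wrong Original Destination on the NAT policy, and a firewall rule whose destination was the DVR's private address instead of the WAN Primary IP) both come down to the same point: the inbound packet from an outside client carries the public address as its destination, so both the WAN > LAN access rule and the NAT policy's Original Destination have to match that public address, and only the NAT policy's Translated Destination names the DVR. The following is an added example, not code from the thread or from SonicWall, that models this inbound path in Python so the failure can be reproduced and the corrected rule checked against it. It assumes a placeholder public address 203.0.113.10 (RFC 5737 documentation range) and a constructed outside client 198.51.100.7; the rule-before-translation ordering is the assumption the thread's fix relies on, not a SonicOS implementation detail taken from the page.

```python
# Added example, not from the original thread or from SonicWall: a small model
# of how an inbound NAT policy and a WAN>LAN access rule combine for the DVR
# at 192.168.4.191:5001. It encodes the assumption behind the thread's fix:
# the access rule is matched against the packet as it arrives (pre-NAT
# destination, i.e. the WAN Primary IP), and only then does the NAT policy
# rewrite the destination to the LAN host. 203.0.113.10 is an assumed
# placeholder public address (RFC 5737), not a value from the thread.
from dataclasses import dataclass, replace

WAN_PRIMARY_IP = "203.0.113.10"    # assumed placeholder for the firewall's WAN address
DVR_IP = "192.168.4.191"           # the DVR's LAN address from the thread
DVR_PORT = 5001

# The asker's "DVR" service group: port 5001 on both TCP and UDP.
DVR_SERVICE_GROUP = frozenset({("tcp", DVR_PORT), ("udp", DVR_PORT)})


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class NatPolicy:
    """WAN > LAN NAT policy. Fields mirror the Original/Translated columns;
    Source Translated and Service Translated are both 'Original' here."""
    dst_original: str            # WAN Primary IP
    dst_translated: str          # address object for the DVR
    service_original: frozenset  # the DVR service group

    def apply(self, pkt: Packet) -> Packet:
        if pkt.dst_ip == self.dst_original and (pkt.proto, pkt.dst_port) in self.service_original:
            return replace(pkt, dst_ip=self.dst_translated)
        return pkt               # no match: packet is left untranslated


@dataclass(frozen=True)
class AccessRule:
    """WAN > LAN access rule: Source Any, Destination dst_ip, Service services."""
    dst_ip: str
    services: frozenset
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == self.dst_ip and (pkt.proto, pkt.dst_port) in self.services


def inbound(pkt: Packet, rule: AccessRule, nat: NatPolicy):
    """Model of the inbound path: rule lookup on the arriving packet first,
    NAT translation second. Returns (verdict, packet as delivered)."""
    if not (rule.matches(pkt) and rule.action == "allow"):
        return "dropped", pkt
    return "forwarded", nat.apply(pkt)


DVR_NAT = NatPolicy(dst_original=WAN_PRIMARY_IP,
                    dst_translated=DVR_IP,
                    service_original=DVR_SERVICE_GROUP)

# The asker's first attempt: rule destination set to the DVR itself.
RULE_WRONG = AccessRule(dst_ip=DVR_IP, services=DVR_SERVICE_GROUP)
# The corrected rule: destination is the WAN Primary IP, which is what an
# outside client actually puts in the packet it sends.
RULE_FIXED = AccessRule(dst_ip=WAN_PRIMARY_IP, services=DVR_SERVICE_GROUP)


def scenarios():
    """Send a TCP and a UDP attempt from a constructed outside client through
    both rule variants. Returns {label: (verdict, delivered packet)}."""
    results = {}
    for proto in ("tcp", "udp"):
        arriving = Packet("198.51.100.7", WAN_PRIMARY_IP, proto, DVR_PORT)  # constructed client
        results[f"wrong-rule/{proto}"] = inbound(arriving, RULE_WRONG, DVR_NAT)
        results[f"fixed-rule/{proto}"] = inbound(arriving, RULE_FIXED, DVR_NAT)
    # A port outside the service group must stay closed even with the fixed rule.
    stray = Packet("198.51.100.7", WAN_PRIMARY_IP, "tcp", 5002)
    results["fixed-rule/tcp-5002"] = inbound(stray, RULE_FIXED, DVR_NAT)
    return results


if __name__ == "__main__":
    for label, (verdict, pkt) in scenarios().items():
        print(f"{label:20s} {verdict:9s} -> {pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}")
```

Running it shows the arriving packet (destination 203.0.113.10:5001) never matches a rule whose destination is 192.168.4.191, so it is dropped before the NAT policy is consulted; with the destination changed to the WAN Primary IP the rule matches and the NAT policy delivers the packet to 192.168.4.191:5001 for both protocols in the service group, while a stray port such as 5002 is still dropped.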
digitapCommented:
Great...glad I could help, and thanks for the points!
fuzzysneekersAuthor Commented:
I made an error in the firewall rule setup, digitap helped me find the error on the NAT policy and I found the other mistake when I was double checking everything.