yodasbrother
asked on

NAT Public IP to Private IP behind SonicWall TZ210 and Cable Modem

I need to "map" a public IP address to a phone system on the private network. The firewall is a SonicWall TZ210, and the primary WAN interface "X1" has a "many to one" NAT policy applied to it for internet access of the LAN computers. When I set up a standard "one to one" NAT policy to NAT the internal phone system to a second WAN IP address, the network traffic is not being forwarded correctly by the ISP's modem. The ISP technician says that their modem cannot distinguish between two IP addresses when they are coming from the same physical port. Somehow I need to map this second WAN IP address to a second MAC address coming out of this TZ210. Has anybody ever done this before? When I try to apply the second WAN IP to another port, "X3" for example, I receive a "this subnet has already been used" error and it will not let me do that.
Tags: Hardware Firewalls, TCP/IP, Networking

Last comment: yodasbrother, 8/22/2022 (Mon)
crouthamela

Could you provide some more details on the exact configuration you have? Also, are you using the Public Server Wizard or creating a manual NAT? I always suggest using the Wizard, as it creates the appropriate firewall rules for you along with the NAT.

I have done a NAT such as this, for example, when X1 has an IP block passed to it through a modem in bridge mode. The SonicWall got assigned one of the IPs in the block, and all I had to do was use the Public Server Wizard to NAT an internal server to one of the other public IPs available in the block.

If you could provide the subnets used and what mode the modem is in, that would help with determining what we can configure.
Aaron Tomosky

Agreed. Use one wire for the WAN, use the Server Wizard, choose Other, and select the ports you need.
PawanHarle

Hi,

Please tell me the subnet of the IP given by your ISP.
Also tell me, when you do one-to-one static NAT, are you able to ping that IP from the internet?

Regards,
Pawan
yodasbrother

ASKER
Thanks for the quick responses. Here are more details:

They were using a Motorola DSL modem and I have not a clue what mode it is in. They have switched out the modem to see if it would fix the issue, but it has not. We do not have access to configure this modem.

The public IP of the TZ210 is 24.140.156.149 with a subnet mask of 255.255.254.0, and the default gateway is 24.140.156.1. The second WAN IP address is 24.140.156.178. Both IP addresses are pingable, but the ISP says they do not always allow pings to go through, so you cannot rely on it.

I did not use the wizard; I just manually set up two NAT policies. They are:

Phone Private - Phone Public, any - original, any - original, X0 - X1

and then the reflective:

any - original, Phone Public - Phone Private, any - original, X1 - any

I also added the access rule to allow all to the Phone Public address from WAN to LAN. We did extensive testing with this setup, and the ISP is dropping outbound packets from the second WAN IP address. I sent the config to SonicWall support and they say the config for the NAT policy is correct. We have upgraded to the current latest firmware, which is 5.8.

We added a switch between the SonicWall and the modem for this testing and placed a computer there with an IP address that the ISP provided for us. This computer could access the inside device perfectly with the NAT policy and access rule used above, so it really is not a case of a misconfigured NAT policy. We did Wireshark captures from the middle computer, and it looks like about 30% of the outbound packets from the second WAN IP address make it to their destination.

The ISP has recommended using a second physical interface with a unique MAC address for the phone system, or just connecting the phone system to the switch that is currently there. They say their modem just is not able to handle traffic from multiple IP addresses using the same MAC address.

If we can get it to work by keeping the phone system on the private IP address, then the phone people do not need to come back out to reconfigure it.

yodasbrother

ASKER
I found that I could go to Network > ARP in the TZ210 and attach a MAC address to the public phone IP address. This seems to be working better. Is this correct?
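The two posts above describe the check that actually settles this kind of dispute with an ISP: capture on the switch between the firewall and the modem and look at which source MAC each public IP is leaving from, and how much traffic comes back per IP. The following script is an added example (not from the thread or from SonicWall) that parses `tcpdump -e -nn` style lines and answers both questions. The capture lines are constructed, the MAC addresses are assumed placeholders, and the 203.0.113.x / 198.51.100.x hosts are documentation addresses; only the two public IPs come from the thread. The second "after" capture shows the condition the ISP asked for (each public IP on its own MAC), not a claim about what the ARP entry on the TZ210 does.

```python
"""Per-public-IP source MAC and reply ratio from a tcpdump -e capture.

Added example for the thread above; not from the original page.
Run with: python3 this_file.py
"""
import re
from collections import Counter, defaultdict

# Assumed placeholder MACs (not from the thread).
FW_MAC = "00:17:c5:aa:bb:01"   # firewall X1 interface
GW_MAC = "00:01:5c:dd:ee:02"   # ISP gateway / modem
ALT_MAC = "00:17:c5:aa:bb:02"  # a second MAC for the phone's public IP

# Public IPs from the thread.
PUBLIC_IPS = {"24.140.156.149", "24.140.156.178"}

# Constructed sample: tcpdump -e -nn output as seen on the switch between
# the firewall and the modem. .149 gets a reply for every SYN; .178 sends
# six SIP packets and only two answers come back.
SAMPLE_CAPTURE = f"""\
10:00:01.000 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 74: 24.140.156.149.51000 > 203.0.113.10.443: Flags [S], seq 1
10:00:01.020 {GW_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 74: 203.0.113.10.443 > 24.140.156.149.51000: Flags [S.], seq 2, ack 2
10:00:02.000 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 74: 24.140.156.149.51001 > 203.0.113.10.443: Flags [S], seq 1
10:00:02.020 {GW_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 74: 203.0.113.10.443 > 24.140.156.149.51001: Flags [S.], seq 2, ack 2
10:00:03.000 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 74: 24.140.156.149.51002 > 203.0.113.10.443: Flags [S], seq 1
10:00:03.020 {GW_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 74: 203.0.113.10.443 > 24.140.156.149.51002: Flags [S.], seq 2, ack 2
10:00:04.000 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 600: 24.140.156.178.5060 > 198.51.100.20.5060: UDP, length 558
10:00:04.500 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 600: 24.140.156.178.5060 > 198.51.100.20.5060: UDP, length 558
10:00:05.000 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 600: 24.140.156.178.5060 > 198.51.100.20.5060: UDP, length 558
10:00:05.030 {GW_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 420: 198.51.100.20.5060 > 24.140.156.178.5060: UDP, length 378
10:00:05.500 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 600: 24.140.156.178.5060 > 198.51.100.20.5060: UDP, length 558
10:00:06.000 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 600: 24.140.156.178.5060 > 198.51.100.20.5060: UDP, length 558
10:00:06.500 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 600: 24.140.156.178.5060 > 198.51.100.20.5060: UDP, length 558
10:00:06.530 {GW_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 420: 198.51.100.20.5060 > 24.140.156.178.5060: UDP, length 378
"""

# Constructed "after" capture: the phone's public IP now leaves from its own MAC.
AFTER_CAPTURE = f"""\
11:00:01.000 {FW_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 74: 24.140.156.149.51003 > 203.0.113.10.443: Flags [S], seq 1
11:00:02.000 {ALT_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 600: 24.140.156.178.5060 > 198.51.100.20.5060: UDP, length 558
"""

FRAME_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def parse_frame(line):
    """Return {smac, dmac, sip, dip} for an IPv4 tcpdump -e line, else None."""
    m = FRAME_RE.match(line)
    return m.groupdict() if m else None


def macs_per_public_ip(capture, public_ips=PUBLIC_IPS):
    """Map each public IP to the sorted list of source MACs it was seen leaving from."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        f = parse_frame(line)
        if f and f["sip"] in public_ips:
            seen[f["sip"]].add(f["smac"])
    return {ip: sorted(macs) for ip, macs in seen.items()}


def shared_source_macs(mapping):
    """MACs that more than one public IP sources from: the ISP's complaint."""
    owners = defaultdict(set)
    for ip, macs in mapping.items():
        for mac in macs:
            owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def reply_ratio(capture, public_ips=PUBLIC_IPS):
    """Per public IP: (packets out, packets back, back/out rounded to 2 places)."""
    out, back = Counter(), Counter()
    for line in capture.splitlines():
        f = parse_frame(line)
        if not f:
            continue
        if f["sip"] in public_ips:
            out[f["sip"]] += 1
        elif f["dip"] in public_ips:
            back[f["dip"]] += 1
    return {ip: (out[ip], back[ip], round(back[ip] / out[ip], 2) if out[ip] else 0.0)
            for ip in sorted(public_ips)}


if __name__ == "__main__":
    before = macs_per_public_ip(SAMPLE_CAPTURE)
    print("source MACs per public IP:", before)
    print("MACs shared by several public IPs:", shared_source_macs(before))
    print("reply ratio per public IP:", reply_ratio(SAMPLE_CAPTURE))
    print("after change, shared MACs:", shared_source_macs(macs_per_public_ip(AFTER_CAPTURE)))
```

On the constructed "before" capture both public IPs leave from the firewall's X1 MAC and the second IP gets answers for only a third of what it sends, which matches the ISP's description; on the "after" capture no MAC is shared. To use it on a real capture, run `tcpdump -e -nn -i <iface> host 24.140.156.178 or host 24.140.156.149` on the middle computer and feed the output to the functions.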
Syed_M_Usman

Dear, if you have two WAN IP addresses and need to assign one to your phone system, you just need to do the following:

Log on to SNA > Network > Zones > Add > Public Servers (you can use any name; in my example I named it "Server"). Make sure you allow interface trust (refer to the attached Zone-Creation-1 and 2).

Go to Network > X2 (you can select any empty interface), add it into the zone (refer to Zone-Creation-3), and use bridge mode, bridged with X1.

Now connect your host directly to X2.



Attachments: Zone-Creation-1.png, Zone-Creation-2.png, Zone-Creation-3.png
yodasbrother

ASKER
Are you saying that the phone system itself will need to have the public IP address configured on it? Will the X1 port be the only port connected to the modem? Does there not need to be any firewall access rules or NAT policies? Thanks.
ASKER CERTIFIED SOLUTION
Syed_M_Usman

yodasbrother

ASKER
Thanks