NAT Public IP to Private IP behind SonicWALL TZ210 and Cable Modem

yodasbrother
I need to "map" a public IP address to a phone system on the private network. The firewall is a SonicWALL TZ210, and the primary WAN interface "X1" has a "many to one" NAT policy applied to it for internet access of the LAN computers. When I set up a standard "one to one" NAT policy to NAT the internal phone system to a second WAN IP address, the network traffic is not being forwarded correctly by the ISP's modem. The ISP technician says that their modem cannot distinguish between two IP addresses when they are coming from the same physical port. Somehow I need to map this second WAN IP address to a second MAC address coming out of this TZ210. Anybody ever do this before? When I try to apply the second WAN IP to another port, "X3" for example, I receive a "this subnet has already been used" error and it will not let me do that.
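To see how the two NAT policies in the question interact (the existing "many to one" policy on X1 and the "one to one" policy for the phone system, including the reflective inbound half that the poster lists later in the thread), here is a small model of the policy lookup. This is an added example, not the poster's configuration and not SonicOS code; the phone system's private address, the LAN prefix and the rule that the most specific matching policy wins are assumptions of the model, not something the page states about SonicOS.

```python
"""Toy model of the NAT policy table described in this thread.
Added example; not the poster's exported config and not SonicOS code.
Assumptions (not on the page): the phone system's private address, the LAN
prefix behind X0, and the rule that the most specific matching policy wins."""
from dataclasses import dataclass, replace

X1_IP = "24.140.156.149"          # primary WAN IP (from the post)
PHONE_PUBLIC = "24.140.156.178"   # secondary WAN IP (from the post)
PHONE_PRIVATE = "192.168.1.50"    # assumed private address of the phone system
LAN_PREFIX = "192.168.1."         # assumed LAN subnet behind X0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str   # e.g. "sip", "http"
    in_if: str     # interface the packet arrived on
    out_if: str    # interface it will leave on


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: str    # address, "lan" (any host behind X0) or "any"
    orig_dst: str
    orig_svc: str
    trans_src: str   # address or "original"
    trans_dst: str
    trans_svc: str
    in_if: str       # interface name or "any"
    out_if: str


def _addr_ok(pattern: str, value: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "lan":
        return value.startswith(LAN_PREFIX)
    return pattern == value


def _field_ok(pattern: str, value: str) -> bool:
    return pattern in ("any", value)


def matches(p: NatPolicy, pkt: Packet) -> bool:
    return (_addr_ok(p.orig_src, pkt.src) and _addr_ok(p.orig_dst, pkt.dst)
            and _field_ok(p.orig_svc, pkt.service)
            and _field_ok(p.in_if, pkt.in_if) and _field_ok(p.out_if, pkt.out_if))


def specificity(p: NatPolicy) -> int:
    """Number of exactly specified original fields; ranks competing policies."""
    return sum(f not in ("any", "lan")
               for f in (p.orig_src, p.orig_dst, p.orig_svc, p.in_if, p.out_if))


def translate(policies, pkt):
    """Return (translated packet, policy name); (pkt, None) if nothing matches."""
    hits = [p for p in policies if matches(p, pkt)]
    if not hits:
        return pkt, None
    best = max(hits, key=specificity)

    def pick(pattern, value):
        return value if pattern == "original" else pattern

    return replace(pkt, src=pick(best.trans_src, pkt.src),
                   dst=pick(best.trans_dst, pkt.dst),
                   service=pick(best.trans_svc, pkt.service)), best.name


# The three policies as the thread describes them:
POLICIES = [
    # many-to-one: every LAN host leaves X1 as the primary WAN IP
    NatPolicy("lan-many-to-one", "lan", "any", "any", X1_IP, "original", "original", "X0", "X1"),
    # one-to-one outbound half: Phone Private -> Phone Public, X0 -> X1
    NatPolicy("phone-outbound", PHONE_PRIVATE, "any", "any", PHONE_PUBLIC, "original", "original", "X0", "X1"),
    # reflective inbound half: any -> Phone Public becomes any -> Phone Private, X1 -> any
    NatPolicy("phone-inbound", "any", PHONE_PUBLIC, "any", "original", PHONE_PRIVATE, "original", "X1", "any"),
]


def trace(pkt: Packet) -> str:
    out, name = translate(POLICIES, pkt)
    return f"{pkt.src}->{pkt.dst} [{pkt.in_if}->{pkt.out_if}] via {name}: {out.src}->{out.dst}"


if __name__ == "__main__":
    for pkt in (Packet(PHONE_PRIVATE, "203.0.113.10", "sip", "X0", "X1"),
                Packet("192.168.1.20", "203.0.113.10", "http", "X0", "X1"),
                Packet("203.0.113.10", PHONE_PUBLIC, "sip", "X1", "X0"),
                Packet("203.0.113.10", X1_IP, "http", "X1", "X0")):
        print(trace(pkt))
```

The model only covers NAT; the access rule the poster mentions is a separate lookup and is not modelled here. The point it makes visible is that the phone's outbound traffic only leaves as the secondary WAN IP because its one-to-one policy outranks the broader many-to-one policy, so both public IPs end up sourced from the same X1 interface, which is exactly the situation the ISP's modem objects to.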
Could you provide some more details on the exact configuration you have? Also, are you using the Public Server Wizard or creating a manual NAT? I always suggest using the Wizard, as it creates the appropriate firewall rules for you along with the NAT.

I have, for example, done a NAT such as this when X1 has an IP block passed to it through a modem in bridge mode. The SonicWALL got assigned one of the IPs in the block, and all I had to do was use the Public Server Wizard to NAT an internal server to one of the other public IPs available in the block.

If you could provide the subnets used and what mode the modem is in, that would help with determining what we can configure.
Aaron Tomosky, Director of Solutions Consulting

Commented:
Agreed. Use one wire for the WAN, use the server wizard, choose Other and select the ports you need.
Hi,
Please tell me the subnet of the IP given by your ISP.
Also tell me, when you do one-to-one static NAT, are you able to ping that IP from the internet?

Regards
Pawan

Author

Commented:
Thanks for the quick responses. Here are more details -

They were using a Motorola DSL modem and I have not a clue what mode it is in. They have switched out the modem to see if it would fix the issue, but it has not. We do not have access to configuring this modem.

The public IP of the TZ210 is 24.140.156.149 with subnet mask 255.255.254.0, and the default gateway is 24.140.156.1. The second WAN IP address is 24.140.156.178. Both IP addresses are pingable, but the ISP says they do not always allow pings to go through, so you cannot rely on it.

I did not use the wizard; I just manually set up two NAT policies. They are -
Phone Private - Phone Public, any - original, any - original, X0 - X1, and then the reflective -
any - original, Phone Public - Phone Private, any - original, X1 - any. I also added the access rule to allow all to the Public Phone address from WAN to LAN. We did extensive testing with this setup and the ISP is dropping outbound packets from the second WAN IP address. I sent the config to SonicWALL support and they say the config for the NAT policy is correct. We have upgraded to the current latest firmware, which is 5.8.

We added a switch between the SonicWALL and the modem for this testing and placed a computer there with an IP address that the ISP provided for us. This computer could access the inside device perfectly with the NAT policy and access rule used above, so it really is not a case of a misconfigured NAT policy. We did Wireshark captures from the middle computer and it looks like about 30% of the outbound packets from the second WAN IP address make it to their destination.

The ISP has recommended using a second physical interface with a unique MAC address for the phone system, or just connecting the phone system to the switch that is currently there. They say their modem just is not able to handle traffic from multiple IP addresses using the same MAC address.

If we can get it to work by keeping the phone system on the private IP address, then the phone people do not need to come back out to reconfigure it.
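The two observations in the post above (both public IPs leaving the firewall with the same source MAC, and only about 30% of the secondary IP's packets getting replies) are easy to check offline against a capture taken from the "middle computer" on the switch. The script below is an added example, not the poster's capture or tooling: it works on frames already reduced to tuples (in practice exported from Wireshark), and the sample frames, MAC addresses and the 8.8.8.8 ping target are constructed so that the numbers match the thread.

```python
"""Offline check of a capture between the firewall and the ISP modem.
Added example; the frames below are constructed, not the poster's capture.
Expect frames reduced to (timestamp, src MAC, src IP, dst IP, ICMP kind, seq)."""
from collections import defaultdict, namedtuple

Frame = namedtuple("Frame", "ts src_mac src_ip dst_ip kind seq")

X1_MAC = "00:17:c5:01:02:03"      # constructed: the TZ210's X1 MAC
GW_MAC = "00:11:22:33:44:55"      # constructed: the ISP gateway's MAC
X1_IP = "24.140.156.149"          # primary WAN IP (from the post)
PHONE_PUBLIC = "24.140.156.178"   # secondary WAN IP (from the post)
TARGET = "8.8.8.8"                # constructed ping target


def _constructed_capture():
    """Ten echo requests per public IP, both sourced from X1's MAC.
    Primary IP: every reply returns. Secondary IP: only 3 of 10 replies return."""
    frames, t = [], 0.0
    for seq in range(1, 11):
        frames.append(Frame(t, X1_MAC, X1_IP, TARGET, "echo-request", seq))
        frames.append(Frame(t + 0.01, GW_MAC, TARGET, X1_IP, "echo-reply", seq))
        t += 0.02
    for seq in range(1, 11):
        frames.append(Frame(t, X1_MAC, PHONE_PUBLIC, TARGET, "echo-request", seq))
        if seq in (2, 5, 9):
            frames.append(Frame(t + 0.01, GW_MAC, TARGET, PHONE_PUBLIC, "echo-reply", seq))
        t += 0.02
    return frames


SAMPLE = _constructed_capture()


def macs_per_ip(frames):
    """Map each source IP to the set of source MACs that carried it."""
    seen = defaultdict(set)
    for f in frames:
        seen[f.src_ip].add(f.src_mac)
    return dict(seen)


def shared_macs(frames):
    """MACs that sourced more than one IP: the condition the ISP complained about."""
    ips_by_mac = defaultdict(set)
    for f in frames:
        ips_by_mac[f.src_mac].add(f.src_ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


def echo_delivery(frames):
    """Per source IP: (requests sent, replies received, reply ratio), matched by seq."""
    sent, got = defaultdict(set), defaultdict(set)
    for f in frames:
        if f.kind == "echo-request":
            sent[f.src_ip].add((f.dst_ip, f.seq))
        elif f.kind == "echo-reply":
            got[f.dst_ip].add((f.src_ip, f.seq))
    result = {}
    for ip, reqs in sent.items():
        replies = reqs & got.get(ip, set())
        result[ip] = (len(reqs), len(replies), len(replies) / len(reqs))
    return result


def report(frames):
    lines = [f"{mac} sources {sorted(ips)}" for mac, ips in shared_macs(frames).items()]
    for ip, (n, r, ratio) in sorted(echo_delivery(frames).items()):
        lines.append(f"{ip}: {r}/{n} replies ({ratio:.0%})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

If `shared_macs` is non-empty on a real capture, the secondary address is indeed leaving on the same MAC as the primary, and a reply ratio far below that of the primary IP for the same target is the loss the ISP described. Re-running the same check after binding a distinct MAC to the secondary address, or after moving it to a bridged interface, shows whether the change actually took effect on the wire.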

Author

Commented:
I found that I could go to Network - Arp in the TZ210 and attach a mac address to the public phone ip address. This seems to be working better. Is this correct?
Syed_M_Usman, System Administrator
Top Expert 2011

Commented:
Dear, if you have two WAN IP addresses and need to assign one to your phone system, you just need to do the following:

Log on to SNA > Network > Zones > Add > Public Servers (you can name it anything; in my example I named it "Server". Make sure you allow interface trust; refer to the attached Zone-Creation-1 & 2.)

Go to Network > X2 (you can select any empty interface), add it into the zone (refer to Zone-Creation-3) and use bridge mode, bridged with X1.

Now connect your host directly to X2.



Zone-Creation-1.png
Zone-Creation-2.png
Zone-Creation-3.png

Author

Commented:
Are you saying that the phone system itself will need to have the public IP address configured on it? Will the X1 port be the only port connected to the modem? There do not need to be any firewall access rules or NAT policies? Thanks.
System Administrator
Top Expert 2011
Commented:
Are you saying that the phone system itself will need to have the public IP address configured on it?... It's possible to have that if your phone system requires a public IP, but it's better to use private for the LAN.

Will the X1 port be the only port connected to the modem?... YES (X1 is the only WAN).

There do not need to be any firewall access rules or NAT policies?... In bridge mode you don't require them, but in NAT mode you need to configure them using the Public Server Wizard (refer to attached). Your issue was:

"When I set up a standard "one to one" NAT policy to NAT the internal phone system to a second WAN IP address, the network traffic is not being forwarded correctly by the ISP's modem." In this situation the easiest solution is to have the public IP on your phone's WAN (if your system supports it, or if your phone system has two ports, WAN/LAN)..... BUT IF YOU DON'T WANT TO HAVE A WAN IP ON YOUR SYSTEM'S WAN, then you need to NAT on your primary WAN IP. So don't do any configuration with your secondary IP; you can simply NAT your primary WAN IP.

Conclusions
There are three different network modes that you can deploy on a SonicWALL running SonicOS Enhanced firmware.
The three network modes are:
• NAT Mode (refer to the attached wizard screenshots)
• Transparent Mode (provided to you in my last post)
• Route Mode (try the above; otherwise I will provide it to you)

But if you want to use only the secondary WAN IP, please refer to the attached PDF.
WZ-1.png
WZ-2.png
WZ-3.png
WZ-4.png
SonicOS-Enhanced-using-a-Seconda.pdf

Author

Commented:
Thanks
