Need to open port 6000 on our SonicWall Network Security Appliance

Hi,

We have a SonicWall Network Security Appliance. I have been attempting to get port 6000 opened for the past few days, but have had no luck. I have created the address objects and service and have added an access rule to the firewall. The port still is not open when we run an external scan using MXToolbox.com. I have tried everything and have combed online documentation but still have the problem.

Is there a recommended resource that will explain how to get port 6000 opened with our SonicWall Network Security Appliance?

Any suggestions will be appreciated. Thanks.
Poly11Asked:
d0ughb0yPresident / CEOCommented:
Oh, I didn't mention that it would seem like your firewall rule is fine as is. It's the NAT rule that needs to be changed, that's all. I just want that to be clear.
0
 
darketherealCommented:
If you're just trying to open port 6000 for your external public IP address for some sort of a scanning procedure, just create an access rule in the WAN > WAN zone intersection that looks like this:

Source: Any
Destination: WAN Primary IP (Whatever your WAN IP address is you're testing against)
Service: Port 6000 (create a service object for either TCP/UDP for port 6000)

This should work. However, keep in mind if the scanner is trying to initiate any sort of application level intelligence against that port when communicating to the firewall nothing will happen as the firewall has no application intelligence on port 6000.

Cheers,
Steve
0
 
 
d0ughb0yPresident / CEOCommented:
If you're looking at opening a port, ostensibly you're looking to allow inbound traffic on that port, in which case you are more-than-likely also going to need to NAT the traffic inbound, to get it where you're going. To do that on a SonicWALL router you can try to use a wizard, which will do it all for you. Or you can do it all manually.

You'll need:
An object definition for the device you're trying to reach.
A service definition for port 6000 (TCP? UDP?)

Then you'll create a NAT rule directing traffic to the appropriate device. It'll look something like:
Source: Any  Orig Dest: Primary WAN IP  ==> Source: Original  Dest: <object definition>. Oh, there's also going to be the PAT portion of this, in which you'll tell it that the original destination port is 6000, and the redirected port is... Original, if that's what you want.

Finally, you'll need a firewall rule allowing the traffic from the original source to the original destination.

That ought to do it.
0
 
Poly11Author Commented:
Ok, I've tried to work with this but am still having issues. The IP Address of the DVR is 192.168.0.3 and I have an Address Object created for it and assigned to the LAN zone.

I have a service object created for it using TCP protocol with port range 6000-6000.

I have a NAT policy created that has the following:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: <Address Object>
Original Service: <Service Object>
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Enable NAT Policy is Selected

The Firewall Rule I have in place is as follows:
Action: Allow
From Zone: WAN
To Zone: LAN
Service: <Service Object>
Source: Any
Destination: <Address Object>
Users Allowed: All
Schedule: Always On
Enable Logging
Allow Fragmented Packets

I'm still unable to access the port when I type the WAN IP address with port 6000 in a browser on a system outside of the network. It's supposed to resolve to a DVR which can be viewed internally on the network using a web browser without specifying a port. The external port that has been defined is 6000.

Any help will be greatly appreciated.

Thanks.
0
 
Poly11Author Commented:
Also, when I try to use the wizard, it stalls when I hit the Next button after selecting the service, etc...
0
 
d0ughb0yPresident / CEOCommented:
I think the problem is in your firewall rule. Your destination should be the WAN primary IP. Right now, the rule is looking for packets going to 192.168.0.3, which it will never see.
0
 
Poly11Author Commented:
OK, in the firewall rule I have changed the destination from <Address Object> to WAN Primary IP, but we are still unable to connect. I have an Address Object that has the IP address of the DVR, now that it's not assigned to the firewall rule I am not sure how the request will find the IP.

Basically what we need is access to the DVR which is IP address 192.168.0.3 with an internal port of 85. The external port is 7000. When we enter the external IP address with :7000 we need it to go to the Address Object which is 192.168.0.3. Is there any way we can do this?

Thanks
0
 
d0ughb0yPresident / CEOCommented:
Ok - That's a lot of information you didn't give us before. Here's the deal: The Firewall Rule deals with permissions: What packets, directed to where, are permitted to come through? The NAT rule deals with redirection: Anything coming to this port, gets redirected to there.

So your firewall rule needs to allow the traffic for the WAN Primary IP in this case, because that's the address the users are trying to reach. So that's what the firewall needs to permit.

However, once that's through, you need to make sure that the NAT rule is directing it properly. You have your NAT rule sending the packet from the original sender, to the translated 192.168.0.3 address, and that's correct. But you have the translated service set to original. So when a user sends a packet to your public IP address, at port 7000, they are redirected to 192.168.0.3:7000. You need, now, to set up a service for port 85, and use that as the Translated Service.
0
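The answer above separates two decisions the appliance makes for an inbound packet: the access rule (is this packet permitted, judged on the destination it was sent to, i.e. the WAN Primary IP) and the NAT policy (where is it redirected, including the translated port). The following simulator is an added illustration and is not code from the thread or from SonicWall; it models that ordering as the answer describes it (rule evaluated on the pre-NAT destination, then NAT applied), which may differ in detail between SonicOS versions. The public address 203.0.113.10 and the client address 198.51.100.7 are constructed documentation-range values; the DVR address 192.168.0.3, external port 7000 and internal port 85 come from the thread. It walks through the three configurations in the order the asker reached them: the original rule naming the DVR (denied), the rule corrected to the WAN IP but with Translated Service still "Original" (delivered to 192.168.0.3:7000, where nothing listens), and the final policy translating 7000 to 85.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed public address (TEST-NET-3 range); the asker's real WAN IP is not in the thread.
WAN_PRIMARY_IP = "203.0.113.10"
DVR_IP = "192.168.0.3"   # from the thread
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatPolicy:
    """Inbound NAT policy: Original Destination/Service -> Translated Destination/Service."""
    orig_dst: str
    orig_port: int
    trans_dst: str
    trans_port: Optional[int]   # None models "Translated Service: Original"


@dataclass(frozen=True)
class AccessRule:
    """WAN->LAN access rule; dst is the Address Object the rule names."""
    src: str
    dst: str
    dst_port: int
    action: str = "allow"


def _match(value, pattern):
    return pattern == ANY or value == pattern


def access_allowed(pkt, rules):
    """Evaluate access rules against the packet as it arrived from the WAN,
    i.e. against the original (pre-NAT) destination, as the answer explains."""
    for r in rules:
        if _match(pkt.src_ip, r.src) and _match(pkt.dst_ip, r.dst) and pkt.dst_port == r.dst_port:
            return r.action == "allow"
    return False   # WAN->LAN is default deny


def apply_nat(pkt, policies):
    """Rewrite destination address and (optionally) port per the first matching policy."""
    for p in policies:
        if pkt.dst_ip == p.orig_dst and pkt.dst_port == p.orig_port:
            new_port = pkt.dst_port if p.trans_port is None else p.trans_port
            return Packet(pkt.src_ip, p.trans_dst, new_port, pkt.proto)
    return pkt   # no policy matched: packet is not redirected anywhere


def forward(pkt, rules, policies):
    """Return (allowed, delivered_packet); delivered_packet is None when denied."""
    if not access_allowed(pkt, rules):
        return False, None
    return True, apply_nat(pkt, policies)


# The asker's first attempt: rule names the DVR object, Translated Service left "Original".
FIRST_RULES = [AccessRule(src=ANY, dst=DVR_IP, dst_port=7000)]
FIRST_NAT = [NatPolicy(orig_dst=WAN_PRIMARY_IP, orig_port=7000, trans_dst=DVR_IP, trans_port=None)]

# After correcting only the access rule destination to the WAN Primary IP.
RULE_FIXED = [AccessRule(src=ANY, dst=WAN_PRIMARY_IP, dst_port=7000)]

# Final working configuration: rule on the WAN IP, NAT translates service 7000 -> 85.
FINAL_NAT = [NatPolicy(orig_dst=WAN_PRIMARY_IP, orig_port=7000, trans_dst=DVR_IP, trans_port=85)]

# Constructed inbound packet from an outside client to the public IP on port 7000.
INBOUND = Packet(src_ip="198.51.100.7", dst_ip=WAN_PRIMARY_IP, dst_port=7000)


def walk_through():
    """Run the three configurations in the order the thread arrived at them."""
    return {
        "first_attempt": forward(INBOUND, FIRST_RULES, FIRST_NAT),
        "rule_fixed_only": forward(INBOUND, RULE_FIXED, FIRST_NAT),
        "final": forward(INBOUND, RULE_FIXED, FINAL_NAT),
    }


if __name__ == "__main__":
    for name, (allowed, delivered) in walk_through().items():
        print(f"{name:16} allowed={allowed} delivered={delivered}")
```

The middle case is the one worth checking on a real appliance: the access rule passes, the NAT policy matches, and the packet is still dropped by the DVR because it reaches port 7000 rather than 85. An external scanner reporting the port "closed" cannot distinguish that from a missing rule, so verify the Translated Service field before touching the rule again.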
 
Poly11Author Commented:
Thank you! It's all working perfectly.
0
Question has a verified solution.