gateguard

asked on

SonicWall OS: Do I need "reflexive policy"?

On a SonicWall NSA220, I want all LAN users to have access to the internet.

I also want to publish several websites using 1-2-1 nat.

When I create a nat policy for a website, I can check the "reflexive" box, but do I need to?

If I don't check that box, and a web developer is remote desktop'd into the web server from the inside LAN, he or she can still do a google search (for example) from that web server and that access will go through the "all LAN users access to the internet" rule, correct?

I don't need the reflexive policy to give internet surfing capability to a web developer working directly on the web server, do I?

Thanks.
Syed Muhammad Usman

Dear,

1) "I want all LAN users to have access to the internet": make sure you have an Allow rule from LAN to WAN.

2) "I also want to publish several websites using 1-2-1 nat": easy.... you can use the Wizard for the same or refer to the attached.

3) "I can check the "reflexive" box, but do I need to": for the reflex policy, please look @ https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4061&formaction=catalert

under section "Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)"
SonicOS-Enhanced--Three-Types-of.pdf
gateguard

ASKER

It seems like the answer to my question is "no, you don't need to create a reflexive policy when creating an inbound nat policy because outbound the servers can all use the site many-to-one nat policy"?

Is that correct?

Is the reflexive only used when you want the server's OUTGOING traffic to initiate on the specific public address, instead of the general site many-to-one nat address?

Do I understand that correctly?
ASKER CERTIFIED SOLUTION
Syed Muhammad Usman

This solution is only available to members.
Thanks, Syed, and I appreciate all your hard work on all these questions.

This is not critical.  What I decided to do was leave the box checked but disable the reflexive rule.

I think we can both add notes to this question later, even though it's closed.

I will be doing some experimentation myself and if I can, I'll post results here.
Thank you :)
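
The three cases discussed in this thread (no reflexive policy, reflexive policy enabled, reflexive policy created but disabled), as an added example that is not part of any post and is not SonicWall code. It models only outbound source NAT selection; the addresses are constructed, and "most specific match wins" is a simplifying assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceNat:
    name: str
    original_source: str    # CIDR matched against the packet's source address
    translated_source: str  # address the source is rewritten to on the WAN
    enabled: bool = True

# Constructed sample addresses (RFC 1918 / RFC 5737), not taken from the thread.
LAN = "192.168.1.0/24"
WEB_SERVER = "192.168.1.10"
WAN_IP = "203.0.113.1"          # firewall WAN address used by many-to-one NAT
WEB_PUBLIC_IP = "203.0.113.10"  # public address of the one-to-one NAT

MANY_TO_ONE = SourceNat("LAN many-to-one", LAN, WAN_IP)

def reflexive(enabled):
    """Mirror of the inbound one-to-one policy: server -> its public address."""
    return SourceNat("web reflexive", WEB_SERVER + "/32", WEB_PUBLIC_IP, enabled)

def outbound_source(src_ip, policies):
    """Return (policy name, translated source) for a LAN -> WAN connection."""
    ip = ipaddress.ip_address(src_ip)
    matches = [p for p in policies
               if p.enabled and ip in ipaddress.ip_network(p.original_source)]
    if not matches:
        return None  # no source NAT applies to this host
    # Model assumption: the most specific (longest prefix) match wins.
    best = max(matches,
               key=lambda p: ipaddress.ip_network(p.original_source).prefixlen)
    return best.name, best.translated_source

def scenarios():
    """Outbound translation of the web server's traffic in each case."""
    cases = {
        "no reflexive policy": [MANY_TO_ONE],
        "reflexive enabled": [MANY_TO_ONE, reflexive(True)],
        "reflexive created but disabled": [MANY_TO_ONE, reflexive(False)],
    }
    return {label: outbound_source(WEB_SERVER, pols)
            for label, pols in cases.items()}

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:32} -> {result}")
```

In this model the server reaches the internet in all three cases; the reflexive policy only changes which public source address remote hosts, egress allow-lists and logs will see. The LAN to WAN access rule is a separate control and is not modelled here.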