Solved

Sonicwall inbound NAT rule

Posted on 2013-10-26
1,299 Views
Last Modified: 2014-01-03
Hello Experts,

I am trying to configure an inbound Terminal Services rule on a Sonicwall NSA250M - latest O/S etc.

Office Public IP on WAN interface = 6.6.6.6
Internal IP of server I need to RDP to = 10.0.0.1

I have successfully added Firewall and NAT rules that allow RDP from 'Source=Any'; however, I need to restrict access so that only one or two remote public IP ranges are allowed to connect by RDP, e.g. a third-party vendor who needs access to the server for remote support. Their public IP range is, say, 70.70.70.70 to 70.70.70.78.

I have tried adding 70.70.70.70/29 as an address object named 'Support' and then switching just the Source within the Firewall and/or NAT rules from 'Any' to 'Support'; however, this does not work. I have tried moving the 'Support' address object into the various default Zones to test, with the same result.

I cannot find any documentation on the Sonicwall site for this scenario - am I missing something, can anyone help?
13 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39602619
Can you post a sanitized copy of your current config?
0
 

Author Comment

by:fourthgen
ID: 39602692
Would these screenshots be sufficient?
Working.gif
Not-working.gif
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39602792
I will attempt to help with what you have shown me. Under the not working pic I see in the "Edit Rule" screenshot it states:

From zone: WAN
To Zone: LAN
Service: Terminal Services
Source: Support
Destination: WAN Interface Ip   <====== What other options do you have here?
Users Allowed: ALL
Schedule: Always On
Comment: Open RDP Port for Support
0
 

Author Comment

by:fourthgen
ID: 39602834
Sorry if a bit awkward, but am working on the system remotely and am not sure of how I could produce a sanitized config file without potentially taking out their internet - a site visit to fix would take quite some time!

Screenshot of menu attached, blank lines are other server names and IPs.
menu.gif
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39602895
Ok, so instead of :
Destination: WAN Interface Ip

It should say:
Main Server 10.0.0.1

Or just:
10.0.0.1

Let us know how that works for you..
0
 

Author Comment

by:fourthgen
ID: 39602964
Appreciate the help, but sorry, no joy.

Is there a specific way the 'Support' Address Object should be configured?

At the moment I have

Name = Support
Zone Assignment = WAN
Type = Network
Network = 70.70.70.70
Subnet = 255.255.255.248

Though have tried with both Host and Range as Network Type.  I haven't looked at creating custom Zones yet.

Am slowly beginning to prefer Watchguards!!
0
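Added example, not from the thread and not SonicWall's own matching logic: a small Python check of what the two Address Object types discussed in this post actually cover. It uses the sample values from the question (70.70.70.70 to 70.70.70.78 with mask 255.255.255.248) and a generic model in which a Type=Network object matches on the network part of address/mask and a Type=Range object matches a closed interval. Running it shows which vendor addresses each definition admits and the smallest set of prefixes that covers the whole range.

```python
"""Coverage check for a source-restricted inbound rule's Address Object.

Constructed example: models a Type=Network and a Type=Range object and
tests which vendor source addresses each one matches. The matching model
is generic CIDR / interval logic, not the firewall's implementation.
"""
import ipaddress

# Sample values as given in the question (illustrative, not real addresses).
VENDOR_FIRST = "70.70.70.70"
VENDOR_LAST = "70.70.70.78"
NETWORK_ADDR = "70.70.70.70"
NETWORK_MASK = "255.255.255.248"   # a /29


def network_object(address, mask):
    """Type=Network object: matching keys on the network part of
    address/mask, so host bits in the address are dropped (strict=False)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def range_object(first, last):
    """Type=Range object: a closed interval [first, last]."""
    return (ipaddress.ip_address(first), ipaddress.ip_address(last))


def matches(obj, src):
    """True if source address src is admitted by the object."""
    ip = ipaddress.ip_address(src)
    if isinstance(obj, tuple):            # range object
        return obj[0] <= ip <= obj[1]
    return ip in obj                      # network object


def vendor_addresses(first=VENDOR_FIRST, last=VENDOR_LAST):
    """Every address the vendor may connect from, inclusive."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [ipaddress.ip_address(i) for i in range(int(a), int(b) + 1)]


def coverage(obj, first=VENDOR_FIRST, last=VENDOR_LAST):
    """Return (allowed, denied): vendor addresses the object admits / rejects."""
    allowed, denied = [], []
    for ip in vendor_addresses(first, last):
        (allowed if matches(obj, ip) else denied).append(str(ip))
    return allowed, denied


def smallest_covering_networks(first=VENDOR_FIRST, last=VENDOR_LAST):
    """Minimal list of CIDR prefixes that exactly covers first..last;
    these are what an Address Object Group of Network objects would need."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    net = network_object(NETWORK_ADDR, NETWORK_MASK)
    print(f"Network object {NETWORK_ADDR}/{NETWORK_MASK} normalises to {net}")
    allowed, denied = coverage(net)
    print(f"  admits {allowed}")
    print(f"  rejects {denied}")
    rng = range_object(VENDOR_FIRST, VENDOR_LAST)
    allowed, denied = coverage(rng)
    print(f"Range object {VENDOR_FIRST}-{VENDOR_LAST} admits {len(allowed)}, "
          f"rejects {len(denied)}")
    print("Prefixes covering the whole range:", smallest_covering_networks())
```

Run it directly to print the coverage table. The general point it demonstrates is that a Network-type object keys on the network address, so an address with host bits set is normalised to its prefix before matching, while an interval that does not sit on a prefix boundary needs either a Range object or a group of the listed prefixes; checking the object this way before blaming the rule is a cheap first step.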
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39602976
Can you show us a screen shot under the routing tab?
0
 

Author Comment

by:fourthgen
ID: 39602986
Is attached.  It is an inherited setup - I haven't modified this section myself at any point in the past.
0
 

Author Comment

by:fourthgen
ID: 39602990
Or so I thought...
Routing.gif
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39603242
Ok, that's your issue. Under the Routing Tab in the "Route Policies" section select "add" at the bottom and set it up this way:

Source: Support
Destination: Main Server 10.0.0.1
Service: RDP
Gateway: [Your default gateway]

Save that and try it. Let us know.
0
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39604959
Hi fourthgen,

First off, to allow access in this manner in a secure fashion it's a Security Best Practice to provide access via VPN rather than opening an RDP port (even with limiting access to a few IPs). This access method is still susceptible to man-in-the-middle attacks. The proper way would be to allow VPN access then the vendor can RDP into whatever resource, which is allowed/specified by the VPN User Policy. This gives you maximum control over the resources accessed and greater overall management (terminating user access is simpler & not having to manage vendor Public IPs (whether static or dynamic)).

Notwithstanding anything to the contrary, the best way to allow this type of access is through the Public Server Wizard. You can access the Wizard icon on the top right of the page once you login.

Under the Public Server Wizard select Terminal Server next to Server Type:. It will setup all the necessary routing, NAT Policies, Access Rules & Address/Service Objects.

Once you have set everything up with the Wizard, test it. Once it tests successfully, you can go into the Access Rules (WAN>LAN or DMZ (wherever the server is located)) and modify the Source to limit it to the Address Object Group containing the Vendor IPs.

Let me know if you have any questions!
0
 

Author Comment

by:fourthgen
ID: 39636088
Apologies for delay in responding.  Am having to abandon the idea for now as there just aren't any windows of opportunity for scrapping the config and starting again from scratch, as I suspect is needed.

The_Warlock - Route Policy duly added, however problem remained.

diverseit - Public Server Wizard does create all rules, routes etc and works well, however modifying the Source Address Object causes same problem, have tried with IP addresses and ranges from multiple remote sites in case the default gateway was being picked up by the firewall as the source, but without luck.

Thanks again for the input but looking at deleting the question since I won't be able to revisit the problem until beginning of next year.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39636226
I have duplicated this on my end and everything works perfectly. Furthermore, a VPN connection is the best way to go about this. Both are very straight forward configurations. There are solutions here which other EE users can benefit from but I understand if you don't have the time to attempt them and/or you cannot validate them.

Best of luck and post another question whenever you have more time...we'll be here for you!
0
