Solved

Sonicwall TZ210 One To One NAT issue

Posted on 2014-02-10
17
1,512 Views
Last Modified: 2014-02-21
This used to be stupid simple, but after a firmware update I cannot get this to work.

I have an internal server XYZ that needs to be tied to our X3 interface on the SonicWall. We have three WAN ports. XYZ needs to be using the X3 interface's IP such that any outbound traffic shows that it comes from the X3 interface's IP, and of course any inbound needs to come to X3 and move on to the XYZ server.

I have never in my life had this issue. I know how to set up 1-to-1 NATs, and once set up, the computer, when asking an internet site what its IP is, should report the correct one. Sadly, the IP that shows up is the one on interface X1.

The Sonicwall is a TZ210, firmware is SonicOS Enhanced 5.9.0.2-107o.

Any guidance would be appreciated. I've followed all the how to guides and none make a difference. The IP that is reported is always the IP from the X1 interface, never the X3 interface.

Thanks.
Question by:digitalwav
17 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39848604
Can you share how you currently have it setup with screenshots or documenting your setup while sanitizing your IP addresses?

Also is this a new NAT policy or was this an existing one that was present BEFORE the firmware upgrade that is now broken?
 
LVL 1

Author Comment

by:digitalwav
ID: 39850063
This is a new NAT policy. Essentially I have three WAN and one LAN connections.

Primary WAN is on X1, secondary on X2 and third on X3.

No load balancing or failover. All internet traffic defaults to X1.

I want XYZ server to only use WAN X3.

Attached is the current set of NAT rules. One server is "NATed" to the main X1 interface and of course that works fine.

Current NAT Config
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39850280
I think you need to adjust your NAT policies to reflect the X3 interface.

For instance the Top NAT rule is as below:

Source Original: Firewalled Subnets
Source Translated: WAN Primary IP
Destination Original: WAN Primary IP
Destination Translated: ?? Private
Service Original: ?? Services
Service Translated: Original
Interface Inbound: ANY
Interface Outbound: ANY

I think you need to adjust it so that it would be:

Source Original: Firewalled Subnets
Source Translated: Original
Destination Original: x3 IP
Destination Translated: ?? Private
Service Original: ?? Services
Service Translated: Original
Interface Inbound: X3
Interface Outbound: ANY

This will need to be adjusted for the other NAT rules so that the X3 interface is specific rather than WAN Primary IP, since you are not using the WAN Primary IP but instead the WAN X3 Primary IP, better known as "X3 IP".
 
LVL 1

Author Comment

by:digitalwav
ID: 39850323
The rules you see are working and correct for the device on the primary interface. I'll add a new set for the new server specifically on X3 and see what happens.
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39850333
I see. So you don't already have NAT policies setup for the X3 interface/server?
 
LVL 1

Author Comment

by:digitalwav
ID: 39850351
Not yet. I tried yesterday based on how the NAT is set up on X1, but it didn't work. The reported external IP was always from the X1 interface.
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39850444
Ok, once you try it out be sure to let me know how it goes. If you have any questions along the way feel free to post on here and I will help you out as quickly as possible. But adjusting from WAN Primary IP to reflect your X3 interface should do the trick.

Since you need it to be one-to-one, when you create the NAT policy you will see an option for "Create Reflexive rule"; this will automagically create the reverse of the NAT rule so you do not have to create it manually.

Hope this Helps
 
LVL 1

Author Comment

by:digitalwav
ID: 39856017
I think I'm losing my mind. Attached is the NAT rule I created. The server can get to the internet but all sites visited still report the primary WAN IP.

I've also attached the full list of NAT rules.

There is something missing and it's probably really obvious. I've done this hundreds of times and never had this issue.

new rule created
all rules
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39856126
In your first screenshot regarding the NAT policy, try changing to the below settings:

Translated Source: X3 IP
Inbound Interface: Any
Outbound Interface: Any

How do things work in the reverse? Meaning if someone on the internet or external to that network tries to connect to the IP address assigned to X3? Are they able to connect or does it not work properly?

We may need to create some address objects for external/internal and use the NAT policy to reflect them. Is X3 assigned a static IP address, or is it dynamic and able to change?
 
LVL 1

Author Comment

by:digitalwav
ID: 39856204
X3 is static on the interface. Externally you can ping X3 but no other traffic will pass. I'll make the changes suggested and try making an address object to see if that makes a difference.
 
LVL 1

Author Comment

by:digitalwav
ID: 39856309
Ok, things are getting interesting. Inbound traffic is being translated correctly. Outbound is not.

I tested with the other server that is on the primary WAN, and if I change it from primary WAN to X2, for example, its inbound traffic works correctly over X1 but no outbound traffic works (I realize there are separate NAT rules for in/out).

This is the same as the new server that I'm trying to use on X3. Inbound to X3 translates but outbound either goes out the primary WAN (X1) or not at all.
 
LVL 1

Author Comment

by:digitalwav
ID: 39856366
Here's my thinking. This doesn't work.

I have 5 of these firewalls. Two have multiple WANs with multiple IPs on each interface.

The difference with the one I'm having issues with is that each of the three WAN interfaces only have one IP per interface.

I have the feeling that the TZ210 cannot do outbound 1-to-1 NAT with the same IP that's on the interface itself. Inbound I can route/NAT by the port/service all day long, but outbound seems like it wants another IP.

Does that make sense? It would explain the behavior I'm seeing.
 
LVL 9

Accepted Solution

by:
BigPapaGotti earned 500 total points
ID: 39857370
I think this is possible. I wish I had a secondary external IP address on my SonicWALL so I could test this out.

Perhaps we are running into a routing issue that is causing the traffic to exit the primary WAN connection and, as a result, is reported as such when visiting a site such as "www.whatismyip.com". What if you try creating a static route for this private host and specify X3 as the gateway? It would look like this.

Source: Address Object for your Private IP address of the device you are trying to setup
Destination: Any
Service: Any
Gateway: X3 IP Gateway or whatever the X3 next-hop IP address is
Interface: X3
Metric: 1

The reason I think this is possible is because when the traffic is translated from internal to external it still has to have an external IP address it is sourced from (when reaching the end host, in this case a website showing your external IP). Try out the above static route and see if that resolves the issue.
 
LVL 1

Author Comment

by:digitalwav
ID: 39867134
I haven't forgotten this issue. I've got a ton of things ahead of it. I hope to have this tested again Wednesday. Thanks for your patience.
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39867241
No problem at all, and I know what you mean. Just let me know when you get around to the testing and what you find.

Thanks
 
LVL 1

Author Comment

by:digitalwav
ID: 39877110
Eureka! It was routing. Ah, sweet success. You had it:

Source: Address Object for your Private IP address of the device you are trying to setup
Destination: Any
Service: Any
Gateway: X3 IP Gateway or whatever the X3 next-hop IP address is
Interface: X3
Metric: 1

The reciprocal NAT was correct and didn't appear to work until the route was added.

Oddly, www.whatsmyip.org doesn't work from that address... but all other sites like www.ipchicken.com do.

But you solved it. Thank you!
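Added example, not from the thread or from SonicWALL: a small Python model of the order of operations the accepted answer relies on (the route lookup picks the egress interface first, and the outbound NAT policy is then matched against that interface), using constructed sample addresses. It reproduces the three situations in the thread: no policy-based route (X1 IP reported), the policy with Outbound Interface "Any" (X3 source leaving X1, which an upstream ISP will usually drop), and the static route from the accepted answer.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not the poster's real addresses): one IP per WAN link.
WAN_IP = {"X1": "198.51.100.10", "X3": "203.0.113.10"}
XYZ = "192.168.1.50"  # internal server that should only use X3

def route_lookup(src, dst, routes):
    """Routing runs before NAT: a policy-based route matching the packet's
    source and destination wins; otherwise the default route sends it out X1."""
    for r in routes:
        if ip_address(src) in ip_network(r["source"]) and ip_address(dst) in ip_network(r["dest"]):
            return r["interface"]
    return "X1"

def nat_lookup(src, egress, policies):
    """Outbound NAT policy match uses the original source plus the egress interface
    that routing already chose; with no match the packet is masqueraded behind the
    egress interface's own IP (the default outbound NAT)."""
    for p in policies:
        if ip_address(src) in ip_network(p["src_original"]) and p["outbound_if"] in ("Any", egress):
            return p["src_translated"]
    return WAN_IP[egress]

def forward(src, dst, routes, policies):
    """Return (egress interface, translated source IP, verdict) for one outbound packet."""
    egress = route_lookup(src, dst, routes)
    translated = nat_lookup(src, egress, policies)
    # A source IP that does not belong to the egress link is asymmetric traffic;
    # the upstream provider typically drops it (the "or not at all" symptom above).
    verdict = "ok" if translated == WAN_IP[egress] else "asymmetric"
    return egress, translated, verdict

# One-to-one outbound policy as built in the thread: XYZ -> X3 IP, Outbound Interface X3.
XYZ_POLICY = [{"src_original": XYZ, "src_translated": WAN_IP["X3"], "outbound_if": "X3"}]
# The same policy with Outbound Interface "Any" (the intermediate suggestion above).
XYZ_POLICY_ANY = [{**XYZ_POLICY[0], "outbound_if": "Any"}]
# The static route from the accepted answer: Source XYZ, Destination Any, Interface X3.
XYZ_ROUTE = [{"source": XYZ, "dest": "0.0.0.0/0", "interface": "X3"}]

if __name__ == "__main__":
    dst = "192.0.2.1"  # constructed "what is my IP" web server
    print("no route, policy on X3:  ", forward(XYZ, dst, [], XYZ_POLICY))
    print("no route, policy on Any: ", forward(XYZ, dst, [], XYZ_POLICY_ANY))
    print("route + policy on X3:    ", forward(XYZ, dst, XYZ_ROUTE, XYZ_POLICY))
```

Only the third case leaves via X3 with the X3 IP; in the first the X3-specific policy never matches because routing already chose X1, and in the second the policy matches but produces a source IP that does not belong to the link the packet leaves on.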
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39877126
Glad to hear this resolved your issue and thanks for the feedback. Much appreciated!!
