• Status: Solved

Sonicwall TZ210 One To One NAT issue

This used to be stupid simple, but after a firmware update I cannot get this to work.

I have an internal server XYZ that needs to be tied to our X3 interface on the SonicWall. We have three WAN ports. XYZ needs to be using the X3 interface's IP such that any outbound traffic shows that it comes from the X3 interface's IP and of course any inbound needs to come to X3 and move on to the XYZ server.

I have never in my life had this issue. I know how to set up 1-to-1 NATs, and once set up, the computer, when asking an internet site what its IP is, should be correct. Sadly, the IP that shows up is the one on interface X1.

The Sonicwall is a TZ210, firmware is SonicOS Enhanced 5.9.0.2-107o.

Any guidance would be appreciated. I've followed all the how to guides and none make a difference. The IP that is reported is always the IP from the X1 interface, never the X3 interface.

Thanks.
Asked by digitalwav
1 Solution
 
BigPapaGotti commented:
Can you share how you currently have it setup with screenshots or documenting your setup while sanitizing your IP addresses?

Also is this a new NAT policy or was this an existing one that was present BEFORE the firmware upgrade that is now broken?
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
This is a new NAT policy. Essentially I have three WAN and one LAN connections.

Primary WAN is on X1, secondary on X2 and third on X3.

No load balancing or failover. All internet traffic defaults to X1.

I want XYZ server to only use WAN X3.

Attached is the current set of NAT rules. One server is "NATed" to the main X1 interface and of course that works fine.

Current NAT Config
0
 
BigPapaGotti commented:
I think you need to adjust your NAT policies to reflect the X3 interface.

For instance the Top NAT rule is as below:

Source Original: Firewalled Subnets
Source Translated: WAN Primary IP
Destination Original: WAN Primary IP
Destination Translated: ?? Private
Service Original: ?? Services
Service Translated: Original
Interface Inbound: ANY
Interface Outbound: ANY

I think you need to adjust it so that it would be:

Source Original: Firewalled Subnets
Source Translated: Original
Destination Original: x3 IP
Destination Translated: ?? Private
Service Original: ?? Services
Service Translated: Original
Interface Inbound: X3
Interface Outbound: ANY

This will need to be adjusted for the other NAT rules so that the X3 interface is specific rather than WAN Primary IP, since you are not using the WAN Primary IP but instead the WAN X3 Primary IP, better known as "X3 IP".
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
The rules you see are working and correct for the device on the primary interface. I'll add a new set for the new server specifically on X3 and see what happens.
0
 
BigPapaGotti commented:
I see. So you don't already have NAT policies setup for the X3 interface/server?
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
Not yet. I tried yesterday based on how the NAT is setup on X1 but it didn't work. The reported external IP was always from the X1 interface.
0
 
BigPapaGotti commented:
Ok, once you try it out be sure to let me know how it goes. If you have any questions along the way feel free to post on here and I will help you out as quickly as possible. But adjusting from WAN Primary IP to reflect your X3 interface should do the trick.

Since you need it to be one-to-one, when you create the NAT policy you will see an option for "Create Reflexive rule"; this will automagically create the reverse of the NAT rule so you do not have to create it manually.

Hope this helps.
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
I think I'm losing my mind. Attached is the NAT rule I created. The server can get to the internet but all sites visited still report the primary WAN IP.

I've also attached the full list of NAT rules.

There is something missing and it's probably really obvious. I've done this hundreds of times and never had this issue.

new rule created
all rules
0
 
BigPapaGotti commented:
In your first screenshot regarding the NAT policy, try changing to the below settings:

Translated Source: X3 IP
Inbound Interface: Any
Outbound Interface: Any

How do things work in the reverse? Meaning if someone on the internet or external to that network tries to connect to the IP address assigned to X3? Are they able to connect or does it not work properly?

We may need to create some address objects for external/internal and use the NAT policy to reflect them. Is X3 assigned a static IP address, or is it dynamic and able to change?
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
X3 is static on the interface. Externally you can ping X3 but no other traffic will pass. I'll make the changes suggested and try making an address object to see if that makes a difference.
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
Ok, things are getting interesting. Inbound traffic is being translated correctly. Outbound is not.

I tested with the other server that is on the primary WAN and if I change it from primary wan to X2 for example its inbound traffic works correctly over X1 but no outbound traffic works (I realize there are separate NAT rules for in/out).

This is the same as the new server that I'm trying to use on X3. Inbound to X3 translates but outbound either goes out the primary WAN (X1) or not at all.
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
Here's my thinking. This doesn't work.

I have 5 of these firewalls. Two have multiple WANs with multiple IPs on each interface.

The difference with the one I'm having issues with is that each of the three WAN interfaces only have one IP per interface.

I have the feeling that the TZ210 cannot outbound 1 to 1 NAT the same IP that's on the interface itself. Inbound I can route/NAT by the port/service all day long but outbound seems like it wants another IP.

Does that make sense? It would explain the behavior I'm seeing.
0
 
BigPapaGotti commented:
I think this is possible. I wish I had a secondary external IP address on my SonicWALL so I could test this out.

Perhaps we are running into a routing issue that is causing the traffic to exit the primary WAN connection and as a result is reporting as such when visiting the site such as "www.whatismyip.com". What if you try creating a static route for this private host and specify X3 as the gateway. It would look like this.

Source: Address Object for your Private IP address of the device you are trying to setup
Destination: Any
Service: Any
Gateway: X3 IP Gateway or whatever the X3 next-hop IP address is
Interface: X3
Metric: 1

The reason I think this is possible is because when the traffic is translated from internal to external it still has to have an external IP address it is sourced from (when reaching the end host, in this case a website showing your external IP). Try out the above static route and see if that resolves the issue.
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
I haven't forgotten this issue. I've got a ton of things ahead of it. I hope to have this tested again Wednesday. Thanks for your patience.
0
 
BigPapaGotti commented:
No problem at all, and I know what you mean. Just let me know when you get around to the testing and what you find.

Thanks
0
 
digitalwav (IT Infrastructure Manager, Author) commented:
Eureka! It was routing. Ah, sweet success. You had it:

Source: Address Object for your Private IP address of the device you are trying to setup
Destination: Any
Service: Any
Gateway: X3 IP Gateway or whatever the X3 next-hop IP address is
Interface: X3
Metric: 1

The reciprocal NAT was correct and didn't appear to work until the route was added.

Oddly, www.whatsmyip.org doesn't work from that address... but all other sites like www.ipchicken.com do.

But you solved it. Thank you!
0
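The behaviour the thread converged on, as an added illustration that is not part of the original posts: a small Python model (constructed addresses, simplified policy matching, not SonicOS code) of a firewall that picks the egress interface from its routing table before evaluating outbound NAT. Without a source-based static route the default route sends XYZ out X1 and the X3-bound 1-to-1 policy never matches; adding the route from the accepted answer makes X3 the egress and the translation to "X3 IP" applies.

```python
# Added example, not from the thread: model "route first, then outbound NAT",
# which is why the 1-to-1 NAT on X3 only worked once a source-based route existed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (the thread's real IPs are sanitized).
XYZ = "10.0.0.50"                              # internal server XYZ on the LAN
X1_IP, X3_IP = "203.0.113.1", "198.51.100.3"   # "WAN Primary IP" and "X3 IP"

@dataclass
class Route:
    interface: str
    source: str = "0.0.0.0/0"   # a source constraint turns this into policy-based routing
    metric: int = 10

@dataclass
class NatPolicy:
    src_orig: str               # CIDR of the original source
    src_trans: str              # "Original" or the translated source IP
    out_iface: str = "Any"      # outbound interface the policy is bound to

def egress_interface(routes, src):
    """Most specific source constraint wins, then the lowest metric (assumed model)."""
    matching = [r for r in routes if ip_address(src) in ip_network(r.source)]
    best = min(matching, key=lambda r: (-ip_network(r.source).prefixlen, r.metric))
    return best.interface

def translate(policies, src, iface):
    """First policy whose source and outbound interface match decides the translated source."""
    for p in policies:
        if ip_address(src) in ip_network(p.src_orig) and p.out_iface in ("Any", iface):
            return src if p.src_trans == "Original" else p.src_trans
    return src  # no policy matched: traffic leaves untranslated

def observed_public_ip(routes, policies, src):
    """What an external 'what is my IP' site would see for packets from src."""
    iface = egress_interface(routes, src)
    return iface, translate(policies, src, iface)

DEFAULT_ROUTES = [Route("X1", metric=20)]   # "All internet traffic defaults to X1."
POLICIES = [
    NatPolicy(f"{XYZ}/32", X3_IP, out_iface="X3"),   # outbound 1-to-1 for XYZ on X3
    NatPolicy("10.0.0.0/24", X1_IP, out_iface="X1"), # existing many-to-one on X1
]
# The static route from the accepted answer: source = XYZ, interface X3, metric 1.
ROUTES_FIXED = DEFAULT_ROUTES + [Route("X3", source=f"{XYZ}/32", metric=1)]

if __name__ == "__main__":
    print(observed_public_ip(DEFAULT_ROUTES, POLICIES, XYZ))  # ('X1', '203.0.113.1')
    print(observed_public_ip(ROUTES_FIXED, POLICIES, XYZ))    # ('X3', '198.51.100.3')
```

Other LAN hosts are unaffected by the /32 route and still leave via X1, which is the check to run after adding the route on a production box.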
 
BigPapaGotti commented:
Glad to hear this resolved your issue, and thanks for the feedback. Much appreciated!
0
