Avatar of azpete
azpete
 asked on

SonicWall - how to Setup Control Port 20021 Data port range 25000-25500

We have a SonicWall TZ 210 and are installing   FTP on a few of our Workstations for our Bank.

Our Bank tech support wants me to open the above Control port and data port range.

I normally run the Public Server Wizard for forwarding outside traffic like Security Cameras or HVAC controls but I think what they want is the Firewall to allow traffic WAN to LAN on the Control port and data port mentioned above.

Am I thinking about this in the right way ?
Hardware FirewallsNetworkingNetwork Security

Avatar of undefined
Last Comment
masnrock

8/22/2022 - Mon
Aaron Tomosky

Yes use the public server wizard and then just edit the created service groups to have those ports
azpete

ASKER
I should have added more in the question.

We want to open the above control port and data range for the entire LAN. (From Wan)

By default all LAN to WAN traffic and services are "ALLOW" and all WAN to LAN are "DENY"
Is it possible to modify the WAN to LAN to "ALLOW" that control Port and Data RANGE
Aaron Tomosky

That will only work if you have 1 to 1 wan to lan up mapping.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
azpete

ASKER
Aaron, I understand and have done the 1 to 1 mapping via the Wizard many times for many clients on all models of SonicWalls.
  If the bank  said ,
"hey firewall guy, set up a public SFTP  PC on your LAN"   the public server wiz does that in 20 seconds.  But thats not the case.  We want to setup 5 or so PCs with SFTP software applications, and the bank just repeats the mantra " open your firewalls control port and data range ( to the numbers above)  My assumption may be wrong but shouldnt it be that you can say " Sure..., DENY all WAN to LAN services ( that are not initiated by the LAN" BUT add a rule that says " EXCEPT services for this control port and data range ???
Aaron Tomosky

Yes you can put an allow rule above the deny rule. They get processed in order. However I would strongly suggest this is not a good idea
azpete

ASKER
I agree that the rule would be a big hole but ( besides the 1 to 1)  how would you answer the banks direction to "open the control port  and that data range on the firewall but not to a specific PC ?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Aaron Tomosky

You can't, you can open it on all pcs with 1 to 1 nat.
azpete

ASKER
i dont know what that means        " open it on all pcs with 1 to 1 nat"  can you explain ?
Aaron Tomosky

If you have 1 to 1 nat, then each wan ip maps to a lan ip. So you can add a firewall rule that states for those services from wan to lan, allow it. If that's not what they want then I really don't understand their request.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
azpete

ASKER
I agree, either the bank tech support statement is incomplete or misleading or my concept of opening wan to lan ports is too shallow.  I will be in contact with the bank and see if I can get more information. They may simply want a public server but are unwilling to say so directly.  Stand by and I will get more info
ASKER CERTIFIED SOLUTION
masnrock

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
azpete

ASKER
By default , SonicWall has a "ALLOW all services from LAN to WAN" rule .  I assume that means that a LAN PC can open communications on ANY port and ANY data range.  Since the bank appears to be saying we are not setting up a public server then I think we will be ok with no changes to the SonicWall.  

I I have sent such a statement to the Banks tech support folks and am looking forward to their reply.

  I suspect that a CISCO PIX or other brands of firewalls default to DENY all services from LAN to WAN and the admin must specifically open the ones they want.
masnrock

Exactly. Some companies also prefer to block everything and only allow what should be necessary for work. You are in the clear.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.