Sonicwall NSA 3600 transparent DMZ to LAN/WAN NAT and rules

Hello- We are migrating from a Sonicwall 3060 to an NSA 3600. We have 3 interfaces set up- X0 LAN, X1 WAN and X3 transparent DMZ. We have used the Server wizard to automatically create address objects, service objects and access rules, as well as NAT policies, for each server. All our servers are on the same subnet as the WAN interface. We have two questions:
1) The server wizard requires a public and private IP address. But since our servers are on the transparent DMZ, not on the LAN, we have entered the same public address for both fields in the wizard. The wizard completed successfully and gave no errors. Will this work when we bring the system online?
2) Some of the DMZ servers require a few services to be blocked from WAN access, but allowed from LAN access. We are not sure how to do this. If we use the wizard to create new access rules, NAT policies, etc., it binds the access rules to the WAN/DMZ, so we cannot modify the Source field in the access rules, since it doesn't apply to the LAN. We are trying to avoid creating this manually since frankly we are not sure how the NAT policies work, and would rather let the wizard create them automatically.

Any help would be appreciated. This is for an educational organization with about 200 users.

If you are trying to duplicate the settings of the 3060 in the new 3600, why not simply export them and import on the new device?
engineer2050 (Author) commented:
Good advice- but will that work? The Sonic O/S version and whole setup are so different on the 2 units.
Yes it should. Take a look at:

This talks about from 5.9 to 6.1, but the procedure is the same for older versions.

engineer2050 (Author) commented:
Our older Sonic is a PRO3060 with SonicOS Standard, quite old. And Standard is quite different from Sonic Enhanced.
You can export the configuration and try to import on the new device before you do any other configuration on it. Most of the time it will work. If it does not like it, it will give you an error. If it accepts it, it may not do all configurations, as some may no longer be supported. Check carefully.

Worst case, if you try and have a problem, you can always reset to factory defaults and start over.

engineer2050 (Author) commented:
Actually both my questions are now answered.

Question 1, using the wizard to create a NAT policy from the WAN to the transparent DMZ, where the source and destination addresses are the same, is actually supported by Sonic. The Sonic manual says NAT policies can actually be used when the addresses are the same, just to effect packet traversal between the interfaces. When I tested the 3600, it worked.

Question 2 was solved when I made a loopback NAT policy for the LAN to DMZ, like this: Source original <firewalled subnets>, Source translated <original>, Destination original <server address object public>, Destination translated <server address object private>, Service original <services allowed from LAN to DMZ object>, Service translated <original>, Inbound interface <any>, Outbound interface <any>. I tested it and it works. I also had to make a Firewall access rule from the LAN to DMZ with the server address object and allowed services object, but that was easy and straightforward compared to the NAT policy.
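
A simplified model of the two NAT policies and access rules described in the post above, added here as an example (it is not the poster's configuration and not SonicOS code). The addresses, service names, matching order and deny-on-no-match behaviour are assumptions; the audit checks that a service meant only for the LAN stays unreachable from the WAN.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample objects (documentation address ranges, hypothetical services).
FIREWALLED_SUBNETS = [ip_network("192.168.10.0/24")]          # X0 LAN
SERVER_PUBLIC = SERVER_PRIVATE = ip_address("203.0.113.10")   # same address: transparent DMZ
WAN_SERVICES = {"tcp/443"}                # published to the WAN
LAN_SERVICES = {"tcp/443", "tcp/3389"}    # "services allowed from LAN to DMZ" object

# Fields follow the ones listed in the post; src_orig None means Any.
NatPolicy = namedtuple("NatPolicy", "src_orig dst_orig dst_xlat services")
AccessRule = namedtuple("AccessRule", "from_zone to_zone dst services")

NAT = [
    NatPolicy(None, SERVER_PUBLIC, SERVER_PRIVATE, WAN_SERVICES),                # wizard-style inbound policy
    NatPolicy(FIREWALLED_SUBNETS, SERVER_PUBLIC, SERVER_PRIVATE, LAN_SERVICES),  # loopback policy
]
RULES = [
    AccessRule("WAN", "DMZ", SERVER_PRIVATE, WAN_SERVICES),
    AccessRule("LAN", "DMZ", SERVER_PRIVATE, LAN_SERVICES),
]

def translate(src, dst, svc):
    """Destination after NAT; policies with a specific source are tried first (assumption)."""
    for p in sorted(NAT, key=lambda p: p.src_orig is None):
        src_ok = p.src_orig is None or any(src in net for net in p.src_orig)
        if src_ok and dst == p.dst_orig and svc in p.services:
            return p.dst_xlat
    return dst  # no policy matched: address left unchanged

def allowed(zone, src, dst, svc, rules=RULES):
    """True if an access rule for zone -> DMZ permits the translated packet (no match = deny)."""
    real_dst = translate(src, dst, svc)
    return any(r.from_zone == zone and r.to_zone == "DMZ" and r.dst == real_dst
               and svc in r.services for r in rules)

def audit(lan_only, lan_host, wan_host, rules=RULES):
    """Findings for services meant to be LAN-only; an empty list means the policy holds."""
    out = []
    for svc in sorted(lan_only):
        if allowed("WAN", wan_host, SERVER_PUBLIC, svc, rules):
            out.append(f"{svc} exposed to WAN")
        if not allowed("LAN", lan_host, SERVER_PUBLIC, svc, rules):
            out.append(f"{svc} blocked from LAN")
    return out
```

Keeping the LAN-only services in their own service object, referenced only by the LAN to DMZ rule and the loopback policy, is what keeps the audit empty; reusing that object in a WAN to DMZ rule produces an "exposed to WAN" finding.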