Sonicwall NSA 3600 transparent DMZ to LAN/WAN NAT and rules

Hello- We are migrating from a Sonicwall 3060 to an NSA 3600. We have 3 interfaces set up- X0 LAN, X1 WAN and X3 transparent DMZ. We have used the Server wizard to automatically create address objects, service objects and access rules, as well as NAT policies, for each server. All our servers are on the same subnet as the WAN interface. We have two questions:
1) The server wizard requires a public and private IP address. But since our servers are on the transparent DMZ, not on the LAN, we have entered the same public address for both fields in the wizard. The wizard completed successfully and gave no errors. Will this work when we bring the system online?
2) Some of the DMZ servers require a few services to be blocked from WAN access, but allowed from LAN access. We are not sure how to do this. If we use the wizard to create new access rules, NAT policies, etc it binds the access rules to the WAN/DMZ, so we cannot modify the Source field in the access rules, since it doesn't apply to the LAN. We are trying to avoid creating this manually since frankly we are not sure how the NAT policies work, and would rather let the wizard create them automatically.

Any help would be appreciated. This is for an educational organization with about 200 users.
engineer2050 Asked:
 
carlmd Commented:
You can export the configuration and try to import on the new device before you do any other configuration on it. Most of the time it will work. If it does not like it, it will give you an error. If it accepts it, it may not do all configurations, as some may no longer be supported. Check carefully.

Worst case, if you try and have a problem, you can always reset to factory defaults and start over.
 
carlmd Commented:
If you are trying to duplicate the settings of the 3060 in the new 3600, why not simply export them and import on the new device?
 
engineer2050 (Author) Commented:
Good advice- but will that work? The Sonic O/S version and whole setup are so different on the 2 units.
 
carlmd Commented:
Yes it should. Take a look at:

https://support.software.dell.com/download/downloads?id=5473488

This talks about from 5.9 to 6.1, but the procedure is the same for older versions.
 
engineer2050 (Author) Commented:
Our older Sonic is a PRO3060 with SonicOS Standard 3.1.6.3-4s, quite old. And Standard is quite different from Sonic Enhanced.
 
engineer2050 (Author) Commented:
Actually both my questions are now answered.

Question 1, using the wizard to create a NAT policy from the WAN to the transparent DMZ, where the source and destination addresses are the same, is actually supported by Sonic. The Sonic manual says NAT policies can actually be used when the addresses are the same, just to effect packet traversal between the interfaces. When I tested the 3600, it worked.

Question 2 was solved when I made a loopback NAT policy for the LAN to DMZ, like this:

Source original <firewalled subnets>
Source translated <original>
Destination original <server address object public>
Destination translated <server address object private>
Service original <services allowed from LAN to DMZ object>
Service translated <original>
Inbound interface <any>
Outbound interface <any>

I tested it and it works. I also had to make a Firewall access rule from the LAN to DMZ with the server address object and allowed services object, but that was easy and straightforward compared to the NAT policy.
Question has a verified solution.
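
A post-cutover check for the outcome of question 2, added here as an example and not part of the original thread: run it once from a LAN host and once from an outside host to confirm that the LAN-only services answer only from the LAN. The address 203.0.113.10, the port numbers and the "lan"/"wan" labels are constructed placeholders, not values from the thread.

```python
import socket

# Constructed expectation matrix (hypothetical address and ports): which TCP
# services on a DMZ server should answer from each vantage point.
EXPECTED = {
    "lan": {("203.0.113.10", 443): True, ("203.0.113.10", 22): True},
    "wan": {("203.0.113.10", 443): True, ("203.0.113.10", 22): False},
}

def reachable(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (silently dropped), or unreachable
        return False

def audit(expected, timeout=2.0):
    """Compare observed reachability with the expected policy.

    Returns (host, port, expected, observed) for every mismatch, so an
    empty list means the rules behave as intended from this vantage point.
    """
    mismatches = []
    for (host, port), want in sorted(expected.items()):
        got = reachable(host, port, timeout)
        if got != want:
            mismatches.append((host, port, want, got))
    return mismatches

if __name__ == "__main__":
    import sys
    vantage = sys.argv[1] if len(sys.argv) > 1 else "lan"
    problems = audit(EXPECTED[vantage])
    for host, port, want, got in problems:
        state = "open" if got else "blocked"
        wanted = "open" if want else "blocked"
        print(f"{vantage}: {host}:{port} is {state}, policy says {wanted}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one service is open where the policy says blocked, or blocked where it should be open.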
