NAT Polices on Sonicwall

Is there any example for configuring the Sonicwall for remote connection to a internal computer ?

Do I need to create two policies : one for the source NAT and the other for destination NAT ? As the client will only access his computer from outside, do I only need policies 2 ?

Beside, what access rules should I need to configure on Firewall ? Tks

policies 1 (source NAT) : Internal PC -> WAN IP
policies 2 (destination NAT) : WAN IP -> Internal PC
Tks
AXISHKAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kanti PrasadCommented:
hi

I am sure if the below link will be of help but have a look at the setup example which might give you an idea

https://support.software.dell.com/kb/sw7507
0
AXISHKAuthor Commented:
Due to license issue and keep thing easy, the client prefers to use remote desktop to connect to a office PC. Still need to NAT & Firewall setting for Sonicwall.

Tks
0
Dan BullCommented:
Is there a reason you don't use the Wizard?  No matter how you configure the Sonicwall the PC will have to have a static IP.
0
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

tsaicoCommented:
It sounds like you want to do a RDP session to you work station.  I would also recommend using the wizard, but before you do,
1. Create either a DHCP reservation or give the workstation a static IP out of your DHCP pool.
2. Create a custom RDP port.  http://tweaks.com/windows/50743/change-remote-desktop-rdp-port/  My tip is to right click and "export" the "RDP-TCP" folder key, then open the backup in notepad, change the "RDP-TCP" part in the brackets "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]". and re-import the key.  Registry will now show two different entries and then follow the steps on the one you just imported.
3. Enable remote desktop, turn off power features, enable RDP in windows firewall (and custom one if you made it) then reboot computer.
4. I then test it in LAN from another local workstation,
5. Assuming it works, then just create a new custom service (assuming I made a custom port, if not then i just use the one built in), then point it to the internal LAN IP of the workstation in question.
6. Test it using online port scanner.  If responds, then move on.

I use the custom RDP so if I ever need more than 1 workstation then I can have multiple RDP sessions going.  I also use the second listening port so internally if I need to get to the workstation locally, I don't have to have my list of ports on hand and can just use the default settings.
0
FlippCommented:
Instead of messing with client RDP listening ports and services we use port redirection from for example 5909 from external to 3389 internal. You just need firewall and nat rule and set client to static IP.
0
AXISHKAuthor Commented:
Tks, so what access rules should I need to configure on Firewall ?

 policies 1 (source NAT) : Internal PC -> WAN IP
 policies 2 (destination NAT) : WAN IP -> Internal PC
0
FlippCommented:
Firewall rule for All to WAN on external port then nat policy to route from WAN IP and external port to client ip and internal port.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AXISHKAuthor Commented:
For firewall rule, is it correct ?

For NAT, do I only need #20 - destination NAT ? Do I need to consider source NAT (#17) from internal PC to public (return path) ?

Tks
Firewall-Rule.png
NAT-Policy.png
0
tsaicoCommented:
Actually that port redirect is a better solution....  one less step
0
cef_soothsayerCommented:
OK, why has no-one pointed out that this is not best practices?  RDP is not a secure communications method.  RDP is intended for use over the LAN, not the WAN, and should *NEVER* be used over the internet without a VPN in place.  

If you have a Sonicwall, it comes with 5 licences for PC-to-LAN VPN connections.  Simply set up the VPN configuration in the Sonicwall and install the free Global VPN client on the remote machine.  Then you wont need to worry about any rules or NATs or PATs or ports to open.

Make life simple.  And more secure.  For free!

Thanks.
0
tsaicoCommented:
Already closed, but this is one of those myths that always seems to be persistent, similar to the SBS networks only allowing one DC (the SBS server)

RDP has always been encrypted.  Eventually it did move to industry standard SSL in W2k3. Since way back when and now, when you use RDP, it generally warns you of a selfsigned SSL error unless you install one.  It has baked in levels of Encryption, FIPS, High (128 bit), Client compatible (backwards with older than Win vista/2k3 clients), and low which is just 56 bit encrypted.

So while you may have the argument that 3389 is commonly known port so having it opened increases your attack footprint and there are plenty of reasons to not use that port, but to say it should never be used in a WAN type connection with or without VPN isn't accurate.

http://blogs.msdn.com/b/rds/archive/2009/03/12/top-10-rdp-protocol-misconceptions-part-2.aspx
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.