Port 3000 forwarding to different two different IP addresses internally - Sonicwall NSA 3500

kirk_shaw
kirk_shaw used Ask the Experts™
on
We currently have a Sonicwall NSA 3500 and up until recently everything was fine. Anything coming in on port 3000 is currently forwarded to our CCTV system. However, we now have some other critical software that needs to use port 3000 as well. None of these can be changed from port 3000 unfortunately.

Is it possible on the Sonicwall box to be able to have incoming traffic pointing to two different servers and if so how would I be able to accomplish this using the Sonicwall NSA 3500?

Thanks
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Hi Kirk,

If traffic for the CCTV system and this other software are both ingressing the same interface, the only way to accomplish this would be to assign multiple IPs to that ingress interface and to point the CCTV traffic to one IP, and the other traffic to the other iP.

So that I can give you a more detailed answer, would you please share a few more details?

1. Which interface is the traffic for the CCTV system ingressing?
2. Which interface is the traffic for the CCTV sytem egressing?
3. Which interface will the traffic for the other software ingress?
4. Which interface will the traffic for the other software egress?
5. If the ingress interface for both is the same, do you have two IPs in that subnet that can be assigned to the interface?
I can think of three ways to do this, each with different pros and cons:


1) Port address translation

Incoming connections from the Internet on port 3001 go to the CCTV on port 3000, and incoming connections on port 3002 go to the other software on port 3000.

This way each of your internal devices operates on port 3000, but accessing them from the Internet requires you to connect on port 3001 or 3002 depending on which devices you want. The router handles translating port 3001 or 3002 into port 3000 on the desired device.  The client side software needs to support having it's port number changed, though.



2) Multiple public IP addresses

If your ISP provides you with a block of addresses, you can configure it so that port 3000 on IP address #1 goes to the CCTV, and port 3000 on IP Address #2 goes to the other software. Your ISP must provide you with multiple public IP addresses. If they can't give you that then it isn't possible to do this.


3)  VPN

Port forwarding is not used and neither CCTV nor the other software are directly exposed to the Internet. Instead, you connect to the VPN server running on your SonicWall. Once connected to the VPN server, the remote device will have access to the local network where they can connect to either the CCTV device or the other software product via their internal IP address, just like they would if you were on the LAN
Commented:
Just try more static routing...

Source IP should be specified and traffic from there should be routed to destination IP on port 3000 and then do the same for the other device.

You want the main routing to be looking at where the request is coming from then pipe it to a particular destination on a particular port.  You are routing to the ports on the individual devices and not the port of the firewall.

Hope that helps/
The simplest way is with port address translation.  You need to create a new service (under network) for the new public port number then edit the NAT rules to change the service tied to the public IP to the new one and edit the firewall rule to use the new service as well.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial