
SonicWALL TZ400: NAT Policy Question (Virtual Interface)

Hi Guys,

We have an IP block from the ISP, and thus a couple of public IPs assigned, for example:
196.31.231.80
196.31.231.81
196.31.231.82

Our NAT policies on 196.31.231.80 over the X1 interface are working well.

I've been trying to set up additional NAT policies on 196.31.231.81, but I am experiencing a connection issue.
Which brings me to the following questions:

1.  Is it necessary to set up a Virtual Interface for 196.31.231.82 on X1 (255.255.255.0)?
Or could the NAT rules simply refer to X1?

2.  I tried setting up a Virtual Interface on X1 for 196.31.231.82, but it complains that the same subnet is already used.
What should the subnet for the Virtual Interface be?
0
Rupert Eghardt
6 Solutions
 
Blue Street Tech (Last Knight) commented:
Hi Rupert,

1.  Is it necessary to set up a Virtual Interface for 196.31.231.82 on X1 (255.255.255.0)?
Or could the NAT rules simply refer to X1?
All IPs can go through X1... you don't need sub-interfaces / virtual interfaces for each IP.

2.  I tried setting up a Virtual Interface on X1 for 196.31.231.82, but it complains that the same subnet is already used.
What should the subnet for the Virtual Interface be?
You don't need this! Create separate NAT Policies and Access Rules if you want to control traffic. The error you are receiving is because your Subnet Mask is overlapping, or in other words including all five IPs, so you'd have to change it to include only the IP address you want to add... but again, you don't need to set up virtual interfaces... all IP addresses will flow through the WAN on X1.

Let me know if you have any other questions!
1
 
Rupert Eghardt (Programmer, Author) commented:
I've set up the NAT rules for .82 identical to .81 but can't get external access?
Should I not configure X1 to allow .81? Or does it automatically allow the full block of IPs?
0
 
Blue Street Tech (Last Knight) commented:
If your ISP's modem/router provides the ability to bring all your IPs in the connection then configure the main IP in the SonicWALL's X1 and use the Wizard (in the top right corner) to configure all the other IPs, which will automatically configure all the necessary Address Objects, Services, NAT Policies and Access Rules for you. It is the recommended method to do this by SonicWALL and it is the most comprehensive way to execute this.
1
 
J Spoor (TME) commented:
Besides the NAT rules, did you create WAN to LAN allow rules?
The destination would be the public IP address .81 & .82, not the private IP address of the server.
0
 
Rupert Eghardt (Programmer, Author) commented:
Thanks J Spoor,

I had SSH and SSH (management protocol) in the service group of the NAT policy.
Only upon editing the access rule did the appliance report the issue:
"Error: Policy Action: Can't mix management / non-management services"

I removed the management protocol and all seems fine now.

A last question:
I would like the source IP to be passed on to the published server.
My translated source in the NAT rules is the public IP.
Can I simply change the translated source to "Original"?
0
 
J Spoor (TME) commented:
Providing access usually involves a few steps.

NAT policies:
Inbound NAT policy: source = any, translated source = original, destination = Public IP (.81 or .82), translated destination = Private IP.
  You can either choose service as ANY (one-to-one NAT) or limit it to a service object / group. Normally you leave translated service as original.
  Set inbound interface to the WAN interface, in your case X1, and leave outbound interface as ANY.
Outbound NAT policy: source = Private IP, translated source = Public IP, destination = any, translated destination = original.
  Again you can limit service if desired, or leave it as any.
  Set outbound interface to X1.

Firewall Access Rules:
From zone WAN to zone LAN (or DMZ, depending on where the server is), source = any, destination = Public IP (.81 or .82), service is the desired service. I strongly advise against using ANY!
0
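The recipe above, turned into a small policy lint (added example, not from the thread or from SonicWall): it models NAT policies and access rules with the field names used in the SonicOS UI and flags the three mistakes discussed in this question, an access rule aimed at the private IP instead of the public one, a service of ANY, and management services mixed with non-management ones. The private addresses and service names in the sample are constructed.

```python
from typing import NamedTuple

# Service objects that SonicOS treats as management-only (cannot be mixed in one access rule).
MGMT_SERVICES = {"SSH Management", "HTTPS Management", "HTTP Management"}

class Nat(NamedTuple):
    """One NAT policy; tsrc/tdst are the translated source/destination ("Original" = unchanged)."""
    src: str; tsrc: str; dst: str; tdst: str; svc: str = "Any"; in_if: str = "Any"; out_if: str = "Any"

class Rule(NamedTuple):
    """One firewall access rule."""
    from_zone: str; to_zone: str; src: str; dst: str; services: frozenset

def lint_publish(public_ip, private_ip, nats, rules, wan_if="X1"):
    """Findings for one published server; an empty list means the set matches the recipe above."""
    issues = []
    inbound = [n for n in nats if n.dst == public_ip and n.tdst == private_ip and n.in_if == wan_if]
    if not inbound:
        issues.append(f"missing inbound NAT {public_ip} -> {private_ip} on {wan_if}")
    elif any(n.tsrc != "Original" for n in inbound):
        issues.append("inbound NAT rewrites the source, so the server never sees the client IP")
    if not any(n.src == private_ip and n.tsrc == public_ip and n.out_if == wan_if for n in nats):
        issues.append(f"missing outbound NAT {private_ip} -> {public_ip} on {wan_if}")
    wan_rules = [r for r in rules if r.from_zone == "WAN" and r.dst in (public_ip, private_ip)]
    if not wan_rules:
        issues.append("no WAN-to-LAN/DMZ access rule for this server")
    for r in wan_rules:
        if r.dst == private_ip:
            issues.append("access rule destination is the private IP; it must be the public IP")
        if "Any" in r.services:
            issues.append("access rule allows service Any; restrict it to the published service")
        if r.services & MGMT_SERVICES and r.services - MGMT_SERVICES:
            issues.append("access rule mixes management and non-management services")
    return issues

# Constructed sample mirroring the thread: .81 configured as advised, .82 with two mistakes.
NATS = [
    Nat("Any", "Original", "196.31.231.81", "10.0.0.81", "HTTPS", in_if="X1"),
    Nat("10.0.0.81", "196.31.231.81", "Any", "Original", out_if="X1"),
    Nat("Any", "Original", "196.31.231.82", "10.0.0.82", "SSH", in_if="X1"),
    Nat("10.0.0.82", "196.31.231.82", "Any", "Original", out_if="X1"),
]
RULES = [
    Rule("WAN", "LAN", "Any", "196.31.231.81", frozenset({"HTTPS"})),
    Rule("WAN", "LAN", "Any", "10.0.0.82", frozenset({"SSH", "SSH Management"})),
]
```

Running `lint_publish("196.31.231.82", "10.0.0.82", NATS, RULES)` reports the private-IP destination and the mixed management services, while the .81 pair returns no findings.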
 
J Spoor (TME) commented:
SSH management is a service object tied to the SonicWall's SSH management port, and can indeed only be used in management rules :) whereby the destination is an interface IP.
0
 
J Spoor (TME) commented:
As Blue Street Tech mentioned, no IP assignment is needed for these extra IPs; the SonicWall will defend the public IP address automatically if it is used properly in NAT rules.
0