SonicWALL TZ400: NAT Policy Question (Virtual Interface)

Hi Guys,

We have an IP block from the ISP
Thus a couple of public IP's assigned, example:
196.31.231.80
196.31.231.81
196.31.231.82

Our NAT policies on 196.31.231.80 over X1 interface is working well.

I've been trying to setup additional NAT policies on 196.31.231.81, but experiencing a connection issue.
Which brings me to the following questions:

1.  Is it necessary to set up a Virtual Interface for 196.31.231.82 on X1?
(255.255.255.0)
Or could the NAT rules simply refer to X1?

2.  I tried setting up a Virtual Interface on X1 for 196.31.231.82, but it complains about the same subnet used,
What should the subnet for the Virtual Interface be?
Rupert Eghardt (Programmer) asked:
Blue Street Tech (Last Knight) commented:
Hi Rupert,

1.  Is it necessary to set up a Virtual Interface for 196.31.231.82 on X1?
(255.255.255.0)
Or could the NAT rules simply refer to X1?
All IPs can go through X1... you don't need sub interfaces/ virtual interface for each IP.

2.  I tried setting up a Virtual Interface on X1 for 196.31.231.82, but it complains about the same subnet used,
What should the subnet for the Virtual Interface be?
You don't need this! Create separate NAT Policies and Access Rules if you want to control traffic. The error you are recording is because your Subnet Mask is overlapping or in other words including all five IPs so you'd have to change it to include only the IP address you want to add... but again you don't need to setup virtual interfaces... all IP addresses will flow through the WAN on X1.

Let me know if you have any other questions!
Rupert Eghardt (Programmer, Author) commented:
I've set up the NAT rules for .82 identical to .81 but can't get external access?
Should I not configure X1 to allow .81?  Or does it automatically allow the full block of IP's?
Blue Street Tech (Last Knight) commented:
If your ISP's modem/router provides the ability to bring all your IPs in the connection then configure the main IP in the SonicWALL's X1 and use the Wizard (in the top right corner) to configure all the other IPs, which will automatically configure all the necessary Address Objects, Services, NAT Policies and Access Rules for you. It is the recommended method to do this by SonicWALL and it is the most comprehensive way to execute this.
J Spoor (TME) commented:
Besides the NAT rules, did you create WAN to LAN allow rules?
Destination would be the public IP address .81 & .82, not the private IP address of the server.
Rupert Eghardt (Programmer, Author) commented:
Thanks J Spoor,

I've had the SSH and SSH (management protocol) in the service group of the NAT policy.
Only upon editing the access rule, did the appliance prompt the issues
"Error: Policy Action: Can't mix management / non-management services"

I removed the management protocol and all seems fine now.

A last question,
I would like the source IP to be passed onto the published server.
My translated source in the NAT rules is the public IP.  
Can I simply change the translated source to "Original"?
J Spoor (TME) commented:
Providing access usually involves a few steps.
NAT policies:
inbound NAT policy:  source = any, translated source = original, destination = Public IP (.81 or .82), translated destination = Private IP
  you can either choose service as ANY (one-to-one NAT) or limit it to a service object / group. Normally you leave translated service as original
  set inbound interface to the WAN interface, in your case X1, and leave outbound interface to ANY
outbound NAT policy: source = Private IP, translated source = Public IP, destination = any, translated destination = original
  again you can limit service if desired, or leave it to any
  set outbound interface to X1

Firewall Access Rules:
from zone WAN to zone LAN (or DMZ, depending on where the server is), source = any, destination = Public IP (.81 or .82), service is the desired service. Strongly advise against using ANY!
J Spoor (TME) commented:
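Added example (my own, not J Spoor's or SonicWALL's code): a small Python model of the recipe above that builds the inbound NAT, outbound NAT and access rule for one public IP, then lints the set for the mistakes that came up in this thread (access rule pointing at the private IP, a service group mixing management and non-management services, service ANY on a WAN rule), and shows why a /24 virtual interface triggers the "same subnet" error. Class and function names are hypothetical; SonicOS itself is configured through the GUI or wizard, not this code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: SonicOS service objects reserved for managing
# the firewall itself (their destination is an interface IP, not a server).
MGMT_SERVICES = {"SSH Management", "HTTPS Management"}

@dataclass(frozen=True)
class NatPolicy:
    src: str
    xlat_src: str
    dst: str
    xlat_dst: str
    in_if: str
    out_if: str
    service: str = "Any"

@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    services: frozenset

def publish_server(public_ip, private_ip, services, wan_if="X1", zone="LAN"):
    """Build the inbound NAT, outbound NAT and WAN->zone access rule for one public IP."""
    inbound = NatPolicy("Any", "Original", public_ip, private_ip, wan_if, "Any")
    outbound = NatPolicy(private_ip, public_ip, "Any", "Original", "Any", wan_if)
    rule = AccessRule("WAN", zone, "Any", public_ip, frozenset(services))
    return inbound, outbound, rule

def lint(inbound, outbound, rule):
    """Flag the mistakes discussed in the thread; an empty list means the set is consistent."""
    issues = []
    if rule.dst != inbound.dst:  # the rule matches the public IP, not the translated one
        issues.append("access rule destination must be the public IP " + inbound.dst)
    if rule.services & MGMT_SERVICES and rule.services - MGMT_SERVICES:
        issues.append("Can't mix management / non-management services")
    if "Any" in rule.services:
        issues.append("service Any on a WAN to LAN rule exposes every port on the server")
    if inbound.xlat_src != "Original":
        issues.append("translated source should be Original so the server sees the client IP")
    if outbound.src != inbound.xlat_dst or outbound.xlat_src != inbound.dst:
        issues.append("outbound NAT must map the private IP back to the same public IP")
    return issues

def same_subnet(x1_cidr, vif_cidr):
    """The 'same subnet' error: a /24 on the virtual interface is X1's own network; a /32 is not."""
    return ipaddress.ip_network(x1_cidr, strict=False) == ipaddress.ip_network(vif_cidr, strict=False)
```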
SSH management is a service object tied to the SonicWall's SSH management port, and can indeed only be used in management rules :) whereby the destination is an interface IP.
J Spoor (TME) commented:
As Blue Street Tech mentioned, no IP assignment is needed for these extra IPs; the SonicWall will defend the public IP address automatically if used properly in NAT rules.