
SonicWALL NSA 3500 Port Forwarding Issue

Hello Everyone,

I have a SonicWALL NSA 3500 that I am trying to configure to open port 8000 for a Network Video Recorder (Hikvision). I want to port forward.  I created an object for port 8000 and then for the internal IP address that the recorder is going to use. I then went through the Public Server Wizard and entered the internal IP and then the wizard went ahead and added our WAN address and then created the inside, outside and loopback parameters.  For all intents and purposes this should have opened port 8000 once I went through the wizard.

Issue is when I try accessing from outside (or even inside my LAN network) using our WAN IP and then adding the 8000 suffix (x.x.x.x:8000) it's not reachable.  I believe I should receive at least a SonicWALL test page, correct?  Even if the device is not plugged into the switch yet I should still get something from the SonicWALL I believe.

Can anyone tell me if there is anything else I can do to make sure that port is open?  Web tests still say the port is closed.

Any help would be most appreciated!

Thanks!
Asked: Michael Lainez
 
Blue Street Tech (Last Knight) commented:
Hi Michael,

Make sure nothing is conflicting with that port.

For all intents and purposes this should have opened port 8000 once I went through the wizard.
Yes, the wizard is the most comprehensive and complete way to open ports hands down provided that you setup the parameters correctly - added the correct internal IPs and services/ports.

I believe I should receive at least a SonicWALL test page, correct?
No, you will not "see" anything from SonicWALL if the port is open or closed.

Run a packet capture (System > Packet Monitor) to see what is going on. You can also run a port scan externally but the packet capture is going to provide the most info.

Let me know if you have any questions!
0
 
Michael Lainez (Author) commented:
Hey thanks for responding!

How can I check if port 8000 is already in use?

Hmm, I've watched a lot of SonicWALL videos and a lot of them show that they are getting a SonicWALL test web page to prove that the port forwarding is set up correctly.  I do not have the device setup or connected to our LAN switch yet, though.  We have a vendor coming in next week to do so but they want everything set up beforehand.  Hard to tell then if it is working OK or not.

External port scan says 8000 is closed and unreachable.

I will try and see if I can set up a packet capture.
0
 
Blue Street Tech (Last Knight) commented:
How can I check if port 8000 is already in use?
Look at your Access Rules for the applicable Zones, assuming your internal device is in the LAN...you lookup the WAN>LAN zone. Also, check your NAT Policies for shared Public IPs and port 8000.

Hmm, I've watched a lot of SonicWALL videos and a lot of them show that they are getting a SonicWALL test web page to prove that the port forwarding is set up correctly.  I do not have the device setup or connected to our LAN switch yet, though.  We have a vendor coming in next week to do so but they want everything set up beforehand.  Hard to tell then if it is working OK or not.
Please send a link over, I'd love to see this. If you are talking about remote management for the SonicWALL it will display a page, but if you think about it that makes sense since the destination is the SonicWALL; otherwise, how would a SonicWALL test page be injected midway through the established connection? You can test this: for example, if you were to open up RDP (which I wouldn't recommend leaving up past testing) to a PC or server and let's say you test it and everything works great. Then unplug the server/PC and retest...you will NOT receive a SonicWALL test page. Why? Because the SonicWALL is not the destination. The destination is what dictates the response - always!

How are you interacting with this device and why did you pick 8000? What is the protocol used, e.g. UDP, TCP, etc.
0
 
CompProbSolv commented:
Have you confirmed that you can get to the device from inside the LAN using the LAN IP address of the device?
0
 
Blue Street Tech (Last Knight) commented:
I do not have the device setup or connected to our LAN switch yet, though. We have a vendor coming in next week to do so but they want everything set up beforehand.
This is your problem. Nothing is testable until you have your device set up. Let me clarify: you can test the port being open by placing a server or computer in its spot (as the destination) temporarily, open up ping on the machine's firewall, and set the ports for this Access Rule & NAT policies on the SonicWALL. Then ping from outside to validate the path. Once validated, change back the existing ports and remove the testing machine. You have done all that is needed in prep for your vendor's arrival provided that the port #, protocols and private IP address are all correct.
0
 
Michael Lainez (Author) commented:
Blue,

Thanks maybe I was mistaken about the videos then, Maybe it was them just opening the management portal.  If I can find the video again I will send over the link.  Also, the vendor of the NVR device is requesting port 8000 to be port forwarded so they can view from outside our LAN.

Comp,
 
Device is not hooked up yet but I am trying to verify if the port forwarding is OK. Not sure how to test.  I can't tell if it is ready or not.
0
 
Michael Lainez (Author) commented:
Blue,

OK, what if I simply get a laptop and give it the internal static IP that was reserved for the NVR.  That should pull off the same thing in testing, no?  The laptop then should be reachable I would assume.  Does that sound reasonable?
0
 
Blue Street Tech (Last Knight) commented:
Gotcha, yes I'm positive the videos you watched were for management of the SonicWALL it is the only destination that would make sense - SonicWALL does not inject test pages midstream.

The issue is you need to generate traffic to test with a packet capture.

The laptop then should be reachable I would assume.
How, by ping? Because that is ICMP, not TCP or UDP. If you want to change the service to RDP or Ping and open the corresponding ports on the laptop, that would work. But that is only testing that the firewall, on a different port, is open and the NAT Policies, for different services, are functioning.

Again, the Wizard is the most comprehensive way to set up port forwarding. I'm most positive it doesn't fail to configure everything provided you are keying in the correct data.
0
 
CompProbSolv commented:
I missed the fact that the device was not yet connected.

My test for this sort of thing is to set up VNC (remote control software) on a workstation using the IP address for the non-connected device.  I use VNC as it is free (from tightvnc.com), you can set whatever port you want, and it only uses TCP.  I'd set up VNC on a workstation, set the workstation's IP address to that of the new device, change VNC's port to 8000, and test it locally.

The test is simple: download the VNC client on another workstation, run it, use the target IP address followed by :8000 as the Host, and see if it asks for a password.  If it does, then you are good so far.  Repeat the test with a device not on the LAN using your external IP address followed by :8000.
0
 
Blue Street Tech (Last Knight) commented:
I updated my last post. refresh to view.
0
 
CompProbSolv commented:
The laptop won't respond to packets sent to port 8000 unless there is something configured on it to do so.  My comments about VNC refer to an easy (to me, at least) way of setting up such a configuration.
1
 
Blue Street Tech (Last Knight) commented:
@CompProbSolv - I'm not sure if that was directed at my comment but that is what I said: "If you want to change the service to RDP or Ping and open the corresponding ports on the laptop, that would work. But that is only testing that the firewall, on a different port, is open and the NAT Policies, for different services, are functioning."
0
 
Michael Lainez (Author) commented:
OK guys, thanks to both of you!  I will try the VNC test and see what happens.  I will get back to you all as soon as I can!
0
 
Michael Lainez (Author) commented:
So you set the Main server setting in VNC to 8000?
0
 
Michael Lainez (Author) commented:
So I set up a laptop to use the internal static IP address and the SM and Gateway and our DNS servers.  Set VNC's Main server port to 8000.  No joy.
0
 
Blue Street Tech (Last Knight) commented:
Remember to turn off Windows Firewall (for testing only).
0
 
Michael Lainez (Author) commented:
Unfortunately it was already off.  I double-checked anyway, yes it is off.

I do get a reply if I ping the internal IP from my workstation.
0
 
Michael Lainez (Author) commented:
Hmm, I changed the web access port to 8000 and now when I log in from the internal and external IPs I get a screen that shows www.tightvnc.com

It doesn't prompt me for a login or password, does that sound right?
0
 
Michael Lainez (Author) commented:
Yeah I guess that part doesn't matter as I can set the web access server to whatever port I want and I'll get the same thing.
0
 
Blue Street Tech (Last Knight) commented:
Your config may be off in the VNC but the fact that from the outside you are able to see tightvnc means Access Rules, NAT Policies, Address & Service Objects in the firewall are all correct. Otherwise you'd see nothing!
0
 
CompProbSolv commented:
Not sure why the VNC client wasn't getting to the computer (you did use the format IP Address:8000 ?).  In any case, BST is correct that you've successfully tested port 8000 through the firewall.
0
 
Michael Lainez (Author) commented:
Yes I did use that (ip address:8000).  But here's the thing, when I changed the web access port on the VNC laptop to any port (I just changed it to 3250) and then I do ip address:3250 I get the exact same thing...I see www.tightvnc.com.  So unfortunately I am not so sure that test of 8000 actually meant anything.  Looks like I can change the port to whatever I want internally and I will still get to it.  

Externally it never got anywhere.

Anyway, I guess that's that.  Not sure what else I can try to see if the port forwarding is OK.
0
 
Blue Street Tech (Last Knight) commented:
Hmm, I changed the web access port to 8000 and now when I log in from the internal and external IPs I get a screen that shows www.tightvnc.com

Externally it never got anywhere.

Your statements are conflicting. Were you able to test externally and get a tightvnc page or not?
0
 
CompProbSolv commented:
You are using the VNC client to connect?

"Looks like I can change the port to whatever I want internally and I will still get to it.  "
If you are accessing it from a computer on the LAN and using the LAN IP address of the device, that's what you'd expect.  The exception is if the two devices are on different LAN ports on your SonicWall.  In that case you COULD have rules preventing (or not allowing) traffic between LAN ports, but I'd expect that you don't.

"Externally it never got anywhere."
Not sure what that means.  Were you able to get to the www.tightvnc.com address when you tried to access it from a device not on the LAN using the external IP:8000?  Keep in mind that it takes an additional configuration to allow LAN devices to use the external IP to get to other LAN devices.
0
 
Michael Lainez (Author) commented:
Did a telnet to my domain and then port 8000.  I should have gotten a blank screen with a cursor blinking in the left hand corner if it was open.  It wasn't, said it could not connect.  If I do domain and 443 or 80, etc., I get the blinking cursor meaning it is open.

Looks like port 8000 isn't open after all.
0
 
Michael Lainez (Author) commented:
Comp,

" Keep in mind that it takes an additional configuration to allow LAN devices to use the external IP to get to other LAN devices."

Yes I think you are referring to the loopback.  That was done as well.  But as said, it definitely looks like port 8000 is not open after all
0
 
Blue Street Tech (Last Knight) commented:
In your SonicWALL go to Access Rules WAN>LAN and locate the rule created for 8000. Does the rule state Allow or Discard/Deny, and is the rule at the highest priority above all other deny/discard rules?

Also, if you hover over the stats icon for the rule do you see any traffic?
0
 
Michael Lainez (Author) commented:
It says "Allow" and is above the Deny entry at the bottom.  There is some traffic showing if I hover over the stats icon.
0
 
Blue Street Tech (Last Knight) commented:
Now that you have verified it is Allow (open) with some traffic passing through, that means two things:
a) that port is definitively open, and
b) you can test via Packet Capture.
0
 
Michael Lainez (Author) commented:
OK let me try that tomorrow and I'll get back to you.  I am leaving for the day now.  I really do appreciate the advice each of you have given me!
0
 
CompProbSolv commented:
Keep in mind that if you can't get to the computer through the VNC client from another computer on the LAN then the remote testing with VNC is irrelevant.  It's usually pretty simple.  Install VNC, change the (non-java) port to 8000, run the VNC client on another computer, point to the local IP address of the VNC server followed by ":8000" , and get a login screen.
0
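The stand-in listener plus telnet check that the thread converges on, as an added scripted example (not code from either answerer; `start_listener` and `check_port` are hypothetical names). Run `start_listener()` on the machine that borrowed the NVR's reserved LAN IP, then call `check_port` against the LAN IP from inside and against the WAN IP from a host outside the LAN; the peer list shows which source address actually reached the listener, and the three return values separate "nothing answered" from "something other than the test listener answered" (the symptom of seeing the same web page on every port).

```python
import socket
import threading

# Constructed banner; it stands in for the NVR/VNC service that is not on the LAN yet.
BANNER = b"port-forward test listener\r\n"


def start_listener(bind_ip="0.0.0.0", port=8000):
    """Accept TCP connections on the reserved IP/port, answer with BANNER and
    record each peer address (LAN client, loopback NAT, or the real outside
    source IP). Returns the listening socket and the shared hit list."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)
    hits = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # listening socket was closed, stop serving
            hits.append(peer[0])
            with conn:
                conn.sendall(BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv, hits


def check_port(host, port, timeout=3.0):
    """Scripted form of the telnet test. Returns one of:
    'closed'   - no TCP handshake: Access Rule, NAT policy or destination is off
    'listener' - handshake completed and our BANNER came back
    'open'     - handshake completed but something else answered, e.g. a
                 management or web UI that shows up on whatever port you try"""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with s:
        try:
            data = s.recv(len(BANNER))
        except OSError:  # includes a recv timeout with no banner at all
            data = b""
    return "listener" if data == BANNER else "open"
```

A "closed" result from outside while the LAN check says "listener" isolates the problem to the firewall's WAN>LAN rule or NAT policy rather than the test host.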
 
Michael Lainez (Author) commented:
I guess I am not following what you're saying to do.

I have the VNC client on my workstation now.  I also have it on the laptop with the non-java port set to 8000 and the static IP set with all the other parameters.

What do I need to do to the VNC app on my workstation to connect?  Change the port to 8000 as well?
0