Friday, 29 June 2012

NATing in SonicWALL

Feature/Application:
The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granular NAT policies for their incoming and outgoing traffic. This article illustrates the different types of NAT policies which can be configured on the SonicWALL for various purposes.

Procedure:
For the purpose of this article, we’ll be using the following IP addresses as examples to demonstrate the NAT policy creation and activation. You can use these examples to create NAT policies for your network, substituting your IP addresses for the examples shown here:
  • 192.168.1.0/24 IP subnet on interface X0
  • 1.1.1.0/24 IP subnet on interface X1
  • 192.168.30.0/24 IP subnet on interface X3
  • X0 LAN IP address is 192.168.1.1
  • X1 WAN IP address is 1.1.1.1
  • X3 IP address is 192.168.30.1
  • Webserver’s “private” address at 192.168.1.100
  • Webserver’s “public” address at 1.1.1.1

Many to One NAT

This is the most common NAT policy on a SonicWALL, and allows you to translate a group of addresses into a single address. Most of the time, this means that you’re taking an internal “private” IP subnet and translating all outgoing requests into the IP address of the SonicWALL’s WAN port, such that the destination sees the request as coming from the IP address of the SonicWALL’s WAN port, and not from the internal private IP address.

SonicWALL has a default outgoing NAT policy preconfigured for each interface configured under the Network > Interfaces, translating all outgoing requests into the IP address of the SonicWALL’s primary WAN port (WAN Primary IP). To view the default NAT Policies preconfigured in the SonicWALL, navigate to the Network > NAT Policies page. Select the radio button Custom Policies. Scroll down the page and you should be able to see policies similar to the screenshot below.
However, in certain scenarios it may be necessary to translate a particular subnet to an IP address other than the WAN Primary IP. Such a NAT policy is simple to create and activate. To create a NAT policy that allows all systems on the X3 interface to initiate traffic using a public IP address other than the SonicWALL’s WAN Primary IP address, follow these steps:
  • Log in to the SonicWALL Management Interface.
  • Select Network > Address Objects.
  • Click the Add button to add a new address object as per the screenshot. Note: For complete information on creating Address Objects, refer to KBID 7486.
  • Navigate to the Network > NAT Policies page.
  • Click on Add to create a new NAT policy as per the screenshot.
  • Original Source: X3 Subnet
  • Translated Source: X3 Public IP
  • Original Destination: Any
  • Translated Destination: Original
  • Original Service: Any
  • Translated Service: Original
  • Source Interface: X3
  • Destination Interface: X1
  • Check box next to ‘Enable’
  • Comment: (enter a short description)
Your screen should match the screenshot shown below. When done, click on the ‘OK’ button to add and activate the NAT Policy. This policy can be duplicated for subnets behind other interfaces of the SonicWALL – just replace the “Original Source” with the subnet behind that interface, adjust the source interface, and add another NAT policy.

One to One NAT
This is another common NAT policy on a SonicWALL, and allows you to translate an internal IP address into a unique IP address. This is useful when you want specific systems, such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time, a NAT policy such as this is used to map a server’s private IP address to a public IP address, and it’s paired with a mirror policy that allows any system from the public Internet to access the server, along with a matching firewall access rule that permits this.
In this example we have chosen to demonstrate a webserver using the HTTP service; however, the following steps apply to any service you wish to use (such as HTTPS, SMTP, FTP, Terminal Services, SSH, etc.).
Creating the necessary Address Objects
  • Go to Network > Address Objects.
  • Click the Add button and create two address objects, one for the server’s IP on the LAN and another for the server’s public IP:
  • Click the OK button to complete creation of the new address objects.

Address Object for Server on LAN
Name: Mywebserver Private
Zone Assignment: LAN
Type: Host
IP Address: 192.168.1.100

Address Object for Server's Public IP
Name: Mywebserver Public
Zone Assignment: WAN
Type: Host
IP Address: 1.1.1.1

Creating an Inbound NAT Policy
This policy allows you to translate an external public IP address into an internal private IP address. This NAT policy, when paired with an Allow access rule, allows any source to connect to the internal server using the public IP address; the SonicWALL will handle the translation between the private and public address. Below, we will be creating the NAT Policy as well as the rule to allow HTTP access to the server.
  • From the SonicWALL’s management GUI, go to the Network > NAT Policies page.
  • Click the Add button and choose the following settings from the drop-down menus:

Inbound NAT Policy
Original Source: Any
Translated Source: Original
Original Destination: Mywebserver Public
Translated Destination: Mywebserver Private
Original Service: HTTP
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: Webserver behind SonicWALL.
Enable NAT Policy: Checked
Create a reflexive policy: Checked

Creating a reflexive policy
When you check this box, a mirror (outbound or inbound) NAT policy is automatically created as per the settings configured in the Add NAT Policy window. In the above NAT Policy, when the box Create a reflexive policy is checked, it will create an outbound NAT Policy as per the screenshot below:

Creating a Firewall Access Rule
  • Go to Firewall > Access Rules page.
  • Select the type of view in the View Style section and go to From WAN To LAN.
  • Click Add and create the following rule:
Action: Allow
From Zone: WAN
To Zone: LAN
Service: HTTP
Source: Any
Destination: Mywebserver Public
Users Allowed: All
Schedule: Always on
Enable Logging: checked
Allow Fragmented Packets: checked
Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.

Creating a DNS Loopback NAT Policy
The purpose of a DNS Loopback NAT Policy is for a host on the LAN or DMZ to be able to access the Webserver on the LAN (192.168.1.100) using the server's public IP address (1.1.1.1) or by its Fully Qualified Domain Name (FQDN).
  • Go to Network > NAT Policies
  • Click the Add button and create a NAT Policy with the following settings from the drop-down menu:
  • Original Source: Firewalled Subnets
  • Translated Source: Mywebserver Public
  • Original Destination: Mywebserver Public
  • Translated Destination: Mywebserver Private
  • Original Service: HTTP
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: Any
  • Comment: Loopback policy
  • Enable NAT Policy: Checked
  • Create a reflexive policy: unchecked

Inbound Port Address Translation via WAN (X1) IP Address
This is one of the more complex NAT policies you can create on a SonicWALL UTM Appliance with SonicOS Enhanced firmware. It allows you to use the WAN IP address of the SonicWALL device to provide access to multiple internal servers. This is most useful in situations where your ISP has only provided a single public IP address, and that IP address has to be used by the SonicWALL’s WAN interface.

Below, we’ll be creating the configuration to provide public access to two internal webservers via the SonicWALL’s WAN IP address; each will be tied to a unique custom port. In the examples, we’ll only be setting up two, but it’s possible to create more than this as long as the ports are all unique.

In this section, we have five tasks to complete:

  • Create two custom service objects for the unique public ports the servers will respond on
  • Create two address objects for the servers’ private IP addresses
  • Create two NAT entries to allow the two servers to initiate traffic to the public Internet
  • Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the SonicWALL’s WAN IP address
  • Create two access rule entries to allow any public user to connect to both servers via the SonicWALL’s WAN IP address and the servers’ respective unique custom ports

Creating two custom ports:
  • Log in to the SonicWALL management interface.
  • Go to the Firewall > Services page.
  • Click on the Add button.
  • Create two service objects as per the screenshot.

Creating two address objects:
  • In the SonicWALL management interface, go to Network > Address Objects.
  • Create two address objects as per the screenshot.

Creating inbound NAT Policies:
To create the NAT policies that map the custom ports to the servers’ real listening ports and map the SonicWALL’s WAN IP address to the servers’ private addresses, create the following NAT Policies:

Original Source: Any
Translated Source: Original
Original Destination: Mywebserver Public
Translated Destination: Mywebserver Private-1
Original Service: Server Public Port-1
Translated Service: HTTPS
Source Interface: X1
Destination Interface: Any
Check box next to ‘Enable’
Comment: (enter a short description)

And:

Original Source: Any
Translated Source: Original
Original Destination: Mywebserver Public
Translated Destination: Mywebserver Private-2
Original Service: Server Public Port-2
Translated Service: HTTPS
Source Interface: X1
Destination Interface: Any
Check box next to ‘Enable’
Comment: (enter a short description)

Your screen should match the ones shown above. When done, click on the ‘OK’ button to add and activate the NAT policies. With these policies in place, the SonicWALL will translate the server’s public IP address to the private IP address when connection requests arrive from the WAN (X1) interface. To access the web server 192.168.1.100, users on the internet have to enter 1.1.1.1:4433 in their web browser. Likewise, to access the web server 192.168.1.101, enter 1.1.1.1:4434.

Creating outbound NAT Policies:
To create a NAT policy that allows the two servers to initiate traffic to the public Internet using the public IP address of the servers, choose the following from the drop-down boxes:

Original Source: Mywebserver Private-1
Translated Source: Mywebserver Public
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Source Interface: X4
Destination Interface: X1
Check box next to ‘Enable’
Comment: (enter a short description)

And:

Original Source: Mywebserver Private-2
Translated Source: Mywebserver Public
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Source Interface: X4
Destination Interface: X1
Check box next to ‘Enable’
Comment: (enter a short description)
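As an added example (not SonicWALL’s code or part of the original article), the following Python model shows how the NAT policies configured above are matched and applied to a packet: the X3 many-to-one policy, the one-to-one inbound and DNS loopback policies, and the two inbound port-address-translation policies. The address and service objects use the article’s values; the X3 Public IP address (1.1.1.2), the membership of Firewalled Subnets, and first-match evaluation order are assumptions of this model.

```python
import ipaddress

# Address objects and service objects from the article. The subnets behind
# "Firewalled Subnets" and the "X3 Public IP" value (1.1.1.2) are assumed.
ADDR = {
    "X3 Subnet": ["192.168.30.0/24"], "X3 Public IP": ["1.1.1.2"],
    "Firewalled Subnets": ["192.168.1.0/24", "192.168.30.0/24"],
    "Mywebserver Public": ["1.1.1.1"], "Mywebserver Private": ["192.168.1.100"],
    "Mywebserver Private-1": ["192.168.1.100"], "Mywebserver Private-2": ["192.168.1.101"],
}
SVC = {"HTTP": 80, "HTTPS": 443, "Server Public Port-1": 4433, "Server Public Port-2": 4434}

def policy(name, osrc, tsrc, odst, tdst, osvc, tsvc, sif, dif):
    return dict(name=name, osrc=osrc, tsrc=tsrc, odst=odst, tdst=tdst,
                osvc=osvc, tsvc=tsvc, sif=sif, dif=dif)

# The article's policies. This model takes the first match, so the more specific
# loopback policy is listed before the general inbound one (a simplification of
# how SonicOS prioritizes policies). "Original" means keep the packet's value.
POLICIES = [
    policy("loopback", "Firewalled Subnets", "Mywebserver Public", "Mywebserver Public",
           "Mywebserver Private", "HTTP", "Original", "Any", "Any"),
    policy("inbound one-to-one", "Any", "Original", "Mywebserver Public",
           "Mywebserver Private", "HTTP", "Original", "Any", "Any"),
    policy("inbound PAT-1", "Any", "Original", "Mywebserver Public",
           "Mywebserver Private-1", "Server Public Port-1", "HTTPS", "X1", "Any"),
    policy("inbound PAT-2", "Any", "Original", "Mywebserver Public",
           "Mywebserver Private-2", "Server Public Port-2", "HTTPS", "X1", "Any"),
    policy("X3 many-to-one", "X3 Subnet", "X3 Public IP", "Any", "Original",
           "Any", "Original", "X3", "X1"),
]

def addr_match(obj, ip):
    return obj == "Any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
                               for n in ADDR[obj])

def apply_nat(pkt):
    """pkt = dict(src, dst, dport, in_if, out_if). Returns (policy name, translated pkt)."""
    for p in POLICIES:
        if (p["sif"] in ("Any", pkt["in_if"]) and p["dif"] in ("Any", pkt["out_if"])
                and addr_match(p["osrc"], pkt["src"]) and addr_match(p["odst"], pkt["dst"])
                and (p["osvc"] == "Any" or SVC[p["osvc"]] == pkt["dport"])):
            out = dict(pkt)
            if p["tsrc"] != "Original": out["src"] = ADDR[p["tsrc"]][0]
            if p["tdst"] != "Original": out["dst"] = ADDR[p["tdst"]][0]
            if p["tsvc"] != "Original": out["dport"] = SVC[p["tsvc"]]
            return p["name"], out
    return None, pkt  # no policy matched: the packet passes untranslated
```

Running a LAN host’s request for 1.1.1.1:80 through apply_nat() shows why the loopback policy translates both source and destination: the server then replies to the firewall’s public address instead of directly to the LAN host.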

KBID: 7979
Date Modified: 3/29/2012