IP6 and IP4 object access group
mrshahin
Newbie ✭
Hi,
Can I group IP6 and IP4 object address in the same object address group?
We have already allowed access to an IP4 customer to one of our webservers and now the same customer also has an IP6 address and they want to have access to the same webserver also with their IP6.
Can we create a new IP6 object access and put it in the same object access group?
Thanks
Category: Mid Range Firewalls
0
Best Answers
-
shiprasahu93 Moderator
1) Since the access rule is restricted to the address group, changing the source to Any on the NAT will not allow all IP addresses. If allowed on the access rule, only then the NAT would be triggered.
2) I could not tell from the screenshot whether it is an address object or a group. If it is a group, then you can just create a new IPv6 address object and add it to the existing group.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
5 -
shiprasahu93 Moderator
Yes, it should.
Shipra Sahu
Technical Support Advisor, Premier Services
5
Answers
Hi @mrshahin
I believe in SonicWall, you can mix IPv4 and IPv6 entries in a network object group, but you cannot use a mixed object group for NAT.
Hi @mrshahin
Moreover you can follow the below article for the IPv6 detail in SonicWALL.
Thanks for your reply,
If I understood you correctly, we can add an IPv6 object address to an existing IPv4 object access group that we are already using to allow access to one of our servers on LAN, and then that IPv6 will also have access to the server on LAN, am I right?
Thanks
Yes, @mrshahin. If the address group is used in the access rule then it can contain both IPv4 and IPv6 address objects. The NAT rules are different for IPv4 and IPv6 and such groups cannot be used in those rules.
So, in your case, it should work fine.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93 Thanks as always for your reply,
Then we should not group the IP4 and IP6 objects because the current NAT rule says IPv4 and we have to create a new NAT rule for the IP6 version. When I want to create a service object I can see TCP(6). Is this working for both IP4 and IP6?
Thanks
@mrshahin,
6 in TCP(6) stands for the protocol number and is not dependent on whether it is being used in an IPv4 or IPv6 packet. So, please do not confuse that with the IP version.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Am I right that we have to create a new NAT policy for the IP6? I said this because the current NAT policy that allows access to a server on LAN says Only IP4!
@mrshahin,
If it is an inbound NAT policy, you would only mention the original and translated destination addresses. As per your requirement, you would like to have this allowed for certain IPv4 and IPv6 addresses. I would suggest having one NAT policy, with the original and translated source as Any and original respectively.
On the access rule you can put both the IPv4 and IPv6 addresses together and use them in the source field. First the access rule is checked, so the NAT would only take place if the source is coming from the allowed IPs.
I hope this answers your question.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
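The order of checks described in the reply above, as an added Python sketch (not SonicOS code or configuration, and not part of the original thread): a mixed IPv4/IPv6 address group restricts the access rule's source, and the NAT policy with original source Any is reached only by traffic that rule allowed. All addresses, the port and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation ranges); none come from the thread.
ALLOWED_SOURCES = ["198.51.100.10", "203.0.113.0/28", "2001:db8:10::25"]  # mixed group
SERVICE = (6, 443)  # TCP is protocol number 6 in IPv4 and IPv6; port 443 is assumed
# One inbound NAT policy per IP version, original source Any:
# original destination (public) -> translated destination (server on LAN).
NAT_POLICIES = {
    4: ("192.0.2.80", "10.0.0.80"),
    6: ("2001:db8:ffff::80", "fd00:10::80"),
}

def in_group(src, members=ALLOWED_SOURCES):
    """True if src matches a group member; a member only matches its own IP version."""
    addr = ipaddress.ip_address(src)
    for member in members:
        net = ipaddress.ip_network(member, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False

def evaluate(src, dst, protocol, port):
    """Return (verdict, translated_destination) for one inbound connection."""
    # Step 1: access rule. Service must match and source must be in the mixed group.
    if (protocol, port) != SERVICE or not in_group(src):
        return ("deny", None)
    # Step 2: NAT. Source is Any here, so only the destination is compared.
    dst_addr = ipaddress.ip_address(dst)
    original_dst, translated_dst = NAT_POLICIES[dst_addr.version]
    if dst_addr != ipaddress.ip_address(original_dst):
        return ("deny", None)
    return ("allow", translated_dst)

if __name__ == "__main__":
    samples = [
        ("198.51.100.10", "192.0.2.80"),         # IPv4 source in the group
        ("2001:db8:10::25", "2001:db8:ffff::80"),  # IPv6 source in the group
        ("198.51.100.11", "192.0.2.80"),         # IPv4 source not in the group
        ("2001:db8:10::26", "2001:db8:ffff::80"),  # IPv6 source not in the group
    ]
    for src, dst in samples:
        print(src, "->", dst, evaluate(src, dst, 6, 443))
```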
Sorry for going on about this,
This is an inbound rule that must allow access to a port on a webserver on the LAN. Currently we have only a group of IP4 that have access; now we want an IP6 to have access to the same port on the same server. If I understand you correctly, I can now create an object address for IP6 and add it to the same object address group as for the IP4 object address group, correct?
This is the NAT policy and the access rule:
@mrshahin,
Thank you for sharing the screenshots, that makes it simpler for me to explain.
1) Please change the original source field on the NAT policy to Any
2) Create an address group that contains both IPv4 and IPv6 allowed IP addresses
3) Use that newly created address group in the access rule's source field.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Changing the source to Any wouldn't allow access from any IP address instead of only from certain IPs?
Also, why should I create a new address object instead of just adding the IP6 to the existing group?
I ask this coz I love to know everything ;)