IP6 and IP4 object access group

mrshahin Newbie ✭
edited October 2020 in Mid Range Firewalls
Hi,
Can I group IP6 and IP4 object address in the same object address group?
We have already allowed access to an IP4 customer to one of our webservers and now the same customer also has an IP6 address and they want to have access to the same webserver also with their IP6.
Can we create a new IP6 object access and put it in the same object access group?
Thanks

Answers

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @mrshahin

    I believe in SonicWall, you can mix IPv4 and IPv6 entries in a network object group, but you cannot use a mixed object group for NAT.

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @mrshahin

    Moreover you can follow the below article for the IPv6 detail in SonicWALL.



  • mrshahin Newbie ✭

    Thanks for your reply,

    If I understood you correctly, we can add an IPv6 object address to an existing IPv4 object access group that we are already using to allow access to one of our servers on LAN, and then that IPv6 will also have access to the server on LAN, am I right?

    Thanks

  • Yes, @mrshahin. If the address group is used in the access rule then it can contain both IPv4 and IPv6 address objects. The NAT rules are different for IPv4 and IPv6 and such groups cannot be used in those rules.

    So, in your case, it should work fine.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • mrshahin Newbie ✭

    @shiprasahu93 Thanks as always for your reply,

    Then we should not group the IP4 and IP6 objects because the current NAT rule says IPv4 and we have to create a new NAT rule for the IP6 version. When I want to create a service object I can see TCP(6). Is this working for both IP4 and IP6?

    Thanks

  • @mrshahin,

    6 in TCP(6) stands for the protocol number and is not dependent on whether it is being used in an IPv4 or IPv6 packet. So, please do not confuse that with the IP version.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • mrshahin Newbie ✭

    Am I right that we have to create a new NAT policy for the IP6? I said this because the current NAT policy that allows access to a server on LAN says Only IP4!

  • @mrshahin,

    If it is an inbound NAT policy, you would only mention the original and translated destination addresses. As per your requirement, you would like to have this allowed for certain IPv4 and IPv6 addresses. I would suggest having one NAT policy, with the original and translated source as Any and original respectively.

    On the access rule you can put both the IPv4 and IPv6 addresses together and use them in the source field. First the access rule is checked, so the NAT would only take place if the source is coming from the allowed IPs.

    I hope this answers your question.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • mrshahin Newbie ✭

    Sorry for going on about this,

    This is an inbound rule that must allow access to a port on a webserver on the LAN. Currently we have only a group of IP4 that have access; now we want an IP6 to have access to the same port on the same server. If I understand you correctly, I can now create an object address for IP6 and add it to the same object address group as for IP4 object address group, correct?

    This is the nat policy and the access rule:


  • @mrshahin,

    Thank you for sharing the screenshots, that makes it simpler for me to explain.

    1) Please change the original source field on the NAT policy to Any

    2) Create an address group that contains both IPv4 and IPv6 allowed IP addresses

    3) Use that newly created address group in the access rule's source field.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
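
The setup from the reply above (NAT original source set to Any, one mixed IPv4/IPv6 address group as the access rule source, access rule checked before NAT), as an added Python model that is not part of the thread and not SonicWall code. The addresses are constructed from documentation ranges, port 443 is an assumption, and the function names are hypothetical.

```python
import ipaddress

TCP = 6  # IP protocol number: same value in the IPv4 Protocol and IPv6 Next Header fields

# Constructed sample data (documentation ranges), not the poster's real addresses.
ALLOWED_CUSTOMERS = [  # one mixed address group, used as the access rule source
    ipaddress.ip_network("198.51.100.0/28"),
    ipaddress.ip_network("2001:db8:10::/64"),
]
WEB_PORT = 443  # assumed service port on the web server


def in_group(group, addr):
    """True if addr falls inside any member of the address group."""
    ip = ipaddress.ip_address(addr)
    # An address can only match group members of its own IP version.
    return any(ip.version == net.version and ip in net for net in group)


def access_rule_allows(src, proto, dport):
    """Access rule: source = mixed group, service = TCP on WEB_PORT."""
    return in_group(ALLOWED_CUSTOMERS, src) and proto == TCP and dport == WEB_PORT


def handle_inbound(src, proto, dport):
    """Order stated in the thread: access rule first, NAT only if it allowed."""
    if not access_rule_allows(src, proto, dport):
        return "dropped by access rule"
    # NAT policy with original source = Any: it performs no source check,
    # the restriction to customer addresses lives in the access rule above.
    return "allowed, destination translated to web server"


if __name__ == "__main__":
    for src in ("198.51.100.5", "2001:db8:10::25", "203.0.113.9", "2001:db8:99::1"):
        print(src, "->", handle_inbound(src, TCP, WEB_PORT))
```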

  • mrshahin Newbie ✭
    Thank you again,
    Changing the source to any, wouldn't that allow access from any IP address instead of only from certain IPs?
    Also, why should I create a new address object instead of just adding the IP6 to the existing group?
    I ask this coz I love to know everything ;)
  • mrshahin Newbie ✭
    @shiprasahu93 Thank u for the reply. I just have one more question: would this work even if the NAT policy says IP4 only?