
NAT Issues?

Hello guys.

I hope that someone can help me with this one.

We've Drayteks and we're in the process of changing to SONICWALLs TZ 670.

So, we've a fixed IP that should be configured on the WAN port and a block of IPs that should be routing to this fixed IP, at least I think they're being routed.

The Drayteks, have this option that lets us add "Alias" to the WAN port, so I can configure all of the IPs on the WAN port.

We've internal servers that use those ALIAS IPs.

I've read that for this the SONICWALLs only need NAT. So I've configured all the NATs and Access Rules for those IP ALIASEs, but it didn't work, not even a hit on the NAT nor the ACL. Funny thing, if I change the NAT rule and the Access rule to match the fixed IP configured on the WAN port, it works, I can access the servers from the outside...it just doesn't work with the other IP ALIASEs...

Any suggestions on this one?


Answers

  • Hello,

    Along with the NAT and access rules, could you please add a static ARP and route for those additional IP addresses as per this KB below and then test it out?

    https://www.sonicwall.com/support/knowledge-base/configuring-multiple-wan-subnets-using-static-arp-with-sonicos-enhanced/170503911164326/

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_S Newbie ✭

    I saw that KB before, but it says that I should add an IP that belongs to the other IPs subnets and not the IP that I want to NAT to the internal server.

    It will be hard for me to test this out, as this will cause some services to stop.

  • The IP addresses that need to be added as aliases, are they on the same subnet as your existing WAN IP or do they belong to a totally different subnet?

    If they are from the same subnet, then you can do a packet capture and see if the traffic is even reaching the SonicWall. The KB is useful when a different subnet is used.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_S Newbie ✭

    Yes, they are in a different subnet from my WAN IP.

    But should I add to the ARP the IPs or should I add an IP that belongs to the same subnet as those ALIASES IPs?

  • For example if WAN IP is 1.1.1.1 and the secondary subnet is 2.2.2.1-2.2.2.6, you can use one of the IPs e.g. 2.2.2.1 from the secondary subnet for static ARP and use that entire secondary subnet in the route.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_S Newbie ✭

    Ok, so I need to configure the ARP with one of the IPs that the ISP gave me and create the route, after that the NATs that I have should work fine?

    Does the subnet mask matter? Because the ISP didn't give me any, they only sent me the IPs.

  • No, it does not. You can add it as a type range too. It should work with that.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • César_S Newbie ✭

    Hello, today I tried it, didn't work.


    As example:

    I have a range of IPs from (IPs are not the real ones)

    10.0.0.5 to 10.0.0.10

    So what I did was, create a range with those IPs and add the route as explained in the KB.

    Created both Access rule and NAT policy as the KB.

    And added the IP 10.0.0.5 to the Static arp and published it, like the KB said.


    But didn't work...

  • César_S Newbie ✭

    Shiprasahu93, do you have any other idea on how I can do it?


    Thank you! :)

  • MasterRoshi Moderator

    @César_S, it would help if you posted screenshots of your address objects, static arp entries and NAT/Access rules. You can blur out the actual IP addresses but keep everything else. This config is not uncommon and I have seen it many times.

  • César_S Newbie ✭

    Hello Master, I hope that you're doing well.

    Ok so here is the static arp, the IP address is the IP from the range of IPs that the ISP gave me.

    Grabbing the example that I gave, I have a range from 10.0.0.5 to 10.0.0.10, and let's say that this IP is 10.0.0.8


    This is the access rule:

    The IP is 10.0.0.8 and I added the port that I need people to access it.



    This is the NAT rule

    Also the same IP 10.0.0.8 and the ports



    The route

    The "X1_ALIASES" is the IP range 10.0.0.5-10.0.0.10


    Thank you for your help.

  • MasterRoshi Moderator

    Try removing the route and test again.

  • César_S Newbie ✭

    Hello MasterRoshi,


    Just did it, no luck. :(

  • MasterRoshi Moderator

    @César_S, can you confirm you used the configuration wizard to create the NAT/Access rule? If not, please delete your access rule and NAT and use the public server guide wizard to do it.

  • César_S Newbie ✭

    I did it manually. Ok, I'll try it.

  • César_S Newbie ✭

    No luck, but the rules were working, if I change the rules to match the IP that I've configured on the x1 interface it works.

  • César_S Newbie ✭

    Is it possible for the ISP to be forwarding those IPs to the MAC of my old firewalls? And that's why this one isn't working? 🤔

  • MasterRoshi Moderator

    It is definitely possible, you can see in a packet capture if the traffic destined for those additional addresses is arriving at the firewall or not.

  • César_S Newbie ✭

    I started a packet capture, but I'm not seeing any IP from the secondary subnet that the ISP provided.
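
The packet-capture check suggested in the thread, as an added example that is not part of the original posts or any SonicWall tooling: it classifies raw Ethernet frames exported from a WAN-side capture to tell "traffic arrives, so look at NAT/access rules" apart from "upstream is ARPing for the aliases" and "nothing arrives". The WAN MAC and the sample-frame builders are constructed assumptions; the alias range reuses the placeholder addresses 10.0.0.5-10.0.0.10 from the thread.

```python
import ipaddress
import struct

# Constructed assumption: WAN MAC. Alias range = the thread's placeholder IPs.
WAN_MAC = bytes.fromhex("020000000001")
ALIAS_FIRST = ipaddress.IPv4Address("10.0.0.5")
ALIAS_LAST = ipaddress.IPv4Address("10.0.0.10")

def in_alias_range(raw4):
    return ALIAS_FIRST <= ipaddress.IPv4Address(raw4) <= ALIAS_LAST

def classify(frame):
    """Return what one Ethernet frame says about the alias range, or None."""
    if len(frame) < 14:
        return None
    dst_mac, ethertype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == 0x0806 and len(body) >= 28:          # ARP
        opcode = struct.unpack("!H", body[6:8])[0]
        if opcode == 1 and in_alias_range(body[24:28]):   # who-has <alias IP>
            return "arp_request"
    elif ethertype == 0x0800 and len(body) >= 20:        # IPv4
        if in_alias_range(body[16:20]):                   # destination address
            return "to_wan_mac" if dst_mac == WAN_MAC else "to_other_mac"
    return None

def verdict(frames):
    seen = {classify(f) for f in frames}
    if "to_wan_mac" in seen:
        return "traffic arrives: check NAT and access rules"
    if "arp_request" in seen:
        return "upstream is ARPing for aliases: firewall must answer (published static ARP)"
    if "to_other_mac" in seen:
        return "upstream sends alias traffic to another MAC"
    return "nothing for the alias range reaches the WAN port: upstream/ISP side"

def arp_request(target_ip, sender_ip="10.0.0.1"):
    """Build a constructed broadcast ARP who-has frame."""
    sender_mac = bytes.fromhex("0200000000fe")
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac \
        + ipaddress.IPv4Address(sender_ip).packed + bytes(6) \
        + ipaddress.IPv4Address(target_ip).packed
    return b"\xff" * 6 + sender_mac + struct.pack("!H", 0x0806) + arp

def ipv4_frame(dst_mac, dst_ip, src_ip="198.51.100.7"):
    """Build a constructed minimal IPv4 frame (header only, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 6, 0) \
        + ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return dst_mac + bytes.fromhex("0200000000fe") + struct.pack("!H", 0x0800) + hdr
```

An empty result set, as in the last post above, maps to the final verdict: the capture gives no evidence that the upstream device is delivering or even ARPing for the alias range.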
