Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

access webserver

Hi,

We have Site A With a Sonicwall and site B in aws, we have a site to site VPN between site A and Site B and all connections are allowed between the 2 sites.

Now I want to allow access to a web server in aws from external IP of Sonicwall in AWS, is this possible? I can access the website in aws from LAN behind the sonicwall.

I have create a Access rule that looks like this

But have no idea how my NAT policy should look like.

Any suggestion?

Thanks

Category: Web Application Firewall
Reply

Answers

  • The NAT policy should look like the same as on-prem.

    https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-nat-policies-on-a-sonicwall-firewall/170505782921100/

    Are you sure the X0 IP being the destination is correct in your access rule? Usually X1 is the WAN side.

  • mrshahinmrshahin Newbie ✭

    @MasterRoshi Thank you for the reply,

    I did correct my access rule and setup the NAT policy as you suggested, as if web server is on LAN, but still I can not open the website from WAN and get the error that This Site cannot be reached.

    I also correct the destination as you suggested but still the same issue.

    This is my access rule and nat policy:

    here the EC-TestPublic is the public IP that we want to access the website and EC2-Test is the webserver on the VPN site


  • mrshahinmrshahin Newbie ✭

    UPDATE,

    We did create the rule from the wizard and when put the web server on LAN, we can access the website, but when put the same webserver in the VPN zone cannot access the website from internet and get message that connection refused. we can access the website on the aws from the LAN

    What do we need to access the web server that is in the aws that has full site to site with our on-prem network with one of the public IPs of our on-prem Sonicwall?

  • If you are sending traffic down a tunnel you may need to source NAT the traffic too since the server on AWS will just route the public IP reply out its default gateway.

  • mrshahinmrshahin Newbie ✭

    @MasterRoshi Thank you for the update,

    you are right, the traffic is sending down the tunnel, the site 2 site from our Sonicwall to Aws is created from our public ip 194.XX.XX.5 ( WAN ip) and the A record of the Website is 194.XX.XX.66

    Can you tel me how to source NAT the traffic ?

    Thank you

  • Change the translated source in your NAT rule.

  • mrshahinmrshahin Newbie ✭

    @MasterRoshi sorry change it to what? :)


  • To something the AWS side will send back down the VPN to the SonicWall side (probably the X0 IP). Why is the original source the private IP? I thought you were NAT'ing all internet traffic inbound and it should be 'any'.

  • mrshahinmrshahin Newbie ✭

    I think you mean this, I will change the oraginal service also to https


  • mrshahinmrshahin Newbie ✭
    edited September 1

    @MasterRoshi Just wonder if my last NAT policy would cause any problem!! I ask this because of the translated Source and Original destination is set to X0 and X1

  • mrshahinmrshahin Newbie ✭

    Should we use X1 IP for the Original Destenation or use the object access that we have created for our second public IP of WAN interface?


  • The Remote server Public IP. Just make sure you have the correct routes in place on both sides to send traffic down the VPN tunnel (tunnel interface VPN is ideal here).

  • mrshahinmrshahin Newbie ✭
    edited September 1

    Thank you for your reply,

    When use the Remote server public IP, I can see that data is going through the AWS tunnel interface but my browser dont show the website and see the error Error Code: INET_E_RESOURCE_NOT_FOUND

    this is what I see when running a packet capture:

    *Packet number: 2*

    Header Values:

     Bytes captured: 66, Actual Bytes on the wire: 66

    Packet Info(Time:09/01/2021 15:11:34.192):

     in:X1*(interface), out:--, Consumed, Module Id:20, 2:2) VPN policy: AWS Tunnel New#1

    Ethernet Header

     Ether Type: IP(0x800), Src=[00:08:e3:ff:fc:14], Dst=[2e:b8:ed:2f:0c:01]

    IP Packet Header

     IP Type: TCP(0x6), Src=[217.XX.XX.30], Dst=[194.XX.XX.66]

    TCP Packet Header

     TCP Flags = [SYN,], Src=[61069], Dst=[443], Checksum=0x404b

    Application Header

     HTTPS

    Value:[0]

  • mrshahinmrshahin Newbie ✭

    @MasterRoshi Hi, I was wonder if you have any suggestion regarding why connection dwont get back to the on-prem Sonicwall!

  • Either your packet capture isn't filtered correctly or your source nat is not applying.

  • mrshahinmrshahin Newbie ✭

    This is my packet capture filter:

    And this portion of captured packages:

    How can I know if the source nat is not applying?


    Thanks

  • You should see the source address change. In this case, your filter is not going to show the source changing because you put a filter for the public IP. Can you packet capture on the AWS side?

Sign In or Register to comment.