NAT multiple ports to a single port

Cranium

I need to forward a port range to a single port.

This is what I have configured and have working now:

Access Rule from WAN to LAN to allow an address group (several IPs) with a service group (range of TCP ports). NAT policy from WAN IP mapped to internal IP with the same service group in the access rule

The above works fine but I need a rule to forward the range of TCP ports to a single TCP port. When I add a named TCP port in the Translated Service, I receive "Error: Unknown service class" which doesn't make sense to me.

Any suggestions?

Nevyaditha

Hi @Cranium ,

I found a KB link that explains the error. Please check the link below and let us know if you have any queries or concerns:

https://www.sonicwall.com/support/knowledge-base/error-original-source-unknown-service-class-is-displayed-while-creating-a-nat-policy/170503609340809/

Regards,

Nevyaditha

shiprasahu93

Hi @Cranium ,

Please verify if the translated service object in the NAT policy is a service group and not an individual TCP port as you want. That might give rise to that error.

Thanks!

Saravanan

Hi @Cranium,

In simple words, technically it is not possible to translate traffics sent on multiple ports to a single port on a NAT policy. Firewall is going to throw an error message "Error: Original Source:Unknown service class". 

This is by design and applies to all SonicWall Firewall models.

The best method of accomplishing your requirement is to configure multiple NAT policies mapping single original and translated ports. The WAN to LAN access rule can be of single that contains all ports using a service group.

I hope this clarifies.

Cranium

https://community.sonicwall.com/technology-and-support/discussion/comment/858#Comment_858

If what you are saying is indeed true, Sonicwall will not work for ANY customer doing B-B with Walmart. They have a requirement of all ports, 1024 and above, being open for their servers to transfer electronic orders. There is a single listener port open on my side. It would not be possible to set up this many individual port forwards.

I found a couple issues with port forwarding in Sonicwall which appear to be inconsistencies.

1. I have two Access and NAT policies set up exactly the same with the only difference being the source IP address. Both have a service groups containing a single port; which, is the same as the listener port on the internal server. ISSUE: I am only able to port forward with one of the NAT rules. The other returns: "Error: Original Source:Unknown service class". Again, this is for a single port.
2. I found a way around the multiple ports forwarding. If I forward the port in the only NAT rule that will allow me (out of 3), I can then add a service object that includes a range of ports (1024 and above) to the service group the NAT is referencing. Port forwarding from multiple ports to a single port now works; however, I am now unable to make any changes to the NAT rule without triggering the "Error: Original Source:Unknown service class" error.

shiprasahu93

Hey @Cranium,

You can try this. Please create two separate service objects with the same TCP port and directly use those service objects in the translated service field on the NAT policies.

That might help!

Thanks

Saravanan

Hi @CRANIUM,

I completely understand your client's requirement of all ports starting from 1024 should be translated to a single port.

In this case as per my previous suggestion, its not productive and feasible to configure 1000+ NAT policies. I totally agree with this point and its a valid one.

w.r.t your questions,

1. Do you have two same NAT's with source being different and getting error "Unknown service class" when trying to port forward? If so, could you please provide a screenshot of both the NAT policies? Let me check and find out the error reason.
2. Thanks a lot for your efforts in testing it out. I did confirm when adding additional service objects to a service group that is already used in a NAT policy, the addition is successful. This should be the indirect way of mapping many to one ports only at service group / object level. But wanting to perform any changes to the NAT policy is not allowed and firewall throws same error as explained on previous comments. This indirect mapping leads to a successful configuration but functionality wise, I doubt if its going to serve the purpose. I think the only way is to pass sample traffics on couple of ports and check if the end server responds.

Please post in here for any clarifications.