Why does setting up a Many-to-Many NAT require a license?
Zyxian
Newbie ✭
Hello all.
I just got a TZ470. I have a block of 16 IPs. To NAT them, the documentation says to go to Object -> Match Object. When I do, it says "Upgrade Required.... Contact SonicWall, Inc. for details on upgrading."
Isn't basic NAT'ing part of the TZ470?
Category: Entry Level Firewalls
Answers
@Zyxian Match Objects are used for App Rules, which are part of the Application Control license.
But I can't see the relation between NAT and App Rule at this point. NAT is handled with Network Objects, not Match Objects.
Maybe you might explain your demand in more detail and we can put you in the right direction.
--Michael@BWC
Michael@BWC
According to this documentation, SonicOSX 7 Rules and Policies - Creating a Many-to-Many NAT Policy - SonicWall, that is what is supposed to be done. Are you saying the documentation is wrong?
I don't see anywhere in my questions where it could be taken as a demand. Sorry you saw it that way.
This is moot anyways. After I posted this, I started to open a ticket to sales but the chat option came up. I chatted with two different people and neither said it could be done differently as you implied. Instead they pushed buying a license to be able to do Many-to-Many NAT. Since the lowest priced license was almost the same as I paid for the TZ 470, I returned it.
I bought the TZ 470 to replace an older firewall from a different company. I was able to do a Many-to-Many NAT without buying anything extra. I guess I made a bad assumption that NAT'ing was a basic function of all firewalls. As I search other companies for a replacement I will enquire about basic NAT.
I did come back here and tried to delete and/or close this but I had no option to.
Zyxian
@Zyxian I guess we got a bit confused about the term "Match Objects", which is the section header in the Gen7 Navigation, nevertheless, it's handled through Address Objects (which @Nat verified, and who should have better knowledge on that topic 🤣).
There is a Match Objects -> Match Objects in the UI, which would require a license. So a typical Usability glitch.
Long story short, no license needed.
--Michael@BWC
@Nat - I wasn't mentioning Match Object. The documentation was mentioning it. I was only repeating what I saw in the documentation. Please see: SonicOSX 7 Rules and Policies - Creating a Many-to-Many NAT Policy - SonicWall
Thank you for letting me know that Many-to-Many NAT doesn't need a license/use Match Object unlike what the documentation says.
I am a retired Geek who has a Windows Server 2019 Datacenter in my den (my "keep-myself-busy" hobby) to host my different websites. I'm finding SonicWall is better suited for businesses. With my current older firewall from another company, I was able to buy just Geo-IP filtering for a reasonable price. In order to be able to do that at SonicWall I would have to buy a whole package, which for me is not a reasonable price.
Thank you both for your time and effort.
O.k. so after researching I came back to SonicWall. Got a TZ 370. I'm in the process of setting it up. Still trying to do a Many 1:1.
The current firewall has this after creating the objects My_Statics and My_Internals_IPs:
Since the documentation is incorrect, and you say it can be done, how do I do this with the TZ 370? I am still clicking through all the options but not finding a simple match up as above.
And yes I'm eating crow...
Actually, we don't know what you are trying to achieve.
The document, except the wording "OBJECT | Match Objects" (should be Address Objects). Others should be correct, and it has a screenshot.
Thank you @Nat.
I've followed the steps in the documentation you linked. The issue is that it doesn't match an internal IP with its matching external IP. It is a dynamic matching and not a static one.
I have multiple VMs hosting websites, e-mail, etc., each with their own external IP associated with their internal IP. The current firewall made it easy to do a Many 1:1 static mappings. (see above).
Looking at both sections of "Creating a One-to-One NAT Policy for Inbound Traffic" and "Creating a One-to-One NAT Policy for Outbound Traffic" it shows to create both the inbound and outbound NAT Policy for each of my external IPs.
If I've overlooked how to map a range of external IPs to a range of internal IPs to communicate in both directions, I would really appreciate being pointed in the right direction.
Not sure about your case, but it seems to be working in test.
192.168.50.40-42 to 10.10.99.40-42.
As it has an identical range, it should map 1 by 1.
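
The positional pairing described in the last reply, as an added example that is not part of the original thread and is not SonicWall code: it assumes a range-to-range NAT policy pairs the n-th address of one range with the n-th address of the other, and checks a constructed table of intended static pairings against that. The function names and the `intended` table are hypothetical.

```python
import ipaddress

def expand(range_text):
    """Expand '192.168.50.40-42' or '10.0.0.1-10.0.0.3' into a list of address strings."""
    start_text, end_text = (part.strip() for part in range_text.split("-"))
    start = ipaddress.IPv4Address(start_text)
    if "." not in end_text:  # short form: only the last octet is given
        end_text = start_text.rsplit(".", 1)[0] + "." + end_text
    end = ipaddress.IPv4Address(end_text)
    if end < start:
        raise ValueError(f"range ends before it starts: {range_text}")
    return [str(ipaddress.IPv4Address(i)) for i in range(int(start), int(end) + 1)]

def positional_map(original, translated):
    """Pair the n-th address of one range with the n-th address of the other."""
    src, dst = expand(original), expand(translated)
    if len(src) != len(dst):
        raise ValueError(
            f"ranges differ in size ({len(src)} vs {len(dst)}); no 1:1 pairing exists")
    return dict(zip(src, dst))

def audit(original, translated, intended):
    """Return {address: (wanted, got)} for every intended pairing the ranges do not give."""
    mapping = positional_map(original, translated)
    mismatches = {}
    for addr, wanted in intended.items():
        addr = str(ipaddress.IPv4Address(addr))      # normalise and validate
        wanted = str(ipaddress.IPv4Address(wanted))
        got = mapping.get(addr)                      # None if outside the range
        if got != wanted:
            mismatches[addr] = (wanted, got)
    return mismatches

if __name__ == "__main__":
    # Ranges from the last reply; the intended table is constructed sample data
    # in which two hosts are deliberately out of positional order.
    intended = {
        "192.168.50.40": "10.10.99.40",
        "192.168.50.41": "10.10.99.42",
        "192.168.50.42": "10.10.99.41",
    }
    for addr, (wanted, got) in audit("192.168.50.40-42", "10.10.99.40-42", intended).items():
        print(f"{addr}: wanted {wanted}, range policy would give {got}")
```

Any host the audit reports would need its own one-to-one policy, or a renumbering so that its offset is the same in both ranges.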