NAT Rule stops working
I'm trying to get my NSa 5700 to handle a one-to-one NAT in and out. This rule worked tirelessly on my previous SonicWall. I have six other similar rules, exact same parameters just different addresses, that work just fine.
I have an access rule that allows traffic from the outside IP address, to web services TCP80, TCP443. I have an inbound NAT rule from X1 for any service, from any source, to my outside IP address, in turn translated to original source and service to my inside IP address. The outbound rule accepts the inside IP address as its source, for any destination and service to the X1 interface, and translates it to the outside IP address for original service, and any destination. It works for several hours. Then, here is the strange part, to me at least, it stops working. I can disable and then enable the outbound rule and everything is fine for several more hours. Then it dies again. Disable and enable. Repeat.
Here are the caveats: I did migrate from an older system NSA 4600. These rules worked without issues. I have deleted and replaced the rules. Rebooted the firewall. Rebooted the host server.
Anyone got some suggestions on how to troubleshoot this?
Answers
Hi,
Did you check shadowed NAT?
Until you asked I had zero knowledge of Shadowing. If I'm reading correctly that ought to be POLICY | Rules and Policies > Shadow. But I do not have Shadow on my menu. Is it an addon feature?
I guess I can say I looked, but found nothing. But thanks nonetheless!
@mynameisnobody, did you use the Migration Tool when you transitioned from NSA4600 to NSa5700? What firmware are you utilizing on the NSa5700?
Current firmware is SonicOS 7.0.1-5111. Yes, I used the online migration tool. I had a hard time with the tool at the time due to versioning differences in firmware... ended up editing/deleting a few of the rules to make it work. It was 6 months ago or so when I migrated. I've been switching it out with the old one when new firmware becomes available. This is the only remaining issue. I'm likely to return to the old firewall until another new firmware is released; it's been a tough upgrade for me. I had figured to replace several other devices with these new generation devices, but I think I'm not cut out for bleeding edge troubleshooting!
This menu "Shadowing" is only included on SonicWall OSX 7 version VMs and appliances; you don't see it on SonicOS 7. This is just terminology. It means that 2 rules override each other or that the rules conflict. Please check all NAT rules for conflicts manually. You said that you used the migration tool for the transition. Sometimes the migration tool does not work properly. Can you try the packet capture process for this session?
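One way to do that manual NAT conflict check mechanically (an added example, not code from this thread or from SonicWall): the rule model, field names and sample addresses below are assumptions; the script flags any later NAT rule whose match criteria are entirely covered by an earlier rule, which is the "shadowing" case described above.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"

@dataclass(frozen=True)
class NatRule:
    """Match criteria of one NAT policy, listed in evaluation order (assumed model)."""
    name: str
    src: str          # CIDR / host address or "any"
    dst: str
    service: str      # e.g. "tcp/443" or "any"
    in_iface: str     # e.g. "X1" or "any"
    out_iface: str
    translation: str  # what the rule rewrites, kept only for reporting

def covers(broad: str, narrow: str) -> bool:
    """True when every packet matching `narrow` also matches `broad`."""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    try:
        return ip_network(narrow).subnet_of(ip_network(broad))
    except (ValueError, TypeError):
        return broad == narrow   # services and interface names compare literally

def shadowed_rules(rules):
    """Return (earlier, later) name pairs where the earlier rule already matches
    all traffic the later rule was written for, so the later rule never fires."""
    fields = ("src", "dst", "service", "in_iface", "out_iface")
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in fields):
                hits.append((earlier.name, later.name))
    return hits

# Constructed sample policy table (RFC 5737 public and RFC 1918 private addresses).
RULES = [
    NatRule("inbound-host-A", ANY, "203.0.113.10", ANY, "X1", ANY, "dst->10.0.0.10"),
    NatRule("inbound-subnet", ANY, "203.0.113.0/24", ANY, "X1", ANY, "dst->10.0.0.1"),
    NatRule("inbound-host-B", ANY, "203.0.113.11", ANY, "X1", ANY, "dst->10.0.0.11"),
    NatRule("outbound-host-A", "10.0.0.10", ANY, ANY, ANY, "X1", "src->203.0.113.10"),
    NatRule("outbound-host-A-dup", "10.0.0.10", ANY, ANY, ANY, "X1", "src->203.0.113.10"),
]

if __name__ == "__main__":
    for earlier, later in shadowed_rules(RULES):
        print(f"{later!r} is shadowed by {earlier!r}")
```

Host B's inbound rule is hidden behind the broader subnet rule, and the duplicated outbound rule never fires; both are the kind of overlap worth removing before chasing hardware faults.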
In the ensuing weeks since the OP, I have reset the SonicWall device to factory settings, then proceeded to make all entries by hand. No migration tool was used. Still not functioning. I have reviewed each NAT entry for duplication, inconsistencies, or overlapping and everything appears to be in order. I think I have bad hardware or this device is a lemon.
I have one more theory left. I'm going to factory reset once again. But I'm only going to add the entries required to NAT one device on my network. If that works I'll add things a few at a time and see if that fixes my issue or which of the new entries break the operation.
I will capture packets and review after my next reset, once I have set up a testing platform. My current situation is either production or offline.
Thanks for the feedback!