
TZ270 NAT for X1 Server, allowing X0 hosts to it via X0 subnet IP Nat'd to the X1 external IP

I've been searching via different phrases and words but have not been successful for NAT setups of this precise layout.

I want to add a NAT that sets a static IP on my X0 internal subnet (192.168.X.X/24) that translates to a server on the external X1 subnet (which is behind the ISP's modem, i.e. 10.1.10.0/24).

I have a web service on that ISP modem's internal LAN and my firewall's X1 port, and need to allow access from my company private LANs to it, so the security devices can talk to each other through my LAN.

Thanks in advance, please ask if I haven't been clear enough of the layout.

Category: Entry Level Firewalls

Answers

  • MarkDMarkD Cybersecurity Overlord ✭✭✭

    I always find diagrams can be more descriptive

  • ITManagerBSPITManagerBSP Newbie ✭

    Internet/ISP External NIC

    |

    ISP MODEM

    |

    ISP Internal NIC / Subnet 10.1.10.0/24

    Web Server IP 10.1.10.100 (HTTP&HTTPS)

    Firewall TZ270 X1 IP 10.1.10.200

    |

    Firewall TZ270 X0 LAN IP 192.168.1.1

    DHCP 192.168.1.21-255 hosts

    Static 192.168.1.14 (set this IP address to connect to X1 LAN's Web Server IP 10.1.10.100 HTTP&HTTPS)

  • MarkDMarkD Cybersecurity Overlord ✭✭✭

    The device should be accessible on the external IP address 10.1.10.100 from internal devices 192.168.1.0/24 for outbound traffic.

    The web servers MAC address should also be visible in the ARP table on the X1 interface.

    What is this?

    Static 192.168.1.14 (set this IP address to connect to X1 LAN's Web Server IP 10.1.10.100 HTTP&HTTPS)

  • The device on the X1 LAN needs to have an X0 IP Number so that hosts on my internal LAN, or any office I choose on my corporate network, can access that device's HTTP and HTTPS services. I wish to assign it a local/internal IP of 192.168.1.14, and the NAT of the Sonicwall takes that traffic and connects it to the X1 device IP 10.1.10.100. Easy peasy. Nevermind, I'll work with the vendor to get that device fitted up with two NICs, one for my LAN on 192.168.x.x and one for the X1/ISP LAN on 10.1.10.x. Thanks for trying.

  • MarkDMarkD Cybersecurity Overlord ✭✭✭

    I wouldn't suggest bridging the WAN to LAN through this device; you will compromise the security.

    Is there a reason for it to be seen as a LAN address and not its external?

    You could try to create the address objects 192.168.1.14 (Zone LAN) and 10.1.10.100 (Zone WAN).

    Add a NAT policy: original source 192.168.1.0/24, original destination LAN object 192.168.1.14, translated source X1 IP, translated destination 10.1.10.100 WAN object.

    You may also need to change the NAT policy priority.
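The policy described above, traced as an added example that is not part of the thread or of SonicOS: a small Python model of a stateful NAT table applying MarkD's policy (original source 192.168.1.0/24, original destination 192.168.1.14, translated source X1 IP, translated destination 10.1.10.100). The addresses are the ones from the poster's diagram; the client host 192.168.1.50, the ports and the `NatTable` class are constructed for illustration, and the model assumes ports are preserved during translation, which a real firewall may not do. It shows why the source must be translated to the X1 IP: the web server on the ISP LAN has no route to 192.168.1.0/24, so replies must come back to the firewall, which then maps them onto the original session.

```python
from ipaddress import ip_address, ip_network

# Values taken from the thread's diagram.
X1_IP = ip_address("10.1.10.200")        # firewall X1 (WAN-side) address
LAN_NET = ip_network("192.168.1.0/24")   # X0 LAN
LAN_ALIAS = ip_address("192.168.1.14")   # LAN-side alias for the web server
SERVER = ip_address("10.1.10.100")       # real web server on the ISP LAN

# The NAT policy as described in the answer above.
NAT_POLICY = {
    "original_source": LAN_NET,
    "original_destination": LAN_ALIAS,
    "translated_source": X1_IP,
    "translated_destination": SERVER,
}


class NatTable:
    """Hypothetical stateful NAT model: one policy plus a session table."""

    def __init__(self, policy):
        self.policy = policy
        # key: (translated src, sport, translated dst, dport) -> original 4-tuple
        self.sessions = {}

    def outbound(self, src, sport, dst, dport):
        """Packet arriving on X0. Returns the 4-tuple as it leaves X1."""
        src, dst = ip_address(src), ip_address(dst)
        p = self.policy
        if src in p["original_source"] and dst == p["original_destination"]:
            tsrc, tdst = p["translated_source"], p["translated_destination"]
            # Remember the session so the reply can be mapped back.
            self.sessions[(tsrc, sport, tdst, dport)] = (src, sport, dst, dport)
            return (tsrc, sport, tdst, dport)
        # No match: policy does not apply, packet is unchanged.
        return (src, sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Reply arriving on X1. Returns the 4-tuple as it is delivered on X0."""
        src, dst = ip_address(src), ip_address(dst)
        key = (dst, dport, src, sport)  # reply is the mirror of the outbound tuple
        if key in self.sessions:
            osrc, osport, odst, odport = self.sessions[key]
            # The LAN client sees the reply coming from 192.168.1.14, as intended.
            return (odst, odport, osrc, osport)
        # Unsolicited traffic from the ISP LAN has no session: left unchanged here,
        # and in practice dropped by the access rules.
        return (src, sport, dst, dport)


def demo():
    """Walk one HTTPS request from a LAN host to the alias and its reply."""
    nat = NatTable(NAT_POLICY)
    out = nat.outbound("192.168.1.50", 40000, "192.168.1.14", 443)
    back = nat.inbound("10.1.10.100", 443, "10.1.10.200", 40000)
    return out, back


if __name__ == "__main__":
    for pkt in demo():
        print(tuple(str(x) for x in pkt))
```

Without the translated source, the server would see the packet as coming from 192.168.1.50, a network the ISP LAN knows nothing about, and would send its reply to the modem's default gateway instead of back through the X1 interface. The access rule from LAN to WAN that permits this traffic is separate from the NAT policy, and only the LAN object 192.168.1.14 needs to match in that rule.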

  • ArkwrightArkwright Community Legend ✭✭✭✭✭

    Is hairpin/loopback NAT what you're after?

    https://www.sonicwall.com/support/knowledge-base/access-a-server-behind-the-sonicwall-from-internal-networks-using-public-ips-loopback-nat/170505780814635
