access webserver
mrshahin
Hi,
We have site A with a SonicWall and site B in AWS. We have a site-to-site VPN between site A and site B, and all connections are allowed between the two sites.
Now I want to allow access to a web server in AWS via the external IP of the SonicWall. Is this possible? I can access the website in AWS from the LAN behind the SonicWall.
I have created an access rule that looks like this:
But I have no idea what my NAT policy should look like.
Any suggestions?
Thanks
Category: Web Application Firewall
Answers
The NAT policy should look the same as for an on-prem server.
https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-nat-policies-on-a-sonicwall-firewall/170505782921100/
Are you sure the X0 IP being the destination is correct in your access rule? Usually X1 is the WAN side.
@MasterRoshi Thank you for the reply,
I did correct my access rule and set up the NAT policy as you suggested, as if the web server were on the LAN, but I still cannot open the website from the WAN and get the error "This site can't be reached".
I also corrected the destination as you suggested, but still the same issue.
This is my access rule and NAT policy:
Here EC-TestPublic is the public IP that we want to use to access the website, and EC2-Test is the web server on the VPN site.
UPDATE:
We did create the rule from the wizard, and when we put the web server on the LAN we can access the website, but when we put the same web server in the VPN zone we cannot access the website from the internet and get the message "connection refused". We can access the website on AWS from the LAN.
What do we need in order to access the web server in AWS, which has a full site-to-site VPN with our on-prem network, using one of the public IPs of our on-prem SonicWall?
If you are sending traffic down a tunnel, you may need to source NAT the traffic too, since the server on AWS will just route the reply to the public IP out its default gateway.
@MasterRoshi Thank you for the update,
You are right, the traffic is being sent down the tunnel. The site-to-site VPN from our SonicWall to AWS is created from our public IP 194.XX.XX.5 (WAN IP), and the A record of the website is 194.XX.XX.66.
Can you tell me how to source NAT the traffic?
Thank you
Change the translated source in your NAT rule.
@MasterRoshi Sorry, change it to what? :)
To something the AWS side will send back down the VPN to the SonicWall side (probably the X0 IP). Why is the original source the private IP? I thought you were NAT'ing all internet traffic inbound and it should be 'any'.
I think you mean this. I will change the original service to HTTPS as well.
@MasterRoshi Just wondering if my last NAT policy would cause any problem. I ask this because the translated source and original destination are set to X0 and X1.
Should we use the X1 IP for the original destination, or use the address object that we have created for our second public IP on the WAN interface?
The remote server's public IP. Just make sure you have the correct routes in place on both sides to send traffic down the VPN tunnel (a tunnel interface VPN is ideal here).
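To make the reasoning in the replies above concrete (the reply from AWS following its default route, and the translated source pulling it back down the tunnel), here is an added example that models the packet path with and without source NAT. It is not code from the thread or from SonicWall. The topology, the addresses (RFC 5737 documentation ranges and private space, standing in for the poster's 194.XX.XX.66 and the EC2 address) and the AWS route table are assumptions chosen to match the setup described: a DNAT from a second public IP on X1 to an EC2 web server, a route on the AWS side down the VPN only for the on-prem LAN, and a default route to the internet gateway.

```python
"""Why an inbound DNAT to a server across a site-to-site VPN also needs source NAT.

Added example written for this thread; not code from the original posts or from
SonicWall. All addresses are constructed placeholders (RFC 5737 documentation
ranges and private space), not the poster's real IPs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed topology (assumption): site A behind the SonicWall, site B in AWS.
ONPREM_LAN = "10.0.0.0/24"            # X0 network, reachable from AWS via the tunnel
ONPREM_X0 = "10.0.0.1"                # X0 interface IP (candidate translated source)
ONPREM_PUBLIC_WEB = "203.0.113.66"    # second public IP on X1, the website's A record
AWS_WEB = "10.10.1.20"                # EC2 web server in the VPC
INTERNET_CLIENT = "198.51.100.30"     # a browser somewhere on the internet

# AWS route table: default to the internet gateway, only the on-prem LAN via the VPN.
AWS_ROUTES = [
    ("0.0.0.0/0", "igw"),
    ("10.10.0.0/16", "local"),
    (ONPREM_LAN, "vpn"),
]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def sonicwall_inbound(pkt, session_table, translate_source):
    """Inbound NAT policy: original dst = public web IP -> translated dst = AWS server.
    With translate_source=True the translated source becomes X0 (the fix suggested
    in the thread); otherwise the client's address is kept. The session table
    records the mapping so a reply can be un-NATed on the way back."""
    if pkt.dst != ONPREM_PUBLIC_WEB:
        return pkt
    out = Packet(ONPREM_X0 if translate_source else pkt.src, AWS_WEB)
    session_table[(out.dst, out.src)] = pkt   # keyed on the reply's (src, dst)
    return out


def sonicwall_reverse(reply, session_table):
    """Un-NAT a reply arriving from the tunnel; None if no session matches."""
    orig = session_table.get((reply.src, reply.dst))
    if orig is None:
        return None
    return Packet(orig.dst, orig.src)


def simulate(translate_source):
    """Walk one SYN / SYN-ACK exchange and report where the AWS reply goes.
    Returns (next hop AWS picks for the reply, packet delivered to the client or None)."""
    sessions = {}
    syn = Packet(INTERNET_CLIENT, ONPREM_PUBLIC_WEB)
    to_aws = sonicwall_inbound(syn, sessions, translate_source)
    syn_ack = Packet(to_aws.dst, to_aws.src)      # the server answers whoever it saw
    hop = lookup(AWS_ROUTES, syn_ack.dst)
    if hop != "vpn":
        # The reply leaves through the internet gateway and never reaches the
        # SonicWall, so the client's half-open connection is never completed.
        return hop, None
    return hop, sonicwall_reverse(syn_ack, sessions)


if __name__ == "__main__":
    for flag in (False, True):
        hop, delivered = simulate(flag)
        print(f"translate_source={flag}: AWS reply via {hop}, client receives {delivered}")
```

Run stand-alone, the first line shows the reply leaving via the internet gateway with nothing delivered to the client (the "connection refused" / unreachable symptom), the second shows it returning via the VPN and being un-NATed back to the client's original 5-tuple. Two practical consequences of translating the source to X0: the web server's logs will record X0 for every internet visitor, and a packet capture filtered on the public IP will not show the translated packet at all, since its source is now X0 and its destination the server's private address; filter on the server address instead.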
Thank you for your reply,
When I use the remote server's public IP, I can see that data is going through the AWS tunnel interface, but my browser doesn't show the website and shows the error "Error Code: INET_E_RESOURCE_NOT_FOUND".
This is what I see when running a packet capture:
*Packet number: 2*
Header Values:
Bytes captured: 66, Actual Bytes on the wire: 66
Packet Info(Time:09/01/2021 15:11:34.192):
in:X1*(interface), out:--, Consumed, Module Id:20, 2:2) VPN policy: AWS Tunnel New#1
Ethernet Header
Ether Type: IP(0x800), Src=[00:08:e3:ff:fc:14], Dst=[2e:b8:ed:2f:0c:01]
IP Packet Header
IP Type: TCP(0x6), Src=[217.XX.XX.30], Dst=[194.XX.XX.66]
TCP Packet Header
TCP Flags = [SYN,], Src=[61069], Dst=[443], Checksum=0x404b
Application Header
HTTPS
Value:[0]
@MasterRoshi Hi, I was wondering if you have any suggestion as to why the connection doesn't get back to the on-prem SonicWall.
Either your packet capture isn't filtered correctly, or your source NAT is not applying.
This is my packet capture filter:
And this is a portion of the captured packets:
How can I know if the source NAT is not applying?
Thanks
You should see the source address change. In this case, your filter is not going to show the source changing, because you put a filter on the public IP. Can you do a packet capture on the AWS side?