1:1 NAT to Azure VM
dani_n
hi everybody,
I've successfully set up a VPN tunnel between my TZ600 and Azure. There are 2 VMs running on Azure. How can I set up 1:1 NAT from LAN subnets to these VMs?
Imagine there is a web server running on the LAN and it fails, then it is restored as a VM on Azure. Is there a way to redirect all requests from LAN computers to the local web server, e.g. 192.168.1.20, to 10.0.0.5, so there will be no need to type a different address in the browser?
Category: Mid Range Firewalls
Answers
@dani_n What you are looking for is redirection of LAN hosts to a web server over an established VPN tunnel to Azure if the locally hosted web server fails. This is not a topology that a NAT can directly address unless we add a bit of complexity to the setup. Let me explain.
-The hosts accessing the web server are on the LAN, as is the web server itself, which is the destination/target. It is local LAN traffic that will not traverse the firewall, since the latter is a default gateway and the sending LAN host from 192.168.1.0/24 will always reach the web server locally in the LAN at 192.168.1.20.
To circumvent the above behavior we have to add a load balancer between the LAN web server and the LAN hosts. This can be done by using hardware or software load balancers (LB), which give a virtual IP that the LAN hosts type in their browser; this points the web request to the LB, which then splits the traffic between the local web server and the Azure web server. This is an external solution and will work well with web servers, as these are known topologies for web admins using Nginx/Citrix/Kemp etc.
On SonicWall Gen6/Gen6.5/Gen7 (the TZ600 is Gen6) we have a feature called NAT load balancing. Here is how it could help in principle if an external LB is not an option for you.
-We can create what is called a loopback NAT for HTTP/HTTPS. A loopback NAT is used for internal LAN hosts to reach an internal LAN server using an 'external/public IP', and for our purpose we will use a dummy/pseudo IP that is not part of the firewall's directly connected networks; we will call this the loopback IP (LBIP), 172.16.1.25.
-On the loopback policy, we will use Original Source: 192.168.1.0/24, Original Destination: 172.16.1.25, Translated Destination: both 192.168.1.20 & 10.0.0.5, and then configure NAT load balancing with the method 'Symmetric Remap' and enable probing over TCP 80/443.
-With the above configuration done, LAN hosts will access 172.16.1.25 as the web server, and since this is an external IP for the host, it will be sent to the default gateway (the firewall). The firewall will translate this to 192.168.1.20, and if the probe fails on it, then the traffic would be forwarded to 10.0.0.5.
I have not done this setup myself before, thus I have no confidence that it will work in one go. It's a bit complicated and there could be challenges in the way the feature would work versus how I would like to see it work. If this is not urgent I can try building this setup myself and let you know how feasible this setup is to accomplish what you are wanting to do. Let me know if there is any misunderstanding on my part about your issue.
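Added illustration, not SonicWall code and not written by either poster: a small Python model of the loopback NAT with probe-based failover described in the answer above, including the check from its first bullet that a request to 192.168.1.20 from another 192.168.1.0/24 host never reaches the firewall and so can never be translated. The policy values (original source, pseudo destination 172.16.1.25, translated targets 192.168.1.20 and 10.0.0.5, probe ports 80/443) are taken from the answer; the selection rule "first healthy target in policy order", the `constructed_prober` and `resolve` helpers, and the sample host 192.168.1.50 are assumptions for the demonstration and are not a description of how the firewall's Symmetric Remap method actually picks a member.

```python
"""Model of a loopback NAT policy with NAT load balancing and TCP probing.

Illustrative only (assumption): the real firewall's member-selection method
is not reproduced; we simply prefer the first healthy target in policy order,
which matches the intent "local server first, Azure VM on failure".
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# A prober answers "does host:port accept a TCP connection?"
Prober = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real TCP-connect probe, the on-the-wire equivalent of 'probing over TCP 80/443'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def constructed_prober(up_hosts: Iterable[str]) -> Prober:
    """Constructed, offline stand-in for tcp_probe: every port on a listed host is 'up'."""
    up = set(up_hosts)
    return lambda host, port: host in up


def traverses_gateway(src: str, dst: str, lan: str) -> bool:
    """The caveat from the answer: a host only hands a packet to its default
    gateway when the destination lies outside its own subnet. Same-subnet
    traffic is delivered directly and the firewall never sees it."""
    net = ipaddress.ip_network(lan)
    return not (ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net)


@dataclass
class LoopbackNatPolicy:
    original_source: str                 # e.g. "192.168.1.0/24"
    original_destination: str            # the pseudo/loopback IP, not on any connected network
    translated_destinations: List[str]   # local server first, Azure VM second
    probe_ports: List[int] = field(default_factory=lambda: [80, 443])

    def healthy_targets(self, probe: Prober) -> List[str]:
        """A target stays in the pool only if every probed port answers."""
        return [t for t in self.translated_destinations
                if all(probe(t, port) for port in self.probe_ports)]

    def translate(self, src: str, dst: str, probe: Prober) -> Optional[str]:
        """Return the translated destination, or None if the policy does not match
        or no target is healthy (the firewall would then drop/reject the flow)."""
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.original_source):
            return None
        if dst != self.original_destination:
            return None
        healthy = self.healthy_targets(probe)
        return healthy[0] if healthy else None   # assumption: first healthy member wins


# Values from the answer: LAN subnet, pseudo IP, local web server, Azure VM.
POLICY = LoopbackNatPolicy("192.168.1.0/24", "172.16.1.25", ["192.168.1.20", "10.0.0.5"])


def resolve(src: str, dst: str, probe: Prober, lan: str = "192.168.1.0/24") -> Optional[str]:
    """Where a LAN host's HTTP request actually ends up under this design."""
    if not traverses_gateway(src, dst, lan):
        return dst   # delivered on the LAN segment; no NAT, no failover possible
    return POLICY.translate(src, dst, probe)


if __name__ == "__main__":
    both_up = constructed_prober(["192.168.1.20", "10.0.0.5"])
    local_down = constructed_prober(["10.0.0.5"])
    # Browsing to the real server IP bypasses the firewall even when it is down.
    print(resolve("192.168.1.50", "192.168.1.20", local_down))
    # Browsing to the pseudo IP goes via the firewall and fails over.
    print(resolve("192.168.1.50", "172.16.1.25", both_up))
    print(resolve("192.168.1.50", "172.16.1.25", local_down))
```

Swap `constructed_prober` for `tcp_probe` to run the checks against live hosts; note that the probe to 10.0.0.5 has to succeed across the VPN tunnel from the firewall itself, so the tunnel's access rules must permit the firewall's probe traffic as well as the translated client traffic.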