Port forwarding and access control
Morning!
I have unfortunately run into an issue with a client of ours who utilizes a TZ370, here's the tale:
The customer has an application server sitting at 192.168.16.3 on his network and a static WAN IP. On this server is steel design software that he needs to be able to access from a "remote" version of the application. This is accomplished by running the application's remote server software, then ensuring requests coming in through TCP 9154 can make it through the firewall and are then forwarded to the server IP listed above. In order to facilitate this, I followed the SonicOS 7.X instructions found at https://www.sonicwall.com/support/knowledge-base/how-can-i-enable-port-forwarding-and-allow-access-to-a-server-through-the-sonicwall/170503477349850/ since I am still relatively new working with Sonicwall devices. I created the necessary address objects for the server's public and private IP addresses, the service object to specify which port and protocol, then set up NAT rules and Access rules to allow traffic in through the firewall across TCP 9154 and translate the request over to the application server. Unfortunately, this does not appear to be working after ensuring that I followed the aforementioned guide strictly.
I have included the inbound Firewall and NAT diagrams in case they may be of assistance. I can provide any further information I may have forgotten. But, any advice or direction is greatly appreciated.
Best Answer
TKWITS Community Legend ✭✭✭✭✭
The diagrams never quite show enough information, but it looks like you have specified a source port in your access rule. Generally source ports are ephemeral so you shouldn't have to specify them. The destination port is more important 99% of the time.
Try setting your source port to any in the access rule. Also, learn how to use the packet capture feature to see what's happening with traffic in real time.
1
Answers
@TKWITS - Thank you! After changing the source port to "Any" in the Access rule, the vendor was able to successfully connect the database. I have been fighting with this off and on for the better part of a month. You are a life, and sanity, saver :)
Since access is for a vendor, the vendor should be able to supply you with a list of IP addresses to allow connections from. These would then be specified as the Source Address in the Access Rule. Otherwise your database is open to the world, and that's not good security.
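To make the two points in this thread concrete (a rule that pins the source port to 9154 never matches a real client, because clients connect from ephemeral ports; and restricting the source address to the vendor's ranges keeps the port closed to everyone else), here is a small rule-matching model written for this thread. It is example code, not SonicOS logic, the knowledge-base article, or the vendor's software. The private server IP and TCP port come from the question; the public WAN IP, the vendor network and the client addresses are constructed placeholders.

```python
"""
Toy model of an inbound NAT + access-rule check, added to illustrate the
thread above. Example code only, not SonicOS behaviour.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SERVER_PRIVATE_IP = "192.168.16.3"   # from the question
APP_PORT = 9154                      # TCP port the remote application uses (from the question)
SERVER_PUBLIC_IP = "198.51.100.5"    # constructed placeholder for the customer's static WAN IP
VENDOR_NETS = ["203.0.113.0/24"]     # constructed stand-in for the vendor's published IP list


@dataclass
class AccessRule:
    name: str
    dst_port: int
    src_port: Optional[int] = None        # None means "Any" (the correct setting)
    src_nets: Optional[List[str]] = None  # None means "Any" source address
    proto: str = "tcp"


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def rule_matches(rule: AccessRule, pkt: Packet) -> bool:
    """True if every field the rule constrains agrees with the packet."""
    if rule.proto != pkt.proto or rule.dst_port != pkt.dst_port:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False  # a pinned source port almost never equals the client's ephemeral port
    if rule.src_nets is not None:
        src = ipaddress.ip_address(pkt.src_ip)
        if not any(src in ipaddress.ip_network(net) for net in rule.src_nets):
            return False
    return True


def first_match(rules: List[AccessRule], pkt: Packet) -> Optional[str]:
    """Name of the first matching rule, or None for the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name
    return None


def dnat(pkt: Packet) -> Packet:
    """Inbound NAT: rewrite the public destination to the private server address."""
    if pkt.dst_ip == SERVER_PUBLIC_IP and pkt.dst_port == APP_PORT:
        return Packet(pkt.src_ip, pkt.src_port, SERVER_PRIVATE_IP, pkt.dst_port, pkt.proto)
    return pkt


# The three rule shapes the thread discusses.
RULE_SRC_PORT_PINNED = AccessRule("allow-9154-src-pinned", APP_PORT, src_port=APP_PORT)
RULE_SRC_ANY = AccessRule("allow-9154-src-any", APP_PORT)
RULE_VENDOR_ONLY = AccessRule("allow-9154-vendor-only", APP_PORT, src_nets=VENDOR_NETS)


def demo() -> dict:
    """Evaluate a vendor client and an unrelated host against each rule shape."""
    vendor = Packet("203.0.113.10", 51234, SERVER_PUBLIC_IP, APP_PORT)   # constructed
    stranger = Packet("192.0.2.77", 40001, SERVER_PUBLIC_IP, APP_PORT)   # constructed
    return {
        "pinned/vendor": first_match([RULE_SRC_PORT_PINNED], vendor),     # None: dropped
        "any/vendor": first_match([RULE_SRC_ANY], vendor),                # allowed
        "any/stranger": first_match([RULE_SRC_ANY], stranger),            # allowed: open to the world
        "vendor-only/vendor": first_match([RULE_VENDOR_ONLY], vendor),    # allowed
        "vendor-only/stranger": first_match([RULE_VENDOR_ONLY], stranger),  # None: dropped
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {verdict or 'DROP (no matching rule)'}")
    print("after DNAT:", dnat(Packet("203.0.113.10", 51234, SERVER_PUBLIC_IP, APP_PORT)).dst_ip)
```

Running it prints a drop for the pinned-source-port rule and an allow for the "Any" rule, which is the change that fixed the connection, and then shows that the "Any" rule also admits the unrelated host while the vendor-only rule does not. Note the order used in the model: the firewall evaluates the access rule against the already-translated destination, so the rule should reference the private server object (or the zone the NAT lands in) as the knowledge-base article directs.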
I have their list of IP addresses and will be narrowing that down - they requested for the initial test not to restrict until successful. I'm actively working on setting that up now :)