nat policy with different services (ports)

Just got a 270, a little disappointing but seems OK for SOHO.

IIRC, with other SW's I could create a nat policy where the source and translated services had different ports. That is, from the internet, I connect to the SW with port 2525 and it connects to a system on port 2535. So far, the only way I have been able to get this unit to forward is 2525 to 2525. FW: 7.01-5151

Any tips appreciated.

Category: Entry Level Firewalls

Best Answer

  • BWC Cybersecurity Overlord ✭✭✭ (accepted answer)

    Lou, you should not give up; if your server is listening on port 2525 the rules are straightforward.

    NAT policy:
      Original
        Source: Any (or the allowed IP from the Internet)
        Destination: X1 IP (your WAN interface of choice)
        Service: 2535
        Interfaces: leave them at Any
      Translated
        Source: Original
        Destination: Server IP in the LAN
        Service: 2525

    Access rule:
      Source
        Zone: WAN
        Address: Any (or the allowed IP from the Internet)
        Services: Any
      Destination
        Zone: LAN
        Address: X1 IP
        Services: 2535

    There is really no magic about it.

    —Michael@BWC

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @louyo, the terms "Original" and "Translated" should give it away: this is NAT 101 and of course possible. Original Service is 2525 and Translated should be 2535.

    The only pitfall that comes to my mind could be the Access Rule. You have to make sure that WAN to LAN (or DMZ) Access Rule is allowing 2525 not 2535! Access Rules need to control the traffic BEFORE NAT.

    https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-nat-policies-on-a-sonicwall-firewall/170505782921100

    —Michael@BWC

  • Arkwright Community Legend ✭✭✭✭✭

    Coming from other platforms it can be a bit confusing.

    Would be great if the access rule could be "linked" to a NAT policy or at least give a hint in the UI as to what it's doing. Using the comment field on the ACL is helpful here.

  • louyo Newbie ✭

    Thanks for the help. I had followed another KB and it had suggested an access rule calling for the service to be Any, and that is the only way I have been able to make it work, even with port-to-port being the same. I did delete the NAT policies and re-add them using your link. Same result: if I try to map port 2535 to access port 2525 on the LAN system, it is rejected. I have thrown in the towel. I think it is sad what SonicWall has done to the device's interface. The 270 is kind of mediocre; I am checking on the return policy for the vendor where I purchased it.

    FWIW: I am a firm believer in VPNs instead of port forwarding. In this instance, the forwarding is only accepted from a designated static public IP address and is not always enabled. I use it to transfer files via curl.

    Thanks again,

    Lou

  • louyo Newbie ✭

    Thank you:

    1. I already did all that.

    2. I followed other KBs.

    3. I have been using SonicWalls since the original company, ca. 2000.

    4. I deleted everything and started over.

    5. Now it works.

    Thank you very much.

    Lou

  • Arkwright Community Legend ✭✭✭✭✭

    "it had suggested an access rule calling for service to be Any and that is the only way I have been able to make it work even with port to port being same"

    Yes - if you set the source port, you are "doing it wrong" in 99.99% of cases, because source ports are usually random. SonicWall can take some blame here: specifying a source port is so rarely required that I believe the source port option should be hidden behind an Advanced button, or some other way of indicating to the operator that they are probably making a mistake.
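Added example, not code from the thread or from SonicWall: a small Python model of the two pitfalls raised in the answers above. Michael's point is that the WAN-to-LAN access rule is matched against the packet as it arrives, so it must name the original (pre-NAT) port, not the translated one; Arkwright's point is that pinning a source port in the rule breaks it because clients pick random ephemeral source ports. The addresses (X1 at 203.0.113.10, server at 192.168.1.50, allowed client 198.51.100.7), the zone lookup by prefix and the exact evaluation order are assumptions made for illustration; the KB article linked above is the reference for how SonicOS actually processes the policies.

```python
# Toy model of an inbound port-forward on a zone-based stateful firewall.
# Assumed addresses and evaluation order are for illustration only.
import random
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "any"
Port = Union[int, str]            # a TCP port number or ANY

X1_IP = "203.0.113.10"            # assumed WAN (X1) interface address
SERVER_IP = "192.168.1.50"        # assumed LAN host listening on 2525
ALLOWED_CLIENT = "198.51.100.7"   # assumed static public IP of the client


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatPolicy:
    orig_dst_ip: str      # "Original" destination as seen on the WAN
    orig_dst_port: int    # "Original" service (pre-NAT port)
    trans_dst_ip: str     # "Translated" destination inside the LAN
    trans_dst_port: int   # "Translated" service (post-NAT port)


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    src_addr: str         # IP or ANY
    src_port: Port        # almost always ANY; clients use random ports
    dst_zone: str
    dst_addr: str         # pre-NAT destination (the X1 IP), not the LAN host
    dst_port: Port        # pre-NAT service, not the translated one


def zone_of(ip: str) -> str:
    """Toy zone lookup: 192.168.1.0/24 is LAN, everything else is WAN."""
    return "LAN" if ip.startswith("192.168.1.") else "WAN"


def _match(value, wanted) -> bool:
    return wanted == ANY or wanted == value


def evaluate(pkt: Packet, rules: List[AccessRule],
             nat_policies: List[NatPolicy]) -> Tuple[str, object]:
    """Return ("forward", translated_packet) or ("drop", reason).

    Modelled order: the NAT policy decides where the packet would go (and so
    its destination zone); the access rule is then matched against the packet
    as it arrived (pre-NAT address and port); only if a rule allows it is the
    translation applied.
    """
    nat = next((p for p in nat_policies
                if p.orig_dst_ip == pkt.dst_ip
                and p.orig_dst_port == pkt.dst_port), None)
    if nat is None:
        return ("drop", "no NAT policy for %s:%d" % (pkt.dst_ip, pkt.dst_port))

    dst_zone = zone_of(nat.trans_dst_ip)
    for rule in rules:
        if (rule.src_zone == zone_of(pkt.src_ip)
                and rule.dst_zone == dst_zone
                and _match(pkt.src_ip, rule.src_addr)
                and _match(pkt.src_port, rule.src_port)
                and _match(pkt.dst_ip, rule.dst_addr)       # pre-NAT address
                and _match(pkt.dst_port, rule.dst_port)):   # pre-NAT port
            return ("forward", Packet(pkt.src_ip, pkt.src_port,
                                      nat.trans_dst_ip, nat.trans_dst_port))
    return ("drop", "no access rule allows %s:%d -> %s:%d"
            % (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))


# The mapping from the accepted answer: Internet :2535 on X1 -> server :2525.
NAT_POLICIES = [NatPolicy(X1_IP, 2535, SERVER_IP, 2525)]


def inbound(src_ip: str = ALLOWED_CLIENT, dst_port: int = 2535) -> Packet:
    """Constructed packet from the client with a random ephemeral source port."""
    return Packet(src_ip, random.randint(49152, 65535), X1_IP, dst_port)


def rule_with_pre_nat_port() -> AccessRule:
    return AccessRule("WAN", ALLOWED_CLIENT, ANY, "LAN", X1_IP, 2535)


def rule_with_post_nat_port() -> AccessRule:
    # Pitfall 1: allowing the translated port 2525 instead of the original 2535.
    return AccessRule("WAN", ALLOWED_CLIENT, ANY, "LAN", X1_IP, 2525)


def rule_with_source_port() -> AccessRule:
    # Pitfall 2: pinning the source port, which the client chooses at random.
    return AccessRule("WAN", ALLOWED_CLIENT, 2535, "LAN", X1_IP, 2535)


def outcome(rule: AccessRule, pkt: Packet = None) -> str:
    """Verdict ("forward" or "drop") for one constructed packet under one rule."""
    return evaluate(pkt or inbound(), [rule], NAT_POLICIES)[0]


if __name__ == "__main__":
    for name, rule in [("pre-NAT port", rule_with_pre_nat_port()),
                       ("post-NAT port", rule_with_post_nat_port()),
                       ("pinned source port", rule_with_source_port())]:
        print("%-20s %s" % (name, evaluate(inbound(), [rule], NAT_POLICIES)))
```

Only the rule that names the original port 2535 with source port Any forwards the packet, and the forwarded copy carries the translated destination 192.168.1.50:2525. A packet from any address other than the allowed client is dropped under all three rules, which is the restriction Lou describes using.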
