Inbound NAT

djhurt1 Enthusiast ✭✭

We're setting up another server to be accessed publicly. Looking at the documentation, it says to create an address object. This is confusing to me. Is it not required to assign the address to an interface? Will the SonicWall respond to a packet sent to the address in the address object without it being assigned to an interface?

Category: High End Firewalls

Answers

  • Saravanan Moderator

    Hi @DJHURT1,

    Thank you for contacting SonicWall Community.

    I think you are talking about the address object for either a usable public IP dedicated to the server or private IP address of the server.

    If yes, then the IP address specified in the address object does not necessarily have to be used on the SonicWall interface(s). When you define or configure an interface in SonicWall, you define the subnet mask, which tells the number of IP addresses that are part of the subnet or the interface assigned with the IP. The subnet mask is the key here.

    Hope this clarifies.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • djhurt1 Enthusiast ✭✭

    Thank you for your reply, I think this is starting to make sense. To be sure I understand, whatever address/subnet mask you assign to an interface, we're defining that subnet to that interface. SonicOS will then accept any IP address in said subnet via that interface. If I have an inbound NAT rule with the public IP in that interface's subnet, SonicOS will accept the packet, translate and forward to the internal IP address specified in the NAT rule. Does that sound accurate?


    The issue I'm currently facing is our new server cannot be reached from the Internet. We have a public IP assigned to our WAN interface. Our mail server NAT rule specifies the IP given to our WAN interface and is working as intended. The new server has been set up with an address object in the same WAN subnet, a NAT rule from the public IP to an internal IP. However, we cannot ping the new server from the WAN side. Attached is the NAT rule setup for the new server.


  • shultis Newbie ✭

    If you didn't use the wizard to create the NAT policy, you'll also need to add a WAN to LAN (or whatever zone your server is in) rule.

  • Saravanan Moderator

    @DJHURT1 - You absolutely sound right. The possible reasons for your new server being inaccessible are:

    • Make sure the service object/group used in the NAT policy contains the PING service object.
    • There must be an access rule added from WAN to Server Zone (maybe LAN) as Source: Any, Destination: Public IP, Service: Desired service object/group, Action: Allow.

    Please try these suggestions and keep us posted on how it goes, and we can help you accordingly if required.

    Have a good day!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
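The checks raised in the answers above (public IP inside the WAN interface's subnet, NAT service covering the probed service, a WAN-to-zone allow rule), as an added example that is not part of any post or of SonicWall's documentation. The dictionaries are a constructed, simplified model rather than a SonicOS export format, and all names and addresses (documentation ranges) are assumptions.

```python
import ipaddress

# Constructed sample data: a simplified model of the settings discussed in
# this thread, not a SonicOS export format. Addresses are documentation ranges.
WAN_IF = ipaddress.ip_interface("203.0.113.1/29")  # IP/mask on the WAN interface
NAT_POLICIES = [
    {"name": "mail", "public": "203.0.113.1", "private": "10.0.0.10",
     "zone": "LAN", "services": {"smtp"}},
    {"name": "new-server", "public": "203.0.113.2", "private": "10.0.0.20",
     "zone": "LAN", "services": {"https"}},
    {"name": "stray", "public": "198.51.100.9", "private": "10.0.0.30",
     "zone": "LAN", "services": {"https", "ping"}},
]
ACCESS_RULES = [  # WAN -> zone rules; destination is the public IP
    {"from": "WAN", "to": "LAN", "dst": "203.0.113.1",
     "services": {"smtp"}, "action": "allow"},
    {"from": "WAN", "to": "LAN", "dst": "198.51.100.9",
     "services": {"https", "ping"}, "action": "allow"},
]

def audit(policy, probe, wan_if=WAN_IF, rules=ACCESS_RULES):
    """Return findings to review for a probe (service name) to policy['public']."""
    findings = []
    public = ipaddress.ip_address(policy["public"])
    # 1. The thread's case: the public IP is not the interface IP but lies
    #    inside the subnet set by the interface IP and mask. Flag anything else.
    if public not in wan_if.network:
        findings.append("public IP outside WAN interface subnet")
    # 2. The NAT policy's service object/group must include the probed service.
    if probe not in policy["services"]:
        findings.append(f"NAT policy service does not include {probe}")
    # 3. A WAN -> server-zone access rule must allow the service to the public IP.
    allowed = any(
        r["action"] == "allow" and r["from"] == "WAN" and r["to"] == policy["zone"]
        and r["dst"] == policy["public"] and probe in r["services"]
        for r in rules
    )
    if not allowed:
        findings.append(f"no WAN->{policy['zone']} allow rule for {probe}")
    return findings

def audit_all(probe):
    """Audit every NAT policy for one probed service."""
    return {p["name"]: audit(p, probe) for p in NAT_POLICIES}

if __name__ == "__main__":
    for name, findings in audit_all("ping").items():
        print(name, "->", findings or "no findings")
```
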

  • djhurt1 Enthusiast ✭✭
    edited October 2021

    @Saravanan

    This is old, I realize, but I'm working on a similar project that relates to this question. Fictional scenario is WAN interface of firewall assigned 192.168.0.1. Host network object created that is not assigned to interface 192.168.0.2. ISP gateway ARPs who has 192.168.0.2. The firewall will in fact respond that it has 192.168.0.2 with its MAC?
