Setting up Rule from LAN to WAN
Phil
Newbie ✭
Hello,
I set up a rule for a device in the LAN to access a device in the WAN. This is directly from one IP to another. However, when we test, it doesn't seem to be working. I think it should have worked with the default Any Any LAN to WAN rule, but it doesn't work with that rule enabled either.
I'm able to ping both devices so I think the issue is with my settings.
My LAN is a Trusted Zone on X0 and the WAN is Untrusted on X1.
Are there other settings I need to look at and check?
Regards, Phil
Category: Entry Level Firewalls
Comments
Can you provide a screenshot or better description of your access rule? Do you have any deny rules? Have you run a packet capture to watch the traffic?
Here's an image of the Rule. We don't have any deny rules from LAN to WAN but there are others in place. There is a Deny Any rule from the WAN to LAN. No, I have not run a packet capture.
Are the source and destination address objects in the correct Zone? 'MF1 Pro3 Device' in LAN, 'MF1 Monarch' in WAN?
If you mouse over the statistics icon (3 vertical bars next to edit) do you see any hits / packets?
Next step is the packet capture.
Hi @PHIL,
Could you please let me know if you are trying to access those WAN devices from a LAN resource via any specific service like SSH, HTTP, or ping?
If the access issue is specific only to those WAN devices, there is a possibility to check the outbound NAT policy to see if it's configured right.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @TKWITS, yes, the address objects are in the correct zone. No, I do not see any packets in the statistics. I tried the packet capture to no avail. Nothing showed up in the capture on either the source or destination IPs.
@Saravanan, I tried to ping and run a tracert to the destination IPs but all my requests fail. I'm curious what the outbound NAT policy would need to be configured as. I did not configure anything with that yet. I wouldn't think NAT would come into play with this.
Thank you both for your thoughts on this.
Anything going LAN to WAN by default will have NAT policies applied. That is the way the IPv4 internet works 99% of the time.
Either way, are you sure your internal routing is correct? If no traffic is hitting the access rule or packet capture, then something else is going on...
What did you mean you could ping both devices? From each other? From other devices?
We need more details.
I think the internal routing is correct. The original purpose of the firewall was to allow someone to VPN in to the devices on the LAN and that goal has been accomplished. I agree, something else may be going on, although this was working with the previous Cisco firewall so that is the reason we think it is a firewall issue.
We are NOT able to ping the devices. I tried pinging the three devices on the WAN from a PC set up in the LAN and the request times out.
I found this issue from a couple of years ago that seems similar to mine. I also can't ping the firewall from a machine in the LAN even though I have Ping enabled in both the LAN and WAN.
It got me to wonder if there is a setting somewhere I need to enable/disable. We don't have IPS licensed with our device but perhaps there is some other setting to prevent Low Priority Attacks as was with this one. We are using firmware version 6.5.
We still need more information. Give us some IPs or something to work with.
Hi @Phil,
If all the required settings are there in the SonicWall, then we may need to perform packet capture to conclude further.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @Phil ,
If you have enabled IPS with Low Priority Attacks, the ping service will get blocked, so disable IPS Low Priority Attacks to enable the ping service.
Also check that the rule below is enabled:
Thanks, @Ajishlal. We do not have IPS enabled. The rule you reference is indeed enabled.
Thanks, @Saravanan. @TKWITS mentioned the packet capture as well, which I tried but did not help me identify the issue. I might have done something incorrectly when performing it so I can revisit that too.
I did find in the ARP Cache that our gateway is listing Cisco Systems as the Vendor. Cisco was the vendor of the previous firewall we had installed. I flushed the one item listing the gateway IP but it still came up as Cisco. I would think this should now list SonicWall as the vendor on the Gateway IP address.
I found that the MAC address listed in the ARP cache doesn't match the MAC on the old Cisco firewall. So I may not be thinking that through correctly.
It sounds like you have more routers / firewalls involved than just the SonicWall, thus my inquiries about internal routing and more information...
Yes, I think you're right, @TKWITS. I'm going to involve some other internal folks to look at this with me. Thanks.
SOLVED
This issue is now resolved. The problem was I had the LAN IP assigned the same as the default gateway. Both were set to 10.x.x.1. So we changed the IP to 10.x.x.2 and now it all works. Thanks all for thinking this through with me.
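The root cause above (the firewall's LAN interface carrying the same IP as the existing default gateway) and the earlier zone check on the address objects are both things a small pre-flight script can catch before the rule is ever tested. The following is an added example, not code from the thread or from SonicWall; the interface names, zones and the X0/X1 layout follow the thread, but every address is a constructed placeholder (the thread redacts its 10.x.x.x values), and the `LAN_HOSTS` table stands in for what you would read out of the ARP cache.

```python
import ipaddress

# Constructed sample data modelled on the thread: X0 is the LAN (Trusted) interface,
# X1 the WAN (Untrusted) interface. Addresses are placeholders, not the poster's config.
INTERFACES_BEFORE = {
    "X0": {"zone": "LAN", "ip": "10.0.0.1", "prefix": 24},  # clashes with the LAN router in LAN_HOSTS
    "X1": {"zone": "WAN", "ip": "198.51.100.10", "prefix": 24, "gateway": "198.51.100.1"},
}
INTERFACES_AFTER = {
    "X0": {"zone": "LAN", "ip": "10.0.0.2", "prefix": 24},  # moved to .2, mirroring the fix in the thread
    "X1": {"zone": "WAN", "ip": "198.51.100.10", "prefix": 24, "gateway": "198.51.100.1"},
}
# Other devices seen on the LAN wire (what an ARP cache would show); the old router still owns .1.
LAN_HOSTS = {"10.0.0.1": "cisco-router (default gateway)", "10.0.0.50": "MF1 Pro3 Device"}
# Address objects named as in the thread, with assumed IPs.
ADDRESS_OBJECTS = {
    "MF1 Pro3 Device": {"zone": "LAN", "ip": "10.0.0.50"},
    "MF1 Monarch": {"zone": "WAN", "ip": "198.51.100.20"},
}


def interface_networks(interfaces):
    """Map interface name -> (zone, subnet); strict=False lets a host address define the subnet."""
    return {
        name: (cfg["zone"], ipaddress.ip_network(f"{cfg['ip']}/{cfg['prefix']}", strict=False))
        for name, cfg in interfaces.items()
    }


def check_interfaces(interfaces, known_hosts):
    """Return (interface, problem) pairs for duplicate IPs and bad gateway settings."""
    findings = []
    seen = {}
    for name, cfg in interfaces.items():
        ip = ipaddress.ip_address(cfg["ip"])
        net = ipaddress.ip_network(f"{cfg['ip']}/{cfg['prefix']}", strict=False)
        # Two firewall interfaces sharing one address.
        if ip in seen:
            findings.append((name, f"IP {ip} already used by {seen[ip]}"))
        seen[ip] = name
        # A firewall interface sharing an address with another host on the same segment
        # (the exact situation that broke LAN-to-WAN traffic in the thread).
        if str(ip) in known_hosts:
            findings.append((name, f"IP {ip} also used by {known_hosts[str(ip)]}"))
        # Gateway sanity for interfaces that carry one (the WAN side here).
        gw = cfg.get("gateway")
        if gw is not None:
            gw_ip = ipaddress.ip_address(gw)
            if gw_ip == ip:
                findings.append((name, f"gateway {gw} equals interface IP"))
            elif gw_ip not in net:
                findings.append((name, f"gateway {gw} outside {net}"))
    return findings


def check_address_objects(interfaces, objects):
    """Flag address objects whose IP sits in a directly attached subnet of a different zone."""
    findings = []
    nets = interface_networks(interfaces)
    for obj_name, obj in objects.items():
        ip = ipaddress.ip_address(obj["ip"])
        for if_name, (zone, net) in nets.items():
            if ip in net and zone != obj["zone"]:
                findings.append(
                    (obj_name, f"assigned to zone {obj['zone']} but IP is in {zone} subnet on {if_name}")
                )
    return findings


if __name__ == "__main__":
    for label, ifaces in (("before", INTERFACES_BEFORE), ("after", INTERFACES_AFTER)):
        print(label, check_interfaces(ifaces, LAN_HOSTS))
    print("address objects", check_address_objects(INTERFACES_AFTER, ADDRESS_OBJECTS))
```

The address-object check deliberately only flags an object whose IP falls inside another zone's directly attached subnet; a WAN-zone object pointing at a remote address outside the X1 subnet is normal and is left alone. Feeding the script the real interface table and the current ARP cache is enough to surface the duplicate-gateway condition without touching the rule base at all.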
Hi @Phil,
Glad to hear that. Thanks for sharing the results.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services