Wednesday, October 5, 2016

How to configure NAT Policies on SonicWall devices

This is Dell's document for configuring NAT policies on SonicWall devices: https://support.software.dell.com/kb/sw7979

  • Title

    UTM: SonicOS Enhanced how to configure NAT Policies


  • Resolution

    Article Applies To:

    Gen6 SM E10000 series: NSA E10800, NSA E10400, NSA E10200, NSA E10100
    Gen6 SM 9000 series: NSA 9600, NSA 9400, NSA 9200
    Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600
    Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
    Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W
    Gen4 PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
    Gen4 TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless
    Firmware/Software Version: All SonicOS Enhanced firmware versions.
    Services: NAT Policy, Firewall Access Rules, Firewall Services


    Feature/Application:

    The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granular NAT policies for their incoming and outgoing traffic. This article illustrates the different types of NAT policies which can be configured on the SonicWALL for various purposes.

    Procedure:

    For the purpose of this article, we’ll be using the following IP addresses as examples to demonstrate the NAT policy creation and activation. You can use these examples to create NAT policies for your network, substituting your IP addresses for the examples shown here:

    • 192.168.1.0/24 IP subnet on interface X0
    • 1.1.1.0/24 IP subnet on interface X1
    • 192.168.30.0/24 IP subnet on interface X3
    • X0 LAN IP address is 192.168.1.1
    • X1 WAN IP address is 1.1.1.1
    • X3 IP address is 192.168.30.1
    • Webserver’s “private” address at 192.168.1.100
    • Webserver’s “public” address at 1.1.1.1

    Many to One NAT
    This is the most common NAT policy on a SonicWALL, and allows you to translate a group of addresses into a single address. Most of the time, this means that you’re taking an internal “private” IP subnet and translating all outgoing requests into the IP address of the SonicWALL’s WAN port, such that the destination sees the request as coming from the IP address of the SonicWALL’s WAN port, and not from the internal private IP address.
    SonicWALL has a default outgoing NAT policy preconfigured for each interface configured under the Network > Interfaces, translating all outgoing requests into the IP address of the SonicWALL’s primary WAN port (WAN Primary IP). To view the default NAT Policies preconfigured in the SonicWALL, navigate to the Network > NAT Policies page. Select the radio button Custom Policies. Scroll down the page and you should be able to see policies similar to the screenshot below.


    However, in certain scenarios it may be necessary to translate a particular subnet to an IP address other than the WAN Primary IP. Such a NAT policy is simple to create and activate. To create a NAT policy that allows all systems on the X3 interface to initiate traffic using a public IP address other than the SonicWALL's WAN primary IP address, follow these steps:

    • Login to the SonicWALL Management Interface
    • Select Network > Address Objects.
    • Click the Add button to add a new address object as per the screenshot. Note: For complete information on creating Address Objects, refer to KBID 7486.


    • Navigate to the Network > NAT Policies page.
    • Click on Add to create a new NAT policy as per the screenshot.
    • Original Source: X3 Subnet
    • Translated Source: X3 Public IP
    • Original Destination: Any
    • Translated Destination: Original
    • Original Service: Any
    • Translated Service: Original
    • Source Interface: X3
    • Destination Interface: X1
    • Check box next to ‘Enable’
    • Comment: (enter a short description)

    Your screen should match the screenshot shown below. When done, click on the ‘OK’ button to add and activate the NAT Policy. This policy can be duplicated for subnets behind other interfaces of the SonicWALL – just replace the “Original Source” with the subnet behind that interface, adjust the source interface, and add another NAT policy.


    One to One NAT

    This is another common NAT policy on a SonicWALL, and allows you to translate an internal IP address into a unique IP address. This is useful when you want specific systems, such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time, a NAT policy such as this is used to map a server’s private IP address to a public IP address, and it’s paired with a mirror policy that allows any system from the public Internet to access the server, along with a matching firewall access rule that permits this.

    In this example we have chosen to demonstrate a webserver using HTTP service, however the following steps apply to any service you wish to use (like HTTPS, SMTP, FTP, Terminal Services, SSH, etc).

    Creating the necessary Address Objects

    • Go to Network > Address Objects.
    • Click the Add button and create two address objects, one for the server's IP on the LAN and another for the server's public IP:
    • Click the OK button to complete creation of the new address objects.

    Address Object for Server on LAN

    Name: Mywebserver Private
    Zone Assignment: LAN
    Type: Host
    IP Address: 192.168.1.100


    Address Object for Server's Public IP

    Name: Mywebserver Public
    Zone Assignment: WAN
    Type: Host
    IP Address: 1.1.1.1


    Creating an Inbound NAT Policy

    This policy allows you to translate an external public IP address into an internal private IP address. This NAT policy, when paired with an Allow access rule, allows any source to connect to the internal server using the public IP address; the SonicWALL will handle the translation between the private and public address. Below, we will be creating the NAT Policy as well as the rule to allow HTTP access to the server.

    • From the SonicWALL's management GUI, go to the Network > NAT Policies page.
    • Click the Add button and choose the following settings from the drop-down menus:

    Inbound NAT Policy

    Original Source: Any
    Translated Source: Original
    Original Destination: Mywebserver Public
    Translated Destination: Mywebserver Private
    Original Service: HTTP
    Translated Service: Original
    Inbound Interface: Any
    Outbound Interface: Any
    Comment: Webserver behind SonicWALL.
    Enable NAT Policy: Checked
    Create a reflexive policy: Checked


    Creating a reflexive policy

    When you check this box, a mirror (outbound or inbound) NAT policy is automatically created as per the settings configured in the Add NAT Policy window. In the above NAT Policy, when the box Create a reflexive policy is checked, it will create an outbound NAT Policy as per the screenshot below:


    Creating a Firewall Access Rule

    • Go to Firewall > Access Rules page.
    • Select the type of view in the View Style section and go to From WAN To LAN.
    • Click Add and create the following rule:

    Action: Allow

    From Zone: WAN
    To Zone: LAN
    Service: HTTP
    Source: Any
    Destination: Mywebserver Public
    Users Allowed: All
    Schedule: Always on
    Enable Logging: checked
    Allow Fragmented Packets: checked

    Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.

    Creating a DNS Loopback NAT Policy

    The purpose of a DNS Loopback NAT Policy is for a host on the LAN or DMZ to be able to access the Webserver on the LAN (192.168.1.100) using the server's public IP address (1.1.1.1) or by its Fully Qualified Domain Name (FQDN).

    • Go to Network > NAT Policies
    • Click the Add button and create a NAT Policy with the following settings from the drop-down menu:
    • Original Source: Firewalled Subnets
    • Translated Source: Mywebserver Public
    • Original Destination: Mywebserver Public
    • Translated Destination: Mywebserver Private
    • Original Service: HTTP
    • Translated Service: Original
    • Inbound Interface: Any
    • Outbound Interface: Any
    • Comment: Loopback policy
    • Enable NAT Policy: Checked
    • Create a reflexive policy: unchecked


    Inbound Port Address Translation via WAN (X1) IP Address

    This is one of the more complex NAT policies you can create on a SonicWALL UTM appliance with SonicOS Enhanced firmware. It allows you to use the WAN IP address of the SonicWALL device to provide access to multiple internal servers. This is most useful in situations where your ISP has only provided a single public IP address, and that IP address has to be used by the SonicWALL's WAN interface.
    Below, we'll be creating the configuration to provide public access to two internal webservers via the SonicWALL's WAN IP address; each will be tied to a unique custom port. In the examples, we'll only be setting up two, but it's possible to create more than this as long as the ports are all unique.
    In this section, we have five tasks to complete:

    • Create two custom service objects for the unique public ports the servers will respond on
    • Create two address objects for the servers’ private IP addresses
    • Create two NAT entries to allow the two servers to initiate traffic to the public Internet
    • Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the SonicWALL’s WAN IP address
    • Create two access rule entries to allow any public user to connect to both servers via the SonicWALL’s WAN IP address and the servers’ respective unique custom ports

    Creating two custom ports:

    • Login to the SonicWALL management interface.
    • Go to the Firewall > Services page.
    • Click on the Add button
    • Create two services objects as per the screenshot.


    Creating two address objects:

    • In the SonicWALL management interface, go to the Network > Address Objects.
    • Create two address objects as per the screenshot.


    Creating inbound NAT Policies:

    To create the NAT policies that map the custom ports to the servers' real listening ports and map the SonicWALL's WAN IP address to the servers' private addresses, create the following NAT policies:

    Original Source: Any
    Translated Source: Original
    Original Destination: Mywebserver Public
    Translated Destination: Mywebserver Private-1
    Original Service: Server Public Port-1
    Translated Service: HTTPS
    Source Interface: X1
    Destination Interface: Any
    Check box next to ‘Enable’
    Comment: (enter a short description)


    And:

    Original Source: Any
    Translated Source: Original
    Original Destination: Mywebserver Public
    Translated Destination: Mywebserver Private-2
    Original Service: Server Public Port-2
    Translated Service: HTTPS
    Source Interface: X1
    Destination Interface: Any
    Check box next to ‘Enable’
    Comment: (enter a short description)


    Your screen should match the ones shown above. When done, click on the ‘OK’ button to add and activate the NAT policies. With these policies in place, the SonicWALL will translate the server’s public IP address to the private IP address when connection requests arrive from the WAN (X1) interface. To access the web server 192.168.1.100, users on the internet have to enter 1.1.1.1:4433 in their web browser. Likewise, to access the web server 192.168.1.101, enter 1.1.1.1:4434.

    Creating outbound NAT Policies:

    To create a NAT policy to allow the two servers to initiate traffic to the public internet using the servers' public IP address, choose the following from the drop-down boxes:

    Original Source: Mywebserver Private-1
    Translated Source: Mywebserver Public
    Original Destination: Any
    Translated Destination: Original
    Original Service: Any
    Translated Service: Original
    Source Interface: X4
    Destination Interface: X1
    Check box next to ‘Enable’
    Comment: (enter a short description)


    And:

    Original Source: Mywebserver Private-2
    Translated Source: Mywebserver Public
    Original Destination: Any
    Translated Destination: Original
    Original Service: Any
    Translated Service: Original
    Source Interface: X4
    Destination Interface: X1
    Check box next to ‘Enable’
    Comment: (enter a short description)
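
    To make the policies in this article concrete, here is an added Python model (not SonicWall code and not part of the original article) that applies the loopback, inbound one-to-one, port-address-translation, reflexive outbound, X3 and default many-to-one policies above to sample connections. The "X3 Public IP" value 1.1.1.2, the second server 192.168.1.101 on X0, and the client/destination addresses are assumed, since the article does not give them.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the NAT policies this article configures; it is not SonicWall code.
# Selectors: "Any" matches anything, a CIDR string matches a subnet, a list matches any of
# its members, a plain string is an exact IP/interface, an int is a TCP port.
# A translated field of None means "Original" (leave that field unchanged).
FIREWALLED = ["192.168.1.0/24", "192.168.30.0/24"]  # the page's "Firewalled Subnets" (X0, X3)
HTTP, HTTPS, PORT_1, PORT_2 = 80, 443, 4433, 4434    # HTTP, HTTPS, Server Public Port-1/-2
X3_PUBLIC = "1.1.1.2"  # assumed value for the "X3 Public IP" object; the page gives none

def sel_match(sel, value):
    if sel == "Any":
        return True
    if isinstance(sel, list):
        return any(sel_match(s, value) for s in sel)
    if isinstance(sel, str) and "/" in sel:
        return ip_address(value) in ip_network(sel)
    return value == sel

def policy(osrc, tsrc, odst, tdst, osvc, tsvc, iface_in="Any", iface_out="Any", comment=""):
    return dict(osrc=osrc, tsrc=tsrc, odst=odst, tdst=tdst, osvc=osvc, tsvc=tsvc,
                iface_in=iface_in, iface_out=iface_out, comment=comment)

# First match wins in this model, so the more specific policies are listed first.
POLICIES = [
    # DNS loopback: the source is rewritten too, so the server's reply returns via the firewall
    # instead of going straight back to the LAN client and breaking the connection.
    policy(FIREWALLED, "1.1.1.1", "1.1.1.1", "192.168.1.100", HTTP, None, comment="Loopback policy"),
    policy("Any", None, "1.1.1.1", "192.168.1.100", HTTP, None, comment="Webserver behind SonicWALL"),
    policy("Any", None, "1.1.1.1", "192.168.1.100", PORT_1, HTTPS, "X1", comment="PAT server 1"),
    policy("Any", None, "1.1.1.1", "192.168.1.101", PORT_2, HTTPS, "X1", comment="PAT server 2"),
    policy("192.168.1.100", "1.1.1.1", "Any", None, "Any", None, comment="reflexive outbound"),
    policy("192.168.30.0/24", X3_PUBLIC, "Any", None, "Any", None, "X3", "X1", "X3 Public IP"),
    policy("192.168.1.0/24", "1.1.1.1", "Any", None, "Any", None, "X0", "X1", "default many-to-one"),
]

def apply_nat(src, dst, dport, iface_in, iface_out, policies=POLICIES):
    """Return (src, dst, dport, policy comment) after the first matching policy."""
    for p in policies:
        if (sel_match(p["osrc"], src) and sel_match(p["odst"], dst)
                and sel_match(p["osvc"], dport) and sel_match(p["iface_in"], iface_in)
                and sel_match(p["iface_out"], iface_out)):
            return (p["tsrc"] or src, p["tdst"] or dst, p["tsvc"] or dport, p["comment"])
    return (src, dst, dport, "no NAT")

if __name__ == "__main__":
    print(apply_nat("203.0.113.5", "1.1.1.1", 4433, "X1", "X0"))  # PAT: 1.1.1.1:4433 -> server 1:443
    print(apply_nat("192.168.1.50", "1.1.1.1", 80, "X0", "X0"))   # LAN client reaching 1.1.1.1 via loopback
```

    Note that a connection from the internet to 1.1.1.1 on a port no policy lists (for example 22) is left untranslated, which is why each published service needs both a NAT policy and a matching access rule.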
