Inbound Port Address Translation via One-to-One NAT Policy

This type of NAT policy is useful when you want to conceal an internal server’s real listening port, but provide public access to the server on a different port. In the example below, you modify the NAT policy and rule created in the previous section to allow public users to connect to the private webserver on its public IP address, but via a different port (TCP 9000), instead of the standard HTTP port (TCP 80).

First, you need to create a custom service for the new port. Go to the Firewall > Custom Services page and click the Add button. When the pop-up appears, give the custom service a name such as “webserver_public_port”, enter “9000” as both the starting and ending port, and choose “TCP(6)” as the protocol. When done, click the OK button to save the custom service.

Next, you modify the NAT policy created in the previous section that allowed any public user to connect to the webserver on its public IP address. Go to the Network > NAT Policies menu and click on the Edit button next to this NAT policy. The Edit NAT Policy window is displayed for editing the policy. Edit the NAT policy so that it includes the following from the drop-down menus:

  • Original Source: Any
  • Translated Source: Original
  • Original Destination: webserver_public_ip
  • Translated Destination: webserver_private_ip
  • Original Service: webserver_public_port (or whatever you named it above)
  • Translated Service: HTTP
  • Inbound Interface: WAN
  • Outbound Interface: Any
  • Comment: Enter a short description
  • Enable NAT Policy: Checked
  • Create a reflective policy: Unchecked

Note: Make sure you choose Any as the outbound (destination) interface, and not the interface the server is on. This may seem counter-intuitive, but it is the correct setting; if you try to specify the server’s interface, you get an error.

When done, click on the OK button to add and activate the NAT Policy. With this policy in place, the SonicWALL security appliance translates the server’s public IP address to the private IP address when connection requests arrive from the WAN interface, and translates the requested protocol (TCP 9000) to the server’s actual listening port (TCP 80).

Finally, you’re going to modify the firewall access rule created in the previous section to allow any public user to connect to the webserver on the new port (TCP 9000) instead of the server’s actual listening port (TCP 80).

Note: With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS Enhanced. If you write a rule to the private IP address, the rule does not work.

Go to the Firewall > Access Rules section and choose the policy for the WAN to Sales zone intersection (or whatever zone you put your server in). Click the Configure button to bring up the previously created policy. When the pop-up appears, enter the following values:

  • Action: Allow
  • Service: webserver_public_port (or whatever you named it above)
  • Source: Any
  • Destination: webserver_public_ip
  • Users Allowed: All
  • Schedule: Always on
  • Logging: checked
  • Comment: (enter a short description)

When you’re done, attempt to access the webserver’s public IP address from a system located on the public Internet, using the new custom port (example: http://67.115.118.70:9000). You should be able to connect successfully. If not, review this section and the section before it, and ensure that you have entered all required settings correctly.
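As an added illustration (not code from the original article or from SonicWALL), the Python below models the two objects configured above, the NAT policy and the access rule, and shows how a WAN connection to the public IP on TCP 9000 is rewritten to the private IP on TCP 80, why a connection to TCP 80 on the public IP is refused, and why a rule written to the private address (as the note above warns) never matches. The private address 192.168.1.10 and the rule-then-NAT evaluation order are assumptions of this model, not SonicOS internals.

```python
from dataclasses import dataclass, replace

# Constructed values: the public address is the one quoted in the text; the
# private address is a placeholder because the page never states it.
WEBSERVER_PUBLIC_IP = "67.115.118.70"
WEBSERVER_PRIVATE_IP = "192.168.1.10"  # assumed placeholder

@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface/zone the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int

# The inbound NAT policy as listed on the page; "Any"/"Original" fields are
# omitted because they impose no constraint and make no change.
NAT_POLICY = {
    "inbound_iface": "WAN",
    "orig_dst": WEBSERVER_PUBLIC_IP,
    "orig_service": ("TCP", 9000),  # webserver_public_port
    "xlat_dst": WEBSERVER_PRIVATE_IP,
    "xlat_service": ("TCP", 80),    # HTTP, the server's real listening port
}

# The WAN-to-server-zone access rule, written to the *public* address and port.
ACCESS_RULE = {"from": "WAN", "dst": WEBSERVER_PUBLIC_IP,
               "service": ("TCP", 9000), "action": "Allow"}

def nat_translate(pkt, policy=NAT_POLICY):
    """Return (packet, matched); only WAN traffic to public_ip:9000 is rewritten."""
    if (pkt.in_iface == policy["inbound_iface"] and pkt.dst == policy["orig_dst"]
            and (pkt.proto, pkt.dport) == policy["orig_service"]):
        proto, port = policy["xlat_service"]
        return replace(pkt, dst=policy["xlat_dst"], proto=proto, dport=port), True
    return pkt, False

def access_rule_allows(pkt, rule=ACCESS_RULE):
    """Rules are matched on the original (pre-NAT) destination, per the note above."""
    return (pkt.in_iface == rule["from"] and pkt.dst == rule["dst"]
            and (pkt.proto, pkt.dport) == rule["service"] and rule["action"] == "Allow")

def process(pkt, rule=ACCESS_RULE):
    """Simplified pipeline (assumed): access rule on the original packet, then NAT.
    Returns (verdict, packet as it would reach the server)."""
    if not access_rule_allows(pkt, rule):
        return "DROP", pkt  # no matching rule for this traffic
    translated, _ = nat_translate(pkt)
    return "FORWARD", translated
```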
