SonicWall add NAT


NAT stands for network address translation. On a SonicWall, an inbound NAT policy rewrites the destination of traffic that arrives for one of your public IPs so that it is delivered to an internal server. Note that the policy only translates; it does not by itself permit the traffic, so a matching access rule from WAN to LAN for the published service is still required. A NAT policy has eight required components:

  • Original Source: the source address of the packet before translation (what the policy matches on; "Any" for Internet clients)
  • Translated Source: the source address after translation ("Original" leaves it unchanged)
  • Original Destination: the destination address before translation (for inbound traffic, the public IP)
  • Translated Destination: the destination address after translation (for inbound traffic, the internal server)
  • Original Service: the service (protocol/port) before translation
  • Translated Service: the service after translation ("Original" leaves it unchanged)
  • Inbound Interface: the interface the packet arrives on (for Internet traffic, your WAN interface)
  • Outbound Interface: the interface the packet leaves on

The firewall tracks each connection, so replies to inbound requests are un-translated automatically by the single inbound policy. Connections the server itself initiates (updates, outbound mail and so on) are a separate flow, however, and would otherwise leave under the LAN's default outbound NAT, normally the firewall's own WAN address. To have them appear from the server's public IP instead, you need a mirror outbound policy as well. Check the "Create a reflexive policy" box when you first create the inbound rule and the device builds that mirror policy for you.

Depending on your organization's policy, you may also need an additional rule called a "loopback" so internal users can reach the server by its external IP. Setting Inbound Interface to "Any" in the steps below lets the same policy match requests arriving from the LAN, which may be enough. If internal clients still cannot connect, add a dedicated loopback policy that also translates the source (Original Source: your internal subnets, Translated Source: the external IP) so that the server's replies return through the firewall rather than going straight back to the client.


Prerequisites

  • Two address objects:
    • Internal server (its private IP)
    • External (public) IP that clients will connect to
  • A Service Object for the service being published
    • Service Objects are friendly names for protocols such as HTTP, HTTPS, FTP, TFTP, ICMP, etc.
    • Most standard Service Objects are already built in
    • For web servers, it is useful to create a Service Object Group that has both HTTP and HTTPS in it
  • An access rule from WAN to LAN allowing the service to the internal server; the NAT policy translates addresses but does not allow traffic on its own


Steps

Creating the Inbound/Outbound policy

  • Log into SonicWall Admin GUI
  • Network
  • NAT Policies
  • Add. A new window will pop up
    • Original Source: Any
    • Translated Source: Original
    • Original Destination: AO of the external/public IP
    • Translated Destination: AO of the internal server
    • Original Service: The Service Object
      • You can specify one such as HTTP, a group, or "Any" to forward all protocols. Prefer a specific object or group for an Internet-facing server; "Any" exposes every listening port on it
    • Translated Service: Original
    • Inbound Interface: Your WAN interface.
      • You can set this to Any so the policy also matches requests from the LAN, which may let you skip a separate loopback NAT rule
    • Outbound Interface: Any
    • Comment: You can add a comment here to help with device-level documentation
    • Create a Reflexive Policy: Check this to have the mirror outbound NAT rule created automatically
    • Click OK


Examples

  • Original Source: Any
  • Translated Source: Original
  • Original Destination: EXT 106
  • Translated Destination: HPV1_Apache
  • Original Service: Any
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: Any
  • Comment: NAT for Apache web on HPV1
  • Create Reflexive Policy: Checked yes

This will also create the following policy automatically (the "reflexive policy"):

  • Original Source: HPV1_Apache
  • Translated Source: EXT 106
  • Original Destination: Any
  • Translated Destination: Original
  • Original Service: Any
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: Any
  • Comment: NAT for Apache web on HPV1
