Inbound Port Address Translation via One-to-One NAT Policy

This type of NAT policy is useful when you want to conceal an internal server’s real listening port, but provide public access to the server on a different port. In the example below, you modify the NAT policy and rule created in the previous section to allow public users to connect to the private Web server on its public IP address, but via a different port (TCP 9000), instead of the standard HTTP port (TCP 80).

Create a custom service for the different port:

Go to the Network > Services page.

Click on Go to Services Objects

to scroll to the Services table.

Click the Add… button. The Add Service dialog displays.

Give your custom service a friendly name such as webserver_public_port.

Select TCP(6) from the Protocol drop-down menu. The Sub Type drop-down menu is dimmed.

For the Port Range fields, enter in 9000 as the starting port number for the service and as its ending port number.

When done, click on the Add button to save the custom service. The message Done adding Service object entry displays.

Click Close to close the Add Service window.

Modify the NAT policy created previously that allowed any public user to connect to the Web server on its public IP address:

Go to the Network > NAT Policies page.

Click on the Edit button next to this NAT policy. The Edit NAT Policy dialog displays for editing the policy.

Edit the NAT policy so that it includes the following from the drop-down menus:

•

Original Source: Any

•

Translated Source: Original

•

Original Destination: webserver_public_ip

•

Translated Destination: webserver_private_ip

•

Original Service: webserver_public_port (or whatever you named it above)

•

Translated Service: HTTP

•

Inbound Interface: X1

•

Outbound Interface: Any

•

Comment: Enter a short description

•

Enable NAT Policy: Checked

NOTE: Make sure you chose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is actually the correct thing to do (if you try to specify the interface, you get an error).

When finished, click the OK button to add and activate the NAT Policy.

With this policy in place, the SonicWall security appliance translates the server’s public IP address to the private IP address when connection requests arrive from the WAN interface (by default, the X1 interface), and translates the requested protocol (TCP 9000) to the server’s actual listening port (TCP 80).

Finally, modify the firewall access rule created in the previous section to allow any public user to connect to the Web server on the new port (TCP 9000) instead of the server’s actual listening port (TCP 80).

NOTE: With previous versions of the SonicOS firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS Enhanced. If you write a rule to the private IP address, the rule does not work.

Go to the Firewall > Access Rules section and choose the policy for whatever zone you put your server in.

Click on the Edit button to bring up the previously created policy in the Edit Rule window.

Edit the following values:

•

Action: Allow

•

Service: server_public_port (or whatever you named it above)

•

Source: Any

•

Destination: webserver_public_ip

•

Users Allowed: All

•

Schedule: Always on

•

Logging: checked

•

Comment: (enter a short description)

Click the OK button.

When you’re done, attempt to access the Web server’s public IP address using a system located on the public Internet on the new custom port (example: http://67.115.118.70:9000). You should be able to successfully connect. If not, review this section, and the section before, and ensure that you have entered in all required settings correctly.