Inbound Port Address Translation via WAN IP Address

This is one of the more complex NAT policies you can create on a SonicWall security appliance running SonicOS Enhanced — it allows you to use the WAN IP address of the SonicWall security appliance to provide access to multiple internal servers. This is most useful in situations where your ISP has only provided a single public IP address, and that IP address has to be used by the SonicWall security appliance’s WAN interface (by default, the X1 interface).

Below, you create the programming to provide public access to two internal Web servers via the SonicWall security appliances WAN IP address; each is tied to a unique custom port. In the following examples, you set up two, but it is possible to create more than these as long as the ports are all unique.

In this section, there are five tasks to complete:

1
Create two custom service objects for the unique public ports the servers respond on.
2
Create two address objects for the servers’ private IP addresses.
3
Create two NAT entries to allow the two servers to initiate traffic to the public Internet.
4
Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the SonicWall’s WAN IP address.
5
Create two access rule entries to allow any public user to connect to both servers via the SonicWall’s WAN IP address and the servers’ respective unique custom ports.
To complete this configuration:
1
Create a custom service for the different port:
a
Go to the Firewall > Custom Services page and click on the Add button.
b
When the pop-up window appears, give your custom services names such as servone_public_port and servtwo_public_port.
c
Enter in 9100 and 9200 as the starting and ending port.
d
Choose TCP(6) as the protocol.
e
When done, click on the OK button to save the custom services.
2
Go to the Network > Address Objects page:
a
Click on the Add button at the bottom of the page:
b
In the Add Address Objects window, enter in a description for server’s private IP addresses.
c
Choose Host from the drop-down menu.
d
Enter the server’s private IP addresses.
e
Select the zone that the servers are in.
f
When done, click on the OK button to create the range object.
3
Go to the Network > NAT Policies page:
a
Click on the Add button. The Add NAT Policy dialog displays.
b
To create a NAT policy to allow the two servers to initiate traffic to the public Internet using the SonicWall security appliance’s WAN IP address, choose the following from the drop-down menus:
Original Source: servone_private_ip
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

And:
Original Source: servtwo_private_ip
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
c
When finished, click on the OK button to add and activate the NAT policies.

With these policies in place, the SonicWall security appliance translates the servers’ private IP addresses to the public IP address when it initiates traffic out the WAN interface (by default, the X1 interface).

4
Go to the Network > NAT Policies page:
a
Click on the Add button. The Add NAT Policy dialog displays.
b
To create the NAT policies to map the custom ports to the servers’ real listening ports and to map the SonicWall’s WAN IP address to the servers’ private addresses, choose the following from the drop-down menus:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: servone_private_ip
Original Service: servone_public_port
Translated Service: HTTP
Inbound Interface: X1
Outbound Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

And:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: servtwo_private_ip
Original Service: servtwo_public_port
Translated Service: HTTP
Source Interface: X1
Destination Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
* 
NOTE: Make sure you choose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is actually the correct thing to do (if you try to specify the interface, you get an error).
c
When finished, click on the OK button to add and activate the NAT policies.

With these policies in place, the SonicWall security appliance translates the server’s public IP address to the private IP address when connection requests arrive from the WAN interface (by default, the X1 interface).

5
Create the access rules that allows anyone from the public Internet to access the two Web servers using the custom ports and the SonicWall security appliance’s WAN IP address:
* 
NOTE: With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to the private IP address, the rule does not work.
a
Go to the Firewall > Access Rules page.
b
Choose the policy for the ‘WAN’ to ‘Sales’ zone intersection (or, whatever zone you put your serves in).
c
Click on the Add… button to bring up the pop-up window to create the policies.
d
When the pop-up appears, enter the following values:
Action: Allow
Service: servone_public_port (or whatever you named it above)
Source: Any
Destination: WAN IP address
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)

And:
Action: Allow
Service: servtwo_public_port (or whatever you named it above)
Source: Any
Destination: WAN IP address
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)

When you’re finished, attempt to access the Web servers via the SonicWall’s WAN IP address using a system located on the public Internet on the new custom port (example: http://67.115.118.70:9100 and http://67.115.118.70:9200). You should be able to successfully connect. If not, review this section, and the section before, and ensure that you have entered in all required settings correctly.