In the example below we’ll outline the steps required to expose a resource (web server) to the Internet so that it can be access via http (TCP port 80) and https (TCP port 443).

It’ll work like this – external users will attempt to access the web page running on a web server via their web browsers by navigating to either http://63.xxx.xxx.225 or https://63.xxx.xxx.225. The request will reach your firewall which will then perform Network Address Translation and pass the request to the Web server on your LAN using the private IP of 10.xxx.xxx.25.

image

Fist off, log into the Sonicwall firewall via the web interface. Navigate to Network then Address Objects.

image

Click on the Add button. A new window will pop up. In the Add Address Object window specify the name of the object, select the Zone Assignment and the IP address for the object. Make sure you select Host as the Type.

image

First we’ll create an object that will represent our server’s public IP address. We’ll use a descriptive name for the object (Server – PUBLIC), WAN as the Zone Assignment, Host as the Type and lastly we’ll enter 63.xxx.xxx.225 in the IP address field. Click on the Add button to commit changes.

Next, we will repeat the process to create another address object that will represent the web server’s private IP address.

image

This time around, we’ll select LAN as the Zone Assignment and type in our server’s private IP address (10.xxx.xxx.25) in the IP address box. Click Add once finished.

We’re now ready for the next part of the process. On the left hand side menu, click on Network, then Services  and Add Group to define the ‘Service Group’ you’ll use in your translation.

image

Give the group a name – in our example we’re using ‘WebAccess’ and then use the arrow buttons in the bottom to add the appropriate ‘services’ to the group. In our case we’ll select HTTP and HTTPS in the left window pane then click the arrow button below ( –> ) to move them to the right window pane. Click on the OK button once done.

If you now select the Custom Services radio button you should see the newly created group (WebAccess) listed there.

image

If you click the triangle icon to the left of WebAccess to expand it, you’ll notice that this group contains two services (HTTP and HTTPS) as we specified above.

image

Next, navigate to the Firewall section in the menu on the left, then select Access Rules menu option.

image

We’re creating a NAT translation from our WAN to the LAN so click on the appropriate icon as shown above.

In the Access Rules (WAN > LAN) window click the Add button.

image

A new window will pop up.

image

In the Add Rule window click on the Service drop down and select the ‘WebAccess’ service group we’ve created earlier. Select Any as the Source and the ‘Server – PUBLIC’ address object as the Destination. Once done click on the Add button.

Go back to NAT Policies menu option under Network and click on the Add button. In the Add NAT Policy window choose Any as the Original Source and Original as the Translated Source. From the dropdown box for Original Destination select the address object ‘Server – PUBLIC’ and choose ‘Server – Private’ as the Translated Destination. Use ‘WebAccess’ as the Original Service and Original as the Translated Service.

image

Click on the Add button to finish creating the NAT policy.

To confirm that the NAT translation works simply point your web browser to the public IP address of your web server. Alternatively you can use Sonicwall’s built-in Packet Monitor to do a packet capture for a more thorough traffic analysis.

%d bloggers like this: