Sonicwall newbie question... - Firewalls

Thread: Sonicwall newbie question...

  1. Sonicwall newbie question...

    I have a Sonicwall 2040 appliance... it's configured with a WAN, LAN and
    DMZ (all done prior to my arrival with the company). The WAN is our
    public IP addresses, such as E-Mail and Web Servers, LAN is all
    internal addresses, and I'm not quite sure what the DMZ is.

    What I'm wanting to do is enable traffic from my WAN (specifically 1 IP
    address) to my LAN (again, specifically 1 IP address) for remote access
    purposes. I have a service set up on my firewall for Terminal Services
    (port 3389), and a rule set up to allow traffic from WAN to LAN for that
    service. When I access my local server from the LAN, RDP works fine.
    When I try from my public server, it says the service is not running or
    it cannot find it.

    Any ideas as to what I am doing wrong? Or what configuration option I
    am missing?

    Any thoughts are greatly appreciated and welcome.

    Thanks,


  2. Re: Sonicwall newbie question...

    What you have to do is the following steps in SonicWall:
    1). Create a service for RDP=3389
    2). Create a local user, i.e. internal IP address of server
    3). Create a local user for public IP address of machine that wants to
    access local machine.
    4). Create a rule which allows public IP access to local IP on RDP=3389
    5). Apply rule to external interface for filtering traffic.
    6). Try doing RDP from public machine




    CK

    woody wrote:
    > I have a Sonicwall 2040 appliance... it's configured with a WAN, LAN and
    > DMZ (all done prior to my arrival with the company). The WAN is our
    > public IP addresses, such as E-Mail and Web Servers, LAN is all
    > internal addresses, and I'm not quite sure what the DMZ is.
    >
    > What I'm wanting to do is enable traffic from my WAN (specifically 1 IP
    > address) to my LAN (again, specifically 1 IP address) for remote access
    > purposes. I have a service set up on my firewall for Terminal Services
    > (port 3389), and a rule set up to allow traffic from WAN to LAN for that
    > service. When I access my local server from the LAN, RDP works fine.
    > When I try from my public server, it says the service is not running or
    > it cannot find it.
    >
    > Any ideas as to what I am doing wrong? Or what configuration option I
    > am missing?
    >
    > Any thoughts are greatly appreciated and welcome.
    >
    > Thanks,



  3. Re: Sonicwall newbie question...

    CK wrote:
    > What you have to do is the following steps in SonicWall:
    > 1). Create a service for RDP=3389

    not necessary - it's called "terminal service" and predefined
    > 2). Create a local user, i.e. internal IP address of server

    I would call it an object (network - address objects - custom objects).
    You need three:
    2a) the internal host
    2b) the external IP address of this host to be reached,
    2c) also the admin host in the internet that is supposed to access your
    internal host

    > 3). Create a local user for public IP address of machine that wants to
    > access local machine.

    I would call it NAT (network - NAT policies), where you define which service is NATed to where (external object to
    internal host)
    > 4). Create a rule which allows public IP access to local IP on RDP=3389

    create a rule WAN -> LAN which allows terminal service access from your admin host (2c) to
    EXTERNAL address defined in 2b
    > 5). Apply rule to external interface for filtering traffic.
    > 6). Try doing RDP from public machine
    >

    this applies to enhanced OS; if you have standard OS, you have fewer options
    (no fancy objects, no PAT...)
    but basically same concept.

    M

  4. Re: Sonicwall newbie question...



    mak wrote:
    > CK wrote:
    > > What you have to do is the following steps in SonicWall:
    > > 1). Create a service for RDP=3389

    > not necessary - it's called "terminal service" and predefined


    If not, then you have to create this service.

    > > 2). Create a local user, i.e. internal IP address of server

    > I would call it an object (network - address objects - custom objects).
    > You need three:
    > 2a) the internal host
    > 2b) the external IP address of this host to be reached,
    > 2c) also the admin host in the internet that is supposed to access your
    > internal host



    One way or the other you have to define the IP address or groups



    > > 3). Create a local user for public IP address of machine that wants to
    > > access local machine.

    > I would call it NAT (network - NAT policies), where you define which service is NATed to where (external object to
    > internal host)


    Same as above

    > > 4). Create a rule which allows public IP access to local IP on RDP=3389

    > create a rule WAN -> LAN which allows terminal service access from your admin host (2c) to
    > EXTERNAL address defined in 2b

    Both are the same i.e. NAT

    > > 5). Apply rule to external interface for filtering traffic.
    > > 6). Try doing RDP from public machine
    > >

    > this applies to enhanced OS; if you have standard OS, you have fewer options
    > (no fancy objects, no PAT...)
    > but basically same concept.


    OS has not been discussed yet...




    > M



  5. Re: Sonicwall newbie question...

    > not necessary - it's called "terminal service" and predefined

    Yes, mine is predefined...

    > I would call it an object (network - address objects - custom objects).
    > You need three:
    > 2a) the internal host
    > 2b) the external IP address of this host to be reached,
    > 2c) also the admin host in the internet that is supposed to access your
    > internal host


    I don't have these options... under Network I have the following:

    Settings
    One-to-One NAT
    Web Proxy
    Intranet
    Routing
    ARP
    DHCP Server

    I don't see anywhere in these options where I can add a custom object.
    Suggestions?

    > I would call it NAT (network - NAT policies), where you define which service is NATed to where (external object to
    > internal host)


    Again, I don't have NAT policies.

    > > 4). Create a rule which allows public IP access to local IP on RDP=3389

    > create a rule WAN -> LAN which allows terminal service access from your admin host (2c) to
    > EXTERNAL address defined in 2b
    > > 5). Apply rule to external interface for filtering traffic.
    > > 6). Try doing RDP from public machine
    > >

    > this applies to enhanced OS; if you have standard OS, you have fewer options
    > (no fancy objects, no PAT...)
    > but basically same concept.
    >
    > M



  6. Re: Sonicwall newbie question...

    woody wrote:
    >> not necessary - it's called "terminal service" and predefined

    >
    > Yes, mine is predefined...
    >
    >> I would call it an object (network - address objects - custom objects).
    >> You need three:
    >> 2a) the internal host
    >> 2b) the external IP address of this host to be reached,
    >> 2c) also the admin host in the internet that is supposed to access your
    >> internal host

    >
    > I don't have these options... under Network I have the following:
    >
    > Settings
    > One-to-One NAT
    > Web Proxy
    > Intranet
    > Routing
    > ARP
    > DHCP Server
    >
    >

    all right,
    looks like you have standard OS:

    if your WAN interface is NAT enabled:
    go to Network - One-to-One NAT - Add: private and public address and range length 1
    (you need a separate public IP from your provider's pool)

    go to Firewall - Access Rules - Add:

    action: allow
    service: term serv
    source: WAN ip_of_adminhost_in_the_internet (range begin and end is identical)
    dest: LAN ip_of_internalhost_

    that's it,
    if it doesn't work, check your logs

    M

  7. Re: Sonicwall newbie question...

    Well, I followed per your instructions... but it seems that every time
    I try to access my Internal address from my Public address, I get the
    following responses in the logs:

    12/18/2006 14:12:59.544 Web management request allowed 69.15.x.x,
    37713, LAN 10.0.x.x, 80, LAN Web (HTTP)
    12/18/2006 14:12:53.320 UDP packet from LAN dropped 10.0.x.x, 16924,
    LAN 10.0.x.x, 1900, LAN Port: 1900

    *scratches head* What am I doing wrong?

    mak wrote:

    > woody wrote:
    > >> not necessary - it's called "terminal service" and predefined

    > >
    > > Yes, mine is predefined...
    > >
    > >> I would call it an object (network - address objects - custom objects).
    > >> You need three:
    > >> 2a) the internal host
    > >> 2b) the external IP address of this host to be reached,
    > >> 2c) also the admin host in the internet that is supposed to access your
    > >> internal host

    > >
    > > I don't have these options... under Network I have the following:
    > >
    > > Settings
    > > One-to-One NAT
    > > Web Proxy
    > > Intranet
    > > Routing
    > > ARP
    > > DHCP Server
    > >
    > >

    > all right,
    > looks like you have standard OS:
    >
    > if your WAN interface is NAT enabled:
    > go to Network - One-to-One NAT - Add: private and public address and range length 1
    > (you need a separate public IP from your provider's pool)
    >
    > go to Firewall - Access Rules - Add:
    >
    > action: allow
    > service: term serv
    > source: WAN ip_of_adminhost_in_the_internet (range begin and end is identical)
    > dest: LAN ip_of_internalhost_
    >
    > that's it,
    > if it doesn't work, check your logs
    >
    > M



  8. Re: Sonicwall newbie question...

    When you say...

    ip_of_adminhost_in_the_internet, this is my public IP of the server I
    want to access from? Or my public IP that I added in the one-to-one
    NAT?

    and...

    ip_of_internalhost_, this is the normal LAN address of the server I
    want to access, correct?

    Just making sure...

    Thanks again for all the information... I greatly appreciate it!

    Ray



    mak wrote:
    > woody wrote:
    > >> not necessary - it's called "terminal service" and predefined

    > >
    > > Yes, mine is predefined...
    > >
    > >> I would call it an object (network - address objects - custom objects).
    > >> You need three:
    > >> 2a) the internal host
    > >> 2b) the external IP address of this host to be reached,
    > >> 2c) also the admin host in the internet that is supposed to access your
    > >> internal host

    > >
    > > I don't have these options... under Network I have the following:
    > >
    > > Settings
    > > One-to-One NAT
    > > Web Proxy
    > > Intranet
    > > Routing
    > > ARP
    > > DHCP Server
    > >
    > >

    > all right,
    > looks like you have standard OS:
    >
    > if your WAN interface is NAT enabled:
    > go to Network - One-to-One NAT - Add: private and public address and range length 1
    > (you need a separate public IP from your provider's pool)
    >
    > go to Firewall - Access Rules - Add:
    >
    > action: allow
    > service: term serv
    > source: WAN ip_of_adminhost_in_the_internet (range begin and end is identical)
    > dest: LAN ip_of_internalhost_
    >
    > that's it,
    > if it doesn't work, check your logs
    >
    > M



  9. Re: Sonicwall newbie question...

    Could this have something to do with my internal address not showing up
    in my firewall ARP table? And why wouldn't it? I can access from
    anywhere on the LAN.

    mak wrote:
    > woody wrote:
    > >> not necessary - it's called "terminal service" and predefined

    > >
    > > Yes, mine is predefined...
    > >
    > >> I would call it an object (network - address objects - custom objects).
    > >> You need three:
    > >> 2a) the internal host
    > >> 2b) the external IP address of this host to be reached,
    > >> 2c) also the admin host in the internet that is supposed to access your
    > >> internal host

    > >
    > > I don't have these options... under Network I have the following:
    > >
    > > Settings
    > > One-to-One NAT
    > > Web Proxy
    > > Intranet
    > > Routing
    > > ARP
    > > DHCP Server
    > >
    > >

    > all right,
    > looks like you have standard OS:
    >
    > if your WAN interface is NAT enabled:
    > go to Network - One-to-One NAT - Add: private and public address and range length 1
    > (you need a separate public IP from your provider's pool)
    >
    > go to Firewall - Access Rules - Add:
    >
    > action: allow
    > service: term serv
    > source: WAN ip_of_adminhost_in_the_internet (range begin and end is identical)
    > dest: LAN ip_of_internalhost_
    >
    > that's it,
    > if it doesn't work, check your logs
    >
    > M



  10. Re: Sonicwall newbie question...

    woody wrote:
    > When you say...
    >
    > ip_of_adminhost_in_the_internet, this is my public IP of the server I
    > want to access from?


    correct
    > Or my public IP that I added in the one-to-one
    > NAT?
    >
    > and...
    >
    > ip_of_internalhost_, this is the normal LAN address of the server I
    > want to access, correct?


    correct

    > Just making sure...
    >
    > Thanks again for all the information... I greatly appreciate it!
    >
    > Ray
    >


  11. Re: Sonicwall newbie question...

    woody wrote:
    > Could this have something to do with my internal address not showing up
    > in my firewall ARP table? And why wouldn't it? I can access from
    > anywhere on the LAN.
    >


    Can you ping the host from the SonicWall (Settings - Diagnostics)?
    M

  12. Re: Sonicwall newbie question...


    I got it all working last night. I really appreciate all the great
    feedback and help from you. This was all a bit new to me. I knew the
    terminology, but putting it all to use was a new experience.

    Thanks, again!

    mak wrote:
    > woody wrote:
    > > Could this have something to do with my internal address not showing up
    > > in my firewall ARP table? And why wouldn't it? I can access from
    > > anywhere on the LAN.
    > >

    >
    > Can you ping the host from the SonicWall (Settings - Diagnostics)?
    > M



  13. Re: Sonicwall newbie question...

    Actually, I have one more question, if I might be allowed to pick your
    brain once more. I added the nat'd address to the new public IP, and
    created the rule to allow from the LAN to the NAT'd address. This
    worked, and I was able to remote to the machine. Now, however, when I
    try to access the server internally via a network share, myself and
    anyone else that is trying to do so are not able to.

    Any ideas why this might be? I didn't think the new NAT and Access
    Rule would affect local LAN traffic, but it appears to do just that.

    Any input is, as always, greatly appreciated.



    mak wrote:
    > woody wrote:
    > > Could this have something to do with my internal address not showing up
    > > in my firewall ARP table? And why wouldn't it? I can access from
    > > anywhere on the LAN.
    > >

    >
    > Can you ping the host from the SonicWall (Settings - Diagnostics)?
    > M



  14. Re: Sonicwall newbie question...

    woody wrote:
    > Actually, I have one more question, if I might be allowed to pick your
    > brain once more. I added the nat'd address to the new public IP, and
    > created the rule to allow from the LAN to the NAT'd address.


    I am assuming this is a typo and should be WAN
    > This
    > worked, and I was able to remote to the machine. Now, however, when I
    > try to access the server internally via a network share, myself and
    > anyone else that is trying to do so are not able to.
    >

    network share in your LAN has nothing to do with RDP access from outside and
    > Any ideas why this might be? I didn't think the new NAT and Access
    > Rule would affect local LAN traffic, but it appears to do just that.

    no:
    the NAT and access rule from WAN to LAN only affect your access through the firewall (obviously)

    so, if you are not using the DMZ interface and client and server are in the same segment, and you are using the
    correct internal addresses, your problem is not the SonicWall.

    M
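
To make the two points above concrete (mak's standard-OS recipe in post 6, and the post 14 point that a WAN-to-LAN rule never touches traffic between two LAN hosts), here is a small Python model of the firewall's decision, added as an illustration for this thread and not SonicWall's own logic. The addresses are constructed documentation-range values, and the assumption that same-segment LAN traffic never reaches the access rules is the model's, not a statement about the product.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample addresses (documentation ranges), not the poster's real ones.
ADMIN_HOST = "203.0.113.10"      # 2c: the admin host out on the internet
PUBLIC_NAT_IP = "198.51.100.25"  # 2b: spare public IP from the provider's pool
INTERNAL_HOST = "10.0.0.25"      # 2a: LAN server running Terminal Services
RDP_PORT = 3389                  # the predefined "terminal service" entry
SMB_PORT = 445                   # LAN file-share traffic, for the post 14 case


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Network - One-to-One NAT, range length 1: public address -> private address.
ONE_TO_ONE_NAT = {PUBLIC_NAT_IP: INTERNAL_HOST}

# Firewall - Access Rules, as in post 6: allow term serv from WAN (admin host,
# range begin == end) to the LAN internal host. Anything else WAN -> LAN drops.
ACCESS_RULES = [
    ("allow", RDP_PORT, "WAN", (ADMIN_HOST, ADMIN_HOST), "LAN", INTERNAL_HOST),
]


def translate(pkt: Packet) -> Packet:
    """Inbound one-to-one NAT: rewrite the public destination to the LAN host."""
    if pkt.src_zone == "WAN" and pkt.dst_ip in ONE_TO_ONE_NAT:
        return Packet(pkt.src_zone, pkt.src_ip, ONE_TO_ONE_NAT[pkt.dst_ip], pkt.dst_port)
    return pkt


def evaluate(pkt: Packet, dst_zone: str) -> str:
    """Return 'allow' or 'drop' for an already-translated packet."""
    # Model assumption: client and server in the same LAN segment talk over the
    # switch, so WAN -> LAN rules never see that traffic (mak's point in post 14).
    if pkt.src_zone == dst_zone:
        return "allow"
    for action, port, src_zone, (lo, hi), rule_dst_zone, dst_ip in ACCESS_RULES:
        if (pkt.src_zone == src_zone and dst_zone == rule_dst_zone
                and pkt.dst_port == port and pkt.dst_ip == dst_ip
                and ip_address(lo) <= ip_address(pkt.src_ip) <= ip_address(hi)):
            return action
    return "drop"  # default deny for anything crossing the firewall


def decide(pkt: Packet, dst_zone: str) -> str:
    """NAT first, then the access rule, the order post 6's recipe implies."""
    return evaluate(translate(pkt), dst_zone)
```

Run it with a packet from any other WAN address, or from the admin host to a port other than 3389, and it drops; a LAN client reaching the server's share never enters the rule table at all.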

  15. Re: Sonicwall newbie question...

    OK, I have question, related to when I added the One-to-One NAT rule...


    When doing so, this appears at the top of the window:

    NOTE: Computers connected in the One-To-One NAT IP range specified will
    be disconnected.

    I'm wondering if this was my problem, because I had to add my internal
    IP address. So if users were connected to the network share at the
    time, they would have been disconnected. I also wonder if just
    rebooting the server in question would restore the connectivity.


    mak wrote:
    > woody wrote:
    > > Actually, I have one more question, if I might be allowed to pick your
    > > brain once more. I added the nat'd address to the new public IP, and
    > > created the rule to allow from the LAN to the NAT'd address.

    >
    > I am assuming this is a typo and should be WAN
    > > This
    > > worked, and I was able to remote to the machine. Now, however, when I
    > > try to access the server internally via a network share, myself and
    > > anyone else that is trying to do so are not able to.
    > >

    > network share in your LAN has nothing to do with RDP access from outside and
    > > Any ideas why this might be? I didn't think the new NAT and Access
    > > Rule would affect local LAN traffic, but it appears to do just that.

    > no:
    > the NAT and access rule from WAN to LAN only affect your access through the firewall (obviously)
    >
    > so, if you are not using the DMZ interface and client and server are in the same segment, and you are using the
    > correct internal addresses, your problem is not the SonicWall.
    >
    > M


