SonicWall – Access Server Behind SonicWall from LAN Using Public IP

firewall lan sonicwall wan

We have a SonicWall TZ 400 with a Comcast Modem in Bridge Mode. Everything works fine, except that the exposed services on the LAN couldn't be reached using the public IP of the WAN from the LAN zone.

We tried these steps with NAT Policies, but it doesn't work.

https://www.sonicwall.com/en-us/support/knowledge-base/170505780814635

This is the NAT policy configured only to test access to the dot200 services:

NAT Policy

These are the firewall rules WAN-LAN:


This is the only LAN-WAN rule configured:


Monitoring the packets we have this log:

*Packet number: 1220*
Header Values:
 Bytes captured: 62, Actual Bytes on the wire: 62
Packet Info(Time:01/25/2019 12:53:49.112):
 in:X0*(interface), out:--, DROPPED, Drop Code: 717(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2118_qpmjdzDifdl), 2:1)
Ethernet Header
 Ether Type: IP(0x800), Src=[b8:ca:3a:9a:83:69], Dst=[xx:xx:xx:xx:xx:xx]
IP Packet Header
 IP Type: TCP(0x6), Src=[10.1.10.6], Dst=[xx.xx.xx.xx]
TCP Packet Header
 TCP Flags = [SYN,], Src=[61006], Dst=[81], Checksum=0x7bd7
Application Header
 Not Known

What did we do wrong?

Best Answer

It sounds like what you want is hairpin routing. This is not a good idea because it is suboptimal routing, involving NAT (a kludge that should be avoided whenever possible), and it unnecessarily burdens your firewall and slows your communication.

If you really want to do it, there are documents describing how. For example, this one:

Configuring access to a server behind the SonicWall from the LAN / DMZ using Public IP addresses

Last Updated: 12/6/2018

Description

This document describes how a host on a SonicWall LAN or DMZ can access a server on the SonicWall LAN or DMZ using the server's public IP address or FQDN.

This document describes how a host on a SonicWall LAN can access a server on the SonicWall LAN using the server's public IP address (typically provided by DNS). Imagine a NSA 4500 (SonicOS Enhanced) network in which the Primary LAN Subnet is 10.100.0.0 /24 and the Primary WAN IP is 3.3.2.1. Let's say you have a Web site for your customers, and its hostname is . You have already written the policies and rules needed so that outsiders can get to the web site, but it's really running on a private side server 10.100.0.2. Now imagine that you are a person using a laptop on the private side, with IP of 10.100.0.200. You want to reach the server using its public name, because you do the same thing when your laptop is with you on the road. If you sit on the private side, and request http://www.domain.com, loopback is what makes it possible for that to work, even though the server is actually right next to you on a local IP address.

To allow this functionality you need to create a loop-back policy.

Resolution

The idea behind this policy is that you must translate your source into a public object if you wish to talk to the public IPs from the LAN.

  • Login to the SonicWall Management GUI.
  • Navigate to Manage | Policies | Rules | NAT Policies submenu.
  • Click on the Add button.
  • Create the following NAT Policy.
  • Original Source: LAN Subnets (or Firewalled Subnets if you want hosts in other zones to be included)
  • Translated Source: WAN Interface IP
  • Original Destination: WAN Interface IP
  • Translated Destination: (LAN server object)
  • Original Service: Any
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: Any

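As an added illustration (not from the question, the answer or the SonicWall article), this Python model evaluates the SYN from the question's capture against a NAT policy table: first with only an inbound policy bound to the WAN interface, which does not match a packet entering on X0 and so models the policy drop, then with the loopback policy described above. The WAN IP, the server address and the inbound policy's shape are constructed placeholders, since the capture masks the real addresses.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: the capture masks the WAN IP, and the "dot200"
# server address is assumed to be .200 on the LAN subnet seen in the capture.
LAN_SUBNET = ipaddress.ip_network("10.1.10.0/24")
WAN_IP = ipaddress.ip_address("198.51.100.10")   # placeholder for xx.xx.xx.xx
SERVER_IP = ipaddress.ip_address("10.1.10.200")  # placeholder LAN server object

@dataclass(frozen=True)
class Packet:
    iface: str                      # ingress interface: "X0" (LAN) or "X1" (WAN)
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: ipaddress.IPv4Network             # Original Source
    orig_dst: ipaddress.IPv4Address             # Original Destination
    trans_src: Optional[ipaddress.IPv4Address]  # Translated Source (None = Original)
    trans_dst: ipaddress.IPv4Address            # Translated Destination
    inbound_iface: str                          # "Any" or a specific interface

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.orig_src and pkt.dst == self.orig_dst
                and self.inbound_iface in ("Any", pkt.iface))

def apply_nat(pkt: Packet, policies: list[NatPolicy]) -> Optional[Packet]:
    """First matching policy wins; None models the capture's 'Policy drop'."""
    for pol in policies:
        if pol.matches(pkt):
            new_src = pol.trans_src if pol.trans_src is not None else pkt.src
            return Packet(pkt.iface, new_src, pol.trans_dst, pkt.dport)
    return None

def reply_returns_via_firewall(translated: Packet, server_subnet) -> bool:
    """Why the KB translates the source: if the server saw the client's real LAN
    address it would answer directly on the local subnet, bypassing the NAT state."""
    return translated.src not in server_subnet

# The dropped SYN from the question: LAN host on X0 to the WAN IP, TCP port 81.
CAPTURED = Packet("X0", ipaddress.ip_address("10.1.10.6"), WAN_IP, 81)
# Assumed inbound policy for outside clients, bound to the WAN interface only.
INBOUND_ONLY = NatPolicy("inbound-web", ipaddress.ip_network("0.0.0.0/0"),
                         WAN_IP, None, SERVER_IP, "X1")
# Loopback policy from the KB: LAN Subnets -> WAN IP, source also becomes WAN IP.
LOOPBACK = NatPolicy("loopback", LAN_SUBNET, WAN_IP, WAN_IP, SERVER_IP, "Any")
```

`apply_nat(CAPTURED, [INBOUND_ONLY])` returns `None`, while adding `LOOPBACK` yields a packet with source and destination both rewritten, which is what the firewall needs to see the server's reply and undo the translation.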