Nat – Sonicwall: Allow WAN access to device on separate interface


I've inherited a Sonicwall TZ-210 (SonicOS Enhanced 5.5.20-3o) firewall running a multiple interface config:

1st Interface: Running LAN (data network)
2nd Interface: Running PBX network (voice network)

I've disabled some NAT settings for the PBX server, and now the server (on X5) cannot communicate with the internet, nor is it reachable from X1. I've tried re-enabling the NAT policies and restarting the server; however, there is still no luck.

Additionally, there is no status for the voice network (X5) as indicated in the screenshot below.

[Screenshot: Sonicwall interface setup. Why is there no status for X5?]

Question: How can I allow internet and access from X1 (WAN) to all of X5 interface or just the PBX server running on X5?

Here are the NAT policies:
[Screenshot: NAT policies]

..and here are the Routing policies:
[Screenshot: Routing policies]

Thanks!

Best Answer

With the Sonicwall Enhanced OS you can define Address Objects and Service Objects to make management much simpler. First, make sure your host or server is listed as an Address Object under Network -> Address Objects. Then move on to Network -> Services to add the services you wish to route. Note that you can add individual services and put them into groups. This makes it simpler to route items based on individual ports or port groups.

Once your Address Object and Services are ready, go to Firewall -> Access Rules and make sure you Allow the service(s) you wish to route from the WAN to LAN zones. Now that you've allowed the traffic, you can go to Network -> NAT Policies and click Add at the top. Here you will use the Address Object and Service/Service Group that you created.

[Screenshot: Sample NAT Policy]

Above you see that the Source is ANY, allowing all external IPs; the Translated Source keeps the original information; the Original Destination is the WAN IP of your WAN interface; the Translated Destination is your target host; and the Original Service is the ports you wish to map to that target server. You can translate the services if you like, for instance routing port 3390 to 3389 for RDP on a machine to avoid registry hacks, but ensure you have a reverse rule enabled for the outbound path. You can also define which interfaces this policy is bound to if you like, so for your example the Inbound would be X1 and Outbound X5.

This should allow you to point to your external IP for these services via x.x.x.x:port and route to the target server.

EDIT:

For the internal routing, under Network -> Zones choose LAN and check the box for Allow Interface Trust. This should allow traffic to flow between interfaces. Keep in mind this does open all LAN interfaces to share traffic, so any segmentation that is currently configured may be broken. If you do not wish for all traffic to be trusted between interfaces, then do not use this option.

For specific LAN routing you can manually add a route from the X5 subnet to the X0 subnet over any service with the local gateway (0.0.0.0) and use the X0 interface. If you wish to route directly to an individual host, then select it as your Destination instead of the X5 subnet. Make sure that there is a converse rule to allow traffic from that host to the X0 subnet as well.
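The NAT policy fields the answer walks through (Original/Translated Source, Original/Translated Destination, Original Service, Inbound/Outbound interface) and the advice to keep a reverse rule for the outbound path, as an added example that is not part of the original answer or of SonicOS. It models first-match policy lookup in Python and flags inbound destination translations that have no matching reverse rule; all addresses, ports, interface names and policy names are constructed placeholders.

```python
# Added example: a small model of the SonicOS NAT policy fields described above.
# All addresses, ports and policy names are constructed placeholders, not page values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY, ORIGINAL = "ANY", "ORIGINAL"

@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: str       # "ANY" or a host / CIDR
    trans_src: str      # "ORIGINAL" keeps the source address
    orig_dst: str
    trans_dst: str      # "ORIGINAL" keeps the destination address
    orig_service: str   # "ANY" or e.g. "tcp/3390"
    trans_service: str  # "ORIGINAL" or a translated service
    in_iface: str       # e.g. "X1" (WAN)
    out_iface: str      # e.g. "X5" (voice network)

def addr_matches(spec, addr):
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)

def translate(policies, src, dst, service, iface):
    """First-match lookup: returns (src, dst, service, out_iface), or None if no policy applies."""
    for p in policies:
        if (p.in_iface == iface and addr_matches(p.orig_src, src)
                and addr_matches(p.orig_dst, dst) and p.orig_service in (ANY, service)):
            return (src if p.trans_src == ORIGINAL else p.trans_src,
                    dst if p.trans_dst == ORIGINAL else p.trans_dst,
                    service if p.trans_service == ORIGINAL else p.trans_service,
                    p.out_iface)
    return None

def missing_reverse_rules(policies):
    """Inbound DNAT policies lacking an outbound policy that maps the host back to the WAN IP."""
    missing = []
    for p in policies:
        if p.trans_dst == ORIGINAL:
            continue  # not a destination translation, nothing to pair
        if not any(q.orig_src == p.trans_dst and q.trans_src == p.orig_dst
                   and q.in_iface == p.out_iface and q.out_iface == p.in_iface for q in policies):
            missing.append(p.name)
    return missing

# Constructed sample: WAN port 3390 forwarded to the PBX host on 3389, plus its reverse rule.
WAN_IP, PBX_HOST = "203.0.113.10", "10.5.0.20"
POLICIES = [
    NatPolicy("wan-to-pbx-rdp", ANY, ORIGINAL, WAN_IP, PBX_HOST, "tcp/3390", "tcp/3389", "X1", "X5"),
    NatPolicy("pbx-to-wan", PBX_HOST, WAN_IP, ANY, ORIGINAL, ANY, ORIGINAL, "X5", "X1"),
]
```

Dropping the second policy from `POLICIES` makes `missing_reverse_rules` report the inbound rule, which is the misconfiguration the answer warns about.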