Routing NAT with SonicWall NSA 2400 and Multiple Public IPs

Tags: nat, routing, sonicwall

Currently I have set up 1:1 NAT to translate one public IP to one private IP, but is there any way to map multiple public IPs to one private IP on the NSA 2400? Or do I need to set up another 1:1 NAT with a different private IP and add that IP as a secondary address on the device from the first NAT?

Best Answer

You certainly can do MANY:1 NAT -- that is: have several Public WAN IPs point to 1 internal LAN IP.

Just create Address Objects for each WAN IP and put those Address Objects into an Address Object Group. Then create your NAT (and Firewall) rule using the Address Object GROUP. Inbound Internet traffic destined to any of the Public IPs in the Address Object Group will be NAT'd to the internal IP.

So, for example, if you have 3 ISPs and one internal LAN looking something like:

X0: LAN 192.168.1.1
X1: WAN1 123.56.78.89
X2: WAN2 65.32.98.2 thru .6
X3: WAN3 9.50.23.8 and .9

And you want to use a Public IP from each ISP: select which IPs to use and create Address Objects for each (in my example the X1 WAN IP Object will be the only IP for that interface; for X2 and X3 you will need to create Objects for the IPs you want), such as:

X1 WAN IP (something like this already exists)
X2 Public .5  (create this Object = 65.32.98.5)
X3 WAN IP  (something like this already exists for the .8 IP)

Put all of them into an Address Object Group called: SERVER-16 Public IPs (or whatever)

Then create an inbound NAT rule that uses that Address Object Group for the Destination, like:

Original Source: Any
Translated Source: Original
Original Destination: SERVER-16 Public IPs    (your GROUP)
Translated Destination: SERVER-16 Private IP  (IP of your server on the LAN 192.168.1.16)
Original Service: HTTP   (or whatever service)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: X0   (the LAN interface)

You will need to create a similar Firewall rule from WAN > LAN using SERVER-16 Public IPs as the Destination (since it is a NAT rule), the same Service, and Any as the Source.

I have done this on several SonicWALL devices and it works just fine.

PS: You could probably set multiple 1:1 inbound NAT rules if you'd prefer, but that just gets messy with many WAN IPs, and when you want to make changes.

For OUTBOUND return traffic the SonicWALL will send the data back using the original inbound interface (so if someone connects to the X3 IP it will come back to the user via X3).

For OUTBOUND original traffic -- meaning browsing from SERVER-16 for updates, NTP time sync, etc. -- the outbound interface/IP will be determined by the Outbound NAT rules and likely the Load Balancing settings and routes.
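The policy the answer describes, modelled as a small evaluator so the two points that usually trip people up can be checked offline: an inbound packet is first matched against the NAT policy (which uses the Address Object GROUP of public IPs), then against the WAN > LAN access rule, and that access rule must name the original (pre-NAT) public destination, not the private IP, or the packet is dropped. This is an added illustration, not SonicOS code or anything from the answer: the object names, the public IPs and the server IP 192.168.1.16 are the answer's own examples, the client address 203.0.113.7 is a constructed sample, and the matching order and the per-flow state table are a simplified model of a stateful firewall rather than a description of the NSA 2400's internals.

```python
"""Model of the answer's MANY:1 inbound NAT policy plus its access rule (added example)."""
from dataclasses import dataclass, replace

# Address objects and the group, as laid out in the answer (its example public IPs).
ADDRESS_OBJECTS = {
    "X1 WAN IP": {"123.56.78.89"},
    "X2 Public .5": {"65.32.98.5"},
    "X3 WAN IP": {"9.50.23.8"},
    "SERVER-16 Private IP": {"192.168.1.16"},
}
ADDRESS_GROUPS = {"SERVER-16 Public IPs": ["X1 WAN IP", "X2 Public .5", "X3 WAN IP"]}
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}


def resolve(name):
    """Expand an address object or group name to a set of IPs; None means 'Any'."""
    if name == "Any":
        return None
    if name in ADDRESS_GROUPS:
        return set().union(*(ADDRESS_OBJECTS[m] for m in ADDRESS_GROUPS[name]))
    return ADDRESS_OBJECTS[name]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str  # interface the packet is currently on (WAN on the way in, X0 after NAT)


# The inbound NAT policy exactly as the answer lists it.
NAT_POLICY = {
    "orig_src": "Any",
    "orig_dst": "SERVER-16 Public IPs",
    "orig_svc": "HTTP",
    "trans_dst": "SERVER-16 Private IP",
    "in_iface": "Any",
    "out_iface": "X0",
}

# Access rules are evaluated on the ORIGINAL (pre-NAT) destination, which is why the
# answer says the WAN > LAN rule must use the public group.  The second rule is the
# common mistake: naming the private IP, which the inbound packet never carries.
GOOD_ACCESS_RULE = {"src": "Any", "dst": "SERVER-16 Public IPs", "svc": "HTTP"}
BAD_ACCESS_RULE = {"src": "Any", "dst": "SERVER-16 Private IP", "svc": "HTTP"}


def _match(pkt, src, dst, svc):
    """True if pkt matches the (src object, dst object, service) triple."""
    s, d = resolve(src), resolve(dst)
    proto, port = SERVICES[svc]
    return ((s is None or pkt.src in s) and (d is None or pkt.dst in d)
            and pkt.proto == proto and pkt.dport == port)


def inbound(pkt, access_rule, state):
    """NAT lookup, then access rule; return the LAN-bound packet, or None if dropped.

    `state` is a simplified flow table keyed on (client, public IP) that remembers the
    WAN interface the connection arrived on, so the reply goes back out the same way
    (the answer's note on OUTBOUND return traffic).
    """
    nat = NAT_POLICY
    if nat["in_iface"] != "Any" and pkt.iface != nat["in_iface"]:
        return None
    if not _match(pkt, nat["orig_src"], nat["orig_dst"], nat["orig_svc"]):
        return None  # no NAT policy matched: a public IP outside the group is not forwarded
    if not _match(pkt, access_rule["src"], access_rule["dst"], access_rule["svc"]):
        return None  # NAT matched but the access rule did not: dropped
    translated_dst = next(iter(resolve(nat["trans_dst"])))
    state[(pkt.src, pkt.dst)] = pkt.iface
    return replace(pkt, dst=translated_dst, iface=nat["out_iface"])


def return_interface(state, client, public_ip):
    """WAN interface the reply to `client` for the flow to `public_ip` will leave on."""
    return state.get((client, public_ip))


if __name__ == "__main__":
    flows = {}
    for public_ip, wan in [("123.56.78.89", "X1"), ("65.32.98.5", "X2"), ("9.50.23.8", "X3")]:
        out = inbound(Packet("203.0.113.7", public_ip, "tcp", 80, wan), GOOD_ACCESS_RULE, flows)
        print(public_ip, "->", out.dst, "via", out.iface, "| reply via", return_interface(flows, "203.0.113.7", public_ip))
    print("private-IP access rule:", inbound(Packet("203.0.113.7", "9.50.23.8", "tcp", 80, "X3"), BAD_ACCESS_RULE, {}))
```

Running it shows all three public IPs landing on 192.168.1.16 out X0 with the reply pinned to the interface it arrived on, while the same packet against the rule that names the private IP is dropped, and a packet to 65.32.98.6 (a WAN2 address not in the group) or to port 443 never reaches translation at all.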