Post date: May 25, 2012 9:29:55 AM
UTM: How to configure Port Address Translation (PAT) or Port redirection in SonicOS Enhanced
Answer/Article
Applies to:
Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
TZ series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 W, TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless.
Firmware/Software Version: All Enhanced versions.
Services: PAT Port Address Translation, Port redirection
Feature/Application:
Port Address Translation (PAT) can be used when you need to forward the same external port to more than one internal IP address but only have one public IP.
For example:
You have multiple internal Terminal Servers at 10.51.51.10, 10.51.51.11, etc., but only one public address, 65.45.46.14 (which is also the WAN primary IP of the SonicWALL).
Because the same port on the same public IP cannot be forwarded to more than one internal IP, you need a port translation in order to reuse that public IP.
A port translation simply means creating a fake public port for Terminal Services (33899) and translating that fake public port to the real port (3389).
Procedure:
1) Create a fake Port range for your service. In this scenario we will be creating a PAT for Terminal services.
· Log into your SonicWALL, go to: Firewall>Services>Scroll to the bottom of the page and click on “Add new service”
Name: Name the service accordingly.
Protocol: TCP
Port Range: 33899-33899 (Or any un-used port of your choice)
Click on the “Add” button.
· We will now need to add the same service but for UDP protocol.
Name: Name the service accordingly.
Protocol: UDP
Port Range: 33899-33899 (Or any un-used port of your choice)
· Create a new service group by clicking on “Add Group”, name it accordingly and move the two custom services just created from the left side to the right side.
· Click on OK.
2) Navigate to Network > Address Objects > scroll down and add an Address Object for one of the internal servers.
· Click on Add.
3) Navigate to Network > NAT Policies and add a NAT Policy as follows:
Original Source: Any
Translated Source: Original
Original Destination: X1 IP
Translated Destination: Terminal Server 1
Original Service: Terminal Services Fake Group
Translated Service: Terminal Services
Inbound Interface: X1
Outbound Interface: Any
· Click on Add>Close
4) Navigate to Firewall > Access Rules, select the Matrix view, click the dot “.” for WAN to LAN and click Edit.
· Add a new rule as follows:
Action: Allow
Service: Terminal Services Fake Group
Source: Any
Destination: X1 IP
Users Allowed: All
Schedule: Always on
Click Add.
5) This combination of access rules, NAT policies and services will now allow you to forward Terminal Services to multiple internal IP addresses off a single public IP.
· You will need to specify the port that will be used for each session.
· For example, if you wished to Remote Desktop to the server at 10.51.51.10, you would need to specify the fake port in the RDP session. You do so by entering the public IP in the RDP client followed by a colon and the port number (65.45.46.14:33899).
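The following script is an added example, not SonicWALL code, that models how the objects from steps 1 to 4 chain together when an inbound packet arrives on X1. It uses the article's sample values (65.45.46.14, 10.51.51.10, fake port 33899, real port 3389); the second server's fake port 33900 and the client address 198.51.100.7 are constructed. The model shows why the access rule in step 4 is written against the pre-translation destination (X1 IP) and the fake service group: a packet to the real port 3389 on the public IP matches neither the rule nor any NAT policy and is dropped, so only the deliberately published fake ports are reachable.

```python
"""Model of the SonicOS PAT configuration described above (added example,
not SonicWALL code). Inbound WAN->LAN packets are checked against the access
rule (step 4), then rewritten by the matching NAT policy (step 3)."""

from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "65.45.46.14"   # X1 (WAN primary) IP from the article
REAL_PORT = 3389            # Terminal Services (RDP)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "TCP" or "UDP"
    dst_port: int


# Step 1/2: one fake port per internal server. 33899 -> 10.51.51.10 is the
# article's example; 33900 -> 10.51.51.11 is constructed for illustration.
FAKE_PORTS = {
    33899: "10.51.51.10",   # Terminal Server 1
    33900: "10.51.51.11",   # Terminal Server 2 (constructed)
}

# Step 1: the custom service group holds both the TCP and the UDP service
# for every fake port.
FAKE_SERVICE_GROUP = {(proto, port)
                      for proto in ("TCP", "UDP")
                      for port in FAKE_PORTS}


@dataclass(frozen=True)
class NatPolicy:
    original_dst: str       # "X1 IP"
    original_port: int      # fake port (original service)
    translated_dst: str     # internal server (translated destination)
    translated_port: int    # real port (translated service)


# Step 3: one NAT policy per internal server, all sharing the X1 IP.
NAT_POLICIES = [NatPolicy(PUBLIC_IP, fake, host, REAL_PORT)
                for fake, host in FAKE_PORTS.items()]


def access_rule_allows(pkt: Packet) -> bool:
    """Step 4: WAN->LAN rule, Destination: X1 IP, Service: fake group.
    Evaluated on the pre-translation destination and port."""
    return pkt.dst_ip == PUBLIC_IP and (pkt.proto, pkt.dst_port) in FAKE_SERVICE_GROUP


def translate(pkt: Packet) -> Optional[Packet]:
    """Return the packet as delivered to the LAN, or None if it is dropped."""
    if not access_rule_allows(pkt):
        # Default WAN->LAN policy is deny: the real port 3389 on the public
        # IP and any unpublished fake port never reach an internal host.
        return None
    for pol in NAT_POLICIES:
        if pkt.dst_ip == pol.original_dst and pkt.dst_port == pol.original_port:
            return Packet(pkt.src_ip, pol.translated_dst, pkt.proto, pol.translated_port)
    return None


def client_target(internal_ip: str) -> Optional[str]:
    """Step 5: the host:port string a user types into the RDP client to
    reach a given internal server through the PAT, or None if unpublished."""
    for fake, host in FAKE_PORTS.items():
        if host == internal_ip:
            return f"{PUBLIC_IP}:{fake}"
    return None


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed external client address
    for port in (33899, 33900, 3389, 33898):
        pkt = Packet(client, PUBLIC_IP, "TCP", port)
        print(f"{PUBLIC_IP}:{port} -> {translate(pkt)}")
    print("RDP target for 10.51.51.11:", client_target("10.51.51.11"))
```

Each additional Terminal Server needs its own pair of fake services (TCP and UDP), its own address object and its own NAT policy, but the single access rule keeps working as long as the new fake services are added to the group it references.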