Post on 10-Apr-2018
8/8/2019 SonicOS Enhanced- Three Types of Network Modes
NETWORKING SonicOS Enhanced: Three Types of Network Modes
Introduction
There are three different types of network modes that you can deploy on a SonicWALL running SonicOS Enhanced firmware.
The three network modes are:
NAT Mode
Transparent Mode
Route Mode
This document describes the characteristics and configurations of each network mode.
NAT Mode
NAT mode is the default network mode on the SonicWALL. It is the network mode that SonicWALL administrators are most familiar with, as it is the most common. NAT divides the network into a private address space and a public address space. The private address space resides on the LAN side and the public address space resides on the WAN side.
Network Diagram:
In NAT mode, when traffic traverses from the private network to the public network, the default behavior is to translate all private LAN source IP addresses to the WAN IP address of the SonicWALL. This is referred to as many-to-one NAT. Many-to-one NAT mode is ideal when the ISP has only given the administrator one public IP address.
You can also use NAT mode with a one-to-one configuration. One-to-one NAT mode is appropriate when the ISP has allocated a public IP range, and the administrator wants to translate the internal servers to unique public IP addresses.
Default NAT Policy:
For traffic to traverse the SonicWALL in NAT mode, two sets of policies are required:
The NAT policy
The Access Rules policy
In the SonicOS user interface, you can configure the NAT Policy on the Network > NAT Policies page, and the Access Rules Policy on the Firewall > Access Rules page. The NAT Policy translates the private IP addresses to a public IP address so that the private network can communicate with the public network. The Access Rules Policy defines the conditions under which the firewall should allow or drop traffic.
For outbound connections, no additional configuration is necessary because the default NAT policies already exist and the default LAN to WAN Access Rule allows all traffic out.
For inbound connections, you must configure an inbound NAT policy and an inbound Access Rule policy. In this scenario, only one public IP address is configured on the SonicWALL WAN interface. In NAT mode, traffic arriving on the public IP address of the SonicWALL is redirected to specific services on private servers. This is commonly referred to as Port Forwarding.
Two examples are provided below to show the configuration for the following inbound NAT modes:
Port Forwarding
One-to-One NAT
Port Forwarding Example
1. Create the address object:
2. Create an Inbound NAT Policy
For Original Destination, select WAN Primary IP from the drop-down list so that SMTP traffic arriving on the WAN IP address of the SonicWALL is redirected to the SMTP server on the LAN.
For Inbound Interface, select X1 from the drop-down list if X1 is the WAN interface.
The resulting NAT Policies are shown below:
3. Create an Access Rule under Firewall > Access Rules for WAN > LAN
The resulting WAN > LAN Access Rules are shown below:
One-to-One NAT Example
When the ISP has allocated more than one public IP address, you can create a one-to-one NAT between the public and private IP addresses. Once the inbound NAT Policy and Access Rules Policy are configured, public networks can reach the private server using the translated public IP address of that server.
1. Create the public and private Address objects under Network > Address Objects
Public Object
Private Object
2a. Create an inbound NAT Policy under Network > NAT Policies
2b. Create an outbound NAT Policy under Network > NAT Policies (Optional)
3. Create an Access Rule under Firewall > Access Rules for WAN > LAN
The resulting WAN > LAN Access Rules are shown below:
Hint: You can use the Public Server Wizard to create address objects, NAT Policies, and access rules in one step. Refer to the SonicWALL Technote: Using the SonicOS Enhanced Wizard to Configure a Public Server for a detailed description of how the Public Server Wizard works.
Transparent Mode
Transparent mode is ideal in a situation where the public servers are already assigned public IP addresses. In this case, the administrator wants to protect the network with a SonicWALL, but does not wish to reassign the servers with private IP addresses. Changing IP addresses is often required in NAT mode.
The Network Diagram depicts a situation where the ISP has given the administrator a public IP address range of 10.50.26.0/24. The administrator does not want to change the IP addresses of the SMTP server and the Web server. With transparent mode, the SonicWALL can protect both servers from the public network without disrupting the current IP addressing scheme.
Network Diagram: PRO 3060 in front of the public range 10.50.26.0/24 (labels in the figure: 10.50.26.6; www server 10.50.26.8; smtp server 10.50.26.7)
Although it appears that the SonicWALL is acting like a bridge, it is not. The LAN devices see all WAN devices with the MAC address of the SonicWALL LAN interface. Likewise, the directly connected WAN devices see all LAN devices with the MAC address of the SonicWALL WAN interface.
Note: SonicOS Enhanced 3.5 has a new feature called Layer 2 Bridge Mode that allows the Layer 2 MAC addresses to remain the same as traffic traverses the SonicWALL.
In transparent mode, there are no network address translations. An access rule policy by itself is enough to allow inbound access.
Transparent Mode Example
1. Create a Network Address Object to use as the Transparent Range
2. Set the X0 Interface in Transparent Mode
3. Create Address Objects for the SMTP and WEB servers
4. Create Rules to allow Inbound Access
See the SonicWALL Technote: Transparent Mode Support on SonicOS Enhanced for a detailed description of transparent mode configuration.
Route Mode
Route mode is ideal in a situation where the ISP has allocated two or more public IP address ranges and the administrator does not want to use NAT. In the diagram, the ISP has allocated two public IP address ranges:
10.50.26.0/24
172.16.6.0/24
The SonicWALL will protect the servers in the 172.16.6.0/24 network.
Network Diagram:
Although the network diagram is exactly the same as in NAT mode, the difference here is that there are no network address translations. Instead of using NAT, traffic is routed. An access rule policy by itself is enough to allow inbound access.
Route Mode Example
1. Disable the default NAT Policy
To enable route mode, you can simply disable the default NAT policy in the Network > NAT Policies screen. This prevents the SonicWALL default behavior, which is to NAT traffic traversing from the private network to the public network.
2. Create the Address Objects
3. Create Access Rules
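The point common to the NAT Mode examples (many-to-one outbound NAT, the port-forwarding and one-to-one inbound policies) and to the Route Mode steps (disable the default outbound NAT policy and rely on access rules alone) is that a NAT policy and an access rule are looked up separately, and traffic passes only when both agree. The model below is an added example written for this page, not SonicWALL code: the field names, the evaluation order (NAT policy consulted first to learn the destination zone, the access rule then matched on the packet's original destination), and every address (203.0.113.0/24 and 198.51.100.0/24 public addresses, 192.168.1.0/24 LAN, X0 as LAN and X1 as WAN) are assumptions made for the illustration and say nothing about SonicOS internals.

```python
"""Model of how NAT policies and access rules combine to pass or drop traffic.

Added illustration, not SonicWALL code. Field names, evaluation order and all
addresses are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed topology: X1 is the WAN interface, X0 the LAN interface.
WAN_PRIMARY_IP = ip_address("203.0.113.10")   # constructed WAN Primary IP
PUBLIC_WEB_IP = ip_address("203.0.113.20")    # constructed second public address
LAN_SUBNET = ip_network("192.168.1.0/24")
SMTP_SERVER = ip_address("192.168.1.25")
WEB_SERVER = ip_address("192.168.1.80")
ZONE_OF_IFACE = {"X0": "LAN", "X1": "WAN"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatPolicy:
    """One row of Network > NAT Policies; None stands for Any / Original."""
    orig_src: Optional[IPv4Network] = None
    orig_dst: Optional[IPv4Address] = None
    service_port: Optional[int] = None
    inbound_iface: Optional[str] = None
    trans_src: Optional[IPv4Address] = None
    trans_dst: Optional[IPv4Address] = None
    enabled: bool = True


@dataclass(frozen=True)
class AccessRule:
    """One row of Firewall > Access Rules; None stands for Any."""
    from_zone: str
    to_zone: str
    dest: Optional[IPv4Address] = None
    dport: Optional[int] = None
    action: str = "allow"


def zone_of(addr: str) -> str:
    """Destination zone by routing: LAN subnet or everything else (WAN)."""
    return "LAN" if ip_address(addr) in LAN_SUBNET else "WAN"


def match_nat(pkt: Packet, policies) -> Optional[NatPolicy]:
    """First enabled policy whose original-side fields all match, else None."""
    for p in policies:
        if not p.enabled:
            continue
        if p.orig_src is not None and ip_address(pkt.src) not in p.orig_src:
            continue
        if p.orig_dst is not None and ip_address(pkt.dst) != p.orig_dst:
            continue
        if p.service_port is not None and pkt.dport != p.service_port:
            continue
        if p.inbound_iface is not None and pkt.in_iface != p.inbound_iface:
            continue
        return p
    return None


def forward(pkt: Packet, policies, rules):
    """Return ("allow", translated packet) or ("drop", reason)."""
    policy = match_nat(pkt, policies)
    out = pkt
    if policy is not None:  # apply the translation, leaving Original fields alone
        out = replace(
            pkt,
            src=str(policy.trans_src) if policy.trans_src is not None else pkt.src,
            dst=str(policy.trans_dst) if policy.trans_dst is not None else pkt.dst,
        )
    from_zone = ZONE_OF_IFACE[pkt.in_iface]
    to_zone = zone_of(out.dst)
    for r in rules:  # access rule matched on the original destination (assumption)
        if (r.from_zone, r.to_zone) != (from_zone, to_zone):
            continue
        if r.dest is not None and ip_address(pkt.dst) != r.dest:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        return ("allow", out) if r.action == "allow" else ("drop", "denied by access rule")
    return "drop", f"no {from_zone} > {to_zone} access rule"


# Constructed policy table, inbound rows first, default many-to-one row last.
PORT_FORWARD_SMTP = NatPolicy(orig_dst=WAN_PRIMARY_IP, service_port=25,
                              inbound_iface="X1", trans_dst=SMTP_SERVER)
ONE_TO_ONE_IN = NatPolicy(orig_dst=PUBLIC_WEB_IP, inbound_iface="X1", trans_dst=WEB_SERVER)
ONE_TO_ONE_OUT = NatPolicy(orig_src=ip_network("192.168.1.80/32"), trans_src=PUBLIC_WEB_IP)
DEFAULT_OUTBOUND = NatPolicy(orig_src=LAN_SUBNET, trans_src=WAN_PRIMARY_IP)
NAT_POLICIES = [PORT_FORWARD_SMTP, ONE_TO_ONE_IN, ONE_TO_ONE_OUT, DEFAULT_OUTBOUND]

ACCESS_RULES = [
    AccessRule("LAN", "WAN"),                                  # default: all traffic out
    AccessRule("WAN", "LAN", dest=WAN_PRIMARY_IP, dport=25),   # port-forwarding rule
    AccessRule("WAN", "LAN", dest=PUBLIC_WEB_IP, dport=80),    # one-to-one rule
]


def route_mode_policies():
    """Route mode: the default outbound policy is disabled, so nothing is translated."""
    return [replace(DEFAULT_OUTBOUND, enabled=False)]
```

Running `forward` over a few constructed packets shows the two halves of the configuration working together: an outbound LAN packet leaves with the WAN Primary IP as its source, the web server leaves with its own one-to-one public address, TCP/25 to the WAN Primary IP reaches the SMTP server, and TCP/22 to the one-to-one public address is translated by the NAT policy but still dropped because no WAN > LAN access rule covers that port. With `route_mode_policies()` in place of the table, the same packet is forwarded with its source unchanged.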
Troubleshooting
You can use the Packet Trace utility on the System > Diagnostics page to test the NAT and Access Rules policies.
To use Packet Trace:
1. In the Packet Trace screen, enter the IP address of the test PC and then click Start.
2. From a test PC on the Internet, initiate a telnet connection to the specific TCP port. For example, to see if the SMTP server is working in the route mode example, telnet to 172.16.6.100 on port 25.
3. Open a DOS command window and issue the command telnet 172.16.6.100 25.
The Packet Trace Utility will show packets received from the X1(WAN) interface and sent on the X0(LAN) interface.
If the Packet Trace utility does not show any packets, then it means that the packets are not even reaching the SonicWALL. Check with the ISP to see if routing is working properly. If the packets are being received on the X1 (WAN) interface but not sent on the X0 (LAN) interface, then there is a problem with the NAT Policy and/or Access Rules policy. Check the NAT Policy and Access Rules Policy for incorrect configurations.
Hint: To further simplify the troubleshooting process, change the Service in the NAT Policy and Access Rule Policy to ANY.
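The decision the paragraph above describes (nothing seen on X1: upstream routing; seen on X1 but not sent on X0: NAT policy or access rule; both: the firewall is passing the service) is mechanical enough to automate once the trace has been exported. The script below is an added example, not SonicWALL code: the record layout, one `(interface, direction, src, dst, dport)` tuple per traced packet, is constructed for the illustration, as are the test PC address 198.51.100.7 and the trace contents; the real Packet Trace screen has its own layout, so its rows would have to be mapped into these tuples first.

```python
"""Interpret a Packet Trace run the way the Troubleshooting section does.

Added example, not SonicWALL code. The trace record layout is constructed for
the illustration and must be produced from the real Packet Trace output.
"""
from collections import Counter

WAN_IFACE = "X1"
LAN_IFACE = "X0"

# Constructed records: (interface, direction, src, dst, dport) per traced packet.
# 198.51.100.7 stands in for the test PC on the Internet; 172.16.6.100 is the
# SMTP server of the route mode example.
TRACE_FORWARDED = [
    ("X1", "received", "198.51.100.7", "172.16.6.100", 25),
    ("X0", "sent",     "198.51.100.7", "172.16.6.100", 25),
    ("X1", "received", "198.51.100.7", "172.16.6.100", 80),  # unrelated flow, ignored
]
TRACE_POLICY_BLOCK = [("X1", "received", "198.51.100.7", "172.16.6.100", 25)]
TRACE_NOTHING = []

FINDINGS = {
    "upstream": "no packets reached the SonicWALL: check with the ISP that routing works",
    "policy": "received on X1 (WAN) but not sent on X0 (LAN): check the NAT Policy and Access Rule",
    "forwarded": "received on X1 (WAN) and sent on X0 (LAN): the policies pass this service",
}


def diagnose(records, server_ip, port):
    """Return 'upstream', 'policy' or 'forwarded' for the test flow to server_ip:port."""
    # Only the flow under test counts; other packets in the trace are ignored.
    flow = [r for r in records if r[3] == server_ip and r[4] == port]
    seen = Counter((iface, direction) for iface, direction, *_ in flow)
    if seen[(WAN_IFACE, "received")] == 0:
        return "upstream"
    if seen[(LAN_IFACE, "sent")] == 0:
        return "policy"
    return "forwarded"


def explain(records, server_ip, port):
    """Human-readable finding for the flow, e.g. explain(TRACE_NOTHING, "172.16.6.100", 25)."""
    return FINDINGS[diagnose(records, server_ip, port)]
```

Filtering on the destination and port before counting matters in practice: a trace for the test PC also carries whatever else that host sent, and a packet for another service received on X1 must not be mistaken for evidence that the SMTP flow reached the firewall.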
Related Documentation
For more information, refer to the following SonicWALL TechNotes on www.sonicwall.com/support/documentation:
SonicOS Enhanced: Using a Secondary Public IP Range for NAT
SonicOS Enhanced: Configuring the SonicWALL DHCP for GVC
Configuring Port Forwarding with the SonicWALL
Terminating the WAN GroupVPN and Using VPN Access in SonicOS Enhanced
Terminating the WAN GroupVPN to the LAN/DMZ using SonicOS Standard
Typical DMZ Setups with FTP, SMTP, and DNS Servers
Common Issues with GVC
Network Browsing with IP Helper NetBIOS Relay
Creating One-to-One NAT Policies in SonicOS Enhanced
SonicOS Enhanced: Three Types of Network Modes
SonicOS 2.0 Enhanced: Configuring GroupVPN for Global VPN Clients
SonicOS Enhanced: Implementing GVC with Windows Networking
Document created: 9/27/06
Last updated: 11/11/06