Sonicwall newbie question...

am 13.12.2006 00:32:52 von Woody

I have a Sonicwall 2040 appliance... it's configured with a WAN, LAN and
DMZ (all done prior to my arrival with the company). The WAN is our
public IP addresses, such as E-Mail and Web Servers, LAN is all
internal addresses, and I'm not quite sure what the DMZ is.

What I'm wanting to do is enable traffic from my WAN (specifically 1 IP
address) to my LAN (again, specifically 1 IP address) for remote access
purposes. I have a service set up on my firewall for Terminal Services
(port 3389), and a rule set up to allow traffic from WAN to LAN for that
service. When I access my local server from the LAN, RDP works fine.
When I try from my public server, it says the service is not running or
it cannot find it.

Any ideas as to what I am doing wrong? Or what configuration option I
am missing?

Any thoughts are greatly appreciated and welcome.

Thanks,

Re: Sonicwall newbie question...

am 13.12.2006 06:30:13 von NETADMIN

What you have to do is the following steps in SonicWall:
1). Create a service for RDP=3389
2). Create a local user, i.e. internal IP address of server
3). Create a local user for public IP address of machine that is to
access local machine.
4). Create a rule which allows public IP access to local IP on RDP=3389
5). Apply rule to external interface for filtering traffic.
6). Try doing RDP from public machine




CK

woody wrote:
> I have a Sonicwall 2040 appliance... it's configured with a WAN, LAN and
> DMZ (all done prior to my arrival with the company). The WAN is our
> public IP addresses, such as E-Mail and Web Servers, LAN is all
> internal addresses, and I'm not quite sure what the DMZ is.
>
> What I'm wanting to do is enable traffic from my WAN (specifically 1 IP
> address) to my LAN (again, specifically 1 IP address) for remote access
> purposes. I have a service set up on my firewall for Terminal Services
> (port 3389), and a rule set up to allow traffic from WAN to LAN for that
> service. When I access my local server from the LAN, RDP works fine.
> When I try from my public server, it says the service is not running or
> it cannot find it.
>
> Any ideas as to what I am doing wrong? Or what configuration option I
> am missing?
>
> Any thoughts are greatly appreciated and welcome.
>
> Thanks,

Re: Sonicwall newbie question...

am 13.12.2006 08:15:44 von Mak

CK wrote:
> What you have to do is the following steps in SonicWall:
> 1). Create a service for RDP=3389
not necessary - it's called "terminal service" and predefined
> 2). Create a local user, i.e. internal IP address of server
I would call it an object (network - address objects - custom objects);
you need three:
2a) the internal host
2b) the external IP address of this host to be reached,
2c) also the admin host in the internet,

that is supposed to access your internal host

> 3). Create a local user for public IP address of machine that is to
> access local machine.
I would call it NAT (network - NAT policies), where you define which service is NATed to where (external object to
internal host)
> 4). Create a rule which allows public IP access to local IP on RDP=3389
create a rule WAN -> LAN which allows terminal service access from your admin host (2c) to
the EXTERNAL address defined in 2b
> 5). Apply rule to external interface for filtering traffic.
> 6). Try doing RDP from public machine
>
this applies to enhanced OS; if you have standard OS, you have fewer options
(no fancy objects, no PAT...)
but basically the same concept.

M

Re: Sonicwall newbie question...

am 13.12.2006 09:43:16 von NETADMIN

mak wrote:
> CK wrote:
> > What you have to do is the following steps in SonicWall:
> > 1). Create a service for RDP=3389
> not necessary - it's called "terminal service" and predefined

If not, then you have to create this service.

> > 2). Create a local user, i.e. internal IP address of server
> I would call it an object (network - address objects - custom objects);
> you need three:
> 2a) the internal host
> 2b) the external IP address of this host to be reached,
> 2c) also the admin host in the internet,
> that is supposed to access your internal host

One way or the other you have to define the IP address or groups.

> > 3). Create a local user for public IP address of machine that is to
> > access local machine.
> I would call it NAT (network - NAT policies), where you define which service is NATed to where (external object to
> internal host)

Same as above

> > 4). Create a rule which allows public IP access to local IP on RDP=3389
> create a rule WAN -> LAN which allows terminal service access from your admin host (2c) to
> the EXTERNAL address defined in 2b
Both are the same, i.e. NAT

> > 5). Apply rule to external interface for filtering traffic.
> > 6). Try doing RDP from public machine
> >
> this applies to enhanced OS; if you have standard OS, you have fewer options
> (no fancy objects, no PAT...)
> but basically the same concept.

OS has not been discussed yet...




> M

Re: Sonicwall newbie question...

am 13.12.2006 17:58:59 von Woody

> not necessary - it's called "terminal service" and predefined

Yes, mine is predefined...

> I would call it an object (network - address objects - custom objects);
> you need three:
> 2a) the internal host
> 2b) the external IP address of this host to be reached,
> 2c) also the admin host in the internet,
> that is supposed to access your internal host

I don't have these options... under Network I have the following:

Settings
One-to-One NAT
Web Proxy
Intranet
Routing
ARP
DHCP Server

I don't see anywhere in these options where I can add a custom object.
Suggestions?

> I would call it NAT (network - NAT policies), where you define which service is NATed to where (external object to
> internal host)

Again, I don't have NAT policies.

> > 4). Create a rule which allows public IP access to local IP on RDP=3389
> create a rule WAN -> LAN which allows terminal service access from your admin host (2c) to
> the EXTERNAL address defined in 2b
> > 5). Apply rule to external interface for filtering traffic.
> > 6). Try doing RDP from public machine
> >
> this applies to enhanced OS; if you have standard OS, you have fewer options
> (no fancy objects, no PAT...)
> but basically the same concept.
>
> M

Re: Sonicwall newbie question...

am 14.12.2006 09:31:21 von Mak

woody wrote:
>> not necessary - it's called "terminal service" and predefined
>
> Yes, mine is predefined...
>
>> I would call it an object (network - address objects - custom objects);
>> you need three:
>> 2a) the internal host
>> 2b) the external IP address of this host to be reached,
>> 2c) also the admin host in the internet,
>> that is supposed to access your internal host
>
> I don't have these options... under Network I have the following:
>
> Settings
> One-to-One NAT
> Web Proxy
> Intranet
> Routing
> ARP
> DHCP Server
>
>
all right,
looks like you have standard OS:

if your WAN interface is NAT enabled:
go to network - one-to-one NAT - add: private and public address and range length 1
(you need a separate public IP from your provider's pool)

go to firewall - access - rule - add:

action: allow
service: term serv
source: WAN ip_of_adminhost_in_the_internet (range begin and end are identical)
dest: LAN ip_of_internalhost_

that's it,
if it doesn't work, check your logs

M

Re: Sonicwall newbie question...

am 18.12.2006 20:15:17 von Woody

Well, I followed your instructions... but it seems that every time
I try to access my Internal address from my Public address, I get the
following responses in the logs:

12/18/2006 14:12:59.544 Web management request allowed 69.15.x.x, 37713, LAN 10.0.x.x, 80, LAN Web (HTTP)
12/18/2006 14:12:53.320 UDP packet from LAN dropped 10.0.x.x, 16924, LAN 10.0.x.x, 1900, LAN Port: 1900

*scratches head* What am I doing wrong?

mak wrote:

> woody wrote:
> >> not necessary - it's called "terminal service" and predefined
> >
> > Yes, mine is predefined...
> >
> >> I would call it an object (network - address objects - custom objects);
> >> you need three:
> >> 2a) the internal host
> >> 2b) the external IP address of this host to be reached,
> >> 2c) also the admin host in the internet,
> >> that is supposed to access your internal host
> >
> > I don't have these options... under Network I have the following:
> >
> > Settings
> > One-to-One NAT
> > Web Proxy
> > Intranet
> > Routing
> > ARP
> > DHCP Server
> >
> >
> all right,
> looks like you have standard OS:
>
> if your WAN interface is NAT enabled:
> go to network - one-to-one NAT - add: private and public address and range length 1
> (you need a separate public IP from your provider's pool)
>
> go to firewall - access - rule - add:
>
> action: allow
> service: term serv
> source: WAN ip_of_adminhost_in_the_internet (range begin and end are identical)
> dest: LAN ip_of_internalhost_
>
> that's it,
> if it doesn't work, check your logs
>
> M
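The two log lines Woody pasted carry the fields a defender needs in order to tell "the packets never arrived" from "they arrived and were dropped". What follows is an added example, not code from this thread or from SonicWall: a small Python parser for lines in the layout I read off that excerpt (timestamp, message, source IP/port/interface, destination IP/port/interface, optional note; that layout is my assumption, not something the thread documents), which counts allowed vs. dropped entries and checks whether anything at all was logged for the service port being tested. The sample input is the thread's own two lines re-joined; the diagnose() helper and its verdict strings are my construction.

```python
import re
from collections import Counter

# Constructed sample input: the two lines from the post above, re-joined onto
# single lines. Addresses are masked ("x.x") exactly as they appear in the thread.
SAMPLE_LOG = """\
12/18/2006 14:12:59.544 Web management request allowed 69.15.x.x, 37713, LAN 10.0.x.x, 80, LAN Web (HTTP)
12/18/2006 14:12:53.320 UDP packet from LAN dropped 10.0.x.x, 16924, LAN 10.0.x.x, 1900, LAN Port: 1900
"""

# Assumed field layout (my reading of the excerpt, not documented on the page):
#   <timestamp> <message> <src ip>, <src port>, <src iface> <dst ip>, <dst port>, <dst iface> [<note>]
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<msg>.+?) "
    r"(?P<src_ip>[\d.x]+), (?P<src_port>\d+), (?P<src_if>\w+) "
    r"(?P<dst_ip>[\d.x]+), (?P<dst_port>\d+), (?P<dst_if>\w+)"
    r"(?: (?P<note>.*))?$"
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["src_port"] = int(e["src_port"])
        e["dst_port"] = int(e["dst_port"])
        # Classify by the verb the firewall used in its message text.
        msg = e["msg"].lower()
        e["action"] = "allowed" if "allowed" in msg else ("dropped" if "dropped" in msg else "other")
        entries.append(e)
    return entries


def entries_for_port(entries, port):
    """Only the entries whose destination port is the service under test (3389 for RDP)."""
    return [e for e in entries if e["dst_port"] == port]


def action_counts(entries):
    """How many entries the firewall allowed vs. dropped."""
    return Counter(e["action"] for e in entries)


def diagnose(text, expected_port=3389):
    """Hypothetical triage helper: say which side of the firewall to look at next."""
    hits = entries_for_port(parse_log(text), expected_port)
    if not hits:
        return ("no traffic to port %d logged: the packets are not reaching the rule "
                "(check the one-to-one NAT entry and which address the client targets)" % expected_port)
    if any(e["action"] == "dropped" for e in hits):
        return "port %d traffic arrives but is dropped: check the access rule's source and destination" % expected_port
    return "port %d traffic is allowed through: look past the firewall (host firewall, listening service)" % expected_port


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print("%(ts)s %(action)-8s %(src_ip)s:%(src_port)d -> %(dst_ip)s:%(dst_port)d %(note)s" % e)
    print(action_counts(parse_log(SAMPLE_LOG)))
    print(diagnose(SAMPLE_LOG))
```

Run against the excerpt it reports that nothing on port 3389 was logged at all, which is the useful negative result: a rule that is never hit leaves no trace, so the next things to verify are the one-to-one NAT entry and which address the client is actually connecting to, exactly the two points the thread goes on to clear up.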

Re: Sonicwall newbie question...

am 18.12.2006 20:18:32 von Woody

When you say...

ip_of_adminhost_in_the_internet, this is my public IP of the server I
want to access from? Or my public IP that I added in the one-to-one
NAT?

and...

ip_of_internalhost_, this is the normal LAN address of the server I
want to access, correct?

Just making sure...

Thanks again for all the information... I greatly appreciate it!

Ray



mak wrote:
> woody wrote:
> >> not necessary - it's called "terminal service" and predefined
> >
> > Yes, mine is predefined...
> >
> >> I would call it an object (network - address objects - custom objects);
> >> you need three:
> >> 2a) the internal host
> >> 2b) the external IP address of this host to be reached,
> >> 2c) also the admin host in the internet,
> >> that is supposed to access your internal host
> >
> > I don't have these options... under Network I have the following:
> >
> > Settings
> > One-to-One NAT
> > Web Proxy
> > Intranet
> > Routing
> > ARP
> > DHCP Server
> >
> >
> all right,
> looks like you have standard OS:
>
> if your WAN interface is NAT enabled:
> go to network - one-to-one NAT - add: private and public address and range length 1
> (you need a separate public IP from your provider's pool)
>
> go to firewall - access - rule - add:
>
> action: allow
> service: term serv
> source: WAN ip_of_adminhost_in_the_internet (range begin and end are identical)
> dest: LAN ip_of_internalhost_
>
> that's it,
> if it doesn't work, check your logs
>
> M

Re: Sonicwall newbie question...

am 18.12.2006 21:56:19 von Woody

Could this have something to do with my internal address not showing up
in my firewall ARP table? And why wouldn't it? I can access it from
anywhere on the LAN.

mak wrote:
> woody wrote:
> >> not necessary - it's called "terminal service" and predefined
> >
> > Yes, mine is predefined...
> >
> >> I would call it an object (network - address objects - custom objects);
> >> you need three:
> >> 2a) the internal host
> >> 2b) the external IP address of this host to be reached,
> >> 2c) also the admin host in the internet,
> >> that is supposed to access your internal host
> >
> > I don't have these options... under Network I have the following:
> >
> > Settings
> > One-to-One NAT
> > Web Proxy
> > Intranet
> > Routing
> > ARP
> > DHCP Server
> >
> >
> all right,
> looks like you have standard OS:
>
> if your WAN interface is NAT enabled:
> go to network - one-to-one NAT - add: private and public address and range length 1
> (you need a separate public IP from your provider's pool)
>
> go to firewall - access - rule - add:
>
> action: allow
> service: term serv
> source: WAN ip_of_adminhost_in_the_internet (range begin and end are identical)
> dest: LAN ip_of_internalhost_
>
> that's it,
> if it doesn't work, check your logs
>
> M

Re: Sonicwall newbie question...

am 19.12.2006 12:16:48 von Mak

woody wrote:
> When you say...
>
> ip_of_adminhost_in_the_internet, this is my public IP of the server I
> want to access from?

correct

> Or my public IP that I added in the one-to-one
> NAT?
>
> and...
>
> ip_of_internalhost_, this is the normal LAN address of the server I
> want to access, correct?

correct

> Just making sure...
>
> Thanks again for all the information... I greatly appreciate it!
>
> Ray
>

Re: Sonicwall newbie question...

am 19.12.2006 12:33:42 von Mak

woody wrote:
> Could this have something to do with my internal address not showing up
> in my firewall ARP table? And why wouldnt it? I can access from
> anywhere on the LAN.
>

can you ping the host from the sonicwall (settings - diagnostics)?
M

Re: Sonicwall newbie question...

am 19.12.2006 15:59:10 von Woody

I got it all working last night. I really appreciate all the great
feedback and help from you. This was all a bit new to me. I knew the
terminology, but putting it all to use was a new experience.

Thanks, again!

mak wrote:
> woody wrote:
> > Could this have something to do with my internal address not showing up
> > in my firewall ARP table? And why wouldnt it? I can access from
> > anywhere on the LAN.
> >
>
> can you ping the host from the sonicwall (settings - diagnostics)?
> M

Re: Sonicwall newbie question...

am 19.12.2006 22:42:41 von Woody

Actually, I have one more question, if I might be allowed to pick your
brain once more. I added the nat'd address to the new public IP, and
created the rule to allow from the LAN to the NAT'd address. This
worked, and I was able to remote to the machine. Now, however, when I
try to access the server internally via a network share, myself and
anyone else that is trying to do so are not able to.

Any ideas why this might be? I didn't think the new NAT and Access
Rule would affect local LAN traffic, but it appears to do just that.

Any input is, as always, greatly appreciated.



mak wrote:
> woody wrote:
> > Could this have something to do with my internal address not showing up
> > in my firewall ARP table? And why wouldnt it? I can access from
> > anywhere on the LAN.
> >
>
> can you ping the host from the sonicwall (settings - diagnostics)?
> M

Re: Sonicwall newbie question...

am 20.12.2006 14:10:19 von Mak

woody wrote:
> Actually, I have one more question, if I might be allowed to pick your
> brain once more. I added the nat'd address to the new public IP, and
> created the rule to allow from the LAN to the NAT'd address.
°°°
I am assuming this is a typo and should be WAN
> This
> worked, and I was able to remote to the machine. Now, however, when I
> try to access the server internally via a network share, myself and
> anyone else that is trying to do so are not able to.
>
network share in your LAN has nothing to do with RDP access from outside, and
> Any ideas why this might be? I didn't think the new NAT and Access
> Rule would affect local LAN traffic, but it appears to do just that.
no:
the NAT and access rule from WAN to LAN only affect your access through the firewall (obviously)

so, if you are not using the DMZ interface and client and server are in the same segment, and you are using the
correct internal addresses, your problem is not the SonicWall.

M
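Mak's point here (a WAN -> LAN rule cannot touch LAN-to-LAN share traffic, because that traffic never crosses the firewall) and his earlier Standard OS recipe (a one-to-one NAT entry of range length 1, plus a WAN -> LAN access rule for Terminal Services whose source range begins and ends at the admin host) are easiest to see in an explicit model of the evaluation order. The Python below is an added example, not SonicWall code and not from the thread: NAT rewrites the public destination first, the access rule is matched on the post-NAT destination, and same-segment LAN traffic is returned untouched before either step. Every address (the 10.0.0.0/24 segment, 10.0.0.25 as the internal host, 203.0.113.10 as the public NAT IP, 198.51.100.7 as the admin host) and the zone defaults are constructed assumptions, since the thread only shows masked addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (the thread only shows 69.15.x.x / 10.0.x.x):
LAN_NET = ip_network("10.0.0.0/24")   # assumed segment behind the LAN interface
INTERNAL_HOST = "10.0.0.25"           # the server to be reached (ip_of_internalhost_)
PUBLIC_NAT_IP = "203.0.113.10"        # separate public IP from the provider's pool
ADMIN_HOST = "198.51.100.7"           # admin host on the Internet (ip_of_adminhost_in_the_internet)

# One-to-One NAT, range length 1: public address -> private address.
ONE_TO_ONE_NAT = {PUBLIC_NAT_IP: INTERNAL_HOST}

# The predefined "Terminal Services" service object.
SERVICES = {"Terminal Services": ("tcp", 3389)}

# Assumed zone defaults when no rule matches: inbound denied, outbound allowed.
DEFAULT_ACTION = {("WAN", "LAN"): "deny", ("LAN", "WAN"): "allow"}


@dataclass(frozen=True)
class Rule:
    action: str
    service: str
    src_zone: str
    src_begin: str   # source range begin ...
    src_end: str     # ... and end; identical for a single admin host
    dst_zone: str
    dst_ip: str      # matched against the post-NAT destination


# The recipe: allow / Terminal Services / source WAN admin host / dest LAN internal host.
ACCESS_RULES = [Rule("allow", "Terminal Services", "WAN", ADMIN_HOST, ADMIN_HOST, "LAN", INTERNAL_HOST)]


def zone_of(ip):
    return "LAN" if ip_address(ip) in LAN_NET else "WAN"


def in_range(ip, begin, end):
    return ip_address(begin) <= ip_address(ip) <= ip_address(end)


def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return (verdict, destination after NAT, reason) for one connection attempt."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # Client and server on the same LAN segment: the firewall never sees this traffic,
    # so neither the NAT entry nor the WAN -> LAN rule can affect it.
    if src_zone == "LAN" and dst_zone == "LAN":
        return ("not-inspected", dst_ip, "same segment: traffic does not cross the firewall")
    # Step 1: One-to-One NAT rewrites the public destination to the private host.
    translated = ONE_TO_ONE_NAT.get(dst_ip, dst_ip)
    dst_zone = zone_of(translated)
    # Step 2: access rules are matched on the translated destination.
    for rule in ACCESS_RULES:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if SERVICES[rule.service] != (proto, dst_port):
            continue
        if not in_range(src_ip, rule.src_begin, rule.src_end):
            continue
        if rule.dst_ip != translated:
            continue
        return (rule.action, translated, "matched rule: %s" % rule.service)
    return (DEFAULT_ACTION.get((src_zone, dst_zone), "deny"), translated, "no rule matched: zone default")


if __name__ == "__main__":
    attempts = [
        (ADMIN_HOST, PUBLIC_NAT_IP, "tcp", 3389),      # the admin host doing RDP
        ("192.0.2.44", PUBLIC_NAT_IP, "tcp", 3389),    # anyone else doing RDP
        (ADMIN_HOST, PUBLIC_NAT_IP, "tcp", 445),       # admin host, wrong service
        ("10.0.0.50", INTERNAL_HOST, "tcp", 445),      # a LAN client opening the share
    ]
    for a in attempts:
        print("%s -> %s %s/%d: %s" % (a[0], a[1], a[2], a[3], evaluate(*a)))
```

The fourth attempt is the share problem from this post: the LAN client is returned as not-inspected before NAT or any rule runs, which is Mak's conclusion that the cause lies elsewhere. The model also shows why the source range matters: swapping the admin host for any other Internet address falls through to the deny default.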

Re: Sonicwall newbie question...

am 20.12.2006 15:15:21 von Woody

OK, I have a question, related to when I added the One-to-One NAT rule...


When doing so, this appears at the top of the window:

NOTE: Computers connected in the One-To-One NAT IP range specified will
be disconnected.

I'm wondering if this was my problem, because I had to add my internal
IP address. So if users were connected to the network share at the
time, they would have been disconnected. I also wonder if just
rebooting the server in question would restore the connectivity.


mak wrote:
> woody wrote:
> > Actually, I have one more question, if I might be allowed to pick your
> > brain once more. I added the nat'd address to the new public IP, and
> > created the rule to allow from the LAN to the NAT'd address.
> °°°
> I am assuming this is a typo and should be WAN
> > This
> > worked, and I was able to remote to the machine. Now, however, when I
> > try to access the server internally via a network share, myself and
> > anyone else that is trying to do so are not able to.
> >
> network share in your LAN has nothing to do with RDP access from outside, and
> > Any ideas why this might be? I didn't think the new NAT and Access
> > Rule would affect local LAN traffic, but it appears to do just that.
> no:
> the NAT and access rule from WAN to LAN only affect your access through the firewall (obviously)
>
> so, if you are not using the DMZ interface and client and server are in the same segment, and you are using the
> correct internal addresses, your problem is not the SonicWall.
>
> M