14/06/2016

PANEL_addNatPolDlg

Creating NAT Policies
For general information on NAT Policies, see Network > NAT Policies.
NAT policies allow you the flexibility to control Network Address Translation based on matching combinations
of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to
deploy different types of NAT simultaneously. This section contains the following subsections:

Creating a Many-to-One NAT Policy
Creating a Many-to-Many NAT Policy
Creating a One-to-One NAT Policy for Outbound Traffic
Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
Configuring One-to-Many NAT Load Balancing
Inbound Port Address Translation via One-to-One NAT Policy
Inbound Port Address Translation via WAN IP Address
Using NAT Load Balancing

For this chapter, the examples use the following IP addresses as examples to demonstrate the NAT policy
creation and activation. You can use these examples to create NAT policies for your network, substituting your
IP addresses for the examples shown here:

192.168.10.0/24 IP subnet on interface X0
67.115.118.64/27 IP subnet on interface X1
192.168.30.0/24 IP subnet on interface X2
X0 IP address is 192.168.10.1
X1 IP address is 67.115.118.68
X2 Sales IP address is 192.168.30.1
Web server's private address at 192.168.30.200
Web server's public address at 67.115.118.70
Public IP range addresses of 67.115.118.71 - 67.115.118.74

Creating a Many-to-One NAT Policy
Many-to-One is the most common NAT policy on a SonicWALL security appliance, and allows you to translate
a group of addresses into a single address. Most of the time, this means that you're taking an internal private
IP subnet and translating all outgoing requests into the IP address of the WAN interface of the SonicWALL
security appliance (by default, the X1 interface), such that the destination sees the request as coming from the
IP address of the SonicWALL security appliance WAN interface, and not from the internal private IP address.
This policy is easy to set up and activate. From the Management Interface, go to the Network > NAT Policies
page and click on the Add button. The Add NAT Policy window is displayed for adding the policy. To create a
NAT policy to allow all systems on the X2 interface to initiate traffic using the SonicWALL security appliance's
WAN IP address, choose the following from the drop-down boxes:

Original Source: X2 Subnet
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

http://help.mysonicwall.com/sw/eng/6931/ui2/25201/PANEL_addNatPolDlg.html

When done, click on the OK button to add and activate the NAT Policy. This policy can be duplicated for
subnets behind the other interfaces of the SonicWALL security appliance; just replace the Original Source
with the subnet behind that interface, adjust the source interface, and add another NAT policy.

Creating a Many-to-Many NAT Policy
The Many-to-Many NAT policy allows you to translate a group of addresses into a group of different addresses.
This allows the SonicWALL security appliance to utilize several addresses to perform the dynamic translation.
This allows a much higher number of concurrent connections; the SonicWALL security appliance can perform
up to a half million concurrent connections across the interfaces.
This policy is easy to set up and activate. You first need to go to the Network > Address Objects and click on
the Add button at the bottom of the screen. When the Add Address Object window appears, enter in a
description for the range in the Name field, choose Range from the drop-down menu, enter the range of
addresses (usually public IP addresses supplied by your ISP) in the Starting IP Address and Ending IP
Address fields, and select WAN as the zone from the Zone Assignment menu. When done, click on the OK
button to create the range object.
Select Network > NAT Policies and click on the Add button. The Add NAT Policy window is displayed. To
create a NAT policy to allow the systems on the LAN interface (by default, the X0 interface) to initiate traffic
using the public range addresses, choose the following from the drop-down menus:

Original Source: LAN Primary Subnet
Translated Source: public_range
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X0
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

When done, click on the OK button to add and activate the NAT Policy. With this policy in place, the
SonicWALL security appliance dynamically maps outgoing traffic using the four available IP addresses in the
range we created.
You can test the dynamic mapping by installing several systems on the LAN interface (by default, the X0
interface) at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and
192.168.10.200) and accessing the public Web site http://www.whatismyip.com from each system. Each
system should display a different IP address from the range we created and attached to the NAT policy.

Creating a One-to-One NAT Policy for Outbound Traffic
One-to-One NAT for outbound traffic is another common NAT policy on a SonicWALL security appliance for
translating an internal IP address into a unique IP address. This is useful when you need specific systems,
such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time,
a NAT policy such as this One-to-One NAT policy for outbound traffic is used to map a server's private IP
address to a public IP address, and it is paired with a reflective (mirror) policy that allows any system from the
public Internet to access the server, along with a matching firewall access rule that permits this. Reflective
NAT policies are covered in the next section.
This policy is easy to set up and activate. Select Network > Address Objects and click on the Add button at
the bottom of the screen. In the Add Address Object window, enter a description for the server's private IP
address in the Name field. Choose Host from the Type menu, enter the server's private IP address in the IP
Address field, and select the zone that the server is assigned to from the Zone Assignment menu. Click OK.
Then, create another object in the Add Address Object window for the server's public IP address with the
correct values, and select WAN from the Zone Assignment menu. When done, click on the OK button to create
the range object.
Next, select Network > NAT Policies and click on the Add button to display the Add NAT Policy window. To
create a NAT policy to allow the Web server to initiate traffic to the public Internet using its mapped public IP
address, choose the following from the drop-down menus:

Original Source: webserver_private_ip
Translated Source: webserver_public_ip
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Checked

When done, click on the OK button to add and activate the NAT Policy. With this policy in place, the
SonicWALL security appliance translates the server's private IP address to the public IP address when it
initiates traffic out the WAN interface (by default, the X1 interface).
You can test the One-to-One mapping by opening up a Web browser on the server and accessing the public
Web site http://www.whatismyip.com. The Web site should display the public IP address we attached to the
private IP address in the NAT policy we just created.

Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
This is the mirror policy for the one created in the previous section when you check Create a reflective policy.
It allows you to translate an external public IP address into an internal private IP address. This NAT policy,
when paired with a permit access policy, allows any source to connect to the internal server using the public
IP address; the SonicWALL security appliance handles the translation between the private and public address.
With this policy in place, the SonicWALL security appliance translates the server's public IP address to the
private IP address when connection requests arrive via the WAN interface (by default, the X1 interface).
Below, you create the entry as well as the rule to allow HTTP access to the server. You need to create the
access policy that allows anyone to make HTTP connections to the Web server via the Web server's public IP
address.

Note

With previous versions of firmware, it was necessary to write rules to the private IP
address. This has been changed as of SonicOS Enhanced. If you write a rule to the
private IP address, the rule does not work.

Go to the Firewall > Access Rules page and choose the policy for the WAN to Sales zone intersection (or,
whatever zone you put your server in). Click on the Add button to bring up the pop-up access policy screen.
When the pop-up appears, enter in the following values:

Action: Allow
Service: HTTP
Source: Any
Destination: Webserver_public_ip
Users Allowed: All
Schedule: Always on
Logging: Checked
Comment: (Enter a short description)

When you are done, attempt to access the Web server's public IP address using a system located on the
public Internet. You should be able to successfully connect. If not, review this section, and the section before,
and ensure that you have entered in all required settings correctly.

Configuring One-to-Many NAT Load Balancing
One-to-Many NAT policies can be used to persistently load balance the translated destination using the original
source IP address as the key to persistence. For example, SonicWALL security appliances can load balance
multiple SonicWALL SSL VPN appliances, while still maintaining session persistence by always balancing
clients to the correct destination SSL VPN. The following figure shows a sample topology and configuration.

To configure One-to-Many NAT load balancing, first go to the Firewall > Access Rules page and choose the
policy for WAN to LAN. Click on the Add button to bring up the pop-up access policy screen. When the
pop-up appears, enter in the following values:

Action: Allow
Service: HTTPS
Source: Any
Destination: WAN Primary IP
Users Allowed: All
Schedule: Always on
Comment: Descriptive text, such as SSLVPN LB
Logging: Checked
Allow Fragmented Packets: Unchecked

Next, create the following NAT policy by selecting Network > NAT Policies and clicking on the Add... button:

Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: Select Create new address object... to bring up the Add Address Object
screen.
    Name: A descriptive name, such as mySSLVPN
    Zone assignment: LAN
    Type: Host
    IP Address: The IP addresses for the devices to be load balanced (in the topology shown above,
    this is 192.168.200.10, 192.168.200.20, and 192.168.200.30.)
Original Service: HTTPS
Translated Service: HTTPS
Inbound Interface: Any
Outbound Interface: Any
Comment: Descriptive text, such as SSLVPN LB
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

Inbound Port Address Translation via One-to-One NAT Policy
This type of NAT policy is useful when you want to conceal an internal server's real listening port, but provide
public access to the server on a different port. In the example below, you modify the NAT policy and rule
created in the previous section to allow public users to connect to the private Web server on its public IP
address, but via a different port (TCP 9000), instead of the standard HTTP port (TCP 80).
Step 1 Create a custom service for the different port. Go to the Firewall > Custom Services page and select
the Add button. When the pop-up screen appears, give your custom service a name such as
webserver_public_port, enter in 9000 as the starting and ending port, and choose TCP(6) as the
protocol. When done, click on the OK button to save the custom service.
Step 2 Modify the NAT policy created in the previous section that allowed any public user to connect to the
Web server on its public IP address. Go to the Network > NAT Policies menu and click on the Edit
button next to this NAT policy. The Edit NAT Policy window is displayed for editing the policy. Edit the
NAT policy so that it includes the following from the drop-down menus:
Original Source: Any
Translated Source: Original
Original Destination: webserver_public_ip
Translated Destination: webserver_private_ip
Original Service: webserver_public_port (or whatever you named it above)
Translated Service: HTTP
Inbound Interface: X1
Outbound Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

Note Make sure you choose Any as the destination interface, and not the interface that the
server is on. This may seem counter-intuitive, but it is actually the correct thing to
do (if you try to specify the interface, you get an error).
Step 3 When finished, click on the OK button to add and activate the NAT Policy. With this policy in place,
the SonicWALL security appliance translates the server's public IP address to the private IP address
when connection requests arrive from the WAN interface (by default, the X1 interface), and translates
the requested protocol (TCP 9000) to the server's actual listening port (TCP 80).
Finally, you're going to modify the firewall access rule created in the previous section to allow any public user
to connect to the Web server on the new port (TCP 9000) instead of the server's actual listening port (TCP 80).

Note

With previous versions of the SonicOS firmware, it was necessary to write rules to
the private IP address. This has been changed as of SonicOS Enhanced. If you write
a rule to the private IP address, the rule does not work.

Go to the Firewall > Access Rules section and choose the policy for the WAN to Sales zone intersection (or,
whatever zone you put your server in). Click on the Configure button to bring up the previously created policy.
When the pop-up appears, edit in the following values:

Action: Allow
Service: server_public_port (or whatever you named it above)
Source: Any
Destination: webserver_public_ip
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)

When you're done, attempt to access the Web server's public IP address using a system located on the public
Internet on the new custom port (example: http://67.115.118.70:9000). You should be able to successfully
connect. If not, review this section, and the section before, and ensure that you have entered in all required
settings correctly.

Inbound Port Address Translation via WAN IP Address
This is one of the more complex NAT policies you can create on a SonicWALL security appliance running
SonicOS Enhanced; it allows you to use the WAN IP address of the SonicWALL security appliance to provide
access to multiple internal servers. This is most useful in situations where your ISP has only provided a single
public IP address, and that IP address has to be used by the SonicWALL security appliance's WAN interface
(by default, the X1 interface).
Below, you create the programming to provide public access to two internal Web servers via the SonicWALL
security appliance's WAN IP address; each is tied to a unique custom port. In the following examples, you set
up two, but it is possible to create more than these as long as the ports are all unique.
In this section, we have five tasks to complete:
1. Create two custom service objects for the unique public ports the servers respond on.
2. Create two address objects for the servers' private IP addresses.
3. Create two NAT entries to allow the two servers to initiate traffic to the public Internet.
4. Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP
addresses to the SonicWALL's WAN IP address.
5. Create two access rule entries to allow any public user to connect to both servers via the SonicWALL's
WAN IP address and the servers' respective unique custom ports.
Step 1 Create a custom service for the different port. Go to the Firewall > Custom Services page and click
on the Add button. When the pop-up screen appears, give your custom services names such as
servone_public_port and servtwo_public_port, enter in 9100 and 9200 as the starting and ending
port, and choose TCP(6) as the protocol. When done, click on the OK button to save the custom
services.
Step 2 Go to the Network > Address Objects and click on the Add button at the bottom of the page. In the
Add Address Objects window, enter in a description for the servers' private IP addresses, choose Host
from the drop-down box, enter the servers' private IP addresses, and select the zone that the servers
are in. When done, click on the OK button to create the range object.
Step 3 Go to the Network > NAT Policies menu and click on the Add button. The Add NAT Policy window
is displayed. To create a NAT policy to allow the two servers to initiate traffic to the public Internet
using the SonicWALL security appliance's WAN IP address, choose the following from the drop-down
boxes:
Original Source: servone_private_ip
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
And:

Original Source: servtwo_private_ip
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the
SonicWALL security appliance translates the servers' private IP addresses to the public IP address when it
initiates traffic out the WAN interface (by default, the X1 interface).
Step 4 Go to the Network > NAT Policies menu and click on the Add button. The Add NAT Policy window
is displayed. To create the NAT policies to map the custom ports to the servers' real listening ports
and to map the SonicWALL's WAN IP address to the servers' private addresses, choose the following
from the drop-down boxes:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: servone_private_ip
Original Service: servone_public_port
Translated Service: HTTP
Inbound Interface: X1
Outbound Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked

And:

Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: servtwo_private_ip
Original Service: servtwo_public_port
Translated Service: HTTP
Source Interface: X1
Destination Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
Note Make sure you choose Any as the destination interface, and not the interface that the
server is on. This may seem counter-intuitive, but it is actually the correct thing to
do (if you try to specify the interface, you get an error).

When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the
SonicWALL security appliance translates the server's public IP address to the private IP address when
connection requests arrive from the WAN interface (by default, the X1 interface).
Step 5 Create the access rules that allow anyone from the public Internet to access the two Web servers
using the custom ports and the SonicWALL security appliance's WAN IP address.

Note With previous versions of firmware, it was necessary to write rules to the private IP
address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to
the private IP address, the rule does not work.
Go to the Firewall > Access Rules page and choose the policy for the WAN to Sales zone intersection (or,
whatever zone you put your servers in). Click on the Add button to bring up the pop-up window to create the
policies. When the pop-up appears, enter the following values:

Action: Allow
Service: servone_public_port (or whatever you named it above)
Source: Any
Destination: WAN IP address
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)

And:

Action: Allow
Service: servtwo_public_port (or whatever you named it above)
Source: Any
Destination: WAN IP address
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)

When you're finished, attempt to access the Web servers via the SonicWALL's WAN IP address using a
system located on the public Internet on the new custom port (example:
http://67.115.118.70:9100 and http://67.115.118.70:9200). You should be able to successfully connect. If not,
review this section, and the section before, and ensure that you have entered in all required settings correctly.
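
The following is an added example, not SonicWALL code and not part of the original page: a small Python audit that models the Step 4 NAT policies and Step 5 access rules and reports which public address and port pairs reach which private servers, flagging a rule written to the private address (the case the Note above describes). The data structures, the servers' private addresses and every "servthree" entry are constructed assumptions; this is not a SonicOS export format.

```python
from dataclasses import dataclass

# Object names follow the page. The private addresses and everything named
# "servthree" are constructed; these structures are hypothetical and are not
# a SonicOS export format.
ADDR = {
    "WAN Primary IP": "67.115.118.68",   # X1 address from the page's plan
    "servone_private_ip": "192.168.30.201",
    "servtwo_private_ip": "192.168.30.202",
    "servthree_private_ip": "192.168.30.203",
}
SVC = {"servone_public_port": 9100, "servtwo_public_port": 9200,
       "servthree_public_port": 9300, "HTTP": 80}

@dataclass(frozen=True)
class NatPolicy:
    orig_src: str
    orig_dst: str
    xlat_dst: str
    orig_svc: str
    xlat_svc: str
    inbound_if: str

@dataclass(frozen=True)
class AccessRule:
    action: str
    service: str
    source: str
    destination: str

def audit(nat_policies, rules):
    """Return (exposures, findings) for inbound NAT policies arriving on X1."""
    exposures, findings = [], []
    allows = [r for r in rules if r.action == "Allow" and r.source == "Any"]
    for p in nat_policies:
        if p.inbound_if != "X1" or p.orig_src != "Any":
            continue  # outbound or source-restricted policy: not audited here
        public = (ADDR[p.orig_dst], SVC[p.orig_svc])
        private = (ADDR[p.xlat_dst], SVC[p.xlat_svc])
        if any(r.service == p.orig_svc and r.destination == p.orig_dst
               for r in allows):
            exposures.append((public, private))
        elif any(r.destination == p.xlat_dst for r in allows):
            findings.append(f"{p.orig_svc}: rule targets private object "
                            f"{p.xlat_dst}; write it to {p.orig_dst}")
        else:
            findings.append(f"{p.orig_svc}: NAT policy has no matching Allow rule")
    return exposures, findings

def inbound(name):
    # Shape of the page's Step 4 policies: WAN IP + custom port -> server:80
    return NatPolicy("Any", "WAN Primary IP", f"{name}_private_ip",
                     f"{name}_public_port", "HTTP", "X1")

NAT = [inbound("servone"), inbound("servtwo"), inbound("servthree")]
RULES = [
    AccessRule("Allow", "servone_public_port", "Any", "WAN Primary IP"),
    AccessRule("Allow", "servtwo_public_port", "Any", "WAN Primary IP"),
    # Constructed mistake: rule written to the private address object.
    AccessRule("Allow", "servthree_public_port", "Any", "servthree_private_ip"),
]

if __name__ == "__main__":
    exposed, problems = audit(NAT, RULES)
    for (pub_ip, pub_port), (priv_ip, priv_port) in exposed:
        print(f"Internet -> {pub_ip}:{pub_port} reaches {priv_ip}:{priv_port}")
    for msg in problems:
        print("CHECK:", msg)
```

Running the audit after each change gives a list of what is reachable from the Internet to compare against what was intended to be published.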

Using NAT Load Balancing
This section contains the following subsections:

NAT Load Balancing Topology
Prerequisites
Configuring NAT Load Balancing
Troubleshooting NAT Load Balancing

NAT Load Balancing Topology
The following figure shows the topology for the NAT load balancing network.

Prerequisites
The examples shown in the Tasklist section on the next few pages utilize IP addressing information from a
demo setup; please make sure to replace any IP addressing information shown in the examples with the
correct addressing information for your setup. Also note that the interface names may be different.

Note

It is strongly advised that you enable logging for all categories, and enable name
resolution for logging.

To enable logging and alerting, log into the SonicWALL's Management GUI, go to Log > Categories, choose
Debug from the drop-down next to Logging Level, choose All Categories from the drop-down next to View
Style, check the boxes in the title bar next to Log and Alerts to capture all categories, and click on the Apply
button in the upper right hand corner to save and activate the changes. For an example, see the screenshot
below. Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once
setup is complete, you set the logging level to a more appropriate level for your network environment.
To enable log name resolution, go to Log > Name Resolution, choose DNS then NetBIOS from the Name
Resolution Menu drop-down list, and click on the Apply button in the upper right hand corner to save and
activate the changes.

Configuring NAT Load Balancing
To configure NAT load balancing, you must complete the following tasks:
1. Create address objects.
2. Create address group.
3. Create inbound NAT LB Policy.
4. Create outbound NAT LB Policy.
5. Create Firewall Rule.
6. Verify and troubleshoot the network if necessary.

To complete this configuration, perform the following steps:
Step 1 Create Network Objects: Go to the Network > Address Objects page in the Management GUI and
create the network objects for both of the internal Web servers, and the Virtual IP (VIP) on which
external users will access the servers.
Step 2 Create Address Group: Now create an address group named www_group and add the two internal
server address objects you just created.
Step 3 Create Inbound NAT Rule for Group: Now create a NAT rule to allow anyone attempting to access
the VIP to get translated to the address group you just created, using Sticky IP as the NAT method.
Note Do not save the NAT rule just yet.
Step 4 Set LB Type and Server Liveliness Method: On the Advanced tab of the NAT policy configuration
control, you can specify that the object (or group of objects, or group of groups) be monitored via
ICMP ping or by checking for TCP sockets opened. For this example, we are going to check to see if
the server is up and responding by monitoring TCP port 80 (which is good, since that is what people
are trying to access). You can now click on the OK button to save and activate the changes.
Note Before you go any further, check the logs and the status page to see if the resources
have been detected and have been logged as online. Two alerts will appear as
Firewall Events with the message Network Monitor: Host 192.160.200.220 is online
(with your IP addresses). If you do not see these two messages below, check the
steps above.
Step 5 Create Outbound NAT Rule for LB Group: Write a NAT rule to allow the internal servers to get
translated to the VIP when accessing resources out the WAN interface (by default, the X1 interface).
Step 6 Create Firewall Rule for VIP: Write a firewall rule to allow traffic from the outside to access the
internal Web servers via the VIP.
Step 7 Test Your Work: From a laptop outside the WAN, connect via HTTP to the VIP using a Web
browser.
Note If you wish to load balance one or more SSL VPN Appliances, repeat steps 1-7,
using HTTPS instead as the allowed service.

Troubleshooting NAT Load Balancing
If the Web servers do not seem to be accessible, go to the Firewall > Access Rules page and mouse over the
Statistics icon.
If the rule is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these
increment with each successful external access of the load balanced resources. You can also check the
Firewall > NAT Policies page and mouse over the Statistics icon. If the policy is configured incorrectly you
will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external
access of the load balanced resources.
Finally, check the logs and the status page to see if there are any alerts (noted in yellow) about the Network
Monitor noting hosts that are offline; it may be that all of your load balancing resources are not reachable by
the SonicWALL appliance and that the probing mechanism has marked them offline and out of service. Check
the load balancing resources to ensure that they are functional and check the networking connections between
them and the SonicWALL appliance.
