PANEL_addNatPolDlg
Creating NAT Policies
For general information on NAT Policies, see Network > NAT Policies.
NAT policies allow you the flexibility to control Network Address Translation based on matching combinations
of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to
deploy different types of NAT simultaneously. This section contains the following subsections:
Creating a Many-to-One NAT Policy
Creating a Many-to-Many NAT Policy
Creating a One-to-One NAT Policy for Outbound Traffic
Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
Configuring One-to-Many NAT Load Balancing
Inbound Port Address Translation via One-to-One NAT Policy
Inbound Port Address Translation via WAN IP Address
Using NAT Load Balancing
For this chapter, the examples use the following IP addresses as examples to demonstrate the NAT policy
creation and activation. You can use these examples to create NAT policies for your network, substituting your
IP addresses for the examples shown here:
192.168.10.0/24 IP subnet on interface X0
67.115.118.64/27 IP subnet on interface X1
192.168.30.0/24 IP subnet on interface X2
X0 IP address is 192.168.10.1
X1 IP address is 67.115.118.68
X2 Sales IP address is 192.168.30.1
Web server's private address at 192.168.30.200
Web server's public address at 67.115.118.70
Public IP range addresses of 67.115.118.71 - 67.115.118.74
Creating a Many-to-One NAT Policy
Many-to-One is the most common NAT policy on a SonicWALL security appliance, and allows you to translate
a group of addresses into a single address. Most of the time, this means that you're taking an internal private
IP subnet and translating all outgoing requests into the IP address of the WAN interface of the SonicWALL
security appliance (by default, the X1 interface), such that the destination sees the request as coming from the
IP address of the SonicWALL security appliance WAN interface, and not from the internal private IP address.
This policy is easy to set up and activate. From the Management Interface, go to the Network > NAT Policies
page and click on the Add button. The Add NAT Policy window is displayed for adding the policy. To create a
NAT policy to allow all systems on the X2 interface to initiate traffic using the SonicWALL security appliance's
WAN IP address, choose the following from the drop-down boxes:
Original Source: X2 Subnet
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
http://help.mysonicwall.com/sw/eng/6931/ui2/25201/PANEL_addNatPolDlg.html
1/9
14/06/2016
Create a reflective policy: Unchecked
When done, click on the OK button to add and activate the NAT Policy. This policy can be duplicated for
subnets behind the other interfaces of the SonicWALL security appliance: just replace the Original Source
with the subnet behind that interface, adjust the source interface, and add another NAT policy.
Creating a Many-to-Many NAT Policy
The Many-to-Many NAT policy allows you to translate a group of addresses into a group of different addresses.
This allows the SonicWALL security appliance to utilize several addresses to perform the dynamic translation.
This allows a much higher number of concurrent connections: the SonicWALL security appliance can perform
up to a half-million concurrent connections across the interfaces.
This policy is easy to set up and activate. You first need to go to the Network > Address Objects and click on
the Add button at the bottom of the screen. When the Add Address Object window appears, enter in a
description for the range in the Name field, choose Range from the drop-down menu, enter the range of
addresses (usually public IP addresses supplied by your ISP) in the Starting IP Address and Ending IP
Address fields, and select WAN as the zone from the Zone Assignment menu. When done, click on the OK
button to create the range object.
Select Network > NAT Policies and click on the Add button. The Add NAT Policy window is displayed. To
create a NAT policy to allow the systems on the LAN interface (by default, the X0 interface) to initiate traffic
using the public range addresses, choose the following from the drop-down menus:
Original Source: LAN Primary Subnet
Translated Source: public_range
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X0
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
When done, click on the OK button to add and activate the NAT Policy. With this policy in place, the
SonicWALL security appliance dynamically maps outgoing traffic using the four available IP addresses in the
range we created.
You can test the dynamic mapping by installing several systems on the LAN interface (by default, the X0
interface) at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and
192.168.10.200) and accessing the public Web site http://www.whatismyip.com from each system. Each
system should display a different IP address from the range we created and attached to the NAT policy.
Creating a One-to-One NAT Policy for Outbound Traffic
One-to-One NAT for outbound traffic is another common NAT policy on a SonicWALL security appliance for
translating an internal IP address into a unique IP address. This is useful when you need specific systems,
such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time,
a NAT policy such as this One-to-One NAT policy for outbound traffic is used to map a server's private IP
address to a public IP address, and it is paired with a reflective (mirror) policy that allows any system from the
public Internet to access the server, along with a matching firewall access rule that permits this. Reflective
NAT policies are covered in the next section.
This policy is easy to set up and activate. Select Network > Address Objects and click on the Add button at
the bottom of the screen. In the Add Address Object window, enter a description for the server's private IP
address in the Name field. Choose Host from the Type menu, enter the server's private IP address in the IP
Address field, and select the zone that the server is assigned to from the Zone Assignment menu. Click OK.
Then, create another object in the Add Address Object window for the server's public IP address with the
correct values, and select WAN from the Zone Assignment menu. When done, click on the OK button to create
the range object.
Next, select Network > NAT Policies and click on the Add button to display the Add NAT Policy window. To
create a NAT policy to allow the Web server to initiate traffic to the public Internet using its mapped public IP
address, choose the following from the drop-down menus:
Original Source: webserver_private_ip
Translated Source: webserver_public_ip
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Checked
When done, click on the OK button to add and activate the NAT Policy. With this policy in place, the
SonicWALL security appliance translates the server's private IP address to the public IP address when it
initiates traffic out the WAN interface (by default, the X1 interface).
You can test the One-to-One mapping by opening up a Web browser on the server and accessing the public
Web site http://www.whatismyip.com. The Web site should display the public IP address we attached to the
private IP address in the NAT policy we just created.
Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
This is the mirror policy for the one created in the previous section when you check Create a reflective policy.
It allows you to translate an external public IP address into an internal private IP address. This NAT policy,
when paired with a permit access policy, allows any source to connect to the internal server using the public
IP address; the SonicWALL security appliance handles the translation between the private and public address.
With this policy in place, the SonicWALL security appliance translates the server's public IP address to the
private IP address when connection requests arrive via the WAN interface (by default, the X1 interface).
Below, you create the entry as well as the rule to allow HTTP access to the server. You need to create the
access policy that allows anyone to make HTTP connections to the Web server via the Web server's public IP
address.
Note: With previous versions of firmware, it was necessary to write rules to the private IP
address. This has been changed as of SonicOS Enhanced. If you write a rule to the
private IP address, the rule does not work.
Go to the Firewall > Access Rules page and choose the policy for the WAN to Sales zone intersection (or,
whatever zone you put your server in). Click on the Add button to bring up the pop-up access policy screen.
When the pop-up appears, enter in the following values:
Action: Allow
Service: HTTP
Source: Any
Destination: Webserver_public_ip
Users Allowed: All
Schedule: Always on
Logging: Checked
Comment: (Enter a short description)
When you are done, attempt to access the Web server's public IP address using a system located on the
public Internet. You should be able to successfully connect. If not, review this section, and the section before,
and ensure that you have entered in all required settings correctly.
Configuring One-to-Many NAT Load Balancing
One-to-Many NAT policies can be used to persistently load balance the translated destination using the original
source IP address as the key to persistence. For example, SonicWALL security appliances can load balance
multiple SonicWALL SSL VPN appliances, while still maintaining session persistence by always balancing
clients to the correct destination SSL VPN. The following figure shows a sample topology and configuration.
To configure One-to-Many NAT load balancing, first go to the Firewall > Access Rules page and choose the
policy for WAN to LAN. Click on the Add button to bring up the pop-up access policy screen. When the
pop-up appears, enter in the following values:
Action: Allow
Service: HTTPS
Source: Any
Destination: WAN Primary IP
Users Allowed: All
Schedule: Always on
Comment: Descriptive text, such as SSLVPN LB
Logging: Checked
Allow Fragmented Packets: Unchecked
Next, create the following NAT policy by selecting Network > NAT Policies and clicking on the Add... button:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: Select Create new address object... to bring up the Add Address Object
screen.
    Name: A descriptive name, such as mySSLVPN
    Zone assignment: LAN
    Type: Host
    IP Address: The IP addresses for the devices to be load balanced (in the topology shown above,
    this is 192.168.200.10, 192.168.200.20, and 192.168.200.30.)
Original Service: HTTPS
Translated Service: HTTPS
Inbound Interface: Any
Outbound Interface: Any
Comment: Descriptive text, such as SSLVPN LB
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
Inbound Port Address Translation via One-to-One NAT Policy
This type of NAT policy is useful when you want to conceal an internal server's real listening port, but provide
public access to the server on a different port. In the example below, you modify the NAT policy and rule
created in the previous section to allow public users to connect to the private Web server on its public IP
address, but via a different port (TCP 9000), instead of the standard HTTP port (TCP 80).
Step 1: Create a custom service for the different port. Go to the Firewall > Custom Services page and select
the Add button. When the pop-up screen appears, give your custom service a name such as
webserver_public_port, enter in 9000 as the starting and ending port, and choose TCP(6) as the
protocol. When done, click on the OK button to save the custom service.
Step 2: Modify the NAT policy created in the previous section that allowed any public user to connect to the
Web server on its public IP address. Go to the Network > NAT Policies menu and click on the Edit
button next to this NAT policy. The Edit NAT Policy window is displayed for editing the policy. Edit the
NAT policy so that it includes the following from the drop-down menus:
Original Source: Any
Translated Source: Original
Original Destination: webserver_public_ip
Translated Destination: webserver_private_ip
Original Service: webserver_public_port (or whatever you named it above)
Translated Service: HTTP
Inbound Interface: X1
Outbound Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
Note: Make sure you choose Any as the destination interface, and not the interface that the
server is on. This may seem counter-intuitive, but it is actually the correct thing to
do (if you try to specify the interface, you get an error).
Step 3: When finished, click on the OK button to add and activate the NAT Policy. With this policy in place,
the SonicWALL security appliance translates the server's public IP address to the private IP address
when connection requests arrive from the WAN interface (by default, the X1 interface), and translates
the requested protocol (TCP 9000) to the server's actual listening port (TCP 80).
Finally, you're going to modify the firewall access rule created in the previous section to allow any public user
to connect to the Web server on the new port (TCP 9000) instead of the server's actual listening port (TCP 80).
Note: With previous versions of the SonicOS firmware, it was necessary to write rules to
the private IP address. This has been changed as of SonicOS Enhanced. If you write
a rule to the private IP address, the rule does not work.
Go to the Firewall > Access Rules section and choose the policy for the WAN to Sales zone intersection (or,
whatever zone you put your server in). Click on the Configure button to bring up the previously created policy.
When the pop-up appears, edit in the following values:
Action: Allow
Service: server_public_port (or whatever you named it above)
Source: Any
Destination: webserver_public_ip
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)
When you're done, attempt to access the Web server's public IP address using a system located on the public
Internet on the new custom port (example: http://67.115.118.70:9000). You should be able to successfully
connect. If not, review this section, and the section before, and ensure that you have entered in all required
settings correctly.
Inbound Port Address Translation via WAN IP Address
This is one of the more complex NAT policies you can create on a SonicWALL security appliance running
SonicOS Enhanced: it allows you to use the WAN IP address of the SonicWALL security appliance to provide
access to multiple internal servers. This is most useful in situations where your ISP has only provided a single
public IP address, and that IP address has to be used by the SonicWALL security appliance's WAN interface
(by default, the X1 interface).
Below, you create the programming to provide public access to two internal Web servers via the SonicWALL
security appliance's WAN IP address; each is tied to a unique custom port. In the following examples, you set
up two, but it is possible to create more than these as long as the ports are all unique.
In this section, we have five tasks to complete:
1. Create two custom service objects for the unique public ports the servers respond on.
2. Create two address objects for the servers' private IP addresses.
3. Create two NAT entries to allow the two servers to initiate traffic to the public Internet.
4. Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP
addresses to the SonicWALL's WAN IP address.
5. Create two access rule entries to allow any public user to connect to both servers via the SonicWALL's
WAN IP address and the servers' respective unique custom ports.
Step 1: Create a custom service for the different port. Go to the Firewall > Custom Services page and click
on the Add button. When the pop-up screen appears, give your custom services names such as
servone_public_port and servtwo_public_port, enter in 9100 and 9200 as the starting and ending
port, and choose TCP(6) as the protocol. When done, click on the OK button to save the custom
services.
Step 2: Go to the Network > Address Objects and click on the Add button at the bottom of the page. In the
Add Address Objects window, enter in a description for the servers' private IP addresses, choose Host
from the drop-down box, enter the servers' private IP addresses, and select the zone that the servers
are in. When done, click on the OK button to create the range object.
Step 3: Go to the Network > NAT Policies menu and click on the Add button. The Add NAT Policy window
is displayed. To create a NAT policy to allow the two servers to initiate traffic to the public Internet
using the SonicWALL security appliance's WAN IP address, choose the following from the drop-down
boxes:
Original Source: servone_private_ip
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
And:
Original Source: servtwo_private_ip
Translated Source: WAN Primary IP
Original Destination: Any
Translated Destination: Original
Original Service: Any
Translated Service: Original
Inbound Interface: X2
Outbound Interface: X1
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the
SonicWALL security appliance translates the servers' private IP addresses to the public IP address when it
initiates traffic out the WAN interface (by default, the X1 interface).
Step 4: Go to the Network > NAT Policies menu and click on the Add button. The Add NAT Policy window
is displayed. To create the NAT policies to map the custom ports to the servers' real listening ports
and to map the SonicWALL's WAN IP address to the servers' private addresses, choose the following
from the drop-down boxes:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: servone_private_ip
Original Service: servone_public_port
Translated Service: HTTP
Inbound Interface: X1
Outbound Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
And:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: servtwo_private_ip
Original Service: servtwo_public_port
Translated Service: HTTP
Source Interface: X1
Destination Interface: Any
Comment: Enter a short description
Enable NAT Policy: Checked
Create a reflective policy: Unchecked
Note: Make sure you choose Any as the destination interface, and not the interface that the
server is on. This may seem counter-intuitive, but it is actually the correct thing to
do (if you try to specify the interface, you get an error).
When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the
SonicWALL security appliance translates the server's public IP address to the private IP address when
connection requests arrive from the WAN interface (by default, the X1 interface).
Step 5: Create the access rules that allow anyone from the public Internet to access the two Web servers
using the custom ports and the SonicWALL security appliance's WAN IP address.
Note: With previous versions of firmware, it was necessary to write rules to the private IP
address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to
the private IP address, the rule does not work.
Go to the Firewall > Access Rules page and choose the policy for the WAN to Sales zone intersection (or,
whatever zone you put your servers in). Click on the Add button to bring up the pop-up window to create the
policies. When the pop-up appears, enter the following values:
Action: Allow
Service: servone_public_port (or whatever you named it above)
Source: Any
Destination: WAN IP address
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)
And:
Action: Allow
Service: servtwo_public_port (or whatever you named it above)
Source: Any
Destination: WAN IP address
Users Allowed: All
Schedule: Always on
Logging: checked
Comment: (enter a short description)
When you're finished, attempt to access the Web servers via the SonicWALL's WAN IP address using a
system located on the public Internet on the new custom port (example:
http://67.115.118.70:9100 and http://67.115.118.70:9200). You should be able to successfully connect. If not,
review this section, and the section before, and ensure that you have entered in all required settings correctly.
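The Python sketch below is an added example, not SonicOS code and not part of the original help page. It models why the Step 5 access rules must name the WAN IP address and custom port rather than the servers' private addresses, and checks that the public ports are unique; the private addresses 192.168.30.210 and 192.168.30.220 and all function names are assumptions made for the illustration.

```python
# Added example: simplified model of inbound port address translation on the
# WAN IP address. Not SonicOS code; it mirrors only what this section states.
from dataclasses import dataclass

WAN_IP = "67.115.118.68"      # X1 IP address used in this chapter
SERVONE = "192.168.30.210"    # constructed private address (assumption)
SERVTWO = "192.168.30.220"    # constructed private address (assumption)


@dataclass(frozen=True)
class NatPolicy:
    orig_dst: str     # Original Destination
    orig_port: int    # Original Service (TCP port)
    xlat_dst: str     # Translated Destination
    xlat_port: int    # Translated Service (TCP port)


@dataclass(frozen=True)
class AccessRule:
    dst: str          # Destination the rule is written to
    port: int         # Service (TCP port)


NAT_POLICIES = [
    NatPolicy(WAN_IP, 9100, SERVONE, 80),   # servone_public_port -> HTTP
    NatPolicy(WAN_IP, 9200, SERVTWO, 80),   # servtwo_public_port -> HTTP
]
# Rules written to the public side, as Step 5 instructs.
PUBLIC_RULES = [AccessRule(WAN_IP, 9100), AccessRule(WAN_IP, 9200)]
# Rules written to the private side, the older style the Note warns about.
PRIVATE_RULES = [AccessRule(SERVONE, 80), AccessRule(SERVTWO, 80)]


def duplicate_public_ports(policies):
    """Return (address, port) pairs claimed by more than one inbound policy."""
    seen, dupes = set(), set()
    for p in policies:
        key = (p.orig_dst, p.orig_port)
        (dupes if key in seen else seen).add(key)
    return sorted(dupes)


def handle_inbound(dst, port, rules, policies=NAT_POLICIES):
    """Return the (ip, port) a WAN packet is forwarded to, or None if dropped."""
    # The rule is matched on what the client sent: the public destination
    # address and custom port, before any translation.
    if not any(r.dst == dst and r.port == port for r in rules):
        return None
    for p in policies:
        if (p.orig_dst, p.orig_port) == (dst, port):
            return (p.xlat_dst, p.xlat_port)
    return None   # permitted, but no NAT policy maps it to an internal server


if __name__ == "__main__":
    for label, rules in (("public", PUBLIC_RULES), ("private", PRIVATE_RULES)):
        for port in (9100, 9200, 80):
            print(label, port, handle_inbound(WAN_IP, port, rules))
    print("duplicates:", duplicate_public_ports(NAT_POLICIES))
```

Running `duplicate_public_ports` over a planned policy set before entering it in the management interface catches two servers assigned the same public port.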
Using NAT Load Balancing
This section contains the following subsections:
NAT Load Balancing Topology
Prerequisites
Configuring NAT Load Balancing
Troubleshooting NAT Load Balancing
NAT Load Balancing Topology
The following figure shows the topology for the NAT load balancing network.
Prerequisites
The examples shown in the Tasklist section on the next few pages utilize IP addressing information from a
demo setup; please make sure to replace any IP addressing information shown in the examples with the
correct addressing information for your setup. Also note that the interface names may be different.
Note: It is strongly advised that you enable logging for all categories, and enable name
resolution for logging.
To enable logging and alerting, log in to the SonicWALL's Management GUI, go to Log > Categories, choose
Debug from the drop-down next to Logging Level, choose All Categories from the drop-down next to View
Style, check the boxes in the title bar next to Log and Alerts to capture all categories, and click on the Apply
button in the upper right-hand corner to save and activate the changes. For an example, see the screenshot
below. Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once
setup is complete, you set the logging level to a more appropriate level for your network environment.
To enable log name resolution, go to Log > Name Resolution, choose DNS then NetBIOS from the Name
Resolution Menu drop-down list, and click on the Apply button in the upper right-hand corner to save and
activate the changes.
Configuring NAT Load Balancing
To configure NAT load balancing, you must complete the following tasks:
1. Create address objects.
2. Create address group.
3. Create inbound NAT LB Policy.
4. Create outbound NAT LB Policy.
5. Create Firewall Rule.
6. Verify and troubleshoot the network if necessary.
To complete this configuration, perform the following steps:
Step 1: Create Network Objects. Go to the Network > Address Objects page in the Management GUI and
create the network objects for both of the internal Web servers, and the Virtual IP (VIP) on which
external users will access the servers.
Step 2: Create Address Group. Now create an address group named www_group and add the two internal
server address objects you just created.
Step 3: Create Inbound NAT Rule for Group. Now create a NAT rule to allow anyone attempting to access
the VIP to get translated to the address group you just created, using Sticky IP as the NAT method.
Note: Do not save the NAT rule just yet.
Step 4: Set LB Type and Server Liveliness Method. On the Advanced tab of the NAT policy configuration
control, you can specify that the object (or group of objects, or group of groups) be monitored via
ICMP ping or by checking for TCP sockets opened. For this example, we are going to check to see if
the server is up and responding by monitoring TCP port 80 (which is good, since that is what people
are trying to access). You can now click on the OK button to save and activate the changes.
Note: Before you go any further, check the logs and the status page to see if the resources
have been detected and have been logged as online. Two alerts will appear as
Firewall Events with the message Network Monitor: Host 192.160.200.220 is online
(with your IP addresses). If you do not see these two messages below, check the
steps above.
Step 5: Create Outbound NAT Rule for LB Group. Write a NAT rule to allow the internal servers to get
translated to the VIP when accessing resources out the WAN interface (by default, the X1 interface).
Step 6: Create Firewall Rule for VIP. Write a firewall rule to allow traffic from the outside to access the
internal Web servers via the VIP.
Step 7: Test Your Work. From a laptop outside the WAN, connect via HTTP to the VIP using a Web
browser.
Note: If you wish to load balance one or more SSL VPN Appliances, repeat steps 1-7,
using HTTPS instead as the allowed service.
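The Python sketch below is an added example, not SonicOS code and not part of the original help page. It models the two ideas from the One-to-Many section and from Steps 3 and 4 above: the client's source IP address acts as the persistence key, and a TCP probe of port 80 decides which group members are eligible. The modulo selection scheme, the function names, and the reuse of the 192.168.200.x addresses from the One-to-Many example are assumptions made for the illustration.

```python
# Added example: model of source-IP persistence with TCP liveliness probing.
# Not SonicOS code; the modulo scheme is an illustrative assumption.
import ipaddress
import socket

# Sample group members, borrowed from the One-to-Many example on this page.
WWW_GROUP = ["192.168.200.10", "192.168.200.20", "192.168.200.30"]


def tcp_probe(host, port=80, timeout=2.0):
    """Liveliness check: True if a TCP connection to host:port can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def refresh_online(group, probe=tcp_probe, port=80):
    """Probe every group member and return the set that answered."""
    return {server for server in group if probe(server, port)}


def pick_server(src_ip, group, online):
    """Choose a server for a client, keyed on the client's source IP address."""
    candidates = [s for s in group if s in online]
    if not candidates:
        return None                       # every resource is marked offline
    key = int(ipaddress.ip_address(src_ip))
    preferred = group[key % len(group)]
    if preferred in online:
        return preferred                  # the same client always lands here
    # Preferred server is offline: fail over, still deterministically.
    return candidates[key % len(candidates)]


if __name__ == "__main__":
    # Constructed state: the third server has failed its probe.
    online = {"192.168.200.10", "192.168.200.20"}
    for client in ("203.0.113.7", "203.0.113.8"):   # constructed client IPs
        print(client, "->", pick_server(client, WWW_GROUP, online))
```

Calling `refresh_online(WWW_GROUP)` with the default probe performs real TCP connections to port 80, so run it from a host that can reach the servers.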
Troubleshooting NAT Load Balancing
If the Web servers do not seem to be accessible, go to the Firewall > Access Rules page and mouse over the
Statistics icon.
If the rule is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these
increment with each successful external access of the load balanced resources. You can also check the
Firewall > NAT Policies page and mouse over the Statistics icon. If the policy is configured incorrectly you
will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external
access of the load balanced resources.
Finally, check the logs and the status page to see if there are any alerts (noted in yellow) about the Network
Monitor noting hosts that are offline; it may be that all of your load balancing resources are not reachable by
the SonicWALL appliance and that the probing mechanism has marked them offline and out of service. Check
the load balancing resources to ensure that they are functional and check the networking connections between
them and the SonicWALL appliance.