Holy hell folks. I ran into an issue over the last few weeks that seemed way harder than it should have been in my opinion. The problem I ran into was a mix of a difference in terminology between Cisco and Sonicwall, and how they handle traffic going from an internal LAN to a WAN IP. For instance, for this setup Cisco said that I needed a NAT reflection policy on my firewall. Well, Sonicwall doesn't know what a NAT reflection policy is, because they call it a loopback policy.
Another thing I ran into is how Sonicwall handles loopback; it's not how Cisco wants it done. For instance, when you want an internal LAN server to talk to another server on its public IP address, Sonicwall NATs the connection outbound in order to communicate with the public IP of the server you want to connect to,
Ok, that being said, here is a really basic diagram of my setup. The IP addresses have been changed to protect the innocent. In this example, 1.1.1.1 is the public IP of my Expressway-E device that is NAT'd to its internal LAN IP of 192.168.1.3. The Expressway-E is set up with a single NIC, with static NAT enabled.
What Cisco gives for that NAT reflection policy is ASA syntax (the network objects plus a single nat statement):
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.3
 host 192.168.1.3
object network obj-1.1.1.1
 host 1.1.1.1
nat (inside,outside) source static obj-192.168.1.2 obj-192.168.1.2 destination static obj-1.1.1.1 obj-1.1.1.1
Let me see if I can break this down...
On the Sonicwall, assign a public IP address for Expressway-C; let's use 1.1.1.2 in this example. You will need to create a NAT rule to point 1.1.1.2 to 192.168.1.2. Make sure it's reflexive so that the outbound traffic of 192.168.1.2 goes out as 1.1.1.2 as well. Your network should now look like this:
Now you need to create your loopback policy (NAT reflection) as follows:
- Original Source: 192.168.1.2
- Translated Source: 1.1.1.2
- Original Destination: 1.1.1.1
- Translated Destination: 192.168.1.3
- Original Service: Any
- Translated Service: Original
- Inbound Interface: Any
- Outbound Interface: Any
- Comment: NAT reflection
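To show why the loopback policy has to translate the source as well as the destination, here is a small Python model of the Expressway-C to Expressway-E connection and its reply; it is an added illustration written for this post, not anything from SonicWall or Cisco. The StatefulNat class, the first-match ordering and the "same LAN means the reply bypasses the firewall" shortcut are my simplification of how a stateful firewall behaves.

```python
from dataclasses import dataclass

ANY, ORIGINAL = "any", "original"   # the SonicWall field values "Any" and "Original"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class NatPolicy:
    orig_src: str
    trans_src: str
    orig_dst: str
    trans_dst: str

def _hit(rule_field, addr):
    return rule_field == ANY or rule_field == addr

def _xlate(rule_field, addr):
    return addr if rule_field == ORIGINAL else rule_field

class StatefulNat:
    """First matching policy wins; the translation is remembered so the reply can be undone."""
    def __init__(self, policies):
        self.policies = policies
        self.sessions = {}   # (reply src, reply dst) -> packet as the client originally sent it

    def outbound(self, pkt):
        for p in self.policies:
            if _hit(p.orig_src, pkt.src) and _hit(p.orig_dst, pkt.dst):
                out = Packet(_xlate(p.trans_src, pkt.src), _xlate(p.trans_dst, pkt.dst))
                self.sessions[(out.dst, out.src)] = pkt
                return out
        return pkt   # no policy matched: forwarded untranslated

    def reply(self, pkt):
        orig = self.sessions.get((pkt.src, pkt.dst))
        return Packet(orig.dst, orig.src) if orig is not None else pkt

# The two policies from the post, loopback first, then the reflexive outbound NAT for Expressway-C.
LOOPBACK = NatPolicy("192.168.1.2", "1.1.1.2", "1.1.1.1", "192.168.1.3")
REFLEXIVE = NatPolicy("192.168.1.2", "1.1.1.2", ANY, ORIGINAL)

def hairpin(policies, client="192.168.1.2", server_lan="192.168.1.3", server_public="1.1.1.1"):
    """Return (request as it leaves the firewall, reply as the client receives it or None)."""
    fw = StatefulNat(policies)
    request = fw.outbound(Packet(client, server_public))
    if request.dst != server_lan:
        return request, None                  # still addressed to the WAN IP: sent out, never reaches Expressway-E
    answer = Packet(server_lan, request.src)  # Expressway-E answers whatever source address it saw
    if answer.dst == client:
        return request, answer                # same LAN: reply goes straight to the client, untranslated
    return request, fw.reply(answer)

def reply_accepted(reply, client="192.168.1.2", server_public="1.1.1.1"):
    """The client only accepts a reply that comes from the address it connected to."""
    return reply is not None and reply.src == server_public and reply.dst == client
```

Running hairpin with [LOOPBACK, REFLEXIVE] yields a request of 1.1.1.2 to 192.168.1.3 and a reply the client sees as coming from 1.1.1.1; with only REFLEXIVE the request leaves toward the WAN, and with a loopback that keeps the original source the reply arrives from 192.168.1.3 and is rejected.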