SonicWall TZ 210: Access Public Server from within LAN and DMZ
This article describes how to set up a loop-back NAT policy that allows firewalled computers to access a server using the server’s public IP address or FQDN.
Tags: firewall networking sonicwall
Overview
Unlike most off-the-shelf routers, a SonicWall does not automatically allow resources on the LAN or DMZ to be reached from within the firewalled networks via their public address, even when a reflexive NAT policy mapping the WAN ports to the internal servers has been added. As a result, locally hosted public servers are reachable from the internet and can reach the internet themselves, but cannot be reached by their public IP address or FQDN from computers on the local networks.
Solution
A NAT policy that maps the public WAN IP address to a server behind the SonicWall only covers connections that arrive from the WAN side. To let computers on the LAN, DMZ or any other firewalled network reach this server by its public address, a loop-back NAT policy is needed that maps the WAN IP address to the server’s IP address whenever the source is the LAN or DMZ.
This can be accomplished by performing the following steps:
- Log in to the SonicWall management interface
- Navigate to Network → NAT Policies
- Click the Add button
- Create the following entry:
  - Original Source: Firewalled Subnets
  - Translated Source: WAN Interface IP
  - Original Destination: WAN Interface IP
  - Translated Destination: [Server IP Address Object]
  - Original Service: [Server Service Group]
  - Translated Service: Original
  - Inbound Interface: Any
  - Outbound Interface: Any
Leave “Create a reflexive policy” unchecked. If not already done, you may first have to create the address object for the server’s IP address and the service group for the server’s services.
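As an added illustration (not part of the original article or SonicWall’s own software), the following Python model shows how a NAT policy lookup treats a LAN client before and after the loop-back policy exists, and why the loop-back entry also rewrites the source to the WAN IP; the addresses, interface names and service group are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

# Constructed sample addressing (assumption, not from the article):
# X1 is the WAN interface, X0 the LAN, X2 the DMZ.
WAN_IP = ip_address("203.0.113.10")        # "WAN Interface IP" object
SERVER_IP = ip_address("192.168.2.50")     # "[Server IP Address Object]" on the DMZ
FIREWALLED = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]  # LAN, DMZ
SERVER_PORTS = {80, 443}                   # "[Server Service Group]"

@dataclass
class NatPolicy:
    name: str
    orig_src: List[IPv4Network]          # empty list means Any
    orig_dst: Optional[IPv4Address]      # None means Any
    trans_src: Optional[IPv4Address]     # None means keep Original
    trans_dst: Optional[IPv4Address]     # None means keep Original
    services: Set[int]                   # destination ports in the service group
    inbound_iface: str                   # "Any" or an interface name

    def matches(self, iface, src, dst, port):
        src_ok = not self.orig_src or any(src in n for n in self.orig_src)
        dst_ok = self.orig_dst is None or dst == self.orig_dst
        iface_ok = self.inbound_iface in ("Any", iface)
        return src_ok and dst_ok and iface_ok and port in self.services

def translate(policies, iface, src, dst, port):
    """First matching policy -> (name, translated src, translated dst); None if no NAT applies."""
    for p in policies:
        if p.matches(iface, src, dst, port):
            return (p.name, p.trans_src or src, p.trans_dst or dst)
    return None

# The ordinary inbound policy only applies to packets arriving on the WAN interface.
INBOUND = NatPolicy("WAN->server", [], WAN_IP, None, SERVER_IP, SERVER_PORTS, "X1")
# The loop-back policy from the article. Translating the source to the WAN IP makes the
# server answer the firewall, which un-translates the reply; left untranslated, the server
# would reply straight to the LAN client from its private address and the client would
# discard a reply that does not come from the public IP it connected to.
LOOPBACK = NatPolicy("loopback", FIREWALLED, WAN_IP, WAN_IP, SERVER_IP, SERVER_PORTS, "Any")

def internet_client_result(port=443):
    return translate([INBOUND, LOOPBACK], "X1", ip_address("198.51.100.7"), WAN_IP, port)

def lan_client_result(with_loopback, port=443):
    policies = [INBOUND, LOOPBACK] if with_loopback else [INBOUND]
    return translate(policies, "X0", ip_address("192.168.1.20"), WAN_IP, port)
```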