SonicOS Enhanced: Three Types of Network Modes


8/8/2019 SonicOS Enhanced: Three Types of Network Modes

    NETWORKING SonicOS Enhanced: Three Types of Network Modes

    Introduction

There are three different types of network modes that you can deploy on a SonicWALL running SonicOS Enhanced firmware.

    The three network modes are:

    NAT Mode

    Transparent Mode

    Route Mode

    This document describes the characteristics and configurations of each network mode.

NAT Mode

NAT mode is the default network mode on the SonicWALL. It is the network mode that SonicWALL administrators are most familiar with, as it is the most common. NAT divides the network into a private address space and a public address space. The private address space resides on the LAN side and the public address space resides on the WAN side.

    Network Diagram:

In NAT mode, when traffic traverses from the private network to the public network, the default behavior is to translate all private LAN source IP addresses to the WAN IP address of the SonicWALL. This is referred to as many-to-one NAT. Many-to-one NAT mode is ideal when the ISP has only given the administrator one public IP address.

You can also use NAT mode with a one-to-one configuration. One-to-one NAT mode is appropriate when the ISP has allocated a public IP range, and the administrator wants to translate the internal servers to unique public IP addresses.

    Default NAT Policy:


    For traffic to traverse the SonicWALL in NAT mode, two sets of policies are required:

    The NAT policy

    The Access Rules policy

In the SonicOS user interface, you can configure the NAT Policy on the Network > NAT Policies page, and the Access Rules Policy on the Firewall > Access Rules page. The NAT Policy translates the private IP addresses to a public IP address so that the private network can communicate with the public network. The Access Rules Policy defines the conditions under which the firewall should allow or drop traffic.

For outbound connections, no additional configuration is necessary because the default NAT policies already exist and the default LAN to WAN Access Rule allows all traffic out.

For inbound connections, you must configure an inbound NAT policy and an inbound Access Rule policy. In this scenario, only one public IP address is configured on the SonicWALL WAN interface. In NAT mode, traffic arriving on the public IP address of the SonicWALL is redirected to specific services on private servers. This is commonly referred to as Port Forwarding.

Two examples are provided below to show the configuration for the following inbound NAT modes:

Port Forwarding

One-to-One NAT
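The following Python model illustrates the two policy sets described above. It is an added example written for this page, not SonicWALL code, and it does not reproduce SonicOS internals. It shows that an inbound connection passes only when both a NAT policy (which rewrites the destination) and a WAN > LAN access rule (which permits the packet) match, while the default many-to-one NAT and the default LAN > WAN rule cover outbound traffic with no extra configuration. Interface names X0 (LAN) and X1 (WAN) follow the document; all IP addresses, ports and policy entries are constructed, and the model assumes access rules are matched against the destination as the packet arrived and that inter-zone traffic with no matching rule is dropped.

```python
"""Toy model of SonicOS-style NAT policies and access rules in NAT mode.
Added example, not SonicWALL code. Addresses, ports and policies are
constructed; X0 = LAN and X1 = WAN as in the document."""
from dataclasses import dataclass, replace
from typing import List, Optional

WAN_PRIMARY_IP = "203.0.113.10"     # constructed public WAN IP
ONE_TO_ONE_PUBLIC = "203.0.113.11"  # constructed second public IP from the ISP range
SMTP_SERVER = "192.168.1.25"        # constructed private LAN hosts
WEB_SERVER = "192.168.1.80"


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on: "X0" or "X1"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatPolicy:
    in_iface: str
    orig_dst: str                          # "any" or a specific original destination
    service: Optional[int]                 # None means any port
    translated_dst: Optional[str] = None   # inbound policies rewrite the destination
    translated_src: Optional[str] = None   # outbound policies rewrite the source
    enabled: bool = True


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    dst: str                # "any" or the destination as it arrived (model assumption)
    service: Optional[int]  # None means any port
    action: str             # "allow" or "deny"


ZONE = {"X0": "LAN", "X1": "WAN"}


def apply_nat(pkt: Packet, policies: List[NatPolicy]) -> Packet:
    """Return the packet after the first matching enabled NAT policy; unchanged if none matches."""
    for p in policies:
        if not p.enabled or p.in_iface != pkt.in_iface:
            continue
        if p.orig_dst != "any" and p.orig_dst != pkt.dst:
            continue
        if p.service is not None and p.service != pkt.dport:
            continue
        if p.translated_dst is not None:
            return replace(pkt, dst=p.translated_dst)
        if p.translated_src is not None:
            return replace(pkt, src=p.translated_src)
    return pkt


def permitted(pkt: Packet, out_iface: str, rules: List[AccessRule]) -> bool:
    """First matching access rule decides; no match means drop (model assumption)."""
    for r in rules:
        if (r.from_zone == ZONE[pkt.in_iface] and r.to_zone == ZONE[out_iface]
                and r.dst in ("any", pkt.dst)
                and r.service in (None, pkt.dport)):
            return r.action == "allow"
    return False


def forward(pkt: Packet, policies: List[NatPolicy], rules: List[AccessRule]) -> Optional[Packet]:
    """Both checks: the access rule must permit the packet, then NAT is applied."""
    out_iface = "X0" if pkt.in_iface == "X1" else "X1"
    if not permitted(pkt, out_iface, rules):
        return None
    return apply_nat(pkt, policies)


# Default configuration: many-to-one outbound NAT plus a LAN > WAN allow-all rule.
DEFAULT_NAT = [NatPolicy("X0", "any", None, translated_src=WAN_PRIMARY_IP)]
DEFAULT_RULES = [AccessRule("LAN", "WAN", "any", None, "allow")]

# Inbound additions: SMTP port forwarding on the WAN primary IP, and a
# one-to-one mapping of a second public IP to the web server.
INBOUND_NAT = [
    NatPolicy("X1", WAN_PRIMARY_IP, 25, translated_dst=SMTP_SERVER),
    NatPolicy("X1", ONE_TO_ONE_PUBLIC, None, translated_dst=WEB_SERVER),
]
INBOUND_RULES = [
    AccessRule("WAN", "LAN", WAN_PRIMARY_IP, 25, "allow"),
    AccessRule("WAN", "LAN", ONE_TO_ONE_PUBLIC, None, "allow"),
]


def outbound_web() -> Optional[Packet]:
    """LAN host browsing out: the source becomes the WAN IP (many-to-one NAT)."""
    return forward(Packet("X0", "192.168.1.50", "198.51.100.5", 443), DEFAULT_NAT, DEFAULT_RULES)


def inbound_smtp(with_access_rule: bool = True) -> Optional[Packet]:
    """Internet host sending mail to the WAN primary IP on port 25."""
    rules = DEFAULT_RULES + (INBOUND_RULES if with_access_rule else [])
    return forward(Packet("X1", "198.51.100.5", WAN_PRIMARY_IP, 25), DEFAULT_NAT + INBOUND_NAT, rules)


def inbound_one_to_one(dport: int) -> Optional[Packet]:
    """Internet host reaching the web server through its own public IP."""
    return forward(Packet("X1", "198.51.100.5", ONE_TO_ONE_PUBLIC, dport),
                   DEFAULT_NAT + INBOUND_NAT, DEFAULT_RULES + INBOUND_RULES)


if __name__ == "__main__":
    print("outbound:", outbound_web())
    print("inbound SMTP, NAT policy and access rule:", inbound_smtp())
    print("inbound SMTP, NAT policy only:", inbound_smtp(with_access_rule=False))
    print("inbound HTTP via one-to-one NAT:", inbound_one_to_one(80))
```

Running the script shows the SMTP packet reaching the private server only when the WAN > LAN rule is present; with the NAT policy alone it is dropped, which is the failure the document's troubleshooting section later attributes to "a problem with the NAT Policy and/or Access Rules policy".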


    Port Forwarding Example

    1. Create the address object:

    2. Create an Inbound NAT Policy

For Original Destination, select WAN Primary IP from the drop-down list so that SMTP traffic arriving on the WAN IP address of the SonicWALL is redirected to the SMTP server on the LAN.

    For Inbound Interface, select X1 from the drop-down list if X1 is the WAN interface.

    The resulting NAT Policies are shown below:


    3. Create an Access Rule under Firewall > Access Rules for WAN > LAN

    The resulting WAN > LAN Access Rules are shown below:


    One-to-One NAT Example

When the ISP has allocated more than one public IP address, you can create a one-to-one NAT between the public and private IP addresses. Once the inbound NAT Policy and Access Rules Policy are configured, public networks can reach the private server using the translated public IP address of that server.

    1. Create the public and private Address objects under Network > Address Objects

    Public Object

    Private Object


    2a. Create an inbound NAT Policy under Network > NAT Policies

    2b. Create an outbound NAT Policy under Network > NAT Policies (Optional)


    3. Create an Access Rule under Firewall > Access Rules for WAN > LAN

    The resulting WAN > LAN Access Rules are shown below:

Hint: You can use the Public Server Wizard to create address objects, NAT Policies, and access rules in one step. Refer to the SonicWALL Technote: Using the SonicOS Enhanced Wizard to Configure a Public Server for a detailed description of how the Public Server Wizard works.


Transparent Mode

Transparent mode is ideal in a situation where the public servers are already assigned public IP addresses. In this case, the administrator wants to protect the network with a SonicWALL, but does not wish to reassign the servers with private IP addresses. Changing IP addresses is often required in NAT mode.

The Network Diagram depicts a situation where the ISP has given the administrator a public IP address range of 10.50.26.0/24. The administrator does not want to change the IP addresses of the SMTP server and the Web server. With transparent mode, the SonicWALL can protect both servers from the public network without disrupting the current IP addressing scheme.

Network Diagram (labels recovered from the figure): PRO 3060; 10.50.26.0/24; 10.50.26.6; 10.50.26.8 www server; 10.50.26.7 smtp server.

Although it appears that the SonicWALL is acting like a bridge, it is not. The LAN devices see all WAN devices with the MAC address of the SonicWALL LAN interface. Likewise, the directly connected WAN devices see all LAN devices with the MAC address of the SonicWALL WAN interface.

Note: SonicOS Enhanced 3.5 has a new feature called Layer 2 Bridge Mode that allows the Layer 2 MAC addresses to remain the same as traffic traverses the SonicWALL.

In transparent mode, there are no network address translations. An access rule policy by itself is enough to allow inbound access.

    Transparent Mode Example

    1. Create a Network Address Object to use as the Transparent Range


    2. Set the X0 Interface in Transparent Mode

    3. Create Address Objects for the SMTP and WEB servers


    4. Create Rules to allow Inbound Access

See the SonicWALL Technote: Transparent Mode Support on SonicOS Enhanced for a detailed description of transparent mode configuration.

Route Mode

Route mode is ideal in a situation where the ISP has allocated two or more public IP address ranges and the administrator does not want to use NAT. In the diagram, the ISP has allocated two public IP address ranges:

    10.50.26.0/24

    172.16.6.0/24

    The SonicWALL will protect the servers in the 172.16.6.0/24 network.

    Network Diagram:

Although the network diagram is exactly the same as in NAT mode, the difference here is that there are no network address translations. Instead of using NAT, traffic is routed. An access rule policy by itself is enough to allow inbound access.


    Route Mode Example

    1. Disable the default NAT Policy

To enable route mode, you can simply disable the default NAT policy in the Network > NAT Policies screen. This prevents the SonicWALL default behavior, which is to NAT traffic traversing from the private network to the public network.

    2. Create the Address Objects


    3. Create Access Rules

Troubleshooting

You can use the Packet Trace utility on the System > Diagnostics page to test the NAT and Access Rules policies.

To use Packet Trace:

1. In the Packet Trace screen, enter the IP address of the test PC and then click Start.

2. From a test PC on the Internet, initiate a telnet connection to the specific TCP port. For example, to see if the SMTP server is working in the route mode example, telnet to 172.16.6.100 on port 25.

3. Open a DOS command window and issue the command telnet 172.16.6.100 25.

The Packet Trace utility will show packets received from the X1 (WAN) interface and sent on the X0 (LAN) interface.

If the Packet Trace utility does not show any packets, then it means that the packets are not even reaching the SonicWALL. Check with the ISP to see if routing is working properly. If the packets are being received on the X1 (WAN) interface but not sent on the X0 (LAN) interface, then there is a problem with the NAT Policy and/or Access Rules policy. Check the NAT Policy and Access Rules Policy for incorrect configurations.

Hint: To further simplify the troubleshooting process, change the Service in the NAT Policy and Access Rule Policy to ANY.
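The decision procedure in the troubleshooting section, applied to trace records per flow, as an added example that is not part of the original technote. The trace lines are constructed in a simplified one-line-per-event format for this example; the real Packet Trace output looks different, so only the diagnosis logic carries over, not the parser. The test flows use the route mode addresses from the document (telnet from an Internet test PC to 172.16.6.100 on port 25); the test PC address 198.51.100.5 and the port 80 flow are constructed.

```python
"""Classify Packet Trace results the way the troubleshooting section does.
Added example, not SonicWALL code. Trace line format is constructed:
"<iface> <received|sent> <src>:<port> -> <dst>:<port>"."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed traces: a flow that the SonicWALL forwards and one it drops.
TRACE_FORWARDED = [
    "X1 received 198.51.100.5:40001 -> 172.16.6.100:25",
    "X0 sent 198.51.100.5:40001 -> 172.16.6.100:25",
]
TRACE_DROPPED = [
    "X1 received 198.51.100.5:40002 -> 172.16.6.100:80",
]

Flow = Tuple[str, str]  # (src:port, dst:port)


def parse_trace(lines: List[str]) -> Dict[Flow, Dict[str, Set[str]]]:
    """Group trace events by flow: which interfaces received and sent each one."""
    flows: Dict[Flow, Dict[str, Set[str]]] = defaultdict(
        lambda: {"received": set(), "sent": set()})
    for line in lines:
        iface, event, src, arrow, dst = line.split()
        if arrow != "->" or event not in ("received", "sent"):
            raise ValueError(f"unrecognised trace line: {line!r}")
        flows[(src, dst)][event].add(iface)
    return dict(flows)


def diagnose(lines: List[str], wan: str = "X1", lan: str = "X0") -> Dict[str, str]:
    """Map each flow (or '*' for an empty trace) to the next troubleshooting step."""
    if not lines:
        # Nothing captured: the packets never reached the SonicWALL.
        return {"*": "no packets reached the SonicWALL; check routing with the ISP"}
    verdicts: Dict[str, str] = {}
    for (src, dst), seen in parse_trace(lines).items():
        key = f"{src}->{dst}"
        if wan in seen["received"] and lan in seen["sent"]:
            verdicts[key] = "forwarded WAN to LAN; NAT policy and access rules are working"
        elif wan in seen["received"]:
            # Received on X1 but never sent on X0: a policy, not routing, is blocking it.
            verdicts[key] = "received on WAN but not sent on LAN; check the NAT policy and access rules"
        else:
            verdicts[key] = "not seen on the WAN interface; check routing with the ISP"
    return verdicts


if __name__ == "__main__":
    for name, trace in (("forwarded", TRACE_FORWARDED), ("dropped", TRACE_DROPPED), ("empty", [])):
        print(name, diagnose(trace))
```

The port 80 flow is reported as a policy problem because it was received on X1 but never sent on X0, which is exactly where the document's hint of temporarily setting the Service to ANY helps isolate a service mismatch from an address mismatch.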


Related Documentation

For more information, refer to the following SonicWALL TechNotes on www.sonicwall.com/support/documentation:

SonicOS Enhanced: Using a Secondary Public IP Range for NAT

SonicOS Enhanced: Configuring the SonicWALL DHCP for GVC

    Configuring the SonicWALL DHCP for GVC

    Configuring Port Forwarding with the SonicWALL

    Terminating the WAN GroupVPN and Using VPN Access in SonicOS Enhanced

    Terminating the WAN GroupVPN to the LAN/DMZ using SonicOS Standard

    Typical DMZ Setups with FTP, SMTP, and DNS Servers

    Common Issues with GVC

    Network Browsing with IP Helper NetBIOS Relay

    Creating One-to-One NAT Policies in SonicOS Enhanced

    SonicOS Enhanced: Three Types of Network Modes

    SonicOS 2.0 Enhanced: Configuring GroupVPN for Global VPN Clients

    SonicOS Enhanced: Implementing GVC with Windows Networking

Document created: 9/27/06. Last updated: 11/11/06.