
NETWORKING SonicOS Enhanced: Three Types of Network Modes

Introduction
There are three different types of network modes that you can deploy on a SonicWALL running SonicOS Enhanced
firmware.

The three network modes are:

• NAT Mode
• Transparent Mode
• Route Mode

This document describes the characteristics and configurations of each network mode.

NAT Mode
NAT mode is the default network mode on the SonicWALL. It is the network mode that SonicWALL administrators are most
familiar with, as it is the most common. NAT divides the network into a private address space and a public address space.
The private address space resides on the LAN side and the public address space resides on the WAN side.

Network Diagram:

In NAT mode, when traffic traverses from the private network to the public network, the default behavior is to translate all
private LAN source IP addresses to the WAN IP address of the SonicWALL. This is referred to as many-to-one NAT.
Many-to-one NAT mode is ideal when the ISP has only given the administrator one public IP address.

You can also use NAT mode with a one-to-one configuration. One-to-one NAT mode is appropriate when the ISP has
allocated a public IP range, and the administrator wants to translate the internal servers to unique public IP addresses.

Default NAT Policy:

For traffic to traverse the SonicWALL in NAT mode, two sets of policies are required:
• The NAT policy
• The Access Rules policy

In the SonicOS user interface, you can configure the NAT Policy on the Network > NAT Policies page, and the Access
Rules Policy on the Firewall > Access Rules page. The NAT Policy translates the private IP addresses to a public IP
address so that the private network can communicate with the public network. The Access Rules Policy defines the
conditions under which the firewall should allow or drop traffic.

For outbound connections, no additional configuration is necessary because the default NAT policies already exist and
the default ‘LAN to WAN’ Access Rule allows all traffic out.

For inbound connections, you must configure an inbound NAT policy and an inbound Access Rule policy. In this scenario,
only one public IP address is configured on the SonicWALL WAN interface. In NAT mode, traffic arriving on the public IP
address of the SonicWALL is redirected to specific services on private servers. This is commonly referred to as Port
Forwarding.

Two examples are provided below to show the configuration for the following inbound NAT modes:
• Port Forwarding
• One-to-One NAT

Port Forwarding Example
1. Create the address object:

2. Create an Inbound NAT Policy

For Original Destination, select WAN Primary IP from the drop-down list so that SMTP traffic arriving on the WAN IP
address of the SonicWALL is redirected to the SMTP server on the LAN.
For Inbound Interface, select X1 from the drop-down list if X1 is the WAN interface.

The resulting NAT Policies are shown below:

3. Create an Access Rule under Firewall > Access Rules for WAN > LAN

The resulting WAN > LAN Access Rules are shown below:

One-to-One NAT Example
When the ISP has allocated more than one public IP address, you can create a one-to-one NAT between the public and
private IP addresses. Once the inbound NAT Policy and Access Rules Policy are configured, public networks can reach
the private server using the translated public IP address of that server.

1. Create the public and private Address objects under Network > Address Objects

Public Object

Private Object

2a. Create an inbound NAT Policy under Network > NAT Policies

2b. Create an outbound NAT Policy under Network > NAT Policies (Optional)

3. Create an Access Rule under Firewall > Access Rules for WAN > LAN

The resulting WAN > LAN Access Rules are shown below:

Hint: You can use the Public Server Wizard to create address objects, NAT Policies, and access rules in one step. Refer
to the SonicWALL Technote: Using the SonicOS Enhanced Wizard to Configure a Public Server for a detailed description
of how the Public Server Wizard works.
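How the two policy sets interact for the inbound cases above (port forwarding to the WAN Primary IP, one-to-one NAT, and what happens when either the NAT policy or the access rule is missing), as an added Python model that is not part of this technote or of SonicOS itself. The addresses, class names and the evaluation order (the WAN > LAN rule is matched on the public destination, then the NAT policy rewrites it) are assumptions of the model; it also shows that with the NAT policy disabled an access rule alone passes traffic unchanged, which is what route mode relies on.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
WAN_IP, PUBLIC_2 = "203.0.113.1", "203.0.113.2"        # constructed public IPs (RFC 5737)
SMTP_PRIV, WEB_PRIV = "192.168.1.25", "192.168.1.80"   # constructed private servers (RFC 1918)

@dataclass(frozen=True)
class Packet:
    dst: str                # destination IP as it arrives on the firewall
    dport: int              # destination TCP port (the "service")
    in_zone: str            # zone of the arrival interface ("WAN" for X1)
@dataclass(frozen=True)
class NatPolicy:
    orig_dst: str           # "any" or an IP (Original Destination)
    service: Optional[int]  # destination port; None means Any
    trans_dst: str          # "original" or the address to rewrite to
    enabled: bool = True    # a disabled policy is skipped (route mode)
@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    dst: str                # "any" or an IP
    service: Optional[int]  # destination port; None means Any
    action: str             # "allow" or "deny"

def match_nat(pkt: Packet, policies) -> Optional[NatPolicy]:
    """First enabled NAT policy whose original destination and service match."""
    for p in policies:
        if p.enabled and p.orig_dst in ("any", pkt.dst) and p.service in (None, pkt.dport):
            return p
    return None
def rule_allows(pkt: Packet, rules, to_zone: str) -> bool:
    """First matching access rule decides; no match is an implicit deny."""
    for r in rules:
        if ((r.from_zone, r.to_zone) == (pkt.in_zone, to_zone)
                and r.dst in ("any", pkt.dst) and r.service in (None, pkt.dport)):
            return r.action == "allow"
    return False
def process(pkt: Packet, policies, rules, to_zone: str = "LAN") -> Tuple[str, str]:
    """(verdict, destination sent on X0). Model assumption: the WAN > LAN rule is
    matched on the public (pre-NAT) destination, then the NAT policy rewrites it."""
    if not rule_allows(pkt, rules, to_zone):
        return ("dropped", pkt.dst)
    p = match_nat(pkt, policies)
    if p is None or p.trans_dst == "original":
        return ("allowed", pkt.dst)    # no translation: traffic is simply routed
    return ("allowed", p.trans_dst)
# Inbound NAT mode: port forward WAN Primary IP:25 -> SMTP server; one-to-one NAT for the web server
NAT_POLICIES = [NatPolicy(WAN_IP, 25, SMTP_PRIV), NatPolicy(PUBLIC_2, None, WEB_PRIV)]
WAN_TO_LAN = [AccessRule("WAN", "LAN", WAN_IP, 25, "allow"), AccessRule("WAN", "LAN", PUBLIC_2, 80, "allow")]
```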

Transparent Mode
Transparent mode is ideal in a situation where the public servers are already assigned public IP addresses. In this case,
the administrator wants to protect the network with a SonicWALL, but does not wish to reassign the servers with private IP
addresses. Changing IP addresses is often required in NAT mode.

The Network Diagram depicts a situation where the ISP has given the administrator a public IP address range of
10.50.26.0/24. The administrator does not want to change the IP addresses of the SMTP server and the Web server. With
transparent mode, the SonicWALL can protect both servers from the public network without disrupting the current IP
addressing scheme.

Network Diagram:

[Network diagram: public range 10.50.26.0/24; 10.50.26.6; SonicWALL PRO 3060; smtp server 10.50.26.7; www server 10.50.26.8]

Although it appears that the SonicWALL is acting like a bridge, it is not. The LAN devices see all WAN devices with the
MAC address of the SonicWALL LAN interface. Likewise, the directly connected WAN devices see all LAN devices with
the MAC address of the SonicWALL WAN interface.

Note: SonicOS Enhanced 3.5 has a new feature called Layer 2 Bridge Mode that allows the Layer 2 MAC addresses to
remain the same as traffic traverses the SonicWALL.

In transparent mode, there are no network address translations. An access rule policy by itself is enough to allow inbound
access.

Transparent Mode Example

1. Create a Network Address Object to use as the Transparent Range

2. Set the X0 Interface in Transparent Mode

3. Create Address Objects for the SMTP and WEB servers

4. Create Rules to allow Inbound Access

See the SonicWALL Technote: Transparent Mode Support on SonicOS Enhanced for a detailed description of transparent
mode configuration.

Route Mode
Route mode is ideal in a situation where the ISP has allocated two or more public IP address ranges and the administrator
does not want to use NAT. In the diagram, the ISP has allocated two public IP address ranges:
• 10.50.26.0/24
• 172.16.6.0/24
The SonicWALL will protect the servers in the 172.16.6.0/24 network.

Network Diagram:

Although the network diagram is exactly the same as in NAT mode, the difference here is that there are no network
address translations. Instead of using NAT, traffic is routed. An access rule policy by itself is enough to allow inbound
access.

Route Mode Example
1. Disable the default NAT Policy

To enable route mode, you can simply disable the default NAT policy in the Network > NAT Policies screen.
This prevents the SonicWALL default behavior, which is to NAT traffic traversing from the private network to the public
network.

2. Create the Address Objects

3. Create Access Rules

Troubleshooting
You can use the Packet Trace utility on the System > Diagnostics page to test the NAT and Access Rules policies.

To use Packet Trace:

1. In the Packet Trace screen, enter the IP address of the test PC and then click Start.
2. From a test PC on the Internet, initiate a telnet connection to the specific TCP port. For example, to see if the SMTP
server is working in the route mode example, telnet to 172.16.6.100 on port 25.
3. Open a DOS command window and issue the command telnet 172.16.6.100 25. The Packet Trace utility will show packets
received on the X1 (WAN) interface and sent on the X0 (LAN) interface.

If the Packet Trace utility does not show any packets, then it means that the packets are not even reaching the
SonicWALL. Check with the ISP to see if routing is working properly. If the packets are being received on the X1 (WAN)
interface but not sent on the X0 (LAN) interface, then there is a problem with the NAT Policy and/or Access Rules policy.
Check the NAT Policy and Access Rules Policy for incorrect configurations.

Hint: To further simplify the troubleshooting process, change the Service in the NAT Policy and Access Rule Policy to
ANY.

Related Documentation
For more information, refer to the following SonicWALL TechNotes on www.sonicwall.com/support/documentation:

• SonicOS Enhanced: Using a Secondary Public IP Range for NAT
• SonicOS Enhanced: Configuring the SonicWALL DHCP for GVC
• Configuring the SonicWALL DHCP for GVC
• Configuring Port Forwarding with the SonicWALL
• Terminating the WAN GroupVPN and Using VPN Access in SonicOS Enhanced
• Terminating the WAN GroupVPN to the LAN/DMZ using SonicOS Standard
• Typical DMZ Setups with FTP, SMTP, and DNS Servers
• Common Issues with GVC
• Network Browsing with IP Helper NetBIOS Relay
• Creating One-to-One NAT Policies in SonicOS Enhanced
• SonicOS Enhanced: Three Types of Network Modes
• SonicOS 2.0 Enhanced: Configuring GroupVPN for Global VPN Clients
• SonicOS Enhanced: Implementing GVC with Windows Networking

Document created: 9/27/06
Last updated: 11/11/06
