Introduction
There are three different types of network modes that you can deploy on a SonicWALL running SonicOS Enhanced
firmware.
This document describes the characteristics and configurations of each network mode.
NAT Mode
NAT mode is the default network mode on the SonicWALL. It is the network mode that SonicWALL administrators are most
familiar with, as it is the most common. NAT divides the network into a private address space and a public address space.
The private address space resides on the LAN side and the public address space resides on the WAN side.
Network Diagram:
In NAT mode, when traffic traverses from the private network to the public network, the default behavior is to translate all
private LAN source IP addresses to the WAN IP address of the SonicWALL. This is referred to as many-to-one NAT.
Many-to-one NAT mode is ideal when the ISP has only given the administrator one public IP address.
You can also use NAT mode with a one-to-one configuration. One-to-one NAT mode is appropriate when the ISP has
allocated a public IP range, and the administrator wants to translate the internal servers to unique public IP addresses.
In the SonicOS user interface, you can configure the NAT Policy on the Network > NAT Policies page, and the Access
Rules Policy on the Firewall > Access Rules page. The NAT Policy translates the private IP addresses to a public IP
address so that the private network can communicate with the public network. The Access Rules Policy defines the
conditions under which the firewall should allow or drop traffic.
For outbound connections, no additional configuration is necessary because the default NAT policies already exist and
the default ‘LAN to WAN’ Access Rule allows all traffic out.
For inbound connections, you must configure an inbound NAT policy and an inbound Access Rule policy. In this scenario,
only one public IP address is configured on the SonicWALL WAN interface. In NAT mode, traffic arriving on the public IP
address of the SonicWALL is redirected to specific services on private servers. This is commonly referred to as Port
Forwarding.
Two examples are provided below to show the configuration for the following inbound NAT modes:
• Port Forwarding
• One-to-One NAT
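The three NAT-mode configurations described above (default many-to-one, port forwarding on the single WAN IP, and one-to-one NAT on a spare public address) can be modeled as a short policy engine. This is an added example, not SonicWALL code or SonicOS's actual implementation: the `NatPolicy`/`AccessRule` structures, the constructed addresses (203.0.113.x, 192.168.1.x, 198.51.100.7) and the evaluation order (access rule checked against the pre-NAT packet, then the first matching NAT policy applied) are assumptions of this model. It shows why both an inbound NAT policy and a WAN > LAN access rule are needed, and why the one-to-one outbound policy must sit above the default many-to-one policy.

```python
"""Model of how NAT policies and access rules combine on a LAN/WAN firewall.

Added example, not SonicWALL code. Field names follow the page's vocabulary
(original vs. translated addresses, zones, services); the evaluation order
(access rule on the pre-NAT packet, then NAT) is an assumption of this model,
not a statement about SonicOS internals. All addresses are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = "any"            # wildcard for address and service fields
ORIGINAL = "original"  # translated field left unchanged

@dataclass(frozen=True)
class Packet:
    in_zone: str  # zone the packet arrived from: "LAN" or "WAN"
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class NatPolicy:
    """Match on the original fields, rewrite to the translated fields."""
    orig_src: str = ANY      # single address or CIDR
    orig_dst: str = ANY
    service: object = ANY    # (proto, port) or ANY
    trans_src: str = ORIGINAL
    trans_dst: str = ORIGINAL
    enabled: bool = True

@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    src: str = ANY
    dst: str = ANY
    service: object = ANY
    action: str = "allow"

def addr_match(pattern, addr):
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)

def svc_match(pattern, pkt):
    return pattern == ANY or pattern == (pkt.proto, pkt.dport)

def lookup_access(pkt, out_zone, rules):
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for r in rules:
        if (r.from_zone, r.to_zone) == (pkt.in_zone, out_zone) and addr_match(r.src, pkt.src) \
                and addr_match(r.dst, pkt.dst) and svc_match(r.service, pkt):
            return r.action
    return "drop"

def apply_nat(pkt, policies):
    """First matching enabled policy wins; no match leaves the packet untranslated."""
    for p in policies:
        if p.enabled and addr_match(p.orig_src, pkt.src) and addr_match(p.orig_dst, pkt.dst) \
                and svc_match(p.service, pkt):
            return replace(pkt, src=pkt.src if p.trans_src == ORIGINAL else p.trans_src,
                           dst=pkt.dst if p.trans_dst == ORIGINAL else p.trans_dst)
    return pkt

def forward(pkt, policies, rules):
    """Return (action, the packet as it would leave the firewall)."""
    out_zone = "LAN" if pkt.in_zone == "WAN" else "WAN"
    action = lookup_access(pkt, out_zone, rules)
    return action, (apply_nat(pkt, policies) if action == "allow" else pkt)

# Constructed scenario: one WAN address for many-to-one plus a spare one for one-to-one NAT.
WAN_IP, LAN_NET = "203.0.113.10", "192.168.1.0/24"
WEB_SERVER, MAIL_SERVER, PUBLIC_MAIL = "192.168.1.20", "192.168.1.25", "203.0.113.12"
CLIENT = "198.51.100.7"  # constructed Internet host

POLICIES = [
    NatPolicy(orig_dst=PUBLIC_MAIL, trans_dst=MAIL_SERVER),                 # one-to-one inbound (2a)
    NatPolicy(orig_src=MAIL_SERVER, trans_src=PUBLIC_MAIL),                 # one-to-one outbound (2b)
    NatPolicy(orig_dst=WAN_IP, service=("tcp", 80), trans_dst=WEB_SERVER),  # port forwarding
    NatPolicy(orig_src=LAN_NET, trans_src=WAN_IP),                          # default many-to-one, last
]
RULES = [
    AccessRule("LAN", "WAN"),                                        # default 'LAN to WAN' allow-all
    AccessRule("WAN", "LAN", dst=WAN_IP, service=("tcp", 80)),       # inbound rule for port forwarding
    AccessRule("WAN", "LAN", dst=PUBLIC_MAIL, service=("tcp", 25)),  # inbound rule for one-to-one
]

def demo():
    """Run each configuration case described in the text and collect the outcomes."""
    return {
        "many_to_one": forward(Packet("LAN", "192.168.1.50", CLIENT, "tcp", 443), POLICIES, RULES),
        "port_forward": forward(Packet("WAN", CLIENT, WAN_IP, "tcp", 80), POLICIES, RULES),
        "unforwarded_port": forward(Packet("WAN", CLIENT, WAN_IP, "tcp", 443), POLICIES, RULES),
        "one_to_one_in": forward(Packet("WAN", CLIENT, PUBLIC_MAIL, "tcp", 25), POLICIES, RULES),
        "one_to_one_out": forward(Packet("LAN", MAIL_SERVER, CLIENT, "tcp", 25), POLICIES, RULES),
        # NAT policy present but the WAN > LAN rules removed: the inbound policy alone is not enough.
        "nat_without_rule": forward(Packet("WAN", CLIENT, WAN_IP, "tcp", 80), POLICIES, RULES[:1]),
    }

if __name__ == "__main__":
    for name, (action, pkt) in demo().items():
        print(f"{name:17} {action:5} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
```

Running it prints one line per case: the LAN host leaves with the WAN IP as source, TCP/80 to the WAN IP is redirected to the web server, TCP/443 to the same address is dropped by the implicit deny, the mail server is reachable on and replies from its own public address, and with the WAN > LAN rules removed the port-forward traffic is dropped even though its NAT policy still exists.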
Port Forwarding Example
1. Create the address object:
3. Create an Access Rule under Firewall > Access Rules for WAN > LAN
The resulting WAN > LAN Access Rules are shown below:
One-to-One NAT Example
When the ISP has allocated more than one public IP address, you can create a one-to-one NAT between the public and
private IP addresses. Once the inbound NAT Policy and Access Rules Policy are configured, public networks can reach
the private server using the translated public IP address of that server.
1. Create the public and private Address objects under Network > Address Objects
Public Object
Private Object
2a. Create an inbound NAT Policy under Network > NAT Policies
2b. Create an outbound NAT Policy under Network > NAT Policies (Optional)
3. Create an Access Rule under Firewall > Access Rules for WAN > LAN
The resulting WAN > LAN Access Rules are shown below:
Hint: You can use the Public Server Wizard to create address objects, NAT Policies, and access rules in one step. Refer
to the SonicWALL Technote: Using the SonicOS Enhanced Wizard to Configure a Public Server for a detailed description
of how the Public Server Wizard works.
Transparent Mode
Transparent mode is ideal in a situation where the public servers are already assigned public IP addresses. In this case,
the administrator wants to protect the network with a SonicWALL, but does not wish to reassign the servers with private IP
addresses. Changing IP addresses is often required in NAT mode.
The Network Diagram depicts a situation where the ISP has given the administrator a public IP address range of
10.50.26.0/24. The administrator does not want to change the IP addresses of the SMTP server and the Web server. With
transparent mode, the SonicWALL can protect both servers from the public network without disrupting the current IP
addressing scheme.
Network Diagram: SonicWALL PRO 3060 (10.50.26.6) on the 10.50.26.0/24 range; smtp server 10.50.26.7; www server 10.50.26.8.
Although it appears that the SonicWALL is acting like a bridge, it is not. The LAN devices see all WAN devices with the
MAC address of the SonicWALL LAN interface. Likewise, the directly connected WAN devices see all LAN devices with
the MAC address of the SonicWALL WAN interface.
Note: SonicOS Enhanced 3.5 has a new feature called Layer 2 Bridge Mode that allows the Layer 2 MAC addresses to
remain the same as traffic traverses the SonicWALL.
In transparent mode, there are no network address translations. An access rule policy by itself is enough to allow inbound
access.
2. Set the X0 Interface in Transparent Mode
4. Create Rules to allow Inbound Access
See the SonicWALL Technote: Transparent Mode Support on SonicOS Enhanced for a detailed description of transparent
mode configuration.
Route Mode
Route mode is ideal in a situation where the ISP has allocated two or more public IP address ranges and the administrator
does not want to use NAT. In the diagram, the ISP has allocated two public IP address ranges:
• 10.50.26.0/24
• 172.16.6.0/24
The SonicWALL will protect the servers in the 172.16.6.0/24 network.
Network Diagram:
Although the network diagram is exactly the same as in NAT mode, the difference here is that there are no network
address translations. Instead of using NAT, traffic is routed. An access rule policy by itself is enough to allow inbound
access.
Route Mode Example
1. Disable the default NAT Policy
To enable route mode, you can simply disable the default NAT policy in the Network > NAT Policies screen.
This prevents the SonicWALL default behavior, which is to NAT traffic traversing from the private network to the public
network.
3. Create Access Rules
Troubleshooting
You can use the Packet Trace utility on the System > Diagnostics page to test the NAT and Access Rules policies.
If the Packet Trace utility does not show any packets, then it means that the packets are not even reaching the
SonicWALL. Check with the ISP to see if routing is working properly. If the packets are being received on the X1 (WAN)
interface but not sent on the X0 (LAN) interface, then there is a problem with the NAT Policy and/or Access Rules policy.
Check the NAT Policy and Access Rules Policy for incorrect configurations.
Hint: To further simplify the troubleshooting process, change the Service in the NAT Policy and Access Rule Policy to
ANY.
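The troubleshooting decision above (no packets: routing problem upstream; packets received on X1 but never sent on X0: NAT Policy or Access Rule problem) can be applied mechanically to a capture. This is an added example, not SonicWALL code: the trace line format it parses (`X1 rx src:port -> dst:port PROTO`) is constructed for the example and is not the real Packet Trace output, and the sample captures are constructed. It goes one step beyond the text by also comparing the port that actually arrives against the service configured on the policy and rule, which is the mismatch the Hint about setting the Service to ANY is meant to rule out.

```python
"""Triage of a packet-trace capture using the troubleshooting logic of the text.

Added example, not SonicWALL code. The trace line format is constructed for
this example (SonicOS Packet Trace output differs); the verdicts follow the
text, with one extra check for a service mismatch between what arrives on X1
and what the NAT Policy / Access Rule are configured for.
"""
import re

# Constructed format: "<interface> <rx|tx> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(r"^(?P<iface>X\d)\s+(?P<dir>rx|tx)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")

UPSTREAM = "no inbound packets seen on X1: traffic is not reaching the SonicWALL, check routing with the ISP"
OK = "received on X1 and sent on X0: NAT Policy and Access Rule matched"
POLICY = "received on X1 but never sent on X0: check the NAT Policy and Access Rule"
SERVICE = "received on X1 but never sent on X0: arriving service differs from the configured service"

def parse_trace(lines):
    """Parse trace lines into dicts; lines not in the constructed format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            e["proto"] = e["proto"].lower()
            events.append(e)
    return events

def triage(lines, configured_service):
    """Return (overall verdict, {"client:port": verdict}) for the inbound flows in a trace.

    configured_service is the (proto, port) set on the inbound NAT Policy and Access Rule.
    A flow is identified by the client's source address and port, which NAT leaves unchanged
    when the packet is forwarded out of X0 with a translated destination.
    """
    events = parse_trace(lines)
    flows = {}
    for e in events:  # every packet that arrived from the WAN starts (or belongs to) a flow
        if e["iface"] == "X1" and e["dir"] == "rx":
            flows.setdefault(f"{e['src']}:{e['sport']}", {"first": e, "sent": False})
    for e in events:  # a matching transmit on X0 proves NAT and the access rule both matched
        if e["iface"] == "X0" and e["dir"] == "tx":
            key = f"{e['src']}:{e['sport']}"
            if key in flows:
                flows[key]["sent"] = True
    if not flows:
        return UPSTREAM, {}
    verdicts = {}
    for key, f in flows.items():
        if f["sent"]:
            verdicts[key] = OK
        elif (f["first"]["proto"], f["first"]["dport"]) != tuple(configured_service):
            verdicts[key] = SERVICE
        else:
            verdicts[key] = POLICY
    if SERVICE in verdicts.values():
        overall = SERVICE
    elif POLICY in verdicts.values():
        overall = POLICY
    else:
        overall = OK
    return overall, verdicts

# Constructed captures for a port forward of TCP/80 on WAN IP 203.0.113.10 to 192.168.1.20.
TRACE_OK = ["X1 rx 198.51.100.7:51514 -> 203.0.113.10:80 TCP",
            "X0 tx 198.51.100.7:51514 -> 192.168.1.20:80 TCP"]
TRACE_BLOCKED = ["X1 rx 198.51.100.7:51520 -> 203.0.113.10:80 TCP",
                 "X1 rx 198.51.100.7:51520 -> 203.0.113.10:80 TCP"]  # retransmit, never sent on X0
TRACE_WRONG_PORT = ["X1 rx 198.51.100.7:51530 -> 203.0.113.10:8080 TCP"]
TRACE_EMPTY = []

if __name__ == "__main__":
    for name, trace in [("ok", TRACE_OK), ("blocked", TRACE_BLOCKED),
                        ("wrong_port", TRACE_WRONG_PORT), ("empty", TRACE_EMPTY)]:
        print(name, "->", triage(trace, ("tcp", 80))[0])
```

When a flow is reported as a service mismatch, the same capture re-run after the Service has been set to ANY on both the NAT Policy and the Access Rule is the quick confirmation the Hint describes; if the flow then forwards, the service objects were the problem rather than the address objects.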
Related Documentation
For more information, refer to the following SonicWALL TechNotes on www.sonicwall.com/support/documentation: