Blog

DNAT On Sonicwall

Setting up Destination NAT (DNAT) on a SonicWall NSv in AWS involves a three-step process: defining the Objects, creating the NAT Policy, and adding an Access Rule.

In your specific scenario, you are doing Port Address Translation (PAT) because you are changing the external port (8964) to the internal SSH port (22).

Step 1: Create Address and Service Objects

First, you must define the “what” and “where” in the SonicWall database.

  1. Ubuntu Server Address Object:
    • Navigate to Object > Match Objects > Addresses.
    • Click +Add.
    • Name: Ubuntu_Webserver_Internal
    • Zone: LAN (or whichever zone your server sits in).
    • Type: Host | IP Address: 10.2.2.100
  2. Custom Service Object:
    • Navigate to Object > Match Objects > Services.
    • Click +Add.
    • Name: TCP_8964
    • Protocol: TCP
    • Port Range: 8964 to 8964.

Step 2: Create the NAT Policy

This is the rule that tells the firewall to translate the traffic.

  1. Navigate to Policy > Rules and Policies > NAT Rules.
  2. Click +Add and configure the following:
    • Original Source: Any
    • Translated Source: Original
    • Original Destination: WAN Interface IP (This refers to your 10.2.1.10 address).
    • Translated Destination: Ubuntu_Webserver_Internal (The object created in Step 1).
    • Original Service: TCP_8964 (The custom port object).
    • Translated Service: SSH (The standard built-in service for port 22).
    • Inbound Interface: X1 (or your specific WAN interface).

Step 3: Create the Access Rule

Even with a NAT policy, the SonicWall will block the traffic by default unless an Access Rule allows it.

  1. Navigate to Policy > Rules and Policies > Security Policy (or Access Rules).
  2. Click +Add and set:
    • Source Zone: WAN
    • Destination Zone: LAN (Match the zone of your Ubuntu server).
    • Source Address: Any
    • Destination Address: WAN Interface IP (Note: In newer firmware, you may need to use the internal object Ubuntu_Webserver_Internal depending on if the rule is processed post-NAT).
    • Service: TCP_8964
    • Action: Allow

[!IMPORTANT] AWS Security Groups: Don’t forget that AWS has its own firewall layer. Ensure the Security Group attached to the SonicWall’s WAN interface allows inbound traffic on port 8964, and the Security Group on your Ubuntu server allows port 22 from the SonicWall’s LAN interface IP.

Leave a Reply