SonicOS Enhanced - Three Types of Network Modes
Introduction
There are three different types of network modes that you can deploy on a SonicWALL running SonicOS Enhanced firmware. The three network modes are:
- NAT Mode
- Transparent Mode
- Route Mode
This document describes the characteristics and configurations of each network mode.
NAT Mode
NAT mode is the default network mode on the SonicWALL. It is the network mode that SonicWALL administrators are most familiar with, as it is the most common. NAT divides the network into a private address space and a public address space. The private address space resides on the LAN side and the public address space resides on the WAN side.
Network Diagram:
In NAT mode, when traffic traverses from the private network to the public network, the default behavior is to translate all private LAN source IP addresses to the WAN IP address of the SonicWALL. This is referred to as many-to-one NAT. Many-to-one NAT mode is ideal when the ISP has only given the administrator one public IP address. You can also use NAT mode with a one-to-one configuration. One-to-one NAT mode is appropriate when the ISP has allocated a public IP range, and the administrator wants to translate the internal servers to unique public IP addresses. Default NAT Policy:
For traffic to traverse the SonicWALL in NAT mode, two sets of policies are required:
- The NAT policy
- The Access Rules policy
In the SonicOS user interface, you can configure the NAT Policy on the Network > NAT Policies page, and the Access Rules Policy on the Firewall > Access Rules page. The NAT Policy translates the private IP addresses to a public IP address so that the private network can communicate with the public network. The Access Rules Policy defines the conditions under which the firewall should allow or drop traffic.

For outbound connections, no additional configuration is necessary because the default NAT policies already exist and the default LAN to WAN Access Rule allows all traffic out. For inbound connections, you must configure an inbound NAT policy and an inbound Access Rule policy.

In this scenario, only one public IP address is configured on the SonicWALL WAN interface. In NAT mode, traffic arriving on the public IP address of the SonicWALL is redirected to specific services on private servers. This is commonly referred to as Port Forwarding. Two examples are provided below to show the configuration for the following inbound NAT modes:
- Port Forwarding
- One-to-One NAT
2. Create an Inbound NAT Policy. For Original Destination, select WAN Primary IP from the drop-down list so that SMTP traffic arriving on the WAN IP address of the SonicWALL is redirected to the SMTP server on the LAN. For Inbound Interface, select X1 from the drop-down list if X1 is the WAN interface.
3. Create an Access Rule under Firewall > Access Rules for WAN > LAN
The resulting WAN > LAN Access Rules are shown below:
Private Object
2a. Create an inbound NAT Policy under Network > NAT Policies
2b. Create an outbound NAT Policy under Network > NAT Policies (Optional)
3. Create an Access Rule under Firewall > Access Rules for WAN > LAN
The resulting WAN > LAN Access Rules are shown below:
Hint: You can use the Public Server Wizard to create address objects, NAT Policies, and access rules in one step. Refer to the SonicWALL Technote: Using the SonicOS Enhanced Wizard to Configure a Public Server for a detailed description of how the Public Server Wizard works.
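To make the two-policy requirement concrete, here is a small added model (not SonicOS code, and not from the technote) of how an inbound SMTP packet is first matched against an inbound NAT policy and then against a WAN > LAN access rule. The WAN IP, private server address and the assumption that the access rule is matched on the translated (private) destination are all constructed for this example.

```python
from dataclasses import dataclass, replace

# Constructed example values (not from the technote).
WAN_PRIMARY_IP = "203.0.113.10"   # SonicWALL WAN Primary IP (X1)
SMTP_SERVER = "192.168.168.25"    # private SMTP server on the LAN (X0)
SMTP = 25
ANY = 0                           # service wildcard, as in the Hint above

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str                    # ingress interface, e.g. "X1"

@dataclass(frozen=True)
class NatPolicy:
    original_dst: str             # Original Destination (WAN Primary IP)
    service: int                  # matched destination port, or ANY
    translated_dst: str           # Translated Destination (private server)
    inbound_if: str               # Inbound Interface (X1)

@dataclass(frozen=True)
class AccessRule:
    dst: str                      # private address object (assumed post-NAT)
    service: int                  # destination port, or ANY
    allow: bool

def apply_inbound_nat(pkt, policies):
    """First matching NAT policy rewrites the destination; None if no match."""
    for p in policies:
        if (pkt.iface == p.inbound_if and pkt.dst == p.original_dst
                and p.service in (ANY, pkt.dport)):
            return replace(pkt, dst=p.translated_dst)
    return None

def evaluate_access(pkt, rules):
    """First matching WAN > LAN access rule decides; no match means drop."""
    for r in rules:
        if r.dst == pkt.dst and r.service in (ANY, pkt.dport):
            return r.allow
    return False

def process_inbound(pkt, policies, rules):
    """Return (verdict, packet); the verdict names the stage that dropped it,
    i.e. why Packet Trace would show X1 receiving but X0 not sending."""
    nat_pkt = apply_inbound_nat(pkt, policies)
    if nat_pkt is None:
        return "dropped: no inbound NAT policy", pkt
    if not evaluate_access(nat_pkt, rules):
        return "dropped: access rule", nat_pkt
    return "forwarded on X0", nat_pkt
```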
Transparent Mode
Transparent mode is ideal in a situation where the public servers are already assigned public IP addresses. In this case, the administrator wants to protect the network with a SonicWALL, but does not wish to reassign the servers with private IP addresses. Changing IP addresses is often required in NAT mode. The Network Diagram depicts a situation where the ISP has given the administrator a public IP address range of 10.50.26.0/24. The administrator does not want to change the IP addresses of the SMTP server and the Web server. With transparent mode, the SonicWALL can protect both servers from the public network without disrupting the current IP addressing scheme.
Network Diagram:
Although it appears that the SonicWALL is acting like a bridge, it is not. The LAN devices see all WAN devices with the MAC address of the SonicWALL LAN interface. Likewise, the directly connected WAN devices see all LAN devices with the MAC address of the SonicWALL WAN interface.
Note: SonicOS Enhanced 3.5 has a new feature called Layer 2 Bridge Mode that allows the Layer 2 MAC addresses to remain the same as traffic traverses the SonicWALL.
In transparent mode, there are no network address translations. An access rule policy by itself is enough to allow inbound access.
See the SonicWALL Technote: Transparent Mode Support on SonicOS Enhanced for a detailed description of transparent mode configuration.
Route Mode
Route mode is ideal in a situation where the ISP has allocated two or more public IP address ranges and the administrator does not want to use NAT. In the diagram, the ISP has allocated two public IP address ranges:
- 10.50.26.0/24
- 172.16.6.0/24
The SonicWALL will protect the servers in the 172.16.6.0/24 network.
Network Diagram:
Although the network diagram is exactly the same as in NAT mode, the difference here is that there are no network address translations. Instead of using NAT, traffic is routed. An access rule policy by itself is enough to allow inbound access.
Troubleshooting
You can use the Packet Trace utility on the System > Diagnostics page to test the NAT and Access Rules policies.
If the Packet Trace utility does not show any packets, then it means that the packets are not even reaching the SonicWALL. Check with the ISP to see if routing is working properly. If the packets are being received on the X1 (WAN) interface but not sent on the X0 (LAN) interface, then there is a problem with the NAT Policy and/or Access Rules policy. Check the NAT Policy and Access Rules Policy for incorrect configurations.
Hint: To further simplify the troubleshooting process, change the Service in the NAT Policy and Access Rule Policy to ANY.
Related Documentation
For more information, refer to the following SonicWALL TechNotes on www.sonicwall.com/support/documentation:
- SonicOS Enhanced: Using a Secondary Public IP Range for NAT
- SonicOS Enhanced: Configuring the SonicWALL DHCP for GVC
- Configuring Port Forwarding with the SonicWALL
- Terminating the WAN GroupVPN and Using VPN Access in SonicOS Enhanced
- Terminating the WAN GroupVPN to the LAN/DMZ using SonicOS Standard
- Typical DMZ Setups with FTP, SMTP, and DNS Servers
- Common Issues with GVC
- Network Browsing with IP Helper NetBIOS Relay
- Creating One-to-One NAT Policies in SonicOS Enhanced
- SonicOS Enhanced: Three Types of Network Modes
- SonicOS 2.0 Enhanced: Configuring GroupVPN for Global VPN Clients
- SonicOS Enhanced: Implementing GVC with Windows Networking