
UTM: How to Open Ports to Allow (Webserver, FTP, Email, Terminal Service, etc.) to a server behind the
SonicWALL (SonicOS Enhanced)


Article Applies To:


Gen6 SM E10000 series: NSA E10800, NSA E10400, NSA E10200, NSA E10100
Gen6 SM 9000 series: NSA 9600, NSA 9400, NSA 9200
Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600

Gen5: NSA 8510, NSA 8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX,
NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 W, TZ 215, TZ 215 W, TZ 105, TZ 105W, TZ 205, TZ 205W

Gen4 PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4 TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless

Firmware/Software Version: All versions (SonicOS Enhanced only). For instructions on SonicOS Standard refer to KBID 3703.
Services: Port forwarding (NAT policies, Address objects, firewall access rules).

Feature/Application:
Manually opening ports to allow a service (Webserver, FTP, Email, Terminal Service, etc.) from the Internet to a server behind the
SonicWALL in SonicOS Enhanced involves the following steps:

Step 1: Creating the necessary Address Objects
Step 2: Defining the appropriate NAT Policies (Inbound, Outbound and Loopback)
Step 3: Creating the necessary WAN > Zone Access Rules for public access

Recommendation: The Public Server Wizard quickly configures your SonicWALL to provide public access to an internal
server. The Public Server Wizard is the most ambitious and functional wizard developed to date. It simplifies the complex
process of creating a publicly and internally accessible server resource by automating the steps mentioned above. Please refer
to KBID 7027 and KBID 4178 for complete instructions.

Alert: The SonicWALL security appliance can be managed using HTTP (Port 80) or HTTPS (443) and a Web browser. Both
HTTP and HTTPS are enabled by default. If you are using the SonicWALL WAN IP address for HTTP or HTTPS port forwarding
to a server, then the default Management port must be changed to another unused port number (e.g. 8080, 444, 4443,
etc.); otherwise the management service on the WAN interface answers those ports instead of the forwarded server. You can
change this under the System > Administration page.

Scenario:
The following example covers allowing the HTTP (webserver) service from the Internet to a server on the LAN with the private IP
address 192.168.1.100. Once the configuration is complete, Internet users can access the HTTP (webserver) service
behind the SonicWALL UTM appliance through the WAN (Public) IP address 1.1.1.1.

Procedure:
In this example we have chosen to demonstrate using the HTTP service; however, the following steps apply to any service you
wish to use (such as HTTPS, SMTP, FTP, Terminal Services, SSH, etc.).

Step 1: Creating the necessary Address Objects

TIP: For complete information on creating Address Objects refer to KBID 7486.

1. Select Network > Address Objects.
2. Click the Add a new address object button and create two address objects, one for the server's IP on the LAN and another for
the public IP of the server:

Address Object for Server on LAN

Name: Mywebserver Private
Zone Assignment: LAN
Type: Host
IP Address: 192.168.1.100

Address Object for Server's Public IP

Name: Mywebserver Public
Zone Assignment: WAN
Type: Host
IP Address: 1.1.1.1

3. Click the OK button to complete creation of the new address objects.

Step 2: Defining the appropriate NAT Policies

1. Select Network > NAT Policies.
2. Click the Add a new NAT Policy button and choose the following settings from the drop-down menus:

Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing
information that allows the packet to get to its destination, and for the destination to respond to the original requester.
The packet contains (among other things) the requester's IP address, the protocol information of the requester, and the
destination's IP address. The NAT Policies engine in SonicOS Enhanced can inspect the relevant portions of the packet and
can dynamically rewrite the information in specified fields for incoming, as well as outgoing traffic.

Note: To add a custom port (service) in SonicOS Enhanced refer to KBID 7133.

Adding the appropriate NAT Policies

Original Source: Any
Translated Source: Original
Original Destination: Mywebserver Public
Translated Destination: Mywebserver Private
Original Service: HTTP
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: Webserver behind SonicWALL.
Enable NAT Policy: Checked
Create a reflexive policy: Checked

Note: Create a reflexive policy: When you check this box, a mirror outbound or inbound NAT policy for the NAT policy you
defined in the Add NAT Policy window is automatically created. For the inbound policy above, the mirror is an outbound policy
that translates the server's private source address (Mywebserver Private) to its public address (Mywebserver Public).

3. Click the Add button.

Loopback Policy:
If you wish to access this server from other internal zones using the Public IP address 1.1.1.1, consider creating a
Loopback NAT Policy; otherwise go to the next step:

Original Source: Firewalled Subnets
Translated Source: Mywebserver Public
Original Destination: Mywebserver Public
Translated Destination: Mywebserver Private
Original Service: HTTP
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: Loopback policy
Enable NAT Policy: Checked
Create a reflexive policy: Unchecked

4. Upon completion, under the Network > NAT Policies tab the above Inbound and Outbound NAT policies will be created.

Step 3: Creating Firewall Access Rules

1. Click the Firewall > Access Rules tab.
2. Select the type of view in the View Style section and go to the WAN to LAN access rules.
3. Click Add a new entry and create the rule by entering the following into the fields:

Caut ion: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall
protection or block all access to the Internet. Use caution when creating or deleting network access rules.

Action: Allow
From Zone: WAN
To Zone: LAN
Service: HTTP
Source: Any
Destination: Mywebserver Public
Users Allowed: All
Schedule: Always on
Enable Logging: Checked
Allow Fragmented Packets: Checked

4. Under the Advanced tab, you can leave the "Inactivity Timeout in Minutes" at 15 minutes. Some protocols, such as
Telnet, FTP, SSH, VNC and RDP, can take advantage of longer timeouts; increased values like 30 or 60 minutes can be
tried with caution in those cases. Longer timeout values will not help at all for HTTP or HTTPS.

5. Click OK.
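To see how the NAT policies from Step 2 and the access rule from Step 3 act on real traffic, the following is an added Python model (not SonicWALL code and not part of the original article) that evaluates constructed sample packets against the article's address objects, NAT policies and access rule, and also checks the management-port clash described in the Alert. It assumes that "Firewalled Subnets" resolves to 192.168.1.0/24 and that policies with a more specific Original Source are evaluated before the general inbound policy.

```python
from ipaddress import ip_address, ip_network

# Address objects from Step 1 of the article.
ADDR = {"Mywebserver Private": "192.168.1.100", "Mywebserver Public": "1.1.1.1"}
# Assumption: "Firewalled Subnets" resolves to the LAN subnet 192.168.1.0/24.
FIREWALLED = ip_network("192.168.1.0/24")
SERVICE_PORT = {"HTTP": 80, "HTTPS": 443}

# NAT policies from Step 2: the optional loopback policy, the reflexive outbound policy
# created by "Create a reflexive policy", and the inbound policy itself.
# Assumption: more specific Original Source fields are evaluated first, so they are listed first.
NAT_POLICIES = [
    {"name": "loopback", "osrc": "Firewalled Subnets", "tsrc": "Mywebserver Public",
     "odst": "Mywebserver Public", "tdst": "Mywebserver Private", "svc": "HTTP"},
    {"name": "reflexive", "osrc": "Mywebserver Private", "tsrc": "Mywebserver Public",
     "odst": "Any", "tdst": "Original", "svc": "Any"},
    {"name": "inbound", "osrc": "Any", "tsrc": "Original",
     "odst": "Mywebserver Public", "tdst": "Mywebserver Private", "svc": "HTTP"},
]
# Step 3: the single WAN > LAN rule; its Destination is the pre-NAT (public) address object.
ACCESS_RULES = [{"from": "WAN", "to": "LAN", "svc": "HTTP", "dst": "Mywebserver Public"}]

def _match(field, ip):
    if field == "Any":
        return True
    if field == "Firewalled Subnets":
        return ip_address(ip) in FIREWALLED
    return ADDR[field] == ip

def apply_nat(src, dst, dport):
    """Return (policy name, translated src, translated dst) for the first matching policy."""
    for p in NAT_POLICIES:
        if p["svc"] != "Any" and SERVICE_PORT[p["svc"]] != dport:
            continue
        if _match(p["osrc"], src) and _match(p["odst"], dst):
            tsrc = src if p["tsrc"] == "Original" else ADDR[p["tsrc"]]
            tdst = dst if p["tdst"] == "Original" else ADDR[p["tdst"]]
            return p["name"], tsrc, tdst
    return None, src, dst  # no policy matched: the packet keeps its addresses

def access_allowed(from_zone, to_zone, dport, dst):
    """WAN > LAN has no implicit allow, so anything not matched by a rule is dropped."""
    return any((r["from"], r["to"]) == (from_zone, to_zone)
               and SERVICE_PORT[r["svc"]] == dport and _match(r["dst"], dst)
               for r in ACCESS_RULES)

def management_port_conflicts(forwarded_ports, mgmt_ports=(80, 443)):
    """The Alert's clash: WAN-side management on 80/443 collides with forwarded services."""
    return sorted(set(forwarded_ports) & set(mgmt_ports))
```

The loopback result shows why that policy is needed: a LAN client reaching 1.1.1.1 has its source rewritten to the public address, so the server's reply returns through the firewall instead of going directly to the client with an unexpected source.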

See Also:
KBID 7027: UTM: How to quickly open ports (port forwarding) using wizards? (SonicOS Enhanced)
