
We have a block of static IPs that are utilized by a few different routers -- one provided by our VoIP company, one provided by Verizon (used mostly for the TVs / guest wifi), and one that goes to our SonicWall TZ210.

I have a zone set up on a different port in the SonicWall -- a sort of DMZ, set up for apps that are separated from our LAN. However, until now, this wasn't used for anything public-facing. It was a development subnet where folks are building apps in VMs, etc.

However, now we need to interface with an outside system that requires an IP address. I'd prefer not to give them the IP address of our entire SonicWall, but would rather assign a specific static IP to that DMZ subnet. This way, I can port forward from that static IP to the machine in question directly and block all other traffic (traffic is currently blocked between the WAN and this subnet).

Any thoughts on how I might be able to go about doing this? Again, this is a SonicWall TZ210 with the latest version of SonicOS.

Thanks in advance for any help you can give!

SeanKilleen

1 Answer


This is relatively straightforward. There are essentially two parts required: first, a NAT rule providing address translation, and second, a firewall access rule permitting traffic to cross zones.

For the NAT piece, create a rule that keeps the originating IP intact, but translates from your external static IP to your internal DMZ host, and does so for whatever specific service (TCP/IP port) you wish to translate. I would also recommend making a second rule for ICMP traffic, so you can ping the server from the outside world.

  • Original Source: Any
  • Translated Source: Original
  • Original Service:
  • Translated Service: Original
  • Original Destination: External IP address object
  • Translated Destination: Internal DMZ IP address

Next, you need to enable that service in the firewall. You'll also want a second rule for ICMP traffic, so those pings work. These two rules will be created from WAN to DMZ (or whatever zone you have your server in).

  • Source: Any
  • Destination: External IP address object
  • Service:
  • Action: Allow


--Christopher Karel

  • Hi Christopher, thanks for the response! I'm looking to do something a little different than you suggested, I think. Assuming our SonicWall IP -- let's say 123.456.789.1 -- I would like our DMZ Subnet to be accessible by a different, public-facing static IP (123.456.789.2). This way we would not be giving out the IP of our SonicWall, even if it's connecting through the SonicWall. – SeanKilleen Mar 11 '11 at 14:19
  • That's fine, Goober. The IP you use doesn't have to be the official IP address of your WAN interface on the Sonicwall. The above will work for any address on that network. Now, your Sonicwall will obviously have to respond and address packets to that IP, but it will be different than the one used for outbound traffic, for example. – Christopher Karel Mar 11 '11 at 19:52
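The following is an added example, not part of the answer above and not SonicOS code. It is a small Python model of the two objects Karel describes (an inbound NAT policy keyed on the public address object with Translated Source: Original, and a WAN-to-DMZ access rule matched on that same original destination), so you can check on constructed packets that only the published service on the second static IP reaches the DMZ host, that the host sees the real client address, and that the reply leaves with the public address as its source. The subnet 203.0.113.0/29, the interface and host addresses, the zone layout and the service (TCP/443, since the answer leaves the service blank) are all assumptions for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (assumptions, not from the thread). 203.0.113.0/29 is
# documentation space standing in for the static block the firewall's WAN sits on.
WAN_SUBNET = ip_network("203.0.113.0/29")
WAN_IF_IP = "203.0.113.1"       # the SonicWall's own WAN interface address (not handed out)
PUBLIC_DMZ_IP = "203.0.113.2"   # second static IP, the one given to the outside system
DMZ_HOST = "10.10.10.50"        # the server in the DMZ zone
ZONES = {"DMZ": ip_network("10.10.10.0/24"), "LAN": ip_network("192.168.1.0/24")}


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the internal subnets is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: Optional[int]   # None for ICMP
    proto: str             # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class NatPolicy:
    """Original Source Any / Translated Source Original are implicit: the client address is kept."""
    orig_dst: str          # Original Destination: the public address object
    trans_dst: str         # Translated Destination: the DMZ host
    proto: str             # Original Service (Translated Service: Original)
    dport: Optional[int]


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    dst: str               # matched on the pre-NAT (public) destination, as in the answer
    proto: str
    dport: Optional[int]
    action: str            # "allow" or "deny"


# The two NAT policies and two access rules from the answer, with TCP/443 as the
# assumed service.
NAT_POLICIES = [
    NatPolicy(PUBLIC_DMZ_IP, DMZ_HOST, "tcp", 443),
    NatPolicy(PUBLIC_DMZ_IP, DMZ_HOST, "icmp", None),
]
ACCESS_RULES = [
    AccessRule("WAN", "DMZ", PUBLIC_DMZ_IP, "tcp", 443, "allow"),
    AccessRule("WAN", "DMZ", PUBLIC_DMZ_IP, "icmp", None, "allow"),
]


def _service_match(proto: str, dport: Optional[int], pkt: Packet) -> bool:
    return pkt.proto == proto and pkt.dport == dport


def inbound(pkt: Packet, nat_policies=NAT_POLICIES, access_rules=ACCESS_RULES):
    """Evaluate a packet arriving on the WAN. Returns ("allow", translated) or ("drop", None)."""
    nat = next((p for p in nat_policies
                if p.orig_dst == pkt.dst and _service_match(p.proto, p.dport, pkt)), None)
    if nat is None:
        return "drop", None     # no translation: nothing in the DMZ is reachable this way
    from_zone, to_zone = zone_of(pkt.src), zone_of(nat.trans_dst)
    rule = next((r for r in access_rules
                 if (r.from_zone, r.to_zone, r.dst) == (from_zone, to_zone, pkt.dst)
                 and _service_match(r.proto, r.dport, pkt)), None)
    if rule is None or rule.action != "allow":
        return "drop", None     # zone default: WAN -> DMZ is denied
    # Translated Source: Original, so the DMZ host sees the real client address.
    return "allow", replace(pkt, dst=nat.trans_dst)


def reply(pkt: Packet, nat_policies=NAT_POLICIES) -> Packet:
    """Reverse translation for the server's reply: its private source becomes the
    public address, so the outside system only ever sees PUBLIC_DMZ_IP."""
    for p in nat_policies:
        if p.trans_dst == pkt.src and p.proto == pkt.proto and pkt.sport == (p.dport or pkt.sport):
            return replace(pkt, src=p.orig_dst)
    return pkt


def secondary_ip_ok(ip: str) -> bool:
    """Karel's caveat from the comments: the address must be on the WAN interface's
    network (the firewall has to answer for it) and distinct from the interface's own IP."""
    addr = ip_address(ip)
    return (addr in WAN_SUBNET
            and addr not in (WAN_SUBNET.network_address, WAN_SUBNET.broadcast_address)
            and ip != WAN_IF_IP)


if __name__ == "__main__":
    client = Packet("198.51.100.7", 51000, PUBLIC_DMZ_IP, 443, "tcp")   # constructed client
    print(inbound(client))                                               # allowed, dst rewritten
    print(inbound(replace(client, dport=22)))                            # dropped: not published
    print(reply(Packet(DMZ_HOST, 443, client.src, client.sport, "tcp")))  # src back to public IP
```

Two things the model makes explicit: a packet aimed at the firewall's own WAN address is dropped by this rule set, which is exactly why handing out the second static keeps the SonicWall's address out of the outside system's configuration, and a packet to the public IP on any service you did not publish is dropped before it ever reaches the access rule, because no NAT policy claims it.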