
Published on December 15th, 2011 | by Kieran


SonicWALL DNS NAT Loopback

Quite often I come across a configuration issue where a client has exposed an internal service (for example Outlook Web Access) through their SonicWALL firewall using a NAT rule. To make things easy to access they then associate their external WAN IP address with a DNS A record via their hosting provider, such as webmail.company.com. The problem arises when a user then tries to access the same URL from behind the firewall: the name resolves to the public WAN address, and the firewall does not by default translate traffic that arrives from the LAN for that address.

The solution is commonly known as a DNS NAT Loopback and is discussed in the SonicWALL Technical Note: SonicOS Enhanced 2.0: Configuring DNS NAT Loopback.

Loopback is supported without any special configurations in both firmware 6.x.x.x and SonicOS 2.0 Standard.

In SonicOS 2.0 Enhanced, you need a custom NAT policy like this:

Original Source: LAN Subnets
Translated Source: WAN Primary IP
Original Destination: WAN Primary IP
Translated Destination: (LAN server object)
Original Service: Any
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

The idea behind this policy is that you must translate your source into a public object if you wish to talk to the public IPs from the LAN. You can apply this to 1:1 NAT, as well. Imagine that you now have a working setup with private side 10.100.0.3 (LAN server object) and public side 3.3.2.10 (WAN server object). You would need this custom NAT Policy:

Original Source: LAN Subnets
Translated Source: WAN Primary IP
Original Destination: (WAN server object)
Translated Destination: (LAN server object)
Original Service: Any
Translated Service: Original
Inbound Interface: LAN Interface
Outbound Interface: Any

This example can be modified to provide the same access for a server on the DMZ (or other zone) by using DMZ server object in place of the LAN server object.
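To show why the translated source matters, here is an added Python simulation of the 1:1 NAT example above; it is not code from the original post or from SonicWALL, and it assumes a constructed WAN Primary IP of 3.3.2.1 and a LAN subnet of 10.100.0.0/24.

```python
import ipaddress

# Constructed values for the page's example: a 1:1 NAT'd server with
# private side 10.100.0.3 and public side 3.3.2.10. The WAN Primary IP
# and LAN subnet below are assumptions, not values from the post.
LAN_SUBNET = ipaddress.ip_network("10.100.0.0/24")
WAN_PRIMARY_IP = "3.3.2.1"
WAN_SERVER = "3.3.2.10"    # public side of the 1:1 NAT (WAN server object)
LAN_SERVER = "10.100.0.3"  # private side of the 1:1 NAT (LAN server object)

# The loopback policy: match original source/destination, rewrite both.
LOOPBACK_POLICY = {
    "orig_src": LAN_SUBNET, "trans_src": WAN_PRIMARY_IP,
    "orig_dst": WAN_SERVER, "trans_dst": LAN_SERVER,
}
# The same policy with the source left untranslated, to show why it fails.
NO_SRC_NAT_POLICY = dict(LOOPBACK_POLICY, trans_src=None)


def apply_nat(policy, src, dst):
    """Return (src, dst) after the policy, or unchanged if it does not match."""
    if ipaddress.ip_address(src) in policy["orig_src"] and dst == policy["orig_dst"]:
        return (policy["trans_src"] or src, policy["trans_dst"])
    return (src, dst)


def hairpin_succeeds(policy, client_ip):
    """Simulate a LAN client connecting to the server's public address.

    The client expects the reply to come from the address it sent to
    (WAN_SERVER). That only happens if the reply passes back through the
    firewall, which reverses the translation. If the server sees a source
    address on its own subnet it replies directly, so the client receives a
    packet from LAN_SERVER for a connection it opened to WAN_SERVER and
    discards it.
    """
    src, dst = apply_nat(policy, client_ip, WAN_SERVER)
    if dst != LAN_SERVER:
        return False  # no destination translation: traffic heads out to the WAN
    if ipaddress.ip_address(src) in LAN_SUBNET:
        reply_src_seen_by_client = LAN_SERVER  # direct reply, bypasses firewall
    else:
        reply_src_seen_by_client = WAN_SERVER  # firewall reverses the NAT
    return reply_src_seen_by_client == WAN_SERVER
```

With the translated source set to WAN Primary IP the hairpin works; with it left as the LAN client's own address the server replies directly and the session fails.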



About the Author

has worked with computers and technology for nearly 20 years. Based in the United Kingdom, he works throughout EMEA as a Solution Consultant, specialising in Fax & Document Distribution technologies. Predominantly blogging on KieranLane.com he can also be found on Twitter @KieranLane, and Flickr.



3 Responses to SonicWALL DNS NAT Loopback

  1. Manikandan says:

    Hi Kieran,

    DNS NAT loop-back forum helped me to resolve my issues.
    Thanks a lot

    Thanks & Regards
    Manikandan.K

  2. Wade says:

    I have wireless users on our DMZ who were not able to access OWA. Your article helped us get it working.

    Thanks

  3. Arjen says:

    This works fine from the LAN. When I connect with the Global VPN Client (that gets a LAN IP address from the DHCP server) it still doesn't work.
