01-27-2020 06:24 AM - edited 01-27-2020 11:46 AM
Hi, can you help me? How can I access Server-A from the WAN? I have 3 devices:
- firewall (sonicwall)
- router (Cisco)
- Switch (Cisco)
with the topology as shown below:
By default, when the Sonicwall firewall is first installed, the x0 and x1 interfaces are activated: x0 as a LAN interface and x1 as a WAN interface.
Interface x0 connects to the router interface gi0/0 and gets the IP address 192.168.168.65 via DHCP from the firewall device.
To drive traffic to Server-A, I created NAT policies and Access rules on my firewall device, as shown below:
192.168.168.65 -------------> referred to as "Web Server"

NAT Policy Settings
====================
Original Source        : Any
Translated Source      : Original
Original Destination   : WAN Interface IP
Translated Destination : Web Server
Original Service       : HTTP
Translated Service     : Original
Inbound Interface      : X1
Outbound Interface     : Any

Access Rules
============
From           : WAN
To             : LAN
Source Port    : HTTP
Service        : HTTP
Source         : Any
Destination    : WAN Interface IP
Users Included : All
Users Excluded : None
Schedule       : Always On
Also, on the Cisco router, I made a NAT policy:
!
ip nat inside source static tcp 172.16.10.10 443 interface gi0/0 80
!
ip access-list standard NAT
 permit 172.16.10.0 0.0.0.255
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
Using the settings above, on the LAN I can access Server-A. Server-A can also access the internet.
But when I try to access Server-A from the WAN, the connection is refused.
Thank you in advance.
01-27-2020 06:47 AM
Do you have enough policy ACL available from your Sonicwall to allow traffic in?
Can you post the full config of the router so we can look at your NAT and ACL?
01-27-2020 11:36 AM
Thank you for responding. "show run" from my router:
Building configuration...
Current configuration : 3025 bytes
cwmp
!
vlan 1
!
vlan 10
 name VLAN-MGMT
!
vlan 16
 name VLAN_DMZ
!
vlan 20
 name VLAN-WIFI
!
!
no service password-encryption
service dhcp
!
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.20.1 192.168.20.9
ip dhcp excluded-address 172.16.10.1 172.16.10.9
!
!
ip dhcp pool User_Pool
 network 192.168.10.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.10.1
!
ip dhcp pool User_Pool_20
 network 192.168.20.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.20.1
!
ip dhcp pool DMZ_Pool
 network 172.16.10.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 172.16.10.1
!
control-plane
!
control-plane protocol
 acpp bw-rate 1250 bw-burst-rate 2500
!
control-plane manage
 port-filter
 arp-car 5
 acpp bw-rate 1250 bw-burst-rate 2500
!
control-plane data
 glean-car 5
 acpp bw-rate 1250 bw-burst-rate 2500
!
enable secret 5 $1$mniP$pC9F4FzyuA3Dxyvx
enable service web-server http
enable service web-server https
!
interface GigabitEthernet 0/0
 ip nat outside
 ip address dhcp
 duplex auto
 speed auto
!
interface GigabitEthernet 0/1
 duplex auto
 speed auto
!
interface GigabitEthernet 0/2
 duplex auto
 speed auto
!
interface GigabitEthernet 0/3
 duplex auto
 speed auto
!
interface GigabitEthernet 1/0
!
interface GigabitEthernet 1/1
 switchport mode trunk
!
interface GigabitEthernet 1/2
!
interface GigabitEthernet 1/3
!
interface GigabitEthernet 1/4
!
interface GigabitEthernet 1/5
!
interface GigabitEthernet 1/6
!
interface GigabitEthernet 1/7
!
interface GigabitEthernet 1/8
!
interface GigabitEthernet 1/9
!
interface GigabitEthernet 1/10
!
interface GigabitEthernet 1/11
!
interface GigabitEthernet 1/12
!
interface GigabitEthernet 1/13
!
interface GigabitEthernet 1/14
!
interface GigabitEthernet 1/15
!
interface GigabitEthernet 1/16
!
interface GigabitEthernet 1/17
!
interface GigabitEthernet 1/18
!
interface GigabitEthernet 1/19
!
interface GigabitEthernet 1/20
!
interface GigabitEthernet 1/21
!
interface GigabitEthernet 1/22
!
interface GigabitEthernet 1/23
!
interface VLAN 1
 ip address 192.168.1.1 255.255.255.0
!
interface VLAN 10
 ip nat inside
 ip address 192.168.10.1 255.255.255.0
!
interface VLAN 16
 ip nat inside
 ip address 172.16.10.1 255.255.255.0
!
interface VLAN 20
 ip nat inside
 ip address 192.168.20.1 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
end
01-27-2020 07:16 AM
Hello,
What IP address are you using to connect from the WAN (I assume with WAN you mean the Internet) to Server-A?
01-27-2020 11:41 AM - edited 01-27-2020 11:44 AM
As inbound, I use IP address 192.168.168.65 on the router interface gi0/0.
01-27-2020 12:39 PM
Hello,
192.168.168.65 is a private space address. From where are you trying to access this address? What is the WAN? Is the WAN the Internet?
I suggest you add the IP addresses to your drawing so we can see how you want to access the server, and from where.
01-27-2020 01:45 PM - edited 01-27-2020 01:53 PM
Firewall devices have 2 interfaces, x0 as a LAN interface and x1 as a WAN interface.
Interface x0 is connected to the router interface gi0/0 and gets the IP address 192.168.168.65 from the firewall device.
Thank you.
01-27-2020 05:25 PM
Adding to the other post: as your drawing does not show any IP addresses, we understand the router has a 192.x IP address. But from the internet, what IP address are you trying to connect to (I hope your WAN definition is the internet)?
So the NAT needs to take place from Sonicwall, Router - then Server.
01-27-2020 07:41 PM - edited 01-27-2020 07:44 PM
I want to access the web server on port 443/80 and redirect to the internal (private) server IP address on port 443, for example:
if in the browser I access the IP address https://36.255.220.93, I am directed to the server computer 172.16.10.12 on port 443. That's it.
Thank you.
01-28-2020 12:52 AM - edited 01-28-2020 12:53 AM
So Do you have on Sonicwall Firewall for this IP
36.255.220.93
If anyone is accessing from outside, do you have NAT and an access list allowing the connection in?
You need to put the config in place for this to work.
1. The Sonicwall is required to allow the outside connection with NAT and ACL (and forward to the router).
2. The router should have an ACL and a forwarding table to the server.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html
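The two-stage forward this answer describes (Sonicwall to router, then router to server) can be checked hop by hop; the following Python model is an added example, not code from the thread. The rules are transcribed from the configs posted above, with the assumption that 36.255.220.93 is the Sonicwall X1 (WAN) address; `Dnat`, `trace` and `first_gap` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dnat:
    """One destination-NAT (port forward) rule on a device."""
    match_ip: str
    match_port: int
    to_ip: str
    to_port: int

# Rules transcribed from the thread. Assumption: the Sonicwall X1 (WAN)
# address is 36.255.220.93, the address the poster browses to.
HOPS = [
    ("sonicwall", [Dnat("36.255.220.93", 80, "192.168.168.65", 80)]),
    ("router",    [Dnat("192.168.168.65", 80, "172.16.10.10", 443)]),
]

def trace(dst_ip, dst_port, hops=HOPS):
    """Walk a TCP connection through each NAT hop.

    Returns (path, delivered): path lists (device, ip, port) after each
    translation; delivered is False when a hop has no rule for the packet,
    meaning that device handles or drops the connection itself.
    """
    path = []
    for device, rules in hops:
        rule = next((r for r in rules
                     if r.match_ip == dst_ip and r.match_port == dst_port), None)
        if rule is None:
            path.append((device, None, None))
            return path, False
        dst_ip, dst_port = rule.to_ip, rule.to_port
        path.append((device, dst_ip, dst_port))
    return path, True

def first_gap(dst_ip, dst_port, hops=HOPS):
    """Name the first device with no matching forward, or None if complete."""
    path, delivered = trace(dst_ip, dst_port, hops)
    return None if delivered else path[-1][0]

if __name__ == "__main__":
    for port in (80, 443):
        print(port, trace("36.255.220.93", port), first_gap("36.255.220.93", port))
```

With the rules as posted, only TCP 80 on the public address has a complete path to the server; TCP 443 stops at the firewall, whose NAT policy lists HTTP as the only original service.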
01-29-2020 03:16 AM
Thank you, I will try your advice. I will return with the results.
01-29-2020 12:35 PM
Hi, using my settings above, on the firewall device, I made a NAT policy using the private-use IP translation 192.168.168.65 (the router IP address, obtained from the firewall device). And now I can access the web server from WAN / LAN.
Thank you guys for your help.