Thanks in advance for your time and any insight you might have.
Using:
SonicWall NSA 2600 (SonicOS Enhanced 6.2.6.0-20n)
Setup:
I currently have a working NAT/Access setup for VPN phones entering from the WAN -> DMZ to a VPN concentrator. I also have an Nginx reverse proxy sitting in the DMZ to which I'm trying to forward HTTP/S from the WAN, and it's set up exactly the same as the working setup for the VPN phones. This is why I don't know the reason it's not working from the WAN. I see no activity in the Nginx access logs, so I don't think it's getting that far.
Note that when I modify the NAT to bypass the reverse proxy and go direct to the destination server's DMZ NIC, it still does not work. However, when I NAT to the destination server's LAN NIC, it works fine. It seems to be an access issue between the WAN and the DMZ, but I have the access rule set up, correctly I assume.
Devices within the DMZ can access each other fine.
Edit:
It also cannot be connected to externally if I assign the Dest Server Public IP to the DMZ zone and set up the public IP directly on the DMZ NIC of the reverse proxy. This probably rules out the NAT and focuses on access rules.
Interfaces:
X1 - WAN
X4 - DMZ
Address Objects:
Dest Server Public IP | 1.2.3.4 | WAN Zone
Reverse Proxy Private IP | 192.168.1.10 | DMZ Zone
Dest Server DMZ IP | 192.168.1.11 | DMZ Zone
NAT:
Original Source: Any
Translated Source: Original
Original Destination: Dest Server Public IP
Translated Destination: Reverse Proxy Private IP
Original Service: HTTP, HTTPS (Service group)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Enable NAT Policy: Checked
Access Rules:
(Note, default "allow all" rules exist for traversing to less secure zones)
Action: Allow
From: WAN
To: DMZ
Source Port: Any
Service: HTTP, HTTPS (Service group)
Source: Any
Destination: Dest Server Public IP
Users Included: All
I didn't have a NAT from private -> public but adding NATs for both DMZ IPs -> Dest Server Public IP does not do anything.
Using various external tools I cannot communicate through HTTP/S to the FQDN of the device in the DMZ. Those tools time out. The only way I can access it is to NAT it to the private IP in the LAN zone. I don't see any logging in the SonicWall related to the NAT while testing.
Firewalld on reverse proxy:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0f0 (temp LAN NIC) enp1s0f1 (DMZ NIC)
sources:
services: ssh dhcpv6-client http https
Is there anything specific I should be looking at? Any ideas?
Thanks again.