How to Enable Port Forwarding and Allow Access to a Server Through the SonicWall via the CLI

Description

This article describes how to access an internet device or server behind the SonicWall firewall using the CLI. To enable port forwarding using the SonicOS interface, please see the article How to Enable Port Forwarding and Allow Access to a Server Through the SonicWall. This process is also known as opening ports, PATing, NAT or Port Forwarding.

For this process the device can be any of the following:
  • Web Server
  • FTP Server
  • Email Server
  • Terminal Server
  • DVR (Digital Video Recorder)
  • PBX
  • SIP Server
  • IP Camera
  • Printer
  • Application Server
  • Any custom Server Roles
  • Game Consoles

Resolution

Manually opening Ports / enabling Port forwarding to allow traffic from the Internet to a Server behind the SonicWall using SonicOS involves the following steps:

  1. Logging into the SonicWall via the CLI
  2. Creating the necessary Address Objects and Service Objects
  3. Creating the appropriate NAT Policies which can include Inbound, Outbound, and Loopback
  4. Creating the necessary Firewall Access Rules

 

TIP: The Public Server Wizard is a straightforward and simple way to provide public access to an internal Server through the SonicWall. The Public Server Wizard will simplify the above three steps by prompting you for information and creating the necessary Settings automatically.

You can learn more about the Public Server Wizard by reading How to open ports using the SonicWall Public Server Wizard.

CAUTION: The SonicWall security appliance is managed by HTTP (Port 80) and HTTPS (Port 443), with HTTPS Management being enabled by default. If you are using one or more of the WAN IP Addresses for HTTP/HTTPS Port Forwarding to a Server, then you must change the Management Port to an unused Port, or change the Port when navigating to your Server via NAT or another method.

Scenario Overview

The following example covers allowing Port 80 (HTTP) from the Internet to a Server on the LAN with the Private IP address 192.168.1.100. Once the configuration is complete, Internet Users can access the Port 80 services behind the SonicWall firewall through the WAN (Public) IP address of 1.1.1.1.

Step 1: Logging into the SonicWall via the CLI

For information on logging in via the CLI, please see How to login to the SonicWall UTM appliance using the Command Line Interface.

Step 2: Creating the Necessary Address Objects and Service Objects

Server Private IP Address Object

configure

address-object ipv4 "My Webserver Private" host 192.168.1.100 zone LAN

commit


Server Public IP Address Object

address-object ipv4 "My Webserver Public" host 1.1.1.1 zone WAN

commit


HTTP Service Object

service-object "Example Service Object" TCP 80 80

commit

Step 3: Creating the Appropriate NAT Policies Which Can Include Inbound, Outbound, and Loopback

Inbound NAT

nat-policy inbound X1 outbound X0 source any translated-source original destination name "My Webserver Public" translated-destination name "My Webserver Private" service name "Example Service Object" translated-service original

commit

Outbound NAT

nat-policy inbound X0 outbound X1 source name "My Webserver Private" translated-source name "My Webserver Public" destination any translated-destination original service name "HTTP" translated-service original

commit


Loopback NAT Policy

nat-policy inbound X0 outbound any source name "Firewalled Subnets" translated-source name "My Webserver Public" destination name "My Webserver Public" translated-destination name "My Webserver Private" service name "Example Service Object" translated-service original

commit

Step 4: Creating the Necessary Firewall Access Rules

access-rule from WAN to LAN action allow source address any service name "Example Service Object" destination address any schedule always-on

commit
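
A review pass over the commands from Steps 2 to 4 before they are committed, as an added example that is not SonicWall's code: the Python sketch below flags NAT policies or access rules that name an object never created, WAN access rules whose destination is any, and service objects that overlap the management ports from the CAUTION. The function name audit and the sample lines are constructed for illustration, "HTTP" and "Firewalled Subnets" are assumed to be default objects, and only the keywords that appear in the commands on this page are parsed.

```python
import shlex

MGMT_PORTS = {80, 443}  # HTTP/HTTPS management ports named in the CAUTION
# Assumption: these two names are default SonicOS objects, so they count as defined.
BUILTIN = {"HTTP", "Firewalled Subnets"}

def audit(lines):
    """Return (line_no, message) findings for a batch of SonicOS CLI lines."""
    defined, findings = set(BUILTIN), []
    for n, line in enumerate(lines, 1):
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "address-object":        # address-object ipv4 "<name>" host ...
            defined.add(tok[2])
        elif tok[0] == "service-object":      # service-object "<name>" TCP <lo> <hi>
            defined.add(tok[1])
            lo, hi = int(tok[3]), int(tok[4])
            hit = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
            if hit:
                findings.append((n, f"service {tok[1]!r} overlaps management ports {hit}"))
        elif tok[0] in ("nat-policy", "access-rule"):
            # Every 'name "<object>"' pair must refer to an object created earlier.
            for i, t in enumerate(tok[:-1]):
                if t == "name" and tok[i + 1] not in defined:
                    findings.append((n, f"undefined object {tok[i + 1]!r}"))
            if tok[:3] == ["access-rule", "from", "WAN"] and "destination" in tok:
                d = tok.index("destination")
                if tok[d + 1:d + 3] == ["address", "any"]:
                    findings.append((n, "WAN rule allows any destination address"))
    return findings

# Constructed sample modeled on the commands above; the inbound NAT policy
# deliberately names an address object that was never created.
SAMPLE = [
    'address-object ipv4 "My Webserver Private" host 192.168.1.100 zone LAN',
    'address-object ipv4 "My Webserver Public" host 1.1.1.1 zone WAN',
    'service-object "Example Service Object" TCP 80 80',
    'nat-policy inbound X1 outbound X0 source any translated-source original '
    'destination name "Example Name Public" translated-destination name '
    '"My Webserver Private" service name "Example Service Object" '
    'translated-service original',
    'access-rule from WAN to LAN action allow source address any service name '
    '"Example Service Object" destination address any schedule always-on',
]

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}")
```

A finding on a service object is a prompt to check the management port, since the conflict described in the CAUTION arises only when the forwarded port and management share a WAN IP address. Restricting the access rule's destination to the server's public address object clears the last finding.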
