Common mistakes with port forwarding

04/22/2021


    Description

    This article lists common mistakes made when creating port forwarding rules, together with the troubleshooting steps that can be taken.

    Resolution

    The firewall first checks whether the destination service is one it uses itself on the WAN interface IP, e.g. HTTP/HTTPS management (TCP 80 and 443 respectively), SSH management (TCP 22), IKE (UDP 500) or SSLVPN (TCP 4433). If it is not, the following series of events takes place:

    1. NAT policy lookup - the firewall goes through the list of NAT policies, matching on source IP, destination IP, service and inbound interface, and stops at the first match in priority order
    2. Determining the destination zone from the NAT lookup - once a match is found, the zone of the translated destination decides which access rules are evaluated, namely those from the source zone to that destination zone (if the translated destination is in the DMZ, only WAN to DMZ access rules are checked)
    3. Checking the necessary access rules - the access rules are evaluated in priority order and evaluation stops at the first match, ignoring all subsequent rules
    4. Taking action based on the access rule - the allow, deny or discard action of the matching access rule is performed
    5. NAT policy action - if the packet is allowed, the source IP, destination IP and service fields are rewritten as described by the NAT policy

    EXAMPLE: Consider forwarding Terminal Services (TCP/UDP 3389) to the internal IP 192.168.168.68 on the LAN, so that RDP can be reached through the WAN address (X1 IP 192.168.188.200).

    NOTE: Usually the X1 IP on the firewall is a public IP that is directly accessible from the Internet; a private IP is used here only as an example.

    Please take a look at How Can I Enable Port Forwarding And Allow Access To A Server Through The SonicWall? for the necessary steps needed for port forwarding.

    Mistakes in Access rules:

    1. Using the private IP instead of the public IP in the destination field.
      Since the access rule lookup takes place before the NAT policy action, the match is always made against the original source, destination and service fields. Rule of thumb: the original source, destination and service fields of the inbound NAT policy are what should be used in the access rule.
    2. Setting the source port to the same value as the service
      Every connection uses a random source port chosen by the host making the connection. Therefore the source port field of the access rule should always be left at Any.
    3. Incorrect destination zone
      Since only the access rules for the determined destination zone are checked, it is essential to create the access rules between the right zones. WAN to LAN access rules are not checked if the translated destination resides in the DMZ.
    4. Not setting the right priority
      Access rules and NAT policies are both evaluated in priority order. An incorrect NAT policy or access rule with a higher priority will prevent the SonicWall from ever reaching the correct rules lower down, simply because of their lower priority. Always give the most specific rules the higher priority.

    Mistakes in NAT policy:

    1. Setting the translated service to the same value as the original service
      When no translation is required for the service, it is essential to leave it at Original. A translated service should only be used for PAT. Setting it otherwise causes problems, especially when a service group is used in the service fields.
    2. Setting no or an incorrect inbound interface.
      Specifying the inbound interface on an inbound NAT policy sets the right priority and triggers the rule only when traffic reaches the firewall on that interface. Leaving it at Any can cause issues when there are multiple WAN interfaces and multiple NAT policies are configured for the public IPs available on each of those interfaces. An incorrect inbound interface will make the firewall overlook this NAT policy completely.
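The evaluation order (steps 1 to 5) and the access-rule and NAT-policy mistakes above, as an added example that is not SonicWall code: a minimal Python model of the inbound lookup with constructed zones, rules and the article's two IPs, showing which misconfigurations end in a policy drop and which leave the NAT policy unmatched.

```python
# Added example, not SonicWall code: a minimal model of inbound steps 1-5 above, with
# constructed zones, IPs and rules; the string "Any" stands in for the firewall's Any.
from dataclasses import dataclass

@dataclass
class NatPolicy:
    orig_dst: str        # original destination (the WAN IP on the wire)
    orig_svc: int        # original destination port
    trans_dst: str       # internal server the traffic is forwarded to
    trans_zone: str      # zone of the translated destination
    inbound_iface: str = "Any"

@dataclass
class AccessRule:
    src_zone: str
    dst_zone: str
    dst: str             # "Any" or an IP, matched against the ORIGINAL destination
    svc: object          # "Any" or a port
    action: str          # "allow" or "deny"
    src_port: object = "Any"   # should stay "Any": clients pick random source ports

def process(pkt, nats, rules):
    # 1. first NAT policy (priority order) matching original dst, service, inbound interface
    nat = next((n for n in nats if n.orig_dst == pkt["dst"] and n.orig_svc == pkt["dport"]
                and n.inbound_iface in ("Any", pkt["iface"])), None)
    if nat is None:
        return "no-nat-match", pkt
    # 2-3. zone comes from the TRANSLATED destination; first access rule there, matched on ORIGINAL fields
    rule = next((r for r in rules if r.src_zone == pkt["src_zone"]
                 and r.dst_zone == nat.trans_zone
                 and r.dst in ("Any", pkt["dst"]) and r.svc in ("Any", pkt["dport"])
                 and r.src_port in ("Any", pkt["sport"])), None)
    # 4. act on the first match; no match at all shows up as a policy drop
    if rule is None or rule.action != "allow":
        return "policy-drop", pkt
    # 5. NAT action: only now is the destination rewritten
    return "allow", {**pkt, "dst": nat.trans_dst}

WAN_IP, SERVER = "192.168.188.200", "192.168.168.68"   # X1 IP and LAN host from the article
RDP_NAT = NatPolicy(WAN_IP, 3389, SERVER, "LAN", inbound_iface="X1")
WRONG_IFACE_NAT = NatPolicy(WAN_IP, 3389, SERVER, "LAN", inbound_iface="X2")  # NAT mistake 2
PKT = {"src_zone": "WAN", "iface": "X1", "sport": 51512, "dst": WAN_IP, "dport": 3389}  # RDP SYN

def verdict(*rules):   # verdict for PKT under these access rules, highest priority first
    return process(PKT, [RDP_NAT], list(rules))[0]

CORRECT   = AccessRule("WAN", "LAN", WAN_IP, 3389, "allow")
MISTAKE_1 = AccessRule("WAN", "LAN", SERVER, 3389, "allow")                 # private IP as destination
MISTAKE_2 = AccessRule("WAN", "LAN", WAN_IP, 3389, "allow", src_port=3389)  # source port = service
MISTAKE_3 = AccessRule("WAN", "DMZ", WAN_IP, 3389, "allow")                 # wrong destination zone
DENY_ALL  = AccessRule("WAN", "LAN", "Any", "Any", "deny")                  # shadows CORRECT if above it
```

Only CORRECT allows the sample packet, and only when no broader deny rule sits above it; the NAT policy bound to X2 never matches at all.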

    TIP: Always test the port forwarding internally using the internal IP first. If that does not work, it will not work from outside the network as well.

    With all of the above taken care of, there may still be situations where port forwarding fails. The best way to troubleshoot port forwarding is a packet capture. For more details on the Packet Monitor tool, please check How Can I Setup And Utilize The Packet Monitor Feature For Troubleshooting?

    Always capture packets using the following method, as it shows the translated packets and makes it easier to find the root cause: filter on the source IP field with the IP you are testing from. This shows the translated destination and service after the firewall performs the NAT.

    Working scenario: (packet capture screenshot in the original article)

    Here are a few scenarios along with their troubleshooting steps:

    1. Packets not reaching the firewall
      Not all ports are always allowed inbound to the firewall by the upstream device. Especially when dealing with custom ports, verify with your ISP that those ports are allowed through to the firewall. If the traffic does not reach the firewall, it cannot take any action on it.
    2. Packets being dropped as Policy drop
      This can happen for several reasons:
      a) The access rules are created between incorrect zones
      b) The source port is set to something specific in the access rule
      c) The translated destination belongs to the L2TP IP pool. SonicWall binds the L2TP IP pool to the VPN zone regardless of whether an IP in it is currently in use by an L2TP client. Make sure that this pool is always set to a reserved range that is not used anywhere else.
    3. The packets reach the firewall but stay in consumed/received status
      a) Check the MANAGE | Network | ARP table and make sure that the ARP entry for the internal device you are trying to reach is present
      b) Try a ping test from the firewall from INVESTIGATE | System Diagnostics, using the ping tool under Diagnostic tools
      c) Also check the MANAGE | Network | Routing section to make sure that no incorrect routes are added for that destination IP
    4. Packets are allowed but there is no response
      a) Make sure that the translated destination is the right private address. If not, check the priority of the NAT policy
      b) If the translated destination is correct, make sure that no Windows firewall or third-party AV on the host is blocking the traffic. Another reason could be a different default gateway on the end machine, so that the response goes to a different device instead of coming back through the firewall.
    5. Packets are allowed but the internal machine sends an ACK+RST
      This usually happens when the service is not running on that machine or is running on a different port.
      Use the following command at the command prompt of a Windows device to see whether the required ports are open on the internal machine; open ports are shown in the LISTENING state:
      netstat -an

      For a specific port number, use the command below, replacing 3389 with the desired port number:
      netstat -an 1 | find "3389"
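As an added example that is not part of the article, the Python snippet below parses netstat -an output from a Windows host and checks not just that the port is in the LISTENING state but also that it is bound to something other than the loopback address, since a service listening only on 127.0.0.1 answers forwarded traffic with RST exactly as a stopped service would. The netstat text is constructed sample data.

```python
# Added example, not from the article: check "netstat -an" output (Windows format) for a
# listener on a given port and whether it is reachable from the network at all.
import re

# Constructed sample output: RDP (3389) is bound only to loopback over TCP here.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3389         0.0.0.0:0              LISTENING
  TCP    192.168.168.68:445     192.168.168.10:50122   ESTABLISHED
  UDP    0.0.0.0:3389           *:*
"""

# proto, local address, local port, foreign address, optional state (UDP rows have none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(netstat_output, port):
    """Return [(proto, local_addr)] for sockets on `port` that accept new traffic."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m or int(m.group(3)) != port:
            continue
        proto, addr, state = m.group(1), m.group(2), m.group(5)
        # TCP must be LISTENING; a bound UDP socket shows no state column at all
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, addr))
    return found

def reachable_from_network(netstat_output, port, proto="TCP"):
    """True only if the service is bound to all interfaces or a non-loopback address."""
    return any(p == proto and not addr.startswith("127.") and addr != "[::1]"
               for p, addr in listeners(netstat_output, port))
```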


    See also:

    • How Can I Configure Port Address Translation (PAT) Or Port Redirection?
    • Access A Server Behind The SonicWall From Internal Networks Using Public IPs (Loopback NAT)
    • How Do I Configure NAT Policies On A SonicWall Firewall?
