Unlike most consumer routers, SonicWall firewalls do not perform NAT loopback (hairpin NAT) automatically: a reflexive NAT policy that maps the WAN interface IP to an internal server only covers traffic arriving on the WAN interface. As a result, a locally hosted public server is reachable from the internet and can reach the internet itself, but computers on the LAN or DMZ cannot reach it through its public IP address or FQDN (by its private address it remains reachable, subject to the access rules). This article describes how to set up a loop-back NAT policy that allows firewalled computers to access a server using the server's public IP address or FQDN.
A NAT policy that maps the public WAN IP address to a server behind the SonicWall only covers connections that arrive on the WAN interface. To let computers on the LAN, DMZ or any other firewalled network reach the server by its public address, a loop-back NAT policy is needed that, for traffic whose source is one of the firewalled subnets and whose destination is the WAN interface IP, translates the destination to the server's private IP address and the source to the WAN interface IP. The source translation is not optional: without it the server would answer the client directly from its private address (when client and server share a subnet the reply would not even pass through the firewall), the client would receive a reply from an address it never connected to, and the TCP handshake would fail. The price of the source translation is that the server sees and logs every firewalled client as the WAN interface IP rather than its real address. The policy is created by performing the following steps:
- Log in to the SonicWall management interface
- Navigate to Network → NAT Policies (the exact menu path varies with the SonicOS version)
- Click the Add button
- Create the following entry:
  - Original Source: Firewalled Subnets
  - Translated Source: WAN Interface IP
  - Original Destination: WAN Interface IP
  - Translated Destination: [Server IP Address Object]
  - Original Service: [Server Service Group]
  - Translated Service: Original
  - Inbound Interface: Any
  - Outbound Interface: Any
Leave the Create a reflexive policy option unchecked. If not already done, create the address object for the server's IP address and the service group for the server's services before adding the policy. Afterwards, test from a firewalled computer by connecting to the server's public IP address or FQDN; if the connection still fails, check that the access rules between the client's zone and the server's zone permit the service.
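To see why the entry above translates both the source and the destination, here is a small Python model of NAT policy matching. It is an added illustration, not SonicWall code, and calls no SonicOS API; the addresses, the service group, the client hosts and the policy names are all constructed for the example. It walks a TCP SYN from a client to the server's public address and the server's SYN-ACK back, once with only the inbound WAN policy, once with a loop-back entry whose Translated Source was left at Original, and once with the full loop-back entry.

```python
"""Toy model of SonicWall-style NAT policy matching (added illustration, not
SonicWall code).  It walks a TCP SYN from a client to the server's public
address and the SYN-ACK back, to show why the loop-back entry must translate
the source to the WAN interface IP as well as the destination to the server.
All addresses, services and policy names are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the page's address objects (assumptions).
WAN_IP = ip_address("203.0.113.10")                       # WAN Interface IP
SERVER_IP = ip_address("192.168.1.50")                    # [Server IP Address Object]
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("172.16.0.0/24")
FIREWALLED_SUBNETS = (LAN_NET, DMZ_NET)                   # Firewalled Subnets group
SERVER_SERVICES = frozenset({("tcp", 80), ("tcp", 443)})  # [Server Service Group]
LAN_CLIENT = ip_address("192.168.1.20")                   # constructed test clients
DMZ_CLIENT = ip_address("172.16.0.9")
INTERNET_CLIENT = ip_address("198.51.100.7")


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    proto: str = "tcp"
    dport: int = 443


@dataclass(frozen=True)
class NatPolicy:
    """One NAT entry. None means Any for a match field and Original for a translation."""
    name: str
    original_source: tuple = None      # networks the source must belong to
    original_dest: object = None       # exact destination address
    original_service: frozenset = None
    translated_source: object = None
    translated_dest: object = None
    inbound_zone: str = None           # zone the packet enters from


def zone_of(ip):
    """Zone lookup for the constructed topology."""
    return "LAN" if ip in LAN_NET else "DMZ" if ip in DMZ_NET else "WAN"


def matches(policy, pkt):
    if policy.original_source is not None and not any(pkt.src in n for n in policy.original_source):
        return False
    if policy.original_dest is not None and pkt.dst != policy.original_dest:
        return False
    if policy.original_service is not None and (pkt.proto, pkt.dport) not in policy.original_service:
        return False
    if policy.inbound_zone is not None and zone_of(pkt.src) != policy.inbound_zone:
        return False
    return True


def translate(policies, pkt):
    """First matching policy wins, as in an ordered NAT table; returns (policy name, packet)."""
    for p in policies:
        if matches(p, pkt):
            src = pkt.src if p.translated_source is None else p.translated_source
            dst = pkt.dst if p.translated_dest is None else p.translated_dest
            return p.name, Packet(src, dst, pkt.proto, pkt.dport)
    return None, pkt


def simulate(policies, client_ip):
    """Return (handshake_ok, policy_used, client address as seen by the server)."""
    syn = Packet(client_ip, WAN_IP)
    policy, fwd = translate(policies, syn)
    if fwd.dst == WAN_IP:
        # No policy rewrote the destination, so the SYN terminates on the firewall itself.
        return False, policy, None
    # The server answers whatever source address it saw.
    reply = Packet(SERVER_IP, fwd.src, fwd.proto, fwd.dport)
    if zone_of(reply.dst) != zone_of(SERVER_IP):
        # The reply is routed through the firewall, which undoes its own translation.
        reply = Packet(syn.dst, syn.src, fwd.proto, fwd.dport)
    # Otherwise the reply stays on the server's subnet and never crosses the firewall.
    # The client only accepts a SYN-ACK that comes from the address it connected to.
    ok = reply.dst == client_ip and reply.src == WAN_IP
    return ok, policy, fwd.src


# The policy the article says is already present: inbound WAN traffic to the server.
INBOUND_POLICY = NatPolicy("wan-to-server", original_dest=WAN_IP, original_service=SERVER_SERVICES,
                           translated_dest=SERVER_IP, inbound_zone="WAN")
# The loop-back policy from the step list above.
LOOPBACK_POLICY = NatPolicy("loopback", original_source=FIREWALLED_SUBNETS, original_dest=WAN_IP,
                            original_service=SERVER_SERVICES, translated_source=WAN_IP,
                            translated_dest=SERVER_IP)
# A common mistake: the same entry with Translated Source left at Original.
HALF_LOOPBACK_POLICY = NatPolicy("loopback-no-snat", original_source=FIREWALLED_SUBNETS,
                                 original_dest=WAN_IP, original_service=SERVER_SERVICES,
                                 translated_dest=SERVER_IP)

if __name__ == "__main__":
    for label, table in [("inbound only", [INBOUND_POLICY]),
                         ("loopback without source NAT", [INBOUND_POLICY, HALF_LOOPBACK_POLICY]),
                         ("full loopback", [INBOUND_POLICY, LOOPBACK_POLICY])]:
        print(f"{label:28s} -> {simulate(table, LAN_CLIENT)}")
```

With only the inbound policy the LAN client's SYN is never translated and dies on the firewall; with the half loop-back entry the server replies to the client's private address on the same subnet, the reply bypasses the firewall and the client discards it; with the full entry the handshake succeeds, and the third value returned shows the caveat from the text, namely that the server sees the client as the WAN interface IP. Internet clients still hit the ordinary inbound policy because their source is not in Firewalled Subnets.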