douglas1942
New Member
November 30, 2021
Question

Converting ports without IP change?

Hello, I am trying to convert incoming port 22 to 2222 with a VIP rule. However I want to keep the same external and internal IP address. The VIP will not accept this.

Is there any way to only convert incoming ports with the same address?

3 replies

Debbie_FTNT
Staff & Editor
December 1, 2021
pavankr5
Staff
August 11, 2023

Hello @douglas1942

It sounds like you're trying to set up port forwarding using a VIP but you want to maintain the same external and internal IP addresses.

If your VIP doesn't allow you to change the port number while keeping the same IP address, then instead of changing the incoming port, consider using a different external port for SSH altogether (e.g., port 2222) and leave the internal port at 22. This way, you won't need to perform any port translation.

Remember that whenever you make changes to your network configuration, especially involving port forwarding and SSH, test the behavior in a closed environment. Let us know if you have any queries.

Thanks

AndyGron
Staff
April 10, 2026

I recently had the same need, and this article came up a number of times in my searching, so I'm posting the solution I found.

Debbie_FTNT has a link to the solution article, but the answer is hidden towards the bottom and offered as a suggestion, when in our use case it is a must.

Normal VIPs don't allow the same IP as external and internal, we fix this by selecting "set type load-balance" in the VIP configuration.

The next problem we run into is that this VIP will blackhole all traffic for the IP in question.
This is because VIPs by default have "arp-reply" enabled.
This command makes the FortiGate "own" the IP address in question and basically stop forwarding traffic to the actual host.

Here is a working config:

A PC on the external port (port10) is trying to SSH to a Server on the internal port (port5), but the server runs SSH on 2222 instead of 22.
Note that the firewall rule needs to reference the internal service (the service post-translation) to allow the traffic.

config firewall vip
    edit "VIP_SSH_Test"
        set type load-balance
        set service "SSH"
        set extip 192.168.111.100
        set mappedip "192.168.111.100"
        set extintf "port10"
        set arp-reply disable
        set portforward enable
        set mappedport 2222
    next
end

config firewall policy
    edit 0
        set name "SSH Test"
        # port10 = external port
        set srcintf "port10"
        # port5 = internal port, where the server is hosted
        set dstintf "port5"
        set action accept
        set srcaddr "all"
        # the VIP defined above
        set dstaddr "VIP_SSH_Test"
        set schedule "always"
        set service "ALL_ICMP" "SSH_2222"
        set logtraffic all
    next
end
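As an added example (not part of the thread and not Fortinet code), a small Python lint that parses a `config firewall vip` stanza and flags the two pitfalls AndyGron describes: a VIP whose extip equals its mappedip but is not `type load-balance`, and `arp-reply` left at its default of enable, which makes the FortiGate claim the address and blackhole the real host. The sample stanzas are constructed from the thread's config; the FortiOS default of `static-nat` when `set type` is absent is assumed.

```python
# Constructed samples: the working VIP from the thread, and a variant that
# omits "set type" and "set arp-reply" (so both fall back to FortiOS defaults).
WORKING_VIP = """
config firewall vip
    edit "VIP_SSH_Test"
        set type load-balance
        set extip 192.168.111.100
        set mappedip "192.168.111.100"
        set extintf "port10"
        set arp-reply disable
        set portforward enable
        set mappedport 2222
    next
end
"""

BROKEN_VIP = """
config firewall vip
    edit "VIP_SSH_Broken"
        set extip 192.168.111.100
        set mappedip "192.168.111.100"
        set extintf "port10"
        set portforward enable
        set mappedport 2222
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} from a 'config firewall vip' block."""
    vips, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vips[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            vips[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return vips

def lint_vip(settings):
    """Flag the same-IP pitfalls from the thread; defaults assumed: type static-nat, arp-reply enable."""
    problems = []
    same_ip = settings.get("extip") == settings.get("mappedip")
    if same_ip and settings.get("type", "static-nat") != "load-balance":
        problems.append("same extip/mappedip requires 'set type load-balance'")
    if same_ip and settings.get("arp-reply", "enable") != "disable":
        problems.append("arp-reply enabled: FortiGate owns the IP and blackholes the host")
    if settings.get("portforward") == "enable" and "mappedport" not in settings:
        problems.append("portforward enabled without mappedport")
    return problems

def lint_config(text):
    return {name: lint_vip(s) for name, s in parse_vips(text).items()}
```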