Description
This article describes how to use Virtual IPs (VIPs) to configure port forwarding.
This configuration allows users on the Internet to connect to the server protected behind a firewall, without knowing the server’s internal IP address and only through chosen ports.
Solution
Diagram:
- Creating three VIPs. Go to Policy & Objects -> Virtual IPs -> Create New -> Virtual IP. Enter the External IP Address/Range, and enter the mapped IP Address/Range. enable Port Forwarding and add a VIP for TCP port 80, webserver-http.
While this example maps port 80 to port 80, any valid external service port can be mapped to any listening port on the destination.
CLI:
config firewall vip
edit "webserver-http"
set extip 172.20.121.67
set mappedip "192.168.100.1"
set extintf "wan1"
set portforward enable
set extport 80
set mappedport 80
next
end
Create a second VIP for TCP port 21, webserver-ftp.
CLI:
config firewall vip
edit "webserver-ftp"
set extip 172.20.121.67
set mappedip "192.168.100.1"
set extintf "wan1"
set portforward enable
set extport 21
set mappedport 21
next
end
Create a third VIP for TCP port 22, webserver-ssh.
CLI:
config firewall vip
edit "webserver-ssh"
set extip 172.20.121.67
set mappedip "192.168.100.1"
set extintf "wan1"
set portforward enable
set extport 22
set mappedport 22
next
end
Note:
In the case of dynamic public IP from an ISP, external IP can be 0.0.0.0. In that case, make sure to specify 'Interface' because 0.0.0.0 cannot be used with 'any' interface.
In the case of dynamic public IP from an ISP, external IP can be 0.0.0.0. In that case, make sure to specify 'Interface' because 0.0.0.0 cannot be used with 'any' interface.
- Adding VIPs to a VIP group. Go to Policy & Objects -> Virtual IPs -> Create New -> Virtual IP Group and create a VIP group, in this example, a webserver group.
Under Members, include all three VIPs previously created.
CLI:
config firewall vipgrp
edit "webserver group"
set interface "wan1"
set member "webserver-ftp" "webserver-http" "webserver-ssh"
next
end
- Creating a security policy. Go to Policy & Objects -> IPv4 Policy and create a security policy allowing access to a server behind the firewall.
Set the Incoming interface to the Internet-facing interface, the outgoing interface to the interface connected to the server, and the destination address to the VIP group (webserver group).
If the FortiGate has Central NAT enabled, the VIP objects will not be available for selection in the policy editing window. Set service to allow HTTP, FTP, and SSH traffic.
NAT is disabled for this policy so that the server sees the source addresses of the packets it receives. This is the preferred setting for several reasons.
For example, the server logs will be more meaningful if they record the actual source addresses of users. Use the appropriate security profiles to protect the servers.
CLI:
config firewall policy
edit 1
set name "port forwarding"
set srcintf "wan1"
set dstintf "lan"
set action accept
set srcaddr "all"
set dstaddr "webserver group"
set schedule "always"
set service "FTP" "HTTP" "SSH"
set utm-status enable
set av-profile "default"
set ips-sensor "default"
next
end
Note:
In case the VIP is not shown to be chosen as the destination in policy, it is because the incoming interface of the policy is different than the interface binding configured from the VIP. Make sure the binding interface is as same as the incoming interface on the policy or use 'any' instead when configuring VIP.
In case the VIP is not shown to be chosen as the destination in policy, it is because the incoming interface of the policy is different than the interface binding configured from the VIP. Make sure the binding interface is as same as the incoming interface on the policy or use 'any' instead when configuring VIP.
Result.
To ensure that TCP port 80 is open, connect to the web server from a remote connection on the other side of the firewall.
Ensure that TCP port 21 is open by using an FTP client to connect to the FTP server from a remote connection on the other side of the firewall.
Finally, ensure that TCP port 22 is open by connecting to the SSH server from a remote connection on the other side of the firewall.
