Port Translation only one port
Here's my scenario: I have a VIP public IP NAT'ing to a private IP.
I need port 443 to be port forwarded to 8543, but I need everything else
(HTTP, SSH, ICMP) to be NAT'ed but with no port translation.
I can't figure it out. Is this even possible?
Thanks
You can try something like this. I don't like this solution though. I don't understand why you can't have a generic external IP to internal IP mapping without specifying the source/destination ports, but I might just be missing something.
I tested the below config and it works for me.
external interface = port1
DMZ interface = port2
external VIP IP = 172.16.233.10
DMZ host IP = 192.168.10.10
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "webserver-vip-443"
        set action accept
        set schedule "always"
        set service "HTTPS" "TCP-8543"
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "webserver-vip-ssh"
        set action accept
        set schedule "always"
        set service "SSH"
    next
end

# show firewall vip
config firewall vip
    edit "webserver-vip-443"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set mappedip 192.168.10.10
        set extport 443
        set mappedport 8543
    next
    edit "webserver-vip-ssh"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set mappedip 192.168.10.10
        set extport 22
        set mappedport 22
    next
end
@fmurray
It's doable by configuring two VIPs: the first one to precisely define 443 to 8543, and the other one configured as a range (external port range and internal port range).
Mohammad
Mohammad Al-Zard
ha ha, Istvan circumvented the problem very cleverly!
The second VIP HAS to be port forwarding as well as the first one, or you will get a "duplicate IP" warning. VIPs do not follow the top-down policy ordering (as they do a lot more than just NAT, for example proxy ARP).
So, in fact, I think you can do with 3 VIPs:
policy 1: VIP port 443->8543
policy 2: VIP port [1-442]->[1-442]
policy 3: VIP port [444-1023]->[444-1023]
Thank you lightmoon1992 for the hint to use port ranges.
Note that you will only get TCP/UDP through these VIPs, no ICMP/ping for example. Only non-port forwarding VIPs can do that.
Ede Kernel panic: Aiee, killing interrupt handler!
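The three-VIP layout Ede describes, written out as FortiOS CLI in the same style as Istvan's config above. This is an added example, not configuration posted in the thread: the interface names and addresses are carried over from Istvan's post, while the VIP names, the VIP group and the single policy that references it are assumptions about how you would put it together.

```text
config firewall vip
    edit "webserver-vip-443"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set mappedip 192.168.10.10
        set extport 443
        set mappedport 8543
    next
    edit "webserver-vip-low"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set mappedip 192.168.10.10
        set extport 1-442
        set mappedport 1-442
    next
    edit "webserver-vip-high"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set mappedip 192.168.10.10
        set extport 444-1023
        set mappedport 444-1023
    next
end

config firewall vipgrp
    edit "webserver-vipgrp"
        set interface "port1"
        set member "webserver-vip-443" "webserver-vip-low" "webserver-vip-high"
    next
end

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "webserver-vipgrp"
        set action accept
        set schedule "always"
        set service "HTTPS" "HTTP" "SSH"
    next
end
```

Only the TCP ports listed in the policy's services are reachable through this, and as Ede notes, ICMP will not pass through port-forwarding VIPs at all.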