Support Forum
fmurray
New Contributor

Port Translation only one port

Here's my scenario: I have a VIP public IP NAT'ing to a private IP. I need port 443 to be port forwarded to 8543, but I need everything else (HTTP, SSH, ICMP) to be NAT'ed with no port translation. I can't figure it out. Is this even possible? Thanks
Istvan_Takacs_FTNT

You can try something like this. I don't like this solution though. I don't understand why you can't have a generic external IP to internal IP mapping without specifying the source/destination ports, but I might just be missing something. I tested the below config and it works for me.

external interface = port1
DMZ interface = port2
external VIP IP = 172.16.233.10
DMZ host IP = 192.168.10.10

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "webserver-vip-443"
        set action accept
        set schedule "always"
        set service "HTTPS" "TCP-8543"
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "webserver-vip-ssh"
        set action accept
        set schedule "always"
        set service "SSH"
    next
end

# show firewall vip
config firewall vip
    edit "webserver-vip-443"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set mappedip 192.168.10.10
        set extport 443
        set mappedport 8543
    next
    edit "webserver-vip-ssh"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set mappedip 192.168.10.10
        set extport 22
        set mappedport 22
    next
end
lightmoon1992
New Contributor

@fmurray It's doable by configuring two VIPs: the first one to precisely define 443 to 8543 and the other one configured as a range (external port range and internal port range). Mohammad

Mohammad Al-Zard


ede_pfau
Esteemed Contributor III

Ha ha, Istvan circumvented the problem very cleverly! The second VIP HAS to be port forwarding as well as the first one, or you will get a "duplicate IP" warning. VIPs do not follow the top-down policy ordering (as they do a lot more than just NAT, for example proxy ARP). So, in fact, I think you can do it with 3 VIPs: policy 1: VIP port 443->8543; policy 2: VIP port [1-442]->[1-442]; policy 3: VIP port [444-1023]->[444-1023]. Thank you lightmoon1992 for the hint to use port ranges. Note that you will only get TCP/UDP through these VIPs, no ICMP/ping for example. Only non-port forwarding VIPs can do that.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
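The three-VIP layout that ede_pfau sketches (building on lightmoon1992's port-range hint), written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread: the addresses and interfaces reuse Istvan's values (external 172.16.233.10 on port1, DMZ host 192.168.10.10 behind port2), the port numbers come from ede_pfau's reply, and the object names ("web-vip-443-to-8543", "web-vip-1-442", "web-vip-444-1023", "web-vip-group", "inbound-dmz-web") are assumptions.

```fortios
# Added example (not from the thread). Three port-forwarding VIPs on the
# same external IP: one that actually translates 443 -> 8543 and two
# 1:1 ranges either side of it. All three are port-forwarding VIPs, so
# they can share the extip without the "duplicate IP" warning.
# Object names below are assumed; addresses/ports are from the thread.
config firewall vip
    # 1) the single translated port
    edit "web-vip-443-to-8543"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip 192.168.10.10
        set mappedport 8543
    next
    # 2) ports below 443, forwarded unchanged
    #    (external and mapped ranges must be the same width)
    edit "web-vip-1-442"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set protocol tcp
        set extport 1-442
        set mappedip 192.168.10.10
        set mappedport 1-442
    next
    # 3) ports above 443 up to 1023, forwarded unchanged
    edit "web-vip-444-1023"
        set extip 172.16.233.10
        set extintf "port1"
        set portforward enable
        set protocol tcp
        set extport 444-1023
        set mappedip 192.168.10.10
        set mappedport 444-1023
    next
end

# Group the three VIPs so a single policy can reference them
config firewall vipgrp
    edit "web-vip-group"
        set interface "port1"
        set member "web-vip-443-to-8543" "web-vip-1-442" "web-vip-444-1023"
    next
end

# One inbound policy; the VIP definitions decide which ports exist
config firewall policy
    edit 1
        set name "inbound-dmz-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web-vip-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The policy uses service "ALL" so that only the VIP port ranges limit what is reachable; narrow it to the specific services you expose once the forwarding behaves as expected, and keep logging on so unexpected destination ports show up in the traffic log. The VIPs above are TCP only (`set protocol tcp`); UDP services need a second copy of the range VIPs with `set protocol udp`. As ede_pfau notes, ICMP to the public IP will not pass through port-forwarding VIPs, so ping to 172.16.233.10 is expected to fail with this layout.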