(2 April 2012)
(
Source)If you have multiple ports from the same destination IP being forwarded to different ports/systems, add the additional targets as separate pools, and the NAT rules as separate rules in the same rule-set:Don't forget your security policies. Note that the port in the security policy must refer to the address and port on the target system, not the public IP port (ie in our example above mapping port 8080 to port 80, the security policy must refer to destination ip 192.168.1.100 and port 80).Note: don't be confused that the rule name is the same as the nat pool -- this isn't mandatory, it just happened to be like that in the example I was working from.
Problem
I want to create a ScreenOS-type VIP (aka a port forward) where one port on one IP is mapped to an unrelated port on another internal IP.For example I want the firewall to listen on public IP 1.1.1.2 port 8080 and forward that traffic to 192.168.1.100 port 80.Solution
Define a single-target NAT pool:set security nat destination pool web-1 address 192.168.1.100/32 set security nat destination pool web-1 address port 80 set security nat destination rule-set incoming-web from zone untrust set security nat destination rule-set incoming-web rule web1 match destination-address 1.1.1.2/32 set security nat destination rule-set incoming-web rule web1 match destination-port 8080 set security nat destination rule-set incoming-web rule web1 then destination-nat pool web-1
Source)If you have multiple ports from the same destination IP being forwarded to different ports/systems, add the additional targets as separate pools, and the NAT rules as separate rules in the same rule-set:set security nat destination pool web-1 address 192.168.1.100/32 set security nat destination pool web-1 address port 80 set security nat destination pool web-2 address 192.168.1.100/32 set security nat destination pool web-2 address port 443 set security nat destination pool smtp-1 address 192.168.1.99/32 set security nat destination pool smtp-1 address port 25 set security nat destination rule-set incoming-traffic from zone untrust set security nat destination rule-set incoming-traffic rule web1 match destination-address 1.1.1.2/32 set security nat destination rule-set incoming-traffic rule web1 match destination-port 8080 set security nat destination rule-set incoming-traffic rule web1 then destination-nat pool web-1 set security nat destination rule-set incoming-traffic rule web2 match destination-address 1.1.1.2/32 set security nat destination rule-set incoming-traffic rule web2 match destination-port 443 set security nat destination rule-set incoming-traffic rule web2 then destination-nat pool web-1 set security nat destination rule-set incoming-traffic rule smtp1 match destination-address 1.1.1.2/32 set security nat destination rule-set incoming-traffic rule smtp1 match destination-port 25 set security nat destination rule-set incoming-traffic rule smtp1 then destination-nat pool smtp-1
no comments |
post comment
Virtual Dave Megaplex:
- Home Page
- This wiki's start page
- Send Feedback To Dave
Logged in Users: (1)
Recently Changed
Check Internet Service Database Match- Device-Local Certificate Expired
- CLI Policy Lookup
- DH Selection For IPsec VPNs
- Scan For Newly Added Disk
- nmap
- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.