
Allow single IP host through UTM to internal device/port

I have a contract service tech who works offsite (we'll call Sam), and I have a "box" that he needs to access on-demand from time to time. Sam has a static public IP that needs to get through our SG UTM 9 to the box at 192.168.x.x, port 8080. I've had 1:1 setup which has worked fine until some fine folk found this little hole and have attacked it repeatedly with floods  & such. So now I only want Sam's IP to get through to the box.

Having RULZ 1-5 staring me in the face, I've tried a number of variations of NAT, with and without a firewall rule... firewall rule alone. I've even changed precedence of the rules temporarily. So to simplify, I need:
Only Sam at 1.2.3.4 -> to get through our UTM at 5.6.7.8 -> to the box at 192.168.x.x:8000

I've found a few similar threads but none were answered as solved or were similar enough to resolve this. This should be easy and I'm sure I've over thought it.

Thank you
Tom



  • You can change the source port too. For example 3395 -> 3389 (RDP). And nobody will attempt to log on to your PC.

  • Just to be clear, this is not a PC that is being accessed, it is a special comm control device with a WEB interface.

  • Sam's IP is defined as Host. Thanks & yes, Web Filter is active, that never occurred to me. Changing to 8000 which is one of the comm devices choices. I'll report back when he contacts me this morning.

  • Still not working. I have this DNAT:

    • For traffic from: Tech (1.2.3.4)
    • Using Service: 8000
    • Going to: WAN (Address) (3.4.5.6)
    • Change destination to: 192.168.x.x (comm box)
    • And the service to: (blank)
    • Automatic firewall rule: Yes

    Here's what I'm getting in the FW log:

                       Tech's IP     to    my external IP
    NAT rule #3  TCP  1.2.3.4:58384 →  5.6.7.8:8000

    It should be:

                       Tech's IP     to    IP of comm box
    NAT rule #3  TCP  1.2.3.4:58384 →  192.168.x.x:8000

    The strange thing is that I have two other DNATs to the same box, but using different ports, and they "forward" correctly. The only difference is that the "Traffic From" is Any. It doesn't like a source IP.

    Anything? Thanks.

  • Try and move the DNAT rule to the top

  • Thanks but it's been at the top since I started having issues.

  • On my home UTM (I'm not at work), my NAT rule X shows the remote IP hitting my external IP (WHITE colour), which is then followed by the remote IP hitting the internal IP (GREEN colour, auto-generated rule).

  • The firewall log is correct. What confuses me is the destination port. Is it 8080 or not? If your internal port is 8080, the destination port must not be BLANK.

    The correct rule:

    • For traffic from: Tech (1.2.3.4)
    • Using Service: 8000
    • Going to: WAN (Address) (3.4.5.6)
    • Change destination to: 192.168.x.x (comm box)
    • And the service to: (8080)
    • Automatic firewall rule: Yes

    You can test it with your 3G mobile phone ip and see the firewall log RED

  • The port needed for the comm box is now 8000; we changed it on both sides. It turns out that the tech's software is changing ports every time he tries to connect, which is what it always did when it was working. As I stated, none of my DNATs to this box have "Service To". The service is passed (forwarded) to the comm box.

    What I don't get is that when I change the "For Traffic From" to Any and leave "Service To" blank (on port 8000), he gets in. As soon as I put his IP in, he can't. And yet the firewall doesn't drop it (green to 192.168.x.x). So now I'm thinking maybe the software on his laptop needs a tweak or something in the comm box. I'm looking at that now.

    I appreciate the suggestions, I'll update later.

  • Maybe the tech's IP is not correct.

  • I checked all the potentially "stupid mistake" items already... double & triple checked.

  • It turned out to be the software on the tech's laptop: it had two places where the port had to be changed to 8000. Sigh...

    So my original change worked:

    • For traffic from: Tech (1.2.3.4)
    • Using Service: 8000
    • Going to: WAN (Address) (3.4.5.6)
    • Change destination to: 192.168.x.x (comm box)
    • And the service to: (blank)
    • Automatic firewall rule: Yes
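The DNAT behaviour this thread circles around (a source-restricted rule, a blank "And the service to" field that keeps the original destination port, and a client that quietly kept using the old port) can be modelled and checked offline. The following Python is an added example written for this page; it is not UTM code and not anything posted above. It assumes the semantics the posters describe: first matching rule wins in precedence order, "For traffic from: Any" means no source restriction, and a blank "service to" preserves the incoming destination port. The addresses are the placeholders used in the thread (1.2.3.4, 5.6.7.8, 192.168.x.x), and the log-line parser is written against the log format quoted above, so the `NAT rule #N` regex and the function names are assumptions for illustration.

```python
"""Model of a Sophos UTM-style DNAT rule with a source-host restriction.

Added illustration only (not UTM code). Rule fields mirror the forum post:
'For traffic from', 'Using service', 'Going to', 'Change destination to',
'And the service to' (blank = keep the original destination port).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder addresses taken from the thread; 192.168.x.x stands in for the
# redacted internal address exactly as the posts write it.
TECH_IP = "1.2.3.4"
WAN_IP = "5.6.7.8"
INTERNAL_BOX = "192.168.x.x"


@dataclass(frozen=True)
class DnatRule:
    traffic_from: Optional[str]   # None models "Any"
    service_port: int             # "Using service"
    going_to: str                 # "Going to" (the WAN address)
    change_destination_to: str    # internal target
    service_to: Optional[int]     # None models a blank field: keep dst port

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if self.traffic_from is not None and src_ip != self.traffic_from:
            return False
        return dst_ip == self.going_to and dst_port == self.service_port

    def translate(self, src_ip: str, dst_ip: str,
                  dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the rewritten (ip, port) or None when the rule does not apply."""
        if not self.matches(src_ip, dst_ip, dst_port):
            return None
        new_port = dst_port if self.service_to is None else self.service_to
        return (self.change_destination_to, new_port)


def apply_rules(rules: List[DnatRule], src_ip: str, dst_ip: str,
                dst_port: int) -> Optional[Tuple[int, Tuple[str, int]]]:
    """First matching rule wins; returns (1-based rule number, new dst)."""
    for number, rule in enumerate(rules, 1):
        result = rule.translate(src_ip, dst_ip, dst_port)
        if result is not None:
            return number, result
    return None


# The rule from the thread: only the tech's host, on 8000, port preserved.
SAM_ONLY = DnatRule(TECH_IP, 8000, WAN_IP, INTERNAL_BOX, None)

# Log-line check. Pattern is an assumption modelled on the lines quoted in the
# thread ("NAT rule #3  TCP  1.2.3.4:58384 →  5.6.7.8:8000").
_LOG_RE = re.compile(
    r"NAT rule #(?P<rule>\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.x]+):(?P<sport>\d+)\s+→\s+(?P<dst>[\d.x]+):(?P<dport>\d+)"
)


def parse_nat_log(line: str) -> Optional[dict]:
    """Pull rule number, source and destination out of one NAT log line."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"rule": int(d["rule"]), "proto": d["proto"], "src": d["src"],
            "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"])}


def translated_flows(lines: List[str], internal_box: str) -> List[dict]:
    """Keep only log entries whose destination is already the internal box,
    i.e. the entries that prove the DNAT rewrite actually happened."""
    parsed = (parse_nat_log(l) for l in lines)
    return [p for p in parsed if p and p["dst"] == internal_box]


# Constructed sample log lines, not captured from a real UTM.
SAMPLE_LOG = [
    "NAT rule #3  TCP  1.2.3.4:58384 →  5.6.7.8:8000",
    "NAT rule #3  TCP  1.2.3.4:58384 →  192.168.x.x:8000",
]

if __name__ == "__main__":
    print(apply_rules([SAM_ONLY], TECH_IP, WAN_IP, 8000))   # tech on 8000: rewritten
    print(apply_rules([SAM_ONLY], "9.9.9.9", WAN_IP, 8000))  # anyone else: no match
    print(apply_rules([SAM_ONLY], TECH_IP, WAN_IP, 8080))    # old client port: no match
    print(translated_flows(SAMPLE_LOG, INTERNAL_BOX))
```

The third `apply_rules` call is the failure mode the thread eventually found: with the rule restricted to the tech's host and the service set to 8000, a client still sending to 8080 simply never matches, so the only evidence is silence rather than a drop for the expected flow. The `translated_flows` check is the confirmation the poster was looking for in the firewall log: an entry whose destination is the internal box, not the WAN address.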
