

Internal Web Server on port 81, How do I NAT from external address on port 81?

Hi,

How do you create a policy to route an external address such as http://mydomain.com:81 to an internal web server, also running on port 21?

I have tried creating a business policy but can't seem to get it to work.

Thank you,

Craig

  • Assuming that mydomain.com resolves to the IP of your WAN interface (or WAN alias), then you can create a business policy, but you would probably want to try a non-HTTP version. I've run into issues with the HTTP-based one, which turns on WAF. In my case, the site is over SSL, but when using WAF it appears to terminate the connection abruptly. I have not tested much further yet. So with that, here are the steps to do a non-WAF business policy.

    • Add a new rule of type Business Application Policy.
    • Set application template to "Non-HTTP Based Policy".
    • Give it a name.
    • Set your source host to any.
    • Under Hosted Server:
      • Set source zone to "WAN" (Assuming wan is the right zone for your internet interface.)
      • Set hosted address to the port/ip representing your WAN interface.
    • Under Protected Application Servers:
      • Set protected zone to LAN, or the zone representing where your server is.
      • Set protected application server(s) to the server object, if not created, create one representing your server.
      • Do not forward all ports.
    • Under Port Forwarding
      • Set your protocol to TCP.
      • External port type is port.
      • External port is 81 (or whatever you need for your external port).
      • Mapped port type is port as well.
      • Set your internal port to 81. (Or 21, or 80, whatever your server on LAN is listening on.)

    Now save it and you should have inbound access to the server.

    Using WAF should work, and would let you do URL path-based forwarding. But again, I haven't gotten it to work correctly on my side yet, so that's not what I showed you here. This is standard "port forwarding", if you will.
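To make the behaviour of the "Non-HTTP Based Policy" above concrete, here is a small model of how such a DNAT rule is evaluated: match on protocol, inbound zone, the hosted WAN address, the external port and (optionally) a source restriction, then rewrite the destination to the protected server and mapped port. This is an added example, not Sophos code or the poster's configuration; it goes beyond the thread's 81-to-81 case by also showing a source-restricted rule and what happens when "forward all ports" is left on. All IP addresses and server names are constructed.

```python
"""Model of a firewall port-forward (DNAT) rule set, first match wins.

Constructed example: 203.0.113.10 is the WAN IP, 192.168.1.x are
internal servers, 198.51.100.0/24 and 192.0.2.5 are sample clients.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class DnatRule:
    name: str
    proto: str                     # "tcp" / "udp"
    src_zone: str                  # zone the packet arrives from, e.g. "WAN"
    hosted_addr: str               # the WAN IP the rule listens on
    external_port: Optional[int]   # None when forward_all_ports is set
    server: str                    # protected application server
    mapped_port: Optional[int]     # port the server listens on
    allowed_sources: list = field(default_factory=lambda: ["0.0.0.0/0"])
    forward_all_ports: bool = False

    def matches(self, proto, zone, src, dst, dport):
        if proto != self.proto or zone != self.src_zone or dst != self.hosted_addr:
            return False
        if not any(ip_address(src) in ip_network(n) for n in self.allowed_sources):
            return False
        # "forward all ports" accepts any destination port on the hosted address
        return self.forward_all_ports or dport == self.external_port

    def translate(self, dport):
        # With forward_all_ports the original port is kept; otherwise use the mapping
        return (self.server, dport if self.forward_all_ports else self.mapped_port)


def apply_dnat(rules, proto, zone, src, dst, dport):
    """Return (server, port) from the first matching rule, or None (no forward)."""
    for rule in rules:
        if rule.matches(proto, zone, src, dst, dport):
            return rule.translate(dport)
    return None


WAN_IP = "203.0.113.10"
RULES = [
    # The thread's case: any source, WAN:81 -> internal web server:81
    DnatRule("web81", "tcp", "WAN", WAN_IP, 81, "192.168.1.20", 81),
    # Source-restricted variant: only one client network may reach 2222 -> 22
    DnatRule("ssh2222", "tcp", "WAN", WAN_IP, 2222, "192.168.1.30", 22,
             allowed_sources=["198.51.100.0/24"]),
]
```

Note that a rule with `forward_all_ports=True` would pass every TCP port on the WAN address through to the server, which is why the steps above say to leave that option off.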

  • This has been my experience as well, and I got it to work when doing a port forward type. I haven't tried actually NATing to a different public IP in my WAN range, but I'd assume you'd just change to the rewrite MASQ. I just haven't had a chance to play with that.

    However, a little frustrating is that you have to type in the ports one by one/manually, assuming you're opening multiple ports to a server, rather than being able to utilize port groups you've created under "Assets/Hosts and Services/Service Group" or, even if it was a single port, being able to drop down and pick the services that are pre-defined or ones you created.
  • Here is an example for DNAT TCP 2222 to 22 from specific sources: