
Allow single IP host through UTM to internal device/port

I have a contract service tech who works offsite (we'll call him Sam), and I have a "box" that he needs to access on-demand from time to time. Sam has a static public IP that needs to get through our SG UTM 9 to the box at 192.168.x.x, port 8080. I've had 1:1 setup which has worked fine until some fine folk found this little hole and have attacked it repeatedly with floods & such. So now I only want Sam's IP to get through to the box.

Having RULZ 1-5 staring me in the face, I've tried a number of variations of NAT, with and without a firewall rule... firewall rule alone. I've even changed precedence of the rules temporarily. So to simplify, I need:
Only Sam at 1.2.3.4 -> to get through our UTM at 5.6.7.8 -> to the box at 192.168.x.x:8000

I've found a few similar threads but none were answered as solved or were similar enough to resolve this. This should be easy and I'm sure I've over thought it.

Thank you
Tom



  • The tech is accessing this WEB interface with a software package that is unable to log into the user portal. It is a direct connection.

  • I tried DNAT with a specified host and it works. I just specified the source too
    You can see from my logs

  • Thanks but...

    My original DNAT which works:
    • For traffic from: Any
    • Using Service: 8080
    • Going to: WAN (Address)
    • Change destination to: 192.168.x.x
    • Automatic firewall rule: Yes

    Tried to close the hole so:
    Changed "Any" to the tech's external IP - didn't work
    Made my own firewall rule - didn't work
    Turned off firewall rule - didn't work

    And a number of other iterations that don't work. I'll take it up again Monday morning.

  • How have you defined Sam's IP? Network or Host?

    Try changing the source port to 8282 and leave the destination at 8080, because the Web Filter owns port 8080 (if it is active).

  • Sam's IP is defined as Host. Thanks & yes, Web Filter is active, that never occurred to me. Changing to 8000 which is one of the comm devices choices. I'll report back when he contacts me this morning.

  • Still not working. I have this DNAT:

    • For traffic from: Tech (1.2.3.4)
    • Using Service: 8000
    • Going to: WAN (Address) (3.4.5.6)
    • Change destination to: 192.168.x.x (comm box)
    • And the service to: (blank)
    • Automatic firewall rule: Yes

    Here's what I'm getting in the FW log (Tech's IP → my external IP):

    NAT rule #3  TCP  1.2.3.4:58384 → 5.6.7.8:8000

    It should be (Tech's IP → IP of comm box):

    NAT rule #3  TCP  1.2.3.4:58384 → 192.168.x.x:8000

    The strange thing is that I have two other DNATs to the same box, but using different ports and they "forward" correctly. The only difference is that the Traffic From is Any. It doesn't like a source IP

    Anything? Thanks.

  • Try moving the DNAT rule to the top.

  • Thanks but it's been at the top since I started having issues.

  • On my home UTM (I'm not at work), my NAT rule X shows the remote IP hitting my external IP (WHITE colour), which is then followed by the remote IP hitting the internal IP (GREEN colour, auto-generated rule).

  • The Firewall log is correct. What confuses me is the destination port: is it 8080 or not? If your internal port is 8080, the destination port must not be BLANK.

    The correct rule:

    • For traffic from: Tech (1.2.3.4)
    • Using Service: 8000
    • Going to: WAN (Address) (3.4.5.6)
    • Change destination to: 192.168.x.x (comm box)
    • And the service to: (8080)
    • Automatic firewall rule: Yes

    You can test it with your 3G mobile phone's IP and see the firewall log entry in RED.
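
The corrected rule above, as an added shell example that is not from the thread or from Sophos: the same source-restricted DNAT with port translation written as iptables rules for a Linux gateway, so the three pieces (translate only Sam's traffic, allow that one flow, drop everything else aimed at the box's port) are visible side by side. The addresses, the interface name eth0 and the internal host 192.168.10.20 are placeholder assumptions standing in for the thread's 1.2.3.4 / 5.6.7.8 / 192.168.x.x.

```shell
#!/bin/sh
# Added example (not from the thread or Sophos): the corrected DNAT expressed
# as iptables rules on a Linux gateway. All addresses, the interface name and
# the internal host 192.168.10.20 are hypothetical placeholders.
SAM_IP="${SAM_IP:-1.2.3.4}"          # the only public source allowed in
WAN_IP="${WAN_IP:-5.6.7.8}"          # gateway's public address
WAN_IF="${WAN_IF:-eth0}"             # interface facing the internet
BOX_IP="${BOX_IP:-192.168.10.20}"    # internal comm box (stand-in for 192.168.x.x)
EXT_PORT="${EXT_PORT:-8000}"         # port Sam dials ("Using service"); kept off 8080, which the Web Filter owns
INT_PORT="${INT_PORT:-8080}"         # port the box listens on ("And the service to")

# Print each iptables command unless APPLY=1, so the rule set can be reviewed first.
rule() {
  if [ "${APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    printf 'iptables'
    printf ' %s' "$@"
    printf '\n'
  fi
}

dnat_rules() {
  # 1. Translate only Sam's packets: source restricted, destination rewritten
  #    to the box and the port changed from EXT_PORT to INT_PORT.
  rule -t nat -A PREROUTING -i "$WAN_IF" -s "$SAM_IP" -d "$WAN_IP" \
       -p tcp --dport "$EXT_PORT" -j DNAT --to-destination "$BOX_IP:$INT_PORT"
  # 2. Allow the translated flow through the forwarding path
  #    (the UTM's "automatic firewall rule").
  rule -A FORWARD -i "$WAN_IF" -s "$SAM_IP" -d "$BOX_IP" -p tcp --dport "$INT_PORT" \
       -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  # 3. Anything else from the WAN aimed at the box's port is dropped, so the
  #    old 1:1 hole stays closed even if a broader rule is added later.
  rule -A FORWARD -i "$WAN_IF" -d "$BOX_IP" -p tcp --dport "$INT_PORT" -j DROP
}

# Count how many generated rules restrict the source to Sam's address:
# a quick self-check that the "for traffic from" restriction did not get lost.
count_source_restricted() {
  dnat_rules | grep -c -- "-s $SAM_IP"
}

dnat_rules
```

Run as-is to print the rules for review; set APPLY=1 to execute them (needs root and the conntrack match). The point the thread circles is visible in rule 1: "Using service" is the port Sam dials (--dport 8000) and "And the service to" is the port the box listens on (--to-destination ...:8080); leaving the second blank is what produced a log line that never reached the box.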