Allow single IP host through UTM to internal device/port

You can change the source port too. For example 3395 -> 3389 (rdp). And nobody will atempt to logon in your PC

Just to be clear, this is not a PC that is being accessed, it is a special comm control device with a WEB interface.

I will give it a try in my site. But this could be done with user portal if you want something secure

The tech is accessing this WEB interface with a software package that is unable to log into the user portal. It is a direct connection.

I tried DNAT with a specified host and it works. I just specified the source too
You can see from my logs

Thanks but...

My original DNAT which works:
• For traffic from: Any
• Using Service: 8080
• Going to: WAN (Address)
• Change destination to: 192.168.x.x
• Automatic firewall rule: Yes

Tried to close the hole so:
Changed "Any" to the tech's external IP - didn't work
Made my own firewall rule - didn't work
Turned off firewall rule - didn't work

And a number of other iterations that don't work. I'll take it up again Monday morning.

How you defined the Sam IP? Network or Host

Try to change the source port to 8282 an leave the destination to 8080. Because Web Filter owns the port 8080 (if it is active)

Sam's IP is defined as Host. Thanks & yes, Web Filter is active, that never occurred to me. Changing to 8000 which is one of the comm devices choices. I'll report back when he contacts me this morning.

Still not working. I have this DNAT:

• For traffic from: Tech (1.2.3.4)
• Using Service: 8000
• Going to: WAN (Address) (3.4.5.6)
• Change destination to: 192.168.x.x (comm box)
• And the service to: (blank)
• Automatic firewall rule: Yes

Here's what I'm getting in the FW log:

                               Techs IP      to    My External IP
NAT rule #3  TCP  1.2.3.4:58384 →  5.6.7.8:8000

It should be:
                               Techs IP      to     IP of comm box
NAT rule #3  TCP  1.2.3.4:58384 →  192.168.x.x:8000

The strange thing is that I have two other DNATs to the same box, but using different ports and they "forward" correctly. The only difference is that the Traffic From is Any. It doesn't like a source IP

Anything? Thanks.

Still not working. I have this DNAT:

• For traffic from: Tech (1.2.3.4)
• Using Service: 8000
• Going to: WAN (Address) (3.4.5.6)
• Change destination to: 192.168.x.x (comm box)
• And the service to: (blank)
• Automatic firewall rule: Yes

Here's what I'm getting in the FW log:

                               Techs IP      to    My External IP
NAT rule #3  TCP  1.2.3.4:58384 →  5.6.7.8:8000

It should be:
                               Techs IP      to     IP of comm box
NAT rule #3  TCP  1.2.3.4:58384 →  192.168.x.x:8000

The strange thing is that I have two other DNATs to the same box, but using different ports and they "forward" correctly. The only difference is that the Traffic From is Any. It doesn't like a source IP

Anything? Thanks.

Try and move the DNAT rule to the top

Thanks but it's been at the top since I started having issues.

On my home UTM (I'm not at work), my NAT rule X shows the remote ip hitting my external ip (WHITE colour) which is then followed by the remote ip hitting the internal ip (GREEN colour auto generated rule)

The Firewall log is correct. What confuses me is the destination port. It is or not 8080? If your internal port is 8080, the destination port must not be BLANK

The correct rule:

• For traffic from: Tech (1.2.3.4)
• Using Service: 8000
• Going to: WAN (Address) (3.4.5.6)
• Change destination to: 192.168.x.x (comm box)
• And the service to: (8080)
• Automatic firewall rule: Yes

You can test it with your 3G mobile phone ip and see the firewall log RED

The port needed for the comm box is now 8000, we changed it on both sides. It turns out that the tech's software is changing ports every time he tries to connect which is what it always did when it was working. As I stated, none of my DNATs to this box have "Service To". The Service is passed (forwarded) to the comm box.

What I don't get is that when I change the "For Traffic From" to Any and leave "Service To" blank (on port 8000), he gets in. As soon as I put his IP in, he can't. And yet the firewall doesn't drop it (green to 192.168.x.x). So now I'm thinking maybe the software on his laptop needs a tweak or something in the comm box. I'm looking at that now.

I appreciate the suggestions, I'll update later.

Maybe the TECH ip is not correct

I checked all the potentially "stupid mistake" items already... double & triple checked.

It turned out to be the software on the techs laptop had two places that the port had to be changed to 8000. Sigh...

So my original change worked:

• For traffic from: Tech (1.2.3.4)
• Using Service: 8000
• Going to: WAN (Address) (3.4.5.6)
• Change destination to: 192.168.x.x (comm box)
• And the service to: (blank)
• Automatic firewall rule: Yes