Inbound Port Forwarding
Configuration > Overlays & Security > Security > Inbound Port Forwarding
Inbound port forwarding allows traffic from the WAN to reach computers or services within a private LAN when the interface is running a stateful firewall. It lets you define and manage inbound traffic, remap a destination IP address and port number to an internal host, and create policies to manage branch devices from the WAN. Use this tab to define the inbound traffic you want to allow.
Inbound port forwarding operates in one of two modes when you add or edit a rule, depending on whether Translate mode is enabled or disabled.
In the first mode, Translate mode is disabled. The inbound port forwarding rule (defined in the following steps) allows WAN traffic to reach the LAN-side subnet of private IP addresses directly, exposing those services externally. This requires the LAN-side private addresses to be routed on the WAN side. This is effectively a DMZ (Demilitarized Zone).
NOTE: This mode is uncommon unless the port forwarding source is directly connected to the EdgeConnect or the LAN-side device address is routed from the WAN side. Additionally, inbound port forwarding does not support TFTP servers.
To establish a DMZ connection, complete the following steps:
- Go to the Inbound Port Forwarding tab.
- Select the Edit icon next to Appliance.
- Select Add Rule.
- Complete each field with the appropriate information.
Source IP/Subnet: Source of the WAN device managing the LAN device(s) specified in the destination.
Destination IP/Subnet: Address of the LAN device(s) managed remotely.
In the second mode, Translate mode is enabled. When enabled, the EdgeConnect WAN interface performs destination NAT so that LAN-side device(s) can be reached from an external network. This is DNAT (Destination Network Address Translation).
Complete the following steps to enable Translate mode:
- Go to the Inbound Port Forwarding tab.
- Select the Edit icon.
- Select Add Rule.
- Select the Translate check box to enable Translate mode.
- Complete each field with the appropriate information.
Source IP/Subnet: Source of the WAN device managing the LAN device(s) specified in the destination.
Destination IP/Subnet: Address of the WAN interface IP.
Destination Port/Range: Port/range of the LAN device(s) that are managed remotely.
Protocol: Select the protocol you want to apply: UDP, TCP, ICMP, Any. If you select Any, the Destination and Translated Ports have a default value that must be between 0 and 100. If the value exceeds 100, a warning appears.
Translated IP: IP address of the LAN device accessed inside your network.
Translated Port/Range: Port/range of the LAN device accessed inside your network.
Source Interface: Source interface name.
Segment: Name of the segment being used.
Comment: Any additional details.
Additional Information
- Interface Modes: Port forwarding is used only when you have ‘stateful’ or ‘stateful+snat’ configured on interfaces. It does not apply when you have ‘Allow All’ or ‘Harden’ configured.
- Security Policies: If security policies are configured, make sure they allow the traffic specified in the port forwarding rules.
- You can also reorder the appliances associated with inbound port forwarding by selecting Reorder when adding a rule.
NOTE: ‘Any’ is a protocol option only on versions 8.1.9.4 and later.
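The following is an added model of how a rule from this page is validated and applied to an inbound packet in both modes (DMZ with Translate off, DNAT with Translate on), including the interface-mode restriction from Additional Information. It is not EdgeConnect code; the field names follow the page's table, while the one-to-one range mapping and the reading of the 0-100 limit as applying to any port value are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    # Field names follow the page's table; the defaults are assumptions of this model.
    source_subnet: str                   # Source IP/Subnet: WAN device managing the LAN host
    destination: str                     # Destination IP/Subnet: LAN host (DMZ) or WAN interface IP (DNAT)
    protocol: str = "Any"                # UDP, TCP, ICMP or Any
    translate: bool = False              # Translate check box: off = DMZ mode, on = DNAT mode
    dest_ports: Tuple[int, int] = (0, 0)          # Destination Port/Range, inclusive (DNAT mode only)
    translated_ip: Optional[str] = None           # Translated IP: LAN host reached after DNAT
    translated_ports: Tuple[int, int] = (0, 0)    # Translated Port/Range on that LAN host

def validate(rule: Rule) -> List[str]:
    """Warnings to raise before committing a rule (checks derived from the page)."""
    warnings = []
    # Page: with protocol Any, a port value above 100 produces a warning
    # (assumption: "the value" means any port in either range).
    if rule.translate and rule.protocol == "Any" and max(rule.dest_ports + rule.translated_ports) > 100:
        warnings.append("protocol Any: port value above 100")
    width_in = rule.dest_ports[1] - rule.dest_ports[0]
    width_out = rule.translated_ports[1] - rule.translated_ports[0]
    if rule.translate and width_in != width_out:
        # Assumption: a destination range maps one-to-one onto the translated range.
        warnings.append("destination and translated ranges differ in width")
    return warnings

def forward(rule: Rule, iface_mode: str, proto: str,
            src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) an inbound packet is delivered to, or None if the rule does not apply."""
    # Page: port forwarding is used only on 'stateful' or 'stateful+snat' interfaces.
    if iface_mode not in ("stateful", "stateful+snat"):
        return None
    if rule.protocol not in ("Any", proto):
        return None
    if ip_address(src_ip) not in ip_network(rule.source_subnet, strict=False):
        return None
    if ip_address(dst_ip) not in ip_network(rule.destination, strict=False):
        return None
    if not rule.translate:
        # DMZ mode: nothing is rewritten; the private LAN address must already be routable from the WAN.
        return (dst_ip, dst_port)
    lo, hi = rule.dest_ports
    if not lo <= dst_port <= hi:
        return None
    # DNAT mode: rewrite WAN interface IP/port to the LAN host, keeping the offset within the range.
    return (rule.translated_ip, rule.translated_ports[0] + (dst_port - lo))
```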