
Inbound Port Forwarding

Configuration > Overlays & Security > Security > Inbound Port Forwarding

Inbound port forwarding allows traffic from the WAN to reach computers or services within a private LAN when you have a stateful firewall. It helps define and manage inbound traffic, remap a destination IP address and port number to an internal host, and create policies to manage branch devices from the WAN. Use this tab to define the desired inbound traffic.

Inbound port forwarding is available in two modes when you add or edit a rule, depending on whether Translate mode is enabled or disabled.

In the first mode, Translate mode is disabled. The LAN-side subnet with private IP addresses is allowed access through an inbound port forwarding rule (defined by you in the following steps) and exposes any external services. This requires the LAN-side private addresses to be routed on the WAN side. This mode corresponds to a DMZ (Demilitarized Zone).

NOTE: This mode is not common unless the port forwarding source is directly connected to the EdgeConnect or if the LAN side device address is routed from the WAN side. Additionally, inbound port forwarding does not support TFTP servers.

To establish a DMZ connection, complete the following steps:

  1. Go to the Inbound Port Forwarding tab.

  2. Select the Edit icon next to Appliance.

  3. Select Add Rule.

  4. Complete each field with the appropriate information.

    | Field | Description |
    | --- | --- |
    | Source IP/Subnet | Source of the WAN device managing the LAN device(s) specified in the destination. |
    | Destination IP/Subnet | Address of the LAN device(s) managed remotely. |

The second mode is when translate mode is enabled. When enabled, the EdgeConnect WAN interface performs destination NAT to reach LAN side device(s) from an external network.

Complete the following steps to enable Translate mode. This mode corresponds to DNAT (Destination Network Address Translation).

  1. Go to the Inbound Port Forwarding tab.

  2. Select the Edit icon.

  3. Select Add Rule.

  4. Select the Translate check box to enable Translate mode.

  5. Complete each field with the appropriate information.

    | Field | Description |
    | --- | --- |
    | Source IP/Subnet | Source of the WAN device managing the LAN device(s) specified in the destination. |
    | Destination IP/Subnet | Address of the WAN interface IP. |
    | Destination Port/Range | Port/range of the LAN device(s) that are managed remotely. |
    | Protocol | Select the protocol you want to apply: UDP, TCP, ICMP, Any. If you select Any, the Destination and Translated Ports have a default value that needs to be between 0 and 100. If the value exceeds 100, a warning appears. |
    | Translated IP | IP address of the LAN device accessed inside your network. |
    | Translated Port/Range | Port/range of the LAN device accessed inside your network. |
    | Source Interface | Source interface name. |
    | Segment | Name of the segment being used. |
    | Comment | Any additional details. |

Additional Information

  • Interface Modes

    Port forwarding is used only when you have ‘stateful’ or ‘stateful+snat’ configured on interfaces. It does not apply when you have ‘Allow All’ or ‘Harden’ configured.

  • Security Policies

    If ‘security policies’ are configured, make sure they allow the traffic specified in the port forwarding rules.

  • You can also reorder the appliances associated with inbound port forwarding by selecting Reorder when adding a rule.

NOTE: ‘Any’ is a protocol option only on versions 8.1.9.4 and later.
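A pre-deployment check over planned rules, as an added example that is not HPE code: it applies the constraints stated on this page (interface mode, the ‘Any’ protocol version and 0-100 port limit, Translate mode needing a translated IP) and additionally flags a source of 0.0.0.0/0. The dictionary field names and the sample rules are assumptions made for illustration and do not come from an Orchestrator export or API.

```python
import ipaddress

# Field names are hypothetical; they mirror the table columns on this
# page, not an Orchestrator export or API schema.
STATEFUL_MODES = {"stateful", "stateful+snat"}   # modes where forwarding is used
ANY_MIN_VERSION = (8, 1, 9, 4)                   # 'Any' protocol, per the NOTE

def port_range(spec):
    """Parse '443' or '8000-8010' into (low, high)."""
    low, _, high = str(spec).partition("-")
    return int(low), int(high or low)

def audit_rule(rule, interface_mode, version):
    """Return a list of findings for one inbound port forwarding rule."""
    findings = []
    if interface_mode.lower() not in STATEFUL_MODES:
        findings.append("interface mode %r: port forwarding is not used" % interface_mode)
    src = ipaddress.ip_network(rule["source"], strict=False)
    if src.prefixlen == 0:  # review heuristic added here, not a product check
        findings.append("source %s admits every WAN address" % src)
    if rule["protocol"].lower() == "any":
        if tuple(int(p) for p in version.split(".")) < ANY_MIN_VERSION:
            findings.append("'Any' protocol requires 8.1.9.4 or later")
        for field in ("destination_port", "translated_port"):
            if field in rule and port_range(rule[field])[1] > 100:
                findings.append("%s exceeds 100 with protocol Any" % field)
    if rule.get("translate") and not rule.get("translated_ip"):
        findings.append("Translate enabled but no translated IP given")
    return findings

# Constructed sample rules (not taken from a real appliance).
RULES = [
    {"source": "203.0.113.0/24", "destination": "198.51.100.10/32", "translate": True,
     "protocol": "tcp", "destination_port": "8443", "translated_ip": "10.1.20.5",
     "translated_port": "443"},
    {"source": "0.0.0.0/0", "destination": "198.51.100.10/32", "translate": True,
     "protocol": "Any", "destination_port": "0-200", "translated_ip": "10.1.20.5",
     "translated_port": "0-200"},
]

if __name__ == "__main__":
    for r in RULES:
        print(r["source"], "->", audit_rule(r, "stateful+snat", "8.1.9.3") or "ok")
```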



© Copyright 2024 Hewlett Packard Enterprise Development LP.
