ScreenOS Firewalls (NOT SRX)

port forwarding with dhcp isp

‎04-13-2012 08:15 PM

I have tried the standard way of using a VIP for port forwarding, and I can't use a VIP with my ISP because of a dynamic IP.


Is there any workaround where I can forward ports from a server in Trust to Untrust for outside communication?


I have attached my cfg as a text file.




Re: port forwarding with dhcp isp

‎04-14-2012 01:30 AM



You can use VIPs with a dynamic IP. But I don't see any VIPs defined in your current config.

I noticed a couple of things:

You have the minecraft and seccams services defined with only one source port. Connecting clients will pick a random port in the range 0-65535. So you should define the services as:

set service "seccams" protocol tcp src-port 0-65535 dst-port 8085-8085


You defined the addresses of your servers with a netmask of /24 ( That way your policies allow incoming traffic not only to your server, but to the whole internal LAN. Addresses should be defined as:

set address "Trust" ""
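As an added example (not part of the original replies, and not vendor code): a small Python check for the two issues raised in the reply above, a service pinned to one source port and a server address object defined wider than a single host. The sample config is constructed; its names, IP addresses, the minecraft port and the `set address` line layout (zone, name, IP, netmask) are assumptions.

```python
import ipaddress
import re
# Constructed sample in ScreenOS "set" syntax; names, addresses, ports and the
# address-line layout (zone, name, IP, netmask) are assumptions.
SAMPLE_CFG = '''
set service "seccams" protocol tcp src-port 8085-8085 dst-port 8085-8085
set service "minecraft" protocol tcp src-port 0-65535 dst-port 25565-25565
set address "Trust" "cam-server" 192.168.1.20 255.255.255.0
set address "Trust" "mc-server" 192.168.1.30 255.255.255.255
'''

SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>tcp|udp) '
    r'src-port (?P<slo>\d+)-(?P<shi>\d+) dst-port (?P<dlo>\d+)-(?P<dhi>\d+)\s*$')
ADDRESS_RE = re.compile(
    r'^set address "(?P<zone>[^"]+)" "(?P<name>[^"]+)" '
    r'(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+)\s*$')


def audit(cfg: str) -> list[str]:
    """Return one finding per service or address line showing either issue."""
    findings = []
    for line in cfg.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            lo, hi = int(m["slo"]), int(m["shi"])
            # Per the reply: clients choose their own source port, so expect 0-65535.
            if (lo, hi) != (0, 65535):
                findings.append(f'service {m["name"]}: src-port {lo}-{hi} is not 0-65535')
            continue
        m = ADDRESS_RE.match(line)
        if m:
            try:
                net = ipaddress.ip_network(f'{m["ip"]}/{m["mask"]}', strict=False)
            except ValueError:
                findings.append(f'address {m["name"]}: invalid IP or netmask')
                continue
            # Anything wider than /32 lets a policy reach more than one host.
            if net.prefixlen != 32:
                findings.append(f'address {m["name"]}: /{net.prefixlen} covers '
                                f'{net.num_addresses} addresses, not a single host')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```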





Re: port forwarding with dhcp isp

‎04-14-2012 05:28 PM

How would I define a VIP? Can I just use any IP, or do I have to use one in a certain range?


Re: port forwarding with dhcp isp

‎04-15-2012 01:12 PM

You add the VIP to your untrust interface (ethernet3). Because you only have the one public IP address, you add the VIP to that address:


- Network>Interfaces>List>Edit ethernet3>VIP

- Select "Same as the interface IP address" and click Add.

- Click New VIP service, select your public IP as Virtual IP

- Select the service in Map to service

- Enter the internal IP address of your server in "Map to IP"


Now create the policy to allow the traffic:

- Policy>Policies Untrust to Trust

- Source address: Any

- Destination address: VIP (ethernet3)

- Service: select service

- Action permit