ScreenOS Firewalls (NOT SRX)

port forwarding with dhcp isp

04-13-2012 08:15 PM

I have tried the standard way of using a VIP for port forwarding, and I can't use a VIP with my ISP because of a dynamic IP.

Is there any workaround where I can forward ports from a server in Trust to Untrust for outside communication?

I have attached my cfg as a text file.

Re: port forwarding with dhcp isp

04-14-2012 01:30 AM

Hi,

You can use VIPs with a dynamic IP. But I don't see any VIPs defined in your current config.

I noticed a couple of things:

You have the minecraft and seccams services defined with only one source port. Connecting clients will pick a random port in the range 0-65535, so you should define the services as:

set service "seccams" protocol tcp src-port 0-65535 dst-port 8085-8085

You defined the addresses of your servers with a netmask of /24 (255.255.255.0). That way your policies allow incoming traffic not only to your server, but to the whole internal LAN. Addresses should be defined as:

set address "Trust" "192.168.11.245" 192.168.11.245 255.255.255.255

Steve

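The two checks Steve makes by hand above, as an added Python script (not from the thread and not a Juniper tool): it parses ScreenOS "set service" and "set address" lines and flags a service whose source-port range is narrower than 0-65535, and an address object whose IP has host bits set under a mask wider than /32, which is how a single server ends up covering its whole LAN. The sample config inside the script is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config in ScreenOS "set" syntax; it reproduces the two
# problems found in the thread (single source port, server address with a
# /24 mask) next to entries that are fine.
SAMPLE_CONFIG = """\
set service "seccams" protocol tcp src-port 8085-8085 dst-port 8085-8085
set service "minecraft" protocol tcp src-port 0-65535 dst-port 25565-25565
set address "Trust" "192.168.11.245" 192.168.11.245 255.255.255.0
set address "Trust" "lan" 192.168.11.0 255.255.255.0
"""

SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>tcp|udp) '
    r'src-port (?P<s1>\d+)-(?P<s2>\d+) dst-port (?P<d1>\d+)-(?P<d2>\d+)$')
ADDRESS_RE = re.compile(
    r'^set address "(?P<zone>[^"]+)" "(?P<name>[^"]+)" '
    r'(?P<ip>[\d.]+) (?P<mask>[\d.]+)$')

def check_config(text):
    """Return (findings, fixes): one finding and one corrected line per problem."""
    findings, fixes = [], []
    for line in text.splitlines():
        svc = SERVICE_RE.match(line)
        if svc:
            # Clients choose an ephemeral source port, so anything narrower
            # than 0-65535 silently drops most connections.
            if (svc["s1"], svc["s2"]) != ("0", "65535"):
                findings.append(f'service "{svc["name"]}": src-port '
                                f'{svc["s1"]}-{svc["s2"]} is too narrow')
                fixes.append(f'set service "{svc["name"]}" protocol {svc["proto"]} '
                             f'src-port 0-65535 dst-port {svc["d1"]}-{svc["d2"]}')
            continue
        addr = ADDRESS_RE.match(line)
        if not addr:
            continue
        ip = ipaddress.ip_address(addr["ip"])
        net = ipaddress.ip_network(f'{addr["ip"]}/{addr["mask"]}', strict=False)
        # Host bits set under a wider mask means a single host was meant, but
        # the object (and every policy that uses it) covers the whole subnet.
        if net.network_address != ip:
            findings.append(f'address "{addr["name"]}": {ip}/{net.prefixlen} '
                            f'covers {net.num_addresses} hosts, not one')
            fixes.append(f'set address "{addr["zone"]}" "{addr["name"]}" '
                         f'{ip} 255.255.255.255')
    return findings, fixes
```

Run check_config over the output of "get config" from the firewall; a genuine subnet object such as 192.168.11.0/24 is left alone because its host bits are zero.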

Re: port forwarding with dhcp isp

04-14-2012 05:28 PM

How would I define a VIP? Can I just use any IP, or do I have to use one in a certain range?

Re: port forwarding with dhcp isp

04-15-2012 01:12 PM

You add the VIP to your untrust interface (ethernet3). Because you only have the one public IP address, you add the VIP to that address:

- Network>Interfaces>List>Edit ethernet3>VIP

- Select "Same as the interface IP address" and click Add.

- Click New VIP service, select your public IP as Virtual IP

- Select the service in Map to service

- Enter the internal IP address of your server in "Map to IP"

Now create the policy to allow the traffic:

- Policy>Policies Untrust to Trust

- Source address: Any

- Destination address: VIP (ethernet3)

- Service: select service

- Action permit

Steve