SG17, help with setting inbound port translation as a part of a DNAT?

I'm not sure what I'm doing wrong or if this is a bug in SG17.  I am trying to NAT an inbound destination IP and port from the WAN address and WAN port to an internal server and a different port.

 

e.g.

Before DNAT:

src IP:  ANY

src tcp port: ANY

dst IP: WAN address

dst tcp port: 40000

After DNAT:

dst IP: 192.168.1.10

dst tcp port: 80

 

When I try to configure this under DNAT, the "Change Destination Port(s)" checkbox works, but the "To" field is still greyed out.  Checking the help file tells me that:

Mapped Port (available only if Change Destination Port(s) is selected)

Specify the mapped port number on the destination network to which the public port number is mapped. Mapped port must have the same number of ports as specified in the public service, or at least have one port. Mapped Port is disabled if:

• No TCP/UDP service is selected.
• Multiple services are selected.
• Service group is selected.
• Selected service is with TCP/UDP combination.
 
My selected service is a tcp/udp, but only because there is no option under the service object to pick either tcp or udp.  TCP/UDP is the only option.  I can't be the first one to see this but couldn't find anything in the forum.  Am I doing something wrong or is this a bug?


  • Hey  

    Based on the information you configured with your existing "Business Application Rule" DNAT, you actually have created your rule correctly but clarification is just needed regarding the "To" field in the "Forward To: Mapped Port" field.

    The "To" field is greyed-out because you are mapping your single public WAN IP's destination 40000 TCP port to your single internal server's IP destination 80 TCP port.
    This "To" field is used to create a DNAT rule to forward a range of ports. E.g. your public WAN IP (destination port 40000:40100) to your internal server's IP (destination port 100 "To" 200).

    However, please provide screenshots if you would like further verification for your created rule.

    Thanks,

    FloSupport | Community Support Engineer

  • Hi,

    There was a misunderstanding as I can't create this rule.  This wasn't a check of my config, this is to tell you that it's not working.  The "to" field is grayed out so I can't forward 40000/tcp on the WAN interface to 80/tcp on my internal server.

  • Hey  

    My apologies, could you please share a screenshot of the "Service" object that you used to define your 40000/tcp service?
    I was able to re-create your desired DNAT rule on my v17 XG firewall. Please see the screenshots below. I would also advise deleting your existing rule and re-creating it. Please let me know if you're still having issues.





    Regards,

    FloSupport | Community

  • Thanks, that settles it.  I misunderstood the UI and your original response.  Just a mix-up in what "to" meant in Mapped Port.  I thought the mapped port meant forwarding "40000 to 80".  That is what is intuitive for me but maybe not for everyone.  When I couldn't fill out the second field I was very puzzled.

    But really the first field should be 80 and the second blank as it's a single port.  If I was forwarding 80:85 to 40000:40005 then I would have "40000 to 40005" in the mapped port fields.  I find that confusing, but sometimes that's life.  Thanks for your response.

    LH
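
The field semantics the thread settles on, as an added example that is not part of the original posts and is not Sophos code: a small Python model of the "Mapped Port" fields, using the rule from the question and the range from the support reply. The function and parameter names are hypothetical, and the one-to-one, offset-preserving translation of a range is an assumption.

```python
# Added example, not Sophos code: models the "Mapped Port" fields as the help
# text and the replies in this thread describe them. All names are hypothetical.

def build_port_map(public_start, public_end, mapped_from, mapped_to=None):
    """Return {public_port: internal_port} for one DNAT rule.

    public_start/public_end -- destination port(s) of the public service
    mapped_from             -- first "Mapped Port" field
    mapped_to               -- the "To" field; None when blank or greyed out
    """
    for port in (public_start, public_end, mapped_from, mapped_to):
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if public_end < public_start:
        raise ValueError("public service range is reversed")
    public_ports = range(public_start, public_end + 1)

    if mapped_to is None:
        # Single mapped port: every public port lands on it.
        return {p: mapped_from for p in public_ports}

    if mapped_to < mapped_from:
        # The misreading from the thread: "40000 to 80" is parsed as a
        # (reversed) range of internal ports, not as "from port / to port".
        raise ValueError("'To' is the END of the mapped range, not the target")
    if mapped_to - mapped_from + 1 != len(public_ports):
        raise ValueError("mapped range must cover as many ports as the service")

    # Assumption: a range is translated one-to-one, preserving the offset.
    return {p: mapped_from + (p - public_start) for p in public_ports}


if __name__ == "__main__":
    # The rule from the question: WAN:40000/tcp -> 192.168.1.10:80/tcp.
    print(build_port_map(40000, 40000, 80))
    # The range example from the support reply: 40000:40100 -> 100 "To" 200.
    print(build_port_map(40000, 40100, 100, 200)[40050])
    # What the original poster tried to enter: "40000 To 80".
    try:
        build_port_map(40000, 40000, 40000, 80)
    except ValueError as err:
        print("rejected:", err)
```

When reviewing an exported rule set, the same check helps confirm that a published port reaches only the internal port that was intended.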