Inbound Port Forwarding
Configuration > Overlays & Security > Security > Inbound Port Forwarding
Inbound port forwarding allows traffic from the WAN to reach computers or services within a private LAN when you have a stateful firewall. It helps define and manage inbound traffic, remap a destination IP address and port number to an internal host, and create policies to manage branch devices from the WAN. Use this tab to define the desired inbound traffic.
Inbound Port forwarding is available in two modes when you add or edit a rule, depending on whether the Translate Mode is enabled or disabled. Inbound Port forwarding supports both IPv4 and IPv6 addresses.
When Translate Mode Is Disabled
The first operating mode for inbound port forwarding is when Translate Mode is disabled. The LAN-side subnet with private IP addresses is made reachable through an inbound port forwarding rule (defined by you in the following steps), which exposes its services to external networks without any address translation. This requires the LAN-side private addresses to be routable from the WAN side. This represents the process of a DMZ (Demilitarized Zone).
NOTES:
1. This mode is not common unless the port forwarding source is directly connected to the EdgeConnect or the LAN-side device address is routed from the WAN side.
2. Inbound port forwarding does not support TFTP servers.
3. The DMZ feature is ineffective for local interface addresses. If you set up an inbound port forwarding rule to a local interface IP address on the same EdgeConnect appliance on which the rule is created, the flow will not succeed. However, it will succeed if you enable translation with the same /32 destination IP.
To establish a DMZ connection when Translate Mode is disabled with inbound port forwarding, complete the following steps:
- Go to the Inbound Port Forwarding tab.
- Select the Edit icon next to Appliance.
- Select Add Rule.
- Complete each field with the appropriate information.
Field: Description
Source IP/Subnet: Source of the WAN device managing the LAN device(s) specified in the destination.
Destination IP/Subnet: Address of the LAN device(s) managed remotely.
When Translate Mode Is Enabled
When Translate Mode is enabled, the EdgeConnect WAN interface performs destination NAT to reach LAN-side device(s) from an external network.
Complete the following steps to enable Translate Mode. This represents the process of DNAT (Destination Network Address Translation).
- Go to the Inbound Port Forwarding tab.
- Select the Edit icon.
- Select Add Rule.
- Select the Translate check box to enable Translate Mode.
- Complete each field with the appropriate information.
Field: Description
Source Interface: The source interface name; the network interface from which the inbound traffic originates.
Source IP/Subnet: The source of the WAN device managing the LAN device(s) specified in the destination. This can be used to restrict access to specific IP addresses or ranges. IPv6 Source IP/Subnet addresses are supported.
Destination IP/Subnet: The address of the WAN interface IP to which the inbound traffic is directed. IPv6 Destination IP/Subnet addresses are supported.
Destination Port/Range: The port/range of the LAN device(s) that are managed remotely; that is, the port number or range on the destination device that the inbound traffic targets.
Protocol: Select the protocol you want to apply: UDP, TCP, ICMP, Any. If you select Any, the Destination and Translated Port values must be between 0 and 100. If a value exceeds 100, a warning appears.
Translated IP: The IP address of the LAN device accessed inside your network.
Translated Port/Range: The port/range of the LAN device accessed inside your network.
Segment: The name of the segment being used.
Comment: Any additional details.
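As an added example (not Orchestrator's or EdgeConnect's own code), the following Python models how a rule from either mode above admits or drops an inbound flow and, in Translate Mode, rewrites it to the LAN host. The Rule fields mirror the table; the one-to-one offset mapping between port ranges and the convention that ICMP is checked with port 0 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    """One inbound port forwarding rule, using the field names from the tab above."""
    source: str                          # Source IP/Subnet allowed to reach the service
    dest: str                            # Destination IP/Subnet (WAN interface IP in Translate Mode)
    dest_ports: Tuple[int, int]          # Destination Port/Range, inclusive
    protocol: str                        # UDP, TCP, ICMP or Any
    translate: bool = False              # Translate check box
    translated_ip: Optional[str] = None  # Translated IP (LAN host) when translating
    translated_ports: Optional[Tuple[int, int]] = None  # Translated Port/Range

def validate(rule: Rule) -> list:
    """Warnings as the UI raises them: with protocol Any, ports must stay within 0-100."""
    warnings = []
    if rule.protocol == "Any":
        for name, rng in (("Destination", rule.dest_ports), ("Translated", rule.translated_ports)):
            if rng and not (0 <= rng[0] <= rng[1] <= 100):
                warnings.append(f"{name} port range {rng} is outside 0-100 with protocol Any")
    return warnings

def forward(rule, src_ip, dst_ip, dst_port, proto, local_interface_ips=frozenset()):
    """Return the (ip, port) the flow is delivered to, or None when the rule does not admit it.
    ICMP flows are modelled with dst_port 0 (an assumption of this example)."""
    if ip_address(src_ip) not in ip_network(rule.source, strict=False):
        return None                      # outside the permitted Source IP/Subnet
    if ip_address(dst_ip) not in ip_network(rule.dest, strict=False):
        return None                      # not addressed to the rule's destination
    if not rule.dest_ports[0] <= dst_port <= rule.dest_ports[1]:
        return None                      # port outside Destination Port/Range
    if rule.protocol != "Any" and proto != rule.protocol:
        return None
    if not rule.translate:
        # DMZ mode: no rewrite, so the LAN private address must already be routable from the
        # WAN, and a rule aimed at one of the appliance's own interface addresses never works.
        return None if dst_ip in local_interface_ips else (dst_ip, dst_port)
    # DNAT: remap to the LAN host; assumption: ranges map one-to-one by offset.
    tports = rule.translated_ports or rule.dest_ports
    return (rule.translated_ip, tports[0] + (dst_port - rule.dest_ports[0]))
```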
Additional Information
- Interface Modes: Port forwarding is used only when you have ‘stateful’ or ‘stateful+snat’ configured on interfaces. It does not apply when you have ‘Allow All’ or ‘Harden’ configured.
- Security Policies: If ‘security policies’ are configured, make sure they allow the traffic specified in the port forwarding rules.
- You can also reorder the appliances associated with inbound port forwarding by selecting Reorder when adding a rule.
NOTE: ‘Any’ is a protocol option only on versions 8.1.9.4 and later.