
How To – Configure Port Forwarding using Virtual Host to access devices on Internal network

Applicable to – versions 9.5.3 build 14 or above

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide access to internal resources.

The article covers how to:

Create virtual host

Create firewall rule to allow the inbound traffic

Virtual host

Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam.

A Virtual Host maps services of a public IP address to services of a host in a private network. In other words, it is a mapping of a public IP address to an internal IP address. The virtual host is used as the destination address in firewall rules to reach the internal or DMZ server.

A Virtual Host can be a single IP address, an IP address range, or a Cyberoam interface itself. Cyberoam automatically responds to ARP requests received on the WAN zone for the external IP address of the virtual host.

Sample schema

Throughout the article we will use the network parameters shown in the network diagram below. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The public servers (mail server and web server) are hosted in the DMZ.

Network components   External IP address (Public)   IP address (Internal)
Web server           203.88.135.208                 192.168.1.4 (Mapped)
Mail server          204.88.135.192                 192.168.1.15 (Mapped)

For virtual host:

External IP: the IP address through which Internet users access the internal server.

Mapped IP: the IP address bound to the internal server.


Configuration

Entire configuration is to be done from Web Admin Console unless specified.

Step 1: Create virtual host for Web server

Go to Firewall > Virtual Host > Create and create the virtual host with the parameters specified in the sample schema.

In our example, Internet users will access the internal web server using public IP 203.88.135.208, which is mapped to local IP 192.168.1.4. In other words, all inbound requests for 203.88.135.208 will be forwarded to 192.168.1.4.


Note

If servers are hosted on LAN, change the Physical Zone to LAN.

In case you have custom zones, change the Physical Zones accordingly.

The public IP address is the IP address through which Internet users access the internal server/host. If the public IP address is already configured as the main interface IP or an alias IP, use the option Interface IP to select it as the external IP; otherwise select the option IP and add the public IP address.

Step 2: Create virtual host for Mail server

Go to Firewall > Virtual Host > Create and create the virtual host with the parameters specified in the sample schema.

In our example, Internet users will access the internal mail server using public IP 203.88.135.192, which is mapped to local IP 192.168.1.15. In other words, all inbound requests for 203.88.135.192 will be forwarded to 192.168.1.15.


Step 3: Loopback firewall rule

Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. The loopback firewall rule is created for the service specified in the virtual host.

Loopback rules allow internal users in the same zone to access the internal resources using the public IP (external IP) or FQDN.


In our example, a DMZ to DMZ firewall rule is created, because the virtual host (mapped IP address) belongs to the DMZ interface subnet.

Check the creation of the loopback rule from Firewall > Manage Firewall.

Step 4: Add Firewall rules

Rule 1

Go to Firewall > Create Rule and create a firewall rule for each server with the parameters displayed in the screens below.

Click Create and the Firewall Rule for Webserver will be created successfully.


Click Create and the Firewall Rule for Mailserver will be created successfully.

Note

Change the Destination Host according to the actual server Location (Zone).

To create firewall rules that allow internal users to access resources in the DMZ using the public IP (external IP) or FQDN, follow the steps below:

Go to Firewall > Create Rule and create a firewall rule for each server with the parameters displayed in the screens below.

Click Create and the Firewall Rule for Webserver will be created successfully.


Click Create and the Firewall Rule for Mailserver will be created successfully.

Note:

DO NOT “Apply NAT” for inbound SMTP rules. This will set up the mail server as an OPEN RELAY.
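The following Python model is an added illustration, not Cyberoam code, of the whole procedure above: the virtual host mapping from the Virtual host section, the automatic loopback rule of Step 3, the WAN-to-DMZ rules of Step 4, and the reason the note warns against “Apply NAT” on the inbound SMTP rule. The DMZ subnet (192.168.1.0/24), the firewall's DMZ interface address (192.168.1.1), the service ports (80/443 and 25) and the mail server's relay policy (relay for its own domain or for clients inside the DMZ) are all assumptions; the sample table writes the mail server's public IP as 204.88.135.192 while Step 2 uses 203.88.135.192, and the model follows Step 2. When the SMTP rule masquerades the source, every Internet client appears to the mail server as a trusted DMZ address, which is the open-relay condition the note describes.

```python
# Constructed model of the virtual-host (DNAT) set-up in this article.
# Added example, not Cyberoam code: the DMZ subnet, the firewall's DMZ
# interface address, the service ports and the MTA relay policy are assumptions.
from dataclasses import dataclass
import ipaddress

# Zone membership by subnet (assumed). Anything outside is treated as WAN.
ZONES = {"DMZ": ipaddress.ip_network("192.168.1.0/24")}
DMZ_INTERFACE_IP = "192.168.1.1"   # assumed firewall address inside the DMZ

# Virtual hosts from the sample schema: external IP -> (mapped IP, services).
VIRTUAL_HOSTS = {
    "203.88.135.208": ("192.168.1.4", {80, 443}),   # web server
    "203.88.135.192": ("192.168.1.15", {25}),       # mail server (per Step 2)
}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str            # the virtual host (external IP) used as destination
    ports: set
    apply_nat: bool = False  # "Apply NAT": source masqueraded behind the firewall

def zone_of(ip: str) -> str:
    """Return the zone a source address belongs to; unknown subnets are WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def loopback_rule(external_ip: str) -> Rule:
    """Step 3: the same-zone rule created automatically for the mapped IP's zone."""
    mapped, ports = VIRTUAL_HOSTS[external_ip]
    zone = zone_of(mapped)
    return Rule(zone, zone, external_ip, set(ports))

def build_rules(nat_inbound_smtp: bool = False) -> list:
    """Step 4: one WAN->DMZ rule per server, plus the automatic loopback rules."""
    rules = [loopback_rule(ext) for ext in VIRTUAL_HOSTS]
    rules.append(Rule("WAN", "DMZ", "203.88.135.208", {80, 443}))
    rules.append(Rule("WAN", "DMZ", "203.88.135.192", {25}, apply_nat=nat_inbound_smtp))
    return rules

def forward(rules, src_ip: str, dst_ip: str, dport: int):
    """Evaluate one connection to a public address.

    Returns (source address the server sees, mapped destination) when the
    virtual host publishes the service and a rule permits it; None when dropped.
    """
    if dst_ip not in VIRTUAL_HOSTS:
        return None                    # no virtual host: nothing is translated
    mapped, vh_ports = VIRTUAL_HOSTS[dst_ip]
    if dport not in vh_ports:
        return None                    # service not published by the virtual host
    src_zone, dst_zone = zone_of(src_ip), zone_of(mapped)
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.dst_host) == (src_zone, dst_zone, dst_ip) \
                and dport in rule.ports:
            seen_src = DMZ_INTERFACE_IP if rule.apply_nat else src_ip
            return seen_src, mapped
    return None                        # no matching firewall rule

def mail_server_accepts_relay(client_ip: str, rcpt_domain: str) -> bool:
    """Assumed MTA policy: relay mail for the local domain or for DMZ clients."""
    return rcpt_domain == "example.com" or zone_of(client_ip) == "DMZ"

def relay_attempt(rules, client_ip: str, rcpt_domain: str) -> bool:
    """Can an SMTP client reaching the mail server via its virtual host relay mail?"""
    result = forward(rules, client_ip, "203.88.135.192", 25)
    if result is None:
        return False
    seen_src, _ = result
    return mail_server_accepts_relay(seen_src, rcpt_domain)

if __name__ == "__main__":
    safe, natted = build_rules(), build_rules(nat_inbound_smtp=True)
    print("web from Internet:", forward(safe, "198.51.100.7", "203.88.135.208", 80))
    print("web via loopback: ", forward(safe, "192.168.1.20", "203.88.135.208", 80))
    print("relay, no NAT:    ", relay_attempt(safe, "198.51.100.7", "elsewhere.example"))
    print("relay, Apply NAT: ", relay_attempt(natted, "198.51.100.7", "elsewhere.example"))
```

The last two lines of the demo are the point of the note: with the plain rule the mail server sees the real Internet source and refuses to relay for a foreign domain; with “Apply NAT” it sees 192.168.1.1, a DMZ address, and relays for anyone.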

Document version – 3.0- 12/05/2011