6 Replies Latest reply on Jul 9, 2013 7:36 AM by noor

    port forwarding help ?

    dtagit New Member

      I've received a request from an equipment provider to access their equipment for troubleshooting purposes. I'm required to set up a "port forward" and need some assistance. They've requested that the following ports be forwarded: 21, 23, 80. I can make this work properly by moving the policy above the admin access; however, if I need to access the NetVanta from the public network, I can no longer do so. Is there a way I can access both?


      Thanks for any ideas

        • Re: port forwarding help ?
          Employee

          dtagit - Thanks for posting your question on the forum!

           

          There is a conflict as to which ports will access which device. Whichever rule is on top will be the one that is used, while the other will not. There are a couple of options to allow access for your equipment provider while maintaining remote admin access to the NetVanta. However, it depends on your public static IP address situation.

           

          1. If you have multiple public static IPs available, then you can use one static IP address to configure your port forward while using the other to access the NetVanta.

          2. If you have a single public IP address to use, then you will need to either:

               A.     Change the ports you are using to access the NetVanta. This can be changed on the "IP Services" page in the GUI. However, once this change is made, you will need to modify your Admin Access rule so that traffic to the new ports is allowed. The change will not be automatic.

               OR

               B.     Configure port translation for the equipment provider. You can give them the static IP and port to use to access each service and then simply translate the destination IP address and destination port to the correct port. The thread below shows a customer setting up something similar: Re: 3448 port fowarding to a different internal port

           

          Please do not hesitate to let us know if you have any further questions.

           

          Thanks,

          Noor

            • Re: port forwarding help ?
              billflippen New Member

              Follow-up question: NetVanta 3448

              Customer has added a policy for https to an exchange server above my https for admin.

               

              They only have 1 static public IP address.

               

              I still have ssh to the box and now must config via the CLI.

               

              I will need to change services I guess and then do a port forward

              I was wondering if there were any how-tos on this.

                • Re: port forwarding help ?
                  Employee

                  billflippen - First, you will need to change the port that HTTPS access uses on the NetVanta. As mentioned above, this can be changed on the "IP Services" page under the 'System' section of the navigation panel on the left.

                   

                  Second, you will need to create an "allow" rule on the security zone assigned to the WAN interface. This "allow" rule should have the destination security zone set to "self" and destination port set to whatever port you specified in the "IP Services" page.

                   

                  It is important to remember that the rule must be moved above any other rules which may match the traffic you are trying to allow.

                   

                  Please do not hesitate to let us know if you have any further questions.

                   

                  Thanks,

                  Noor
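The single-public-IP procedure described in the reply above (move the NetVanta's own HTTPS listener to a new port, allow that port to "self" from the WAN zone, and keep the Exchange/vendor NAT rules) written out as one AOS configuration. This is an added example, not configuration from the thread or from ADTRAN documentation. The addresses 192.168.1.10 (Exchange) and 192.168.1.20 (vendor equipment), the admin port 8443 and the vendor's public port 2323 are constructed values; the "ip http secure-server <port>" form follows the reply in this thread, and the trailing "port <n>" on "nat destination list" is an assumption to confirm on your own unit with "?" in config mode.

```text
! Added example, constructed values; not from the thread or ADTRAN docs.
!
! 1. Move the box's own HTTPS listener off 443 (GUI: System > IP Services).
ip http secure-server 8443
!
! 2. ACL for traffic that belongs to the Exchange server.
ip access-list extended web-acl-24
  remark "Exchange Server"
  permit tcp any any eq https log
!
! 3. ACL for admin access to the NetVanta itself: SSH, the new HTTPS port, ping.
!    Replacing the first "any" with your management source address tightens this further.
ip access-list extended wizard-remote-access
  remark Admin Access
  permit tcp any any eq ssh log
  permit tcp any any eq 8443 log
  permit icmp any any echo log
!
! 4. Optional port translation for the equipment provider (option 2B above):
!    the vendor connects to public port 2323, the NetVanta rewrites it to 23 inside.
!    The "port 23" suffix is assumed syntax; check "nat destination list ?" on your unit.
ip access-list extended vendor-telnet
  remark Vendor telnet via translated port
  permit tcp any any eq 2323 log
!
! 5. WAN policy-class. First match wins, so the admin "allow ... self" rule sits above
!    the NAT rules; it only matches 22, 8443 and ICMP, so it cannot capture Exchange 443.
ip policy-class Public
  allow list wizard-remote-access self
  nat destination list web-acl-24 address 192.168.1.10
  nat destination list vendor-telnet address 192.168.1.20 port 23
!
interface eth 0/1
  ip access-policy Public
```

After applying this, confirm from outside the WAN that https://<public-ip>:8443 reaches the NetVanta login page and that https://<public-ip> still lands on Exchange. Telnet, FTP and HTTP (the 21/23/80 set requested in the original post) are cleartext, so if the vendor can give you a source address, put it in place of the first "any" on the vendor ACL rather than leaving the forward open to the whole Internet.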

                    • Re: port forwarding help ?
                      billflippen New Member

                      Thank you, Noor.

                      so I am doing this from the CLI (since I no longer have web access).....

                       

                      I need to delete the https

                      As a side note, I am not the only one programming this....

                      I have 2 access-lists that contain https rules:

                       

                      ip access-list extended web-acl-4

                      remark Admin Access

                      permit tcp any any eq ssh log

                      permit icmp any any echo log

                       

                      ip access-list extended wizard-remote-access

                      remark Admin Access

                      permit tcp any any eq ssh log

                      permit tcp any any eq ssh log

                      permit icmp any any echo log

                       

                      ip access-list extended web-acl-24

                      remark "Exchange Server"

                      permit tcp any any eq https log

                      other permit rules...

                       

                      The only references I see to these are (in order of appearance in the show run):

                       

                      ip policy-class "public WAN"

                      allow list web-acl-4 self

                       

                      ip policy-class Public

                      some nat rules

                      nat destination list web-acl-24 address X.X.X.X

                      more nat rules

                      allow list wizard-remote-access self

                       

                       

                      interface eth 0/1

                      ip access-policy Public

                       

                       

                      So it looks as though I can safely delete the "public WAN" policy class since it isn't assigned to a port.

                      I can then delete  ip access-list web-acl-4 since it appears only in the "public WAN" policy class.

                      (I hate clutter)

                       

                      I don't know how to change the IP Services via the CLI (haven't found that branch yet) to change the port number the web GUI will use.

                       

                      So once I figure out how to do that...(Google Fu is failing me)

                       

                      add to the existing

                      ip access-list extended wizard-remote-access

                      permit tcp any self <new_port_number> log  (I am not sure of the self destination here)

                       

                      Since this is an exclusive rule, I don't think I will need to move it up, but if I did, then how would I move it up the list via the CLI?

                        • Re: port forwarding help ?
                          Employee

                          billflippen - You are correct that you can delete "public WAN" as long as you do not already have it assigned to an interface.

                           

                          The command to change the HTTPS port is "ip http secure-server <TCP port>". This command must be issued from config mode in the CLI.

                           

                          Based on your firewall configuration, I would probably just add an entry to the ACL 'wizard-remote-access' that looked like this:

                           

                          permit tcp any any eq <TCP port> log

                           

                          You should be okay with leaving the rule in its place as long as none of the above rules will match what you have set the new TCP port to be.

                           

                          I hope that answers your questions but let us know if you have any further ones.

                           

                          Thanks,

                          Noor
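The claim in the reply above is that the new admin rule can stay where it is as long as no earlier rule in the policy-class matches the new TCP port. As an added example (not code from the thread or from ADTRAN), the following Python models the first-match behaviour of a policy-class with just two actions, "nat destination list ... address ... [port ...]" and "allow list ... self", and adds a shadow check that reports any port a rule can never see because an earlier rule claims it first. The ACL names mirror the ones posted in this thread; the port lists, 192.168.1.10, 192.168.1.20, 8443 and 2323 are constructed.

```python
"""Simplified first-match model of an AOS policy-class.

Added example, not ADTRAN code. It models only TCP destination-port matching
and two actions: "nat destination list <acl> address <ip> [port <n>]" and
"allow list <acl> self". Addresses and ports below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Acl:
    name: str
    ports: Tuple[int, ...]          # TCP destination ports listed with "eq"


@dataclass(frozen=True)
class Rule:
    action: str                     # "nat_destination" or "allow_self"
    acl: Acl
    address: Optional[str] = None   # internal host for nat_destination
    port: Optional[int] = None      # translated destination port, if any


def evaluate(policy: Tuple[Rule, ...], dst_port: int) -> Optional[Tuple[int, str]]:
    """First-match lookup: (rule index, where the packet ends up), or None if no rule matches."""
    for i, rule in enumerate(policy):
        if dst_port in rule.acl.ports:
            if rule.action == "nat_destination":
                # Destination port is rewritten only when the rule carries "port <n>".
                return i, f"{rule.address}:{rule.port or dst_port}"
            return i, "self"
    return None


def shadowed_ports(policy: Tuple[Rule, ...]) -> List[Tuple[int, int, int]]:
    """Every (rule index, port, index of the earlier rule that wins) a later rule can never see."""
    found = []
    for i, rule in enumerate(policy):
        for port in rule.acl.ports:
            for j in range(i):
                if port in policy[j].acl.ports:
                    found.append((i, port, j))
                    break
    return found


# ACLs named after the ones in the thread; port lists are constructed.
EXCHANGE = Acl("web-acl-24", (443,))
ADMIN_ON_443 = Acl("wizard-remote-access", (22, 443))
ADMIN_ON_8443 = Acl("wizard-remote-access", (22, 8443))
VENDOR = Acl("vendor-telnet", (2323,))

# Before: the Exchange NAT rule sits above the admin rule and both claim 443,
# so HTTPS to the public address never reaches the NetVanta itself.
BEFORE = (
    Rule("nat_destination", EXCHANGE, address="192.168.1.10"),
    Rule("allow_self", ADMIN_ON_443),
)

# After: admin HTTPS moved to 8443 ("ip http secure-server 8443"), rule order unchanged,
# plus a vendor forward that translates public 2323 to 23 on the internal host.
AFTER = (
    Rule("nat_destination", EXCHANGE, address="192.168.1.10"),
    Rule("allow_self", ADMIN_ON_8443),
    Rule("nat_destination", VENDOR, address="192.168.1.20", port=23),
)

if __name__ == "__main__":
    print("before, port 443  ->", evaluate(BEFORE, 443))
    print("before, shadowed  ->", shadowed_ports(BEFORE))
    print("after,  port 8443 ->", evaluate(AFTER, 8443))
    print("after,  port 2323 ->", evaluate(AFTER, 2323))
    print("after,  shadowed  ->", shadowed_ports(AFTER))
```

Running it shows the shadowed entry (1, 443, 0) for the "before" policy, which is exactly the lost GUI access described earlier in the thread, and an empty shadow list once the admin port is moved, which is the condition under which the rule can be left in place. The same check is worth repeating whenever someone else adds a NAT rule above the admin rule, since the policy-class gives no warning of its own.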

                            • Re: port forwarding help ?
                              Employee

                              billflippen -

                              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                               


                              Thanks,

                              Noor