Thanks for posting your question in the Support Community! The video Configuring a Port Forward in AOS (NetVanta) and guide Port Forwarding Quick Configuration Guide are great places to start. See Configuring Port Forwarding in AOS and Configuring the Firewall (IPv4) in AOS for a deeper look and complete explanation of options.
- When using the web GUI, use the Firewall Wizard only for initial setup as any existing NAT or port forwarding rules will be lost
- Edit Security Zones in the Data → Firewall section for changes or new rules in the web GUI
- In the CLI, access-lists (ACLs) are used to match traffic based on source and/or destination IP, as well as source/destination port
- In the CLI, policy-classes contain ACLs with action to NAT/allow/discard
- Interfaces must be placed into a security zone (access-policy); normally the LAN interface is in Private while the WAN/ISP interface is in Public (or similar)
- See the linked guides above for configuration examples
Let us know if you have follow-up questions along the way.
Ok thanks. Just to be sure I am understanding correctly, port forwarding and/or the firewall can be used like a NAT table? Meaning the router will listen for requests for one of my assigned IP addresses and forward the request, port and all, to the correct server.
Thanks for the "nudge" in the right direction.
You got it. For example, a NAT/port forward rule in the Public security zone can forward to an inside server IP, with the same destination port or with translation to a different port number. A typical server might listen for HTTPS connections on TCP port 443 and you would probably NAT the traffic without port translation. However, you might want to reach a server for RDS or something insecure and you don't want the standard port open to the public. Obviously, VPN would be best, or at least filter the policy to allow connections from only a known/trusted source IP. But if you need to be able to connect from anywhere, then you should at least listen on an obscure port number and translate to the actual port when NAT'ing to the inside host. For instance, allow connections on port 12380 on the outside but translate to port 80 to reach a web server.
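A simplified model of the rule evaluation described in the reply above, as an added example that is not part of the original thread and is not AOS code or CLI syntax. The `ForwardRule` structure, the function names and all addresses (documentation ranges) are constructed for illustration; each rule combines the ACL match (source, destination IP, destination port) with the NAT target, and unmatched traffic is discarded.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ForwardRule:
    """One Public-zone entry: ACL match fields plus the NAT target (hypothetical model)."""
    src_net: str      # permitted source network; "0.0.0.0/0" means anywhere
    public_ip: str    # outside address the router answers for
    public_port: int  # port exposed on the outside
    inside_ip: str    # server on the Private side
    inside_port: int  # port the server actually listens on

# Constructed sample rules mirroring the cases in the reply.
RULES = [
    # HTTPS forwarded without port translation
    ForwardRule("0.0.0.0/0", "203.0.113.10", 443, "192.168.1.10", 443),
    # Obscure outside port 12380 translated to the web server's port 80
    ForwardRule("0.0.0.0/0", "203.0.113.10", 12380, "192.168.1.20", 80),
    # Remote desktop (3389) permitted only from one trusted source network
    ForwardRule("198.51.100.0/24", "203.0.113.11", 3389, "192.168.1.30", 3389),
]

def translate(src_ip, dst_ip, dst_port, rules=RULES):
    """Return (inside_ip, inside_port) for the first matching rule, or None (discard)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src_net)
                and dst_ip == r.public_ip
                and dst_port == r.public_port):
            return (r.inside_ip, r.inside_port)
    return None  # nothing matched: traffic from the Public side is dropped

def open_to_any(rules=RULES):
    """List public (ip, port) pairs reachable from any source, for periodic review."""
    return [(r.public_ip, r.public_port) for r in rules
            if ipaddress.ip_network(r.src_net).prefixlen == 0]

if __name__ == "__main__":
    print(translate("192.0.2.50", "203.0.113.10", 12380))   # translated to port 80
    print(translate("192.0.2.50", "203.0.113.11", 3389))    # untrusted source
    print(translate("198.51.100.7", "203.0.113.11", 3389))  # trusted source
    print(open_to_any())
```

The `open_to_any` listing shows which forwards rely only on the port number for protection, which are the ones worth narrowing to a trusted source or moving behind a VPN.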
Perfect. Thanks for the help, I am a bit new to all this. The videos are perfect and thanks for the explanation.
I really appreciate it!
Yep, the videos and links are just what I am looking for.