2.1.28.3. Destination NAT (destination port conversion / single configuration)

2.1.28.3.1. Use case

This section describes the following use case.
<Example> Publishing a web server on ECL and accessing it from the Internet
• All hosts on the Internet access WebServer01, which is located on a logical network (server segment).
• Traffic addressed to the global address has its destination converted to the address of WebServer01 (destination NAT), and traffic addressed to TCP 80 is port-converted to TCP 8080 on WebServer01.
[Figure: dnat-yes-port-structure-single]

2.1.28.3.2. Conversion image

[Figure: dnat-yes-port-traffic]

2.1.28.3.3. Condition

The following tasks, which depend on the use case, are assumed to have been completed.
Create the Managed Firewall
Managed Firewall interface settings / connection to a logical network
Managed Firewall routing settings (default gateway)
• Destination IP: 0.0.0.0
• Subnet Mask: 0.0.0.0
• Gateway address: Gateway IPv4 address of Internet-GW (Example: 192.168.1.251)
• Interface: Port on which the default gateway is set (Example: Port4)
* Add further routing settings if necessary.
Routing settings of Internet-GW
• Destination: Global IP address to be used by destination NAT (Example: 153.x.x.10/32)
• Next hop: IP address of the Managed Firewall interface (Example: 192.168.1.254)
* Add further routing settings if necessary.
Settings needed on WebServer01
• Routing settings, iptables/Windows firewall settings, name resolution settings, etc.

2.1.28.3.4. Step (1)-1 NAT object generation

Create a destination NAT object.
After entering the setting values, press the [ Save ] button.

[Figure: dnat-yes-port-create-nat-object]

Items                   Setting value
NAT Name                DNAT_153.x.x.10
External IP Address     153.x.x.10
Mapped IP Address       10.1.1.10
External Interface      Port4
Port Forward            Checked
Protocol                TCP
External Service Port   80
Mapped Port             8080

Note

  • For an External IP address, do not use an IP address actually assigned to other devices.

  • For an External IP address and Mapped IP address, do not use the same address.


2.1.28.3.5. Step (1)-2 Service object generation

Generate a service object.
After entering the setting values, press the [ Save ] button.

[Figure: dnat-yes-port-create-service-object]

Items                   Setting value
Service Name            HTTP8080
Protocol Type           TCP
Source Port             Blank
Destination Port        8080

Note

  • Blank is defined as Any.


2.1.28.3.6. Step (1)-3 Saving an object

Before generating a firewall policy, select [ Apply configuration ] on the device management screen to apply the objects.

[Figure: save]

After saving is finished, only the [ Synchronize with Device ] button is displayed.
[Figure: synchronize-device]

2.1.28.3.7. Step (2)-1 Generating a firewall policy

Generate a firewall policy for access from the Internet to the web server that uses destination NAT.
After entering the setting values, press the [ Save ] button.
[Figure: dnat-yes-port-create-policy-single]

Items                      Setting value
Enable                     Checked
Incoming Interface         Port4
Source Address             all
Outgoing Interface         Port5
Destination Address Type   NAT Object
Destination NAT            DNAT_153.x.x.10
Service                    HTTP8080
Action                     ACCEPT
NAT                        Unchecked
Log                        Any item


2.1.28.3.8. Step (2)-2 Saving the policy

Select [ Apply configuration ] on the device management screen to apply the firewall policy.

[Figure: save]

After saving is finished, only the [ Synchronize with Device ] button is displayed.
[Figure: synchronize-device]
The configuration is now complete.
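
The following Python model is an added example, not part of the original page or of the Managed Firewall product: it walks a packet through the NAT object, service object and firewall policy configured in the steps above and checks that the three agree with each other. It assumes the firewall applies destination NAT before the policy lookup and drops traffic that matches no policy, which is consistent with the policy's Service being HTTP8080 (port 8080) rather than port 80; the dictionary keys and function names are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dst_ip: str
    dst_port: int

# Values copied from the page's tables (153.x.x.10 is the page's masked address).
NAT = {"name": "DNAT_153.x.x.10", "ext_if": "Port4", "ext_ip": "153.x.x.10",
       "mapped_ip": "10.1.1.10", "proto": "TCP", "ext_port": 80, "mapped_port": 8080}
SERVICE = {"name": "HTTP8080", "proto": "TCP", "dst_port": 8080}
POLICY = {"in_if": "Port4", "out_if": "Port5", "dst_nat": "DNAT_153.x.x.10",
          "service": "HTTP8080", "action": "ACCEPT"}

def apply_dnat(pkt, nat):
    """Rewrite destination IP/port if the packet hits the NAT object."""
    hit = (pkt.in_if == nat["ext_if"] and pkt.proto == nat["proto"]
           and pkt.dst_ip == nat["ext_ip"] and pkt.dst_port == nat["ext_port"])
    if not hit:
        return pkt, None
    return replace(pkt, dst_ip=nat["mapped_ip"], dst_port=nat["mapped_port"]), nat["name"]

def evaluate(pkt, nat=NAT, service=SERVICE, policy=POLICY):
    """Assumed order: destination NAT, then policy lookup; no match means DROP."""
    translated, nat_name = apply_dnat(pkt, nat)
    ok = (nat_name == policy["dst_nat"] and translated.in_if == policy["in_if"]
          and policy["service"] == service["name"]
          and translated.proto == service["proto"]
          and translated.dst_port == service["dst_port"])
    return (policy["action"] if ok else "DROP"), translated

def lint(nat=NAT, service=SERVICE, policy=POLICY):
    """Consistency checks: first from the page's Note, the rest assumed from its values."""
    problems = []
    if nat["ext_ip"] == nat["mapped_ip"]:
        problems.append("External IP and Mapped IP must differ")
    if service["dst_port"] != nat["mapped_port"]:
        problems.append("Service destination port must equal Mapped Port")
    if service["proto"] != nat["proto"]:
        problems.append("Service protocol must match NAT object protocol")
    if policy["in_if"] != nat["ext_if"]:
        problems.append("Policy incoming interface must be the NAT external interface")
    return problems

if __name__ == "__main__":
    for port in (80, 8080, 443):  # constructed test traffic arriving on Port4
        print(port, evaluate(Packet("Port4", "TCP", "153.x.x.10", port)))
    print("lint:", lint())
```

In this model only TCP 80 on the external address reaches WebServer01; a request sent directly to port 8080 on the external address never hits the NAT object and is dropped.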