Configuring Port Forwarding for Just One Public IP

We're trying to replace a Cisco ASA with a Firebox, but I'm having trouble figuring something out (I'm using the web UI, by the way). We have a /27 block of IP's from our ISP, for which we use 1-to-1 NAT mappings so that unique public IP's can be used to reach various specific internal servers that have private IP addresses. From what I understand, this should be easy to set up: We just configure 1-to-1 NAT mappings in Network - NAT - 1-to-1 NAT, and then make sure the traffic matches a firewall policy on which 1-to-1 NAT has been enabled.

My problem is that, with one particular public IP (and it's not the firewall interface IP), we want to use port forwarding; this is so that a set of 5 IP camera systems can be reached from the internet, all via the same IP but with different ports. Currently with the ASA we have it set so that connections to this public IP get forwarded to the proper private IP based on destination port number. Note that we don't actually need to change the port number; we just need to use port forwarding to determine what private IP to forward it to, based on the port number.

Do you know how I can do this? From what I could gather it seemed like I'm supposed to A) Add this particular public IP as a secondary interface IP, B) In SNAT settings map this public IP to the 5 private addresses, and then C) Add a firewall policy in which the To field is set to my SNAT action. However, with respect to step B it won't let me add multiple hosts to the same IP address (it says the IP address is already in use), so I'm thinking I might be going about this in completely the wrong way. What do you guys think? Thank you for your help!

Best Answer

  • Options

    You need 5 SNAT setups to do this, and 5 policies, each with a different source port.
    On the SNAT you can set a source port if the camera port is different than the port on the incoming policy.


  • Options

    Thank you, that was exactly what I needed! I didn't realize I needed to create 5 different SNAT records to do this, 1 for each internal IP address, I thought I was supposed to add 1 SNAT record with all 5 internal addresses. Thanks again!

Sign In to comment.