
24/02/2020 Configure Port Forwarding using Virtual Host to access devices on Internal network - Sophos Community

Configure Port Forwarding using Virtual Host to access devices on Internal network
130130 | 26 Jan. 2018 | 6 people found this helpful


Applicable Version: 10.04.0 Build 214, 304, 311, 338

Overview

This article demonstrates how to configure Cyberoam to provide access to internal resources
using a virtual host.

Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam.

A virtual host maps services of a public IP address to services of a host in a private network. In other
words, it is a mapping of a public IP address to an internal IP address. This virtual host is used as the
Destination address to access an internal or DMZ server.

A virtual host can be a single IP address, an IP address range, or the Cyberoam interface itself.
Cyberoam automatically responds to ARP requests received on the WAN zone for the external IP
address of the virtual host.

Cyberoam allows Port Forwarding for Virtual Hosts. Additionally, Cyberoam allows configuring a Port List for the
virtual host. The ports within the list are comma separated. A Port List can be mapped against a Port List or a Port.
Further, a Port Range can now also be mapped against a single port. This creates a one-to-one or a many-to-one
mapping between the external port and the mapped port.

Note:
· For a single virtual host, a maximum of 16 ports can be configured in a Port List.

· All the ports within a Port List use a single protocol, either TCP or UDP, as per the
configuration. A combination of both protocols within a Port List is not allowed.
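
The port-mapping rules above, worked through as an added Python example (not from the Sophos article or from Cyberoam itself): it validates a virtual host's external and mapped port settings against the 16-port and single-protocol limits and expands them into an external-to-mapped table. The function names, the spec strings and the in-order pairing of equal-length lists or ranges are assumptions made for illustration.

```python
MAX_LIST_PORTS = 16  # per the note above: at most 16 ports in a Port List


def parse_ports(kind, spec):
    """Parse a 'port' ("80"), 'range' ("8000-8003") or 'list' ("80,443") spec."""
    if kind == "port":
        ports = [int(spec)]
    elif kind == "range":
        lo, hi = (int(p) for p in spec.split("-"))
        if lo > hi:
            raise ValueError(f"range {spec!r} is reversed")
        ports = list(range(lo, hi + 1))
    elif kind == "list":
        ports = [int(p) for p in spec.split(",")]
        if len(ports) > MAX_LIST_PORTS:
            raise ValueError(f"Port List has {len(ports)} ports, limit is 16")
        if len(set(ports)) != len(ports):
            raise ValueError("Port List contains duplicates")
    else:
        raise ValueError(f"unknown port type {kind!r}")
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} is outside 1-65535")
    return ports


def forward_map(protocol, ext_kind, ext_spec, map_kind, map_spec):
    """Return {external_port: mapped_port} for one virtual host."""
    if protocol not in ("TCP", "UDP"):   # a Port List cannot mix protocols
        raise ValueError("protocol must be exactly one of TCP or UDP")
    ext = parse_ports(ext_kind, ext_spec)
    mapped = parse_ports(map_kind, map_spec)
    if len(mapped) == 1:                 # many-to-one, or plain port-to-port
        return {e: mapped[0] for e in ext}
    if len(mapped) == len(ext):          # one-to-one, paired in order (assumption)
        return dict(zip(ext, mapped))
    raise ValueError("mapped ports must be one port or match the external count")


# Constructed sample input: the article's Web server, then a list and a range.
if __name__ == "__main__":
    print(forward_map("TCP", "port", "80", "port", "80"))
    print(forward_map("TCP", "list", "80,443", "list", "8080,8443"))
    print(forward_map("TCP", "range", "8000-8003", "port", "80"))
```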

Scenario

Throughout the article we will use the network parameters shown in the network diagram given
below. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The Web
Server is hosted in the DMZ.

https://community.sophos.com/kb/en-us/130130 1/5

| Network components | External IP address (Public) | IP address (Internal) |
|---|---|---|
| Web server | 1.1.1.1 | 192.168.2.1 (Mapped) |

For virtual hosts:

External IP: IP address through which Internet users access the internal server.
Mapped IP: IP address bound to the internal server.

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission
for relevant feature(s).

Step 1: Create Virtual Host for Web server


Go to Firewall > Virtual Host > Virtual Host and click Add to add virtual host for Web Server with the
parameters as specified in the table below.

| Parameters | Value | Description |
|---|---|---|
| Basic Settings | | |
| Name | WebServer | Specify a name to identify the host. |
| IP Family | IPv4 | Select the IP Family. Available Options: IPv4, IPv6 |
| External IP | 1.1.1.1 | Specify the external/public IP address on which the Host will be accessed. |
| Mapped IP | 192.168.2.1 | Specify the Internal/private IP Address of the Web Server. |
| Physical Zone | DMZ | Specify the zone in which the host resides. |
| Port Forwarding | | |
| Enable Port Forwarding | Enabled | Click to enable the service of port forwarding. |
| Protocol | TCP | Select the protocol TCP or UDP that you want the forwarded packets to use. |
| External Port Type | Port | Select the type of external port from the available options: Port, Port Range, Port List |
| External Port | 80 | Specify public port number for which you want to configure port forwarding. |
| Mapped Port Type | Port | Select the type of mapped port from the available options: Port, Port Range, Port List |
| Mapped Port | 80 | Specify mapped port number on the destination network to which the public port number is mapped. |


Click OK and the Virtual Host for Web_Server will be added successfully.

On clicking OK, the Add Firewall Rules For Virtual Host screen appears which allows you to create
firewall rules to allow access to Web_Server from other zones such as WAN zone.

Enable Add Firewall Rule(s) For Virtual Host and set rule parameters as desired.

Click Add Rule(s) to add the firewall rule.

Note:

- In the given example, Virtual Host configuration for Web Server is shown. Virtual Host for other servers like
Mail Server, FTP Server or Database Server can be created similarly.

- While adding the Firewall Rule for the Virtual Host, it is recommended to allow only the required services
corresponding to the Server for security of the hosted server.

Step 3: Verify Firewall Rule(s)

To verify the Firewall Rules, go to Firewall > Rule > IPv4 Rule. Click to expand the DMZ – DMZ, DMZ –
WAN and WAN – DMZ firewall rules. Three firewall rules are created for the virtual host of Web Server,
as shown in the image below.

1. Auto: Allows traffic from WAN to Server.
2. Reflexive: Ensures that traffic from Server to WAN is NATted.
3. Loopback: Allows access to server from the same zone, LAN or DMZ, in which Server is placed.

Document Version 2.1 – 16 June, 2015
