- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Port-Forwarding same ip different port
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Port-Forwarding same ip different port
Hi,
How can I redirect, for example, the port 2525/TCP to port 25/TCP on the same IP.
So, the same IP will receive SMTP conections at port 25/TCP and 2525/TCP.
Thx
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums
When you create the VIP (virtual IP) definitions, check off the port forward option, and select the port to send over.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply !
Probably I wasn' t clear enough !
I have a Mail Server, which has a public IP (let' s say 2.2.2.2), which is connected to the DMZ port (let' s say 2.2.2.1).
Those IP addresses are part of a subnet block (let' s say) 2.2.2.0/29, which is routed to the Fortinet. So I have access to the Mail Server from Internet.
I have a Firewall Policy (wan1 -> dmz) to allow connections to port 25/TCP for SMTP. And, obviously, it' s working.
But, I want to receive SMTP connections to port 2525/TCP too (redirected to port 25/TCP), without make any adjustments in my Mail Server.
So, I can receive SMTP connections in both ports (transparently).
I can do that with IPTABLES in Linux Based Firewall, using a simple PREROUTING Rule:
iptables -t nat -A PREROUTING -p tcp -d 2.2.2.2 --dport 2525 -j DNAT --to-destination 2.2.2.2:25
How can I do it with Fortinet ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a VIP rule, put port 2525 on the outside and port 25 on the inside. Simple as that. Use SMTP as the service in the policy, and you' re done.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' ve tested it, and It doesn' t work.
If I put 2.2.2.2 on both External IP and Mapped IP.
The 2.2.2.2 doesn' t respond any connection, not even 25/TCP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The mapped IP has to be the server, and it' s port needs to be 25. 2.2.2.2 is the public IP. You need to map to the private IP address for this to function.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, so it have to be a private address to work?
Because my Mail Server has the 2.2.2.2 (public), as I told you, I have the subnet block 2.2.2.0/29 routed to the Fortinet. So, the whole block is in the DMZ.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hserna: stupid Q: - did you put a Policy in place
ext:all -> dmz:VIP / allow
(DST-Addr in the Policy would be the VIP you have created)
-R.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Of course !
Don' t get me wrong, but I have about 4 years of experience with Fortinet.
I' ve try it in some many ways. But none had ever worked.
But yesterday I needed it again, so I give a try asking in the forum.
Have anyone ever try it ?
There are several cases:
1. Same Public IP (already asigned and routed in the DMZ), different ports:
Port 2.2.2.2:2525 redirected to 2.2.2.2:25
2. Different Public IPs (already asigned and routed in the DMZ), same port:
Port 2.2.2.2:25 redirected to 2.2.2.3:25
3. Same mapped IP (public <-> private, using VIP), different ports:
Port 2.2.2.2:2525 redirected to 192.168.1.2:25
Where 2.2.2.2 is already a VIP (Static NAT) of 192.168.1.2
4. Different mapped IPs (public <-> private, using VIP), same port:
Port 2.2.2.2:25 redirected to 192.168.1.3:25
Where 2.2.2.2 is already a VIP (Static NAT) of 192.168.1.2
Where 2.2.2.3 is already a VIP (Static NAT) of 192.168.1.3
I' ve never make this 4 cases work.
But, as I told earlier, I can make it work with IPTABLES (Linux). So, I think it have to be a way of doing it.
I really appreciate your time and pacience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just tried #3 in my 1000a with my mail server, and it seemed to have worked. I don' t have another mail server to configure to that port to test the traffic, but I didn' t get any errors making the rules.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- NO internet connection when using static... 153 Views
- SFP+ Module compatibility 98 Views
- Log messages when forwarding traffic 132 Views
- Import Firewall Policies from CLI or... 79 Views
- VXLAN, Virtual Switch and MTU 85 Views
Labels
-
FortiGate
6,534 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.