I have 5 static ip that does 1:1 NAT to internal ip.
I have port 80, 443, 3389
I created VIP (Proxy ARP), NAT using 1:1, and then created Rules for 80, 443, 3389.
Now I want to change the RDP port to come in at something like 2500 to translate into 3389. If I do this via 1:1 NAT it does not work, but if I do port forward, it works. I would like the flexibility to use 1:1 with port translation but read somewhere that you can't use 1:1 with port forward for same ip / vip.
What is the workaround?
I prefer not to redo every single entry to one by one entries. See attachment - perhaps I'm over complicating this.
Well if you could translate from 2500 to 3389 it wouldnt be 1:1 ;) (As in 1:1 NAT :D)
Create an alias containing all the ports you want to forward and use this alias in your forwarding rule / firewall rule.
Like this you have "pseudo 1:1 NAT" (you just forward what you need, IMO the better solution)
Now just create the second rule where you map 2500 to 3389.
Thanks for input sir, but can you clarify two parts?
1. I understand creating aliases of ports - got that much
2. How exactly would I setup the rules (sample more like it or how it would look like in my case)
3. The second rule - how would this look like (screens or what part)
This has to be too easy…I have all 1:1 NAT and their corresponding rules for HTTP, HTTPS, SMTP, etc - very easy, but stuck on the RDP because I was to use different RDP port for incoming to automatically translate to 3389 when it hits our server. Just not sure how it should look and what I've tested so far has not worked. Am on 1.2.1 release, thanks.
Just dont use 1:1 NAT.
Use normal portforwardings.
Alias for NotOneToOne containing all to be forwarded ports instead of the 1:1 rule.
NAT-rule to forward NotOneToOne alias
NAT-rule to forward 2500 to 3389
Firewall rule to allow the NotOneToOne alias
and a rule to allow 3389
All ports are forwarded from OPT3 (ignore the rest of the rules that are not about OPT3)
Thank you for taking the time to illustrating that and explaining. I suppose I will have to remove that specific public ip from my 1:1 NAT and do port forwarding as you suggested. The other 1:1 can stay. Or I could even create an alias for each server of the ports I need and just use port forwards for all–hope that's correct. Does it mean I still need the VIP - I thought it VIPs were only for 1:1 or is it for any public ip I own whether 1:1 or port forward?
Yes you still need the VIP.
When you create the portforward you can select with "External address" the VIP.
If you also want that oubound traffic from this server leaves via the VIP you will need to enable outbound NAT and create a rule above all other rules in the form of: [attached screenshot]
x.x.24.11 is a VIP.
It is just as simple to change the port for RDP and add the rule. I have done this for several customers for security purposes. It works fine. It you are using it internally we just create a custom desktop icon and push that out all you internal users.