SG-3100 - NAT rule for single Public IP
Hello, I am attempting to create a NAT/Forward rule to send SFTP traffic on port 22 to an internal IP address. I have successfully tested from a handful of different devices that the NAT rule works and now I want to limit it to 5 specific public IPs that should be able to access this server. Since the public IPs are not part of a single subnet I assume I have to create 5 NAT entries but I am not having a lot of success.
For our use case the public IP is 184.108.40.206 and the translation rule would be to 192.168.2.10.
What seems to be the proper rule setup: Firewall > NAT > Add
Source > Advanced > Single Host 220.127.116.11
Destination > WAN Net
All port details are listed as port 22
Redirect Target IP > 192.168.2.10
Everything else is default value
When I follow this process the server is not accessible. Any guidance would be greatly appreciated since I'm experiencing a flood of bots trying to brute force my server.
You can browse to Firewall -> Aliases -> IP and Add an alias that contains your public addresses. Use the new alias as the Source -> Advanced -> Single host or Alias entry.
Check your Destination and maybe use WAN Address instead of WAN Net (?).
@serbus thank you for the advice on the alias, that is helpful. Unfortunately the rule continues to block traffic. I can see the IP being blocked in my firewall logs. The only way I continue to get this to work is with an Any to Any rule. Really strange.
Verify that your alias was created correctly by browsing to Diagnostics -> Tables and selecting the alias name from the dropdown.
Are you having the NAT rule create a linked firewall rule that allows traffic to 192.168.2.10:22? That should be the default.
I think the destination for the NAT should be WAN Address not WAN Net.
@stephenw10 this is it! I totally forgot the source ports are randomized and as soon as I moved that back to any it worked. I really appreciate it!
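To make the resolution concrete, here is an added example (not from the thread or from pfSense itself) that models how a port-forward rule matches an inbound packet: the rule as first configured pins the source port to 22 and so never matches a real client, whose source port is ephemeral, while the corrected rule with source port "any" forwards allowed clients and still drops everything not in the alias. The WAN address and redirect target are the thread's; the alias contents are constructed TEST-NET addresses.

```python
# Added example: minimal model of pf-style port-forward matching.
# WAN address and LAN target are taken from the thread; the alias entries
# are constructed (RFC 5737 TEST-NET addresses), not real client IPs.
from dataclasses import dataclass
from typing import Optional

WAN_ADDRESS = "184.108.40.206"                        # firewall's public IP (from the thread)
ALLOWED_CLIENTS = {"203.0.113.10", "198.51.100.7"}    # constructed alias contents

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class RdrRule:
    src_alias: frozenset       # "Single host or Alias" source restriction
    src_port: Optional[int]    # None means "any"
    dst_ip: str                # WAN Address, not WAN Net
    dst_port: int
    redirect_ip: str
    redirect_port: int

    def apply(self, pkt: Packet) -> Optional[tuple]:
        """Return (ip, port) the packet is redirected to, or None if the rule does not match."""
        if pkt.src_ip not in self.src_alias:
            return None
        if self.src_port is not None and pkt.src_port != self.src_port:
            return None
        if (pkt.dst_ip, pkt.dst_port) != (self.dst_ip, self.dst_port):
            return None
        return (self.redirect_ip, self.redirect_port)

# Rule as first configured: every port field set to 22, including the source port.
BROKEN_RULE = RdrRule(frozenset(ALLOWED_CLIENTS), 22, WAN_ADDRESS, 22, "192.168.2.10", 22)
# The fix: source port "any"; only the destination port is pinned.
FIXED_RULE = RdrRule(frozenset(ALLOWED_CLIENTS), None, WAN_ADDRESS, 22, "192.168.2.10", 22)

def forward(rule: RdrRule, src_ip: str, src_port: int) -> Optional[tuple]:
    """Simulate one inbound SFTP connection attempt to the WAN address on port 22."""
    return rule.apply(Packet(src_ip, src_port, WAN_ADDRESS, 22))

if __name__ == "__main__":
    # A real client picks an ephemeral source port, e.g. 51234.
    print(forward(BROKEN_RULE, "203.0.113.10", 51234))  # None: blocked, as seen in the logs
    print(forward(FIXED_RULE, "203.0.113.10", 51234))   # ('192.168.2.10', 22)
    print(forward(FIXED_RULE, "192.0.2.99", 51234))     # None: not in the alias, so bots are dropped
```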