SG-3100 - NAT rule for single Public IP

Spearhead1

Hello, I am attempting to create a NAT/Forward rule to send SFTP traffic on port 22 to an internal IP address. I have successfully tested from a handful of different devices that the NAT rule works and now I want to limit it to 5 specific public IPs that should be able to access this server. Since the public IPs are not part of a single subnet I assume I have to create 5 NAT entries but I am not having a lot of success.

For our use case the public IP is 144.161.111.111 and the translation rule would be to 192.168.2.10

What seems to be the proper rule setup firewall>NAT >Add

Source > Advanced > Single Host 144.161.111.111
Destination > Wan Net
All port details are listed as port 22
Redirect Target IP > 192.168.2.10

Everything else is default value

When I follow this process the server is not accessible. Any guidance would be greatly appreciated since I'm experiencing a flood of bots trying to brute force my server.

Thanks all!

Peter

serbus

Hello!

You can browse to Firewall -> Aliases -> IP and Add an alias that contains your public addresses. Use the new alias as the Source -> Advanced -> Single host or Alias entry.
Check your Destination and maybe use WAN Address instead of WAN Net (?).

John

Spearhead1

@serbus thank you for the advice on the alias, that is helpful. Unfortunately the rule continues to block traffic. I can see the IP being blocked in my firewall logs. The only way I continue to get this to work is with an Any to Any rule. Really strange.

serbus

Hello!

Verify that your alias was created correctly by browsing to Diagnostics -> Tables and selecting the alias name from the dropdown.

John

teamits

Are you having the NAT rule create a linked firewall rule that allows traffic to 192.168.2.10:22? That should be the default.

I think the destination for the NAT should be WAN Address not WAN Net.

stephenw10

@spearhead1 said in SG-3100 - NAT rule for single Public IP:

All port details are listed as port 22

If you set the source port to 22 also that's incorrect. It should be left as 'any' as it will be a random port.

Steve

Spearhead1

@stephenw10 this is it! I totally forgot the source ports are randomized and as soon as I moved that back to any it worked. I really appreciate it!

Spearhead1

@teamits said in SG-3100 - NAT rule for single Public IP:

Are you having the NAT rule create a linked firewall rule that allows traffic to 192.168.2.10:22? That should be the default.

confirmed, this was working automatically. Figured out it was the source port needing to be "any". Thanks!