topic Re: Allow inbound concetion to multiple servers from single public ip in General Topics

Allow inbound concetion to multiple servers from single public ip

MP18 — Fri, 15 Mar 2019 18:21:18 GMT

We have vendor device with public ip in internet.

IT need to talk to multiple servers inside the company network.

all the internal servers have private ip and connection need to come on different port numbers.

Currently I am allowing the incoming connection from vendor to one of our public ip address and using static nat translation

for destination address.

how can i do destination nat translation the single public ip address of firewall to the multiple ports and addresses?

Re: Allow inbound concetion to multiple servers from single public ip

OtakarKlier — Fri, 15 Mar 2019 19:45:50 GMT

Hello,

You will need a NAT for each server and just specify the 'Service' (service = port).

Hope that makes sense.

Re: Allow inbound concetion to multiple servers from single public ip

BPry — Fri, 15 Mar 2019 20:37:45 GMT

@MP18,

While what @OtakarKlier mentioned is right; I'd be amiss if I didn't mention this is a terrible security practice. You should be giving the IT folks access to a VPN (like the built-in GlobalProtect), limiting their access to the servers in question, and then letting them work like that. Exposing something to the outside via a NAT rule, even when properly restricted with a security policy and source addresses, is a terrible security practice.

Re: Allow inbound concetion to multiple servers from single public ip

MP18 — Sun, 17 Mar 2019 16:40:57 GMT

I agree with you.

But in current scenario the end device does not support support windows it runs on linux and current version of it does not

support global protect.

as we are migrating this from Cisco ASA it is better protected with PA.

Also then end device only talks to few servers on specfic port.